Intrusion Prevention, Detection and Web Application Firewalls

As more and more businesses are hosted online and increasingly on cloud platforms such as AWS, it is critical to ensure robust cybersecurity defenses are in place. Typically, the security architecture for most web facing applications begins with boundary protection using a firewall. There are a number of security sub-systems such as Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS) and Web Application Firewalls (WAF) which are generally considered as basic requirements. This is especially true for online businesses offering services in the Healthcare, Financial, Government and Commercial payments market.

As always there is a wide variety of choices and it is critical to understand the role of each one of the security systems to make an informed implementation decision. Let us begin by reviewing some of the basic definition on what these system do and the protections they provide.

Intrusion Prevention System (IPS) — An IPS is an appliance that monitors and analyzes network traffic to detect malicious patterns and potentially harmful packets. Typically, most IPS offer firewall, unified threat management and routing capabilities. There are numerous advances in IPS technology with a sophisticated set of capabilities including in-line deep packet inspection, intrusion prevention through rules & signature detection, application inspection and control, SSL/SSH traffic inspection, website filtering and quality of service/bandwidth management. While there are many products in the marketplace, a common example of such a solution is Fortinet’s FortiGate product.

Web Application Firewall (WAF) — A WAF is typically an appliance or service that is used to secure your web sites/applications against threats like DoS, Cross Site Scripting, and SQL injection, etc. The WAF appliance is positioned before the web server. Typically, a WAF provides the ability to configure security rules and conditions through a web ACL (access control list) that detects and prevents malicious requests from being processed by the web server. Given the need for performance many SaaS and online business providers use Content Delivery Networks (CDN) such as AWS CloudFront or Akamai which offer integrated WAF capabilities. An example of a standalone product is Fortinet’s FortiWeb product. The diagram below shows a typical WAF configuration in a AWS VPC.

Figure 1: Diagram showing WAF deployment within a AWS VPC

It is important to note that the diagram provides a highly simplified diagram. Generally, speaking one would want the WAF (or IPS) for that matter not to be configured as a single point of failure (SPOF). In the diagram shown above there are two sets of load balancers (ELB) and external and internal one to allow for multiple WAS instances in in separate Availability Zones. However, some solutions such as Fortinet’s FortiWeb provide load balancing capability do not need the external load balancer.

For SaaS and online businesses looking for a simple solution to get started, AWS WAF is something to consider. AWS recently launched a Web Application Firewall as an add-on service to AWS CloudFront. AWS WAF detects and blocks malicious web requests targeted at web applications through rules that can help protect against common web exploits like SQL injection and cross-site scripting. Key concepts associated with AWS WAF include conditions, rules, web ACLs, and actions which are explained in greater detail…Read more at the stackArmor Blog.

One clap, two clap, three clap, forty?

By clapping more or less, you can signal to us which stories really stand out.