Web Application Firewall

The Serverius Web Application Firewall is a cloud-based protection environment that filters, monitors, and forwards HTTP(S) traffic to any web application.

Aggressive web traffic to your web applications comes hand in hand with large-scale DDoS attacks. The Serverius WAF protects web, mobile and API applications against web attacks. Our default WAF functionality secures and boosts application performance in any private, hybrid or multi-cloud application environment.

Web Application Firewall default features:

  • Default and customized OWASP rule sets.
  • Protection against Distributed Denial of Service (DDoS) attacks.
  • Load balancing with advanced health checks, supporting your application availability in hybrid cloud environments.
  • Advanced Security Operations Center support, supplementing and supporting your own in-house IT team.
  • Free Let’s Encrypt SSL certificate for every website.
  • Fully compatible REST API.
  • Multiple cleaning datacenters (PoPs).

API first

The WAF has been developed according to an “API first” principle, which means that all available functionality is offered through https://api.serverius.net. A full-featured web interface is also offered in the Serverius client panel: https://my.serverius.net. This way organizations can easily integrate the WAF into their infrastructure, let the WAF be part of their own security environment and make easy changes by hand.

Let’s Encrypt by default

When adding a domain to the WAF, a Let’s Encrypt SSL certificate is created by default. This saves you from installing and updating SSL certificates in your hosting environment. And of course, this free SSL certificate can also be overruled by your personal/commercial SSL certificate.

Application DDoS protection

Protect against advanced application-layer DDoS attacks (SlowLoris, RUDY and Slow Read), which differ from volumetric DDoS attacks, with fingerprinting and IP reputation to distinguish real requests from fake ones. Secure against application DDoS using a variety of risk assessment techniques such as application-centric thresholds, protocol checks, session integrity, active and passive client challenges, historical client reputation blacklists and anomalous idle-time detection.

OWASP Core Rule Set support

The OWASP ModSecurity Top 10 Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The Serverius WAF supports many common attack categories, including SQL Injection (SQLi), Cross Site Scripting (XSS), Local File Inclusion (LFI), Remote File Inclusion (RFI), Remote Code Execution (RCE) and PHP Code Injection.

Multi-site cleaning datacenters (PoPs)

The Serverius WAF service is hosted in both Serverius datacenters and in many datacenters in Europe. By using anycast IP routing, any local web request is inspected locally and re-routed over the shortest path possible, so the best possible latency is offered. Also, by using all those scrubbing PoPs, Serverius is able to offer users an extremely high scrubbing performance.

Currently the PoPs are:

  • Dronten (SDC1), Netherlands
  • Meppel (SDC2), Netherlands
  • Sofia, Bulgaria
  • Stockholm, Sweden
  • Zurich, Switzerland

Destination IP load balancing

Web traffic from the WAF proxy can be forwarded to one or multiple public IP addresses. This allows users to distribute load to multiple hosting resources to maximize their throughput, create redundancy, and avoid overload of any single resource.

You can use many load balancing types, like Round Robin, Weighted Round Robin, Least Connection and Weighted Least Connection. And of course IP subnets can be added through the web interface or the API.

White label: using your own private IP subnets

The WAF can be used with Serverius IP space or Serverius name servers or your private IP space. This unique functionality allows ISPs and cloud providers to use the Web Application Firewall and DDoS protection as a white label service.