New Web Application Firewall features

Serverius has expanded its Web Application Firewall (WAF) with many new features, such as a new load-balancer API, free website SSL, tailor-made captchas, IP blacklists and whitelists, an automatic child porn blocker and three new scrubbing datacenters in Europe.

Patrick Cress, software engineer within the Serverius R&D team, explains why
the Web Application Firewall is offering more than an average WAF.

Infrastructure and ecosystem

Serverius supplies datacenter colocation, connectivity and cybersecurity services from multiple locations. The company invests heavily in developing these services. To this end, employees are encouraged to acquire new knowledge and to maintain existing knowledge. Serverius is serious about this, as evidenced by the fact that 40 percent of revenue is reserved for Research & Development every year.

This unprecedentedly large reservation is bearing fruit, because the company is experiencing good growth for each of the services. Serverius also distinguishes itself from the rest of the market by offering services for free. For both the Speed-IX peering platform and the Sercurius security platform, users can use the services after registering without an invoice being sent. Serverius does this in order to contribute positively to a better and safer internet.

Sercurius

Sercurius is the name of the free-to-use security platform from Serverius. Patrick Cress: “Sercurius is the free variant of our security portfolio. It uses the Serverius API to offer services for anyone with their own website so that they can make it a lot safer. Exactly the same API that we use for Sercurius can also be used by other companies. Viewed from Serverius, Sercurius is a customer who uses the API to build up their own security portfolio.”

Free and anonymous

Everyone with their own website, or with websites under management, can use Sercurius for free. By logging on to the website, the user consents to his anonymous data being used to further develop the services. Cress indicates that the anonymized data is really important. “We see a lot of attacks in real-time, whereby the attack data is thrown in a lot and analyzed by means of AI. The resulting patterns are then used to improve the security of Serverius and Sercurius customers. We are convinced that this method, including the use of AI, is the only way to remain successful in the fight against cyber criminals.”

Expanded

Registering with Sercurius gives the user access to a well-arranged cockpit in which the services are listed and explained, and to which things are added on a weekly basis. “We work with two-week sprints, which means that these existing services are constantly improving and structural services are being added,” says Cress. He thereby explicitly indicates that Sercurius will never be finished; that is also impossible for a security service.

The first impression of the cockpit is that it is an extensive offer. Anyone who does not have their own infrastructure will find it appealing that so much security can be added with a few clicks. That security also becomes active in virtually real time. Everyone can understand the services and activate, adjust or switch them off in the meantime. In-depth technical knowledge is not required. “That is one of our starting points for this service,” says Cress. “Anyone with a website must immediately understand this without a long study.”

Dutch

Sercurius is also the answer to questions about more security from companies that need a web interface for back office activities. Instead of paid solutions from partly non-Dutch providers, they can register for free with Sercurius. When Cress names that target group, a special USP of Sercurius comes up: all the data needed to run the service remains in the Netherlands, in data centers of the Dutch company Serverius. “We see 100% Dutch increasingly coming up as a requirement and it is therefore very logical for us to meet it.”

Components

Sercurius currently consists of the following services: load balancing, source rate limiting, IP reputation, free SSL, captchas and a rule-based filter engine. Logging and metrics will be added soon. The operation of a load balancer speaks for itself. Source rate limiting means that the website holder can set the maximum number of requests in order to ward off unwanted traffic. The function is enabled by default for all Sercurius users, because this also protects the underlying Serverius platform. IP reputation is also enabled by default. The user can add whitelists and blacklists himself.

Free SSL

Free SSL uses Let’s Encrypt. This part of Sercurius perfectly illustrates the innovative nature of the security platform. First, it shows that the websites that are registered with Sercurius do not have to run in the Serverius data centers. Secondly, the system looks at every registered website, wherever it is hosted. As soon as that website generates traffic and there is no SSL active, Sercurius automatically sets it up. The renewal of SSL (which can be complex with Let’s Encrypt) is also automatic. Cress indicates that part of the sector is not happy with Sercurius and that the SSL module in particular is a thorn in the side of some.

Cress briefly mentions that Serverius offers more options with the captchas, including individualization, than the well-known Google version. What he dwells on for longer is the rule-based filter engine. “That is our flagship product. We have grouped known rules, including the OWASP Top 10, per application type. In the dashboard, check if you have a WordPress, Joomla or Drupal environment. You are then automatically protected against the known specific attacks aimed at those CMS systems. The user can activate additional rules himself.”

Using the EOKM database

Serverius is the only service in the Netherlands that also uses the EOKM (Online Child Abuse Expertise) database. This database contains millions of hashes of illegal photo and video material that have been collected by the police forces of the Netherlands and Canada. As soon as a website or other online environment uses Sercurius as security, its owner can be sure that no illegal and punishable material can be uploaded. This is again one of the functions that show that the Serverius WAF is well suited to users such as forums, where people do not always have a hold on the hosted content. Cress: “We are the first in the Netherlands to make this possible. We don’t just say that we think safe and better internet is important for BV Nederland – we also deliver the solutions.” With this, Serverius clearly demonstrates its responsibility for better internet.

Compliant

Via the explanation about the EOKM database, the conversation turns to the AVG (GDPR). Since May of last year, many companies must be able to prove that they are in control when it comes to the safe storage and processing of personal data. Cress: “There is a clear trend that companies, institutions and also governments must organize the processes in such a way that it is clear that they are complying with the laws and regulations. Being compliant is no longer showing a stamped certificate. Processes must be permanently monitored because only quick and correct intervention is possible.” That is why Serverius offers security to the website owner with automated advice so that they can also make their web application better. Sercurius offers all that and, as Cress has already mentioned, has the additional advantage that the data does not leave the Netherlands.

Roll out

The performance requirements that web environments must meet can only be realized if more security is not accompanied by high latency. For this reason, the Serverius WAF consists of multiple filter locations (PoPs), which are hosted inside and outside of Serverius data centers. There are already three PoPs in the Netherlands at the moment. The rollout within Europe has now started. The worldwide roadmap speaks of 20 operational PoPs for Q3 2020, with a focus on America and Asia.

Cress and his colleagues look forward to the rollout with confidence. Sercurius is in fact built from scratch, with Golang, the programming language of Google, playing a central role. Golang is an incomparable scripting language that leads to highly efficient use of the physical filter hardware. Thanks to Golang, Sercurius can run on a fraction of the hardware that would be needed with a different language. “We are currently at a tenth of the hardware and the performance is at least ten times higher than the use of existing software such as NGINX,” explains Cress with a laugh. “As a result, we can offer our security platform without much extra latency and it also offers us a lot of advantage to roll out our product internationally.”

This way of working is not unique. Parties such as Google, Uber and Dropbox have already preceded them, and thanks to this language they have been able to quickly increase their footprint. If it is up to Cress and his colleagues, Sercurius may also be added to that list of success stories, but with the important precondition that Sercurius is and remains a free service.