Serverius Web Application Firewall (WAF)
And there it finally is! After 1.5 years of in-house development, the first final version of the Serverius Web Application Firewall (WAF) is available for all users.
This cloud-based WAF is the new addition to Serverius's famous DDoS protection cyber security suite.
Default WAF functionality, combined with lots of extra technical functionality, allows users to secure their web applications in the fastest and most efficient way.
WAF protection in the cloud
The WAF works as an external scrubbing cloud service. It’s a clustered web proxy where only the clean data traffic is sent to the webserver. This way the web hosting servers will never be overwhelmed by data traffic and/or CPU/IO load. It solves the problem of self-hosted web application firewalls, which can only handle a small number of requests. For example, a fast new hosting server (fast CPU, 10Gbps uplinks) is in most cases only able to process up to 500Mbps of HTTP(S) requests. And as you may know, an average HTTP(S) attack these days is way higher than this. 10Gbps+ HTTP(S) Layer 7 attacks are most common these days. As a result of the off-site cloud protection, no protection processes will run on the server. Therefore administrators can do much more with the same hardware. It saves them from buying new hardware. And of course a cloud WAF is much easier to maintain than any self-hosted WAF, because there is only one overview for all your websites, across all your hosting servers. You’re finally rid of per-server management!
100% Serverius built!
The new WAF doesn’t use any commercial WAF vendors. We built it ourselves and are using anycast to load balance traffic. The WAF is hosted on a huge Docker cluster which runs many application servers based on NGINX and Lua with precompiled open source, commercial and private WAF rules that protect users against all known web attacks. On top of this, users can set source IP flood control, use the website lockdown tool, disable all possible HTTP(S) request methods, enable advanced debugging, set custom error and captcha pages, use default + private IP reputation databases, more than a thousand application rulesets, etc. In other words:
Web security by default
Although most web hosting companies still don’t offer WAF protection by default, it’s to be expected that this will change in the coming years, because more and more clients request web security by default. Everyone understands that everything is hackable and therefore basic protection is always needed. Even when no attacks have been noticed, it’s not acceptable anymore these days to let (automated) hackers or bots try to touch the application and just let it happen. It’s your responsibility to avoid simple hacks. Especially with the upcoming GDPR on the horizon, a WAF will be essential for any hosted application.
All features in the client panel are also available through a REST API. With this API users can integrate the WAF into their own back-end. Currently two Serverius colocation clients are integrating the WAF into their ordering process. This way any website will get basic WAF protection by default, and advanced protection is offered as a paid extra. Everything is automated without any human intervention. The system engineer only has to watch his client web application overview and can support his clients as a service.
Carrier WAF by using private IP space
To use the service, users can simply change their domain name DNS records to the protected WAF IPs of Serverius. In the client panel the external destination IP is set; the cleaned data traffic is forwarded to this IP, which is hosting the website. But in many cases this is not an option, for example when a hosting company is using its own IP space outside Serverius. Attackers can find the source IP and will bypass the protection. Therefore it’s key for IP network owners to use their own private IP space within the WAF. As you would expect, it’s also possible to use redundant carrier VLANs or GRE tunnels. When the IP space is announced by the WAF infrastructure, the user can keep his current IP space in his DNS and doesn’t need to change anything else.
While the WAF is in its first version, our wish/to-do list already contains 150+ new features. These will all be added in the upcoming months. To give you an idea of what will be added: an app scanner that will periodically scan the web application and configure the WAF, more logging and graphs from the new Elastic logging cluster, Let’s Encrypt SSL certificate support, wider attack notifications, more white label administrator dashboard features, HTTPS decrypted attack data traffic packet capture, overseas PoP locations, etc. If anyone has a feature request, please let us know by email or phone.
Come visit us at CloudFest 2018!
From today till Friday at CloudFest 2018, at booth H21 (near the entrance), visitors can see the new Web Application Firewall in action. Our salespeople, together with NOC and R&D, will demonstrate some default attacks and are available to discuss how to integrate the new WAF into existing hosting environments. See you at CloudFest!