As accelerating digitalization creates new opportunities for businesses in all industries to engage with customers, this growing reliance on websites and apps gives bad actors more opportunities to strike. A well-timed DDoS attack can bring an organization to its knees. Randy D’Souza, Director of Product Management at Neustar Security Services, discusses how a Hybrid Web Application Firewall (WAF) can play an instrumental role in efforts to mitigate escalating cyber risk.
The best-designed schemes usually have one thing in common: a reliable backup plan. For cybersecurity professionals, layering defense in depth across a wide variety of technologies and data is second nature by now. The acceleration of life online has introduced new opportunities and efficiencies across all industries, but it has been a double-edged sword: the growing functionality of websites, apps and their management interfaces has expanded the attack surface and given malicious actors more chances to find and exploit vulnerabilities. The DDoS threat alone can be enough to bring an organization down, but a hybrid WAF deployment can help mitigate the risk.
One of the ways organizations build defense in depth is with an on-premises WAF. It can be the right fit for some needs: when you combine the WAF with an Application Delivery Controller (ADC), when you are dealing with legacy infrastructure, when Transport Layer Security (TLS) must be terminated inside your own data center, or when you need close, contextual inspection of traffic directly in front of the real application server. On-premises WAFs are also well suited to internal applications that are not exposed to the internet, and they work well for writing and propagating very specific rules. But their limitations are well documented, physical ones first of all: an on-premises WAF is usually tied to a load balancer or ADC that sits in the same physical data center, so its capacity is bounded by that hardware.
A cloud-based WAF, by contrast, makes it easy to fail over from one data center to another and to apply broader, site-wide rules that consume more processing resources. It also helps the bottom line, since it shifts costs from capital expense to operational expense.
But it is also possible to use both an on-premises WAF in conjunction with a cloud WAF to balance each other’s capabilities and provide better defense in depth. I’d like to explore where you should consider using both, especially where a cloud solution will offload an on-premises solution.
Keeping pace with evolving DDoS attacks is a challenge
Like other cybersecurity threats, DDoS attacks have evolved rapidly in recent years in frequency, duration, peak bandwidth in megabits per second (Mbps), packets per second (PPS) and requests per second (RPS). Organizations that have not updated their security protocols accordingly are likely to become increasingly vulnerable.
DDoS attacks are on the rise, with targets spanning a wide range of businesses and industries. In addition to their increasing number, these attacks have grown in scale thanks to the proliferation of larger botnets. Advances in technology have also changed the complexity of DDoS attacks noticeably, with nefarious actors better able to control these larger botnets and to tailor attacks to their victims, varying technique, timing and duration in ways that keep security professionals guessing.
The pandemic-induced change in the way the world works has only added to the security challenges. As many companies have shifted to remote and hybrid working arrangements and relied more on the cloud, the intranet has become the extranet and the number of applications needed has grown exponentially in some cases, significantly expanding the attack surface. These enterprise ecosystems must maintain their integrity to support internal operations and productivity as well as external interoperability.
Just as hybrid working has become a solution for many organizations seeking to balance the needs of their workforce, a hybrid approach to WAF implementation is considered a current best practice for mitigating DDoS attacks.
Not Just for Workers: Hybrid Switches to DDoS Defense
Orchestrating an on-premises WAF solution with an upstream provider of an on-demand – or better yet, always-on – DDoS solution has emerged as a promising approach to protecting Internet-connected assets from attack.
The on-site component is naturally the front line. As always, at the network level, enterprises must establish controls that admit legitimate traffic while maintaining visibility into all of it. Under normal circumstances an on-premises WAF needs plenty of RAM and CPU to inspect HTTP content, especially once security teams add more site-wide rules. Such systems can handle steady traffic and even some elevation, but they will be stressed when inundated with requests, as during an HTTP flood or other application-layer DDoS attack. At that point the WAF either fails open, passing traffic it has not inspected, or fails closed, dropping legitimate requests along with the flood, and neither outcome is acceptable.
When anticipating or actively under a DDoS attack, companies with an on-premises WAF can scale its CPU as far as the hardware allows and limit the requests that reach it by engaging an on-demand cloud-WAF provider, or better still an always-on one. With an always-on service in place, businesses can be confident that some protection is always active and that traffic is continuously assessed by a mitigation infrastructure. In this mode, think of the on-premises WAF as being offloaded to the cloud WAF: rules are written on-premises and then pushed to the cloud WAF, which scales them to more users and more requests.
An added benefit of a hybrid approach with an always-on service is that, on detection of an attack, stricter rules can be applied immediately. That gives it an edge over on-demand services: faster detection contains damage and minimizes disruption. When delivered through a reverse proxy, the same always-on protection lets security teams decrypt traffic and apply targeted defenses that identify and counter nuanced application-layer attacks.
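The three paragraphs above describe a failure mode and its remedy in prose: an on-premises WAF with a fixed inspection budget must fail open or fail closed once an HTTP flood exhausts it, while a cloud tier running the same rate rule in front of it, tightening that rule when aggregate RPS crosses a threshold, keeps the on-premises box within budget. The simulation below is an added example written for this page, not code from Neustar or any product; the IP addresses, log lines, capacity figures and thresholds are all constructed and labelled as such. It parses Common Log Format lines, replays them through each configuration and tallies how much attack traffic reaches the origin and how many legitimate requests are dropped.

```python
"""Hybrid WAF under an HTTP flood: an on-premises inspection budget with
fail-open / fail-closed behaviour, versus a cloud tier in front that runs
the same per-client rate rule and tightens it on detection.
Added example with constructed log lines; not code from any vendor."""
import re
from collections import defaultdict

# Common Log Format: ip ident user [timestamp] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+')

LEGIT = "10.0.0.5"                                      # constructed addresses
BOTS = ("198.51.100.7", "198.51.100.8", "198.51.100.9")


def parse(line):
    """Return the client ip, the timestamp truncated to the second, and the request line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "second": m["ts"][:20], "request": m["req"]}


def constructed_log():
    """Five seconds of traffic: the legitimate client sends 3 req/s throughout;
    during the last three seconds three bots add 40 req/s each (an HTTP flood).
    Within a second the user's requests queue behind the flood."""
    lines = []
    for sec in range(36, 41):
        ts = f"10/Oct/2023:13:55:{sec} +0000"
        ips = [bot for bot in BOTS for _ in range(40)] if sec >= 38 else []
        ips += [LEGIT] * 3
        lines += [f'{ip} - - [{ts}] "GET /login HTTP/1.1" 200 512' for ip in ips]
    return lines


class OnPremWaf:
    """Fixed inspection budget per second (RAM/CPU), one per-client rate rule,
    and a fail-open or fail-closed policy once the budget is spent."""

    def __init__(self, capacity, per_client_limit, fail_mode):
        self.capacity, self.limit, self.fail_mode = capacity, per_client_limit, fail_mode
        self.inspected = defaultdict(int)   # second -> requests inspected
        self.seen = defaultdict(int)        # (second, ip) -> requests seen

    def handle(self, rec):
        sec, ip = rec["second"], rec["ip"]
        if self.inspected[sec] >= self.capacity:
            return "allow_uninspected" if self.fail_mode == "open" else "drop"
        self.inspected[sec] += 1
        self.seen[(sec, ip)] += 1
        return "block" if self.seen[(sec, ip)] > self.limit else "allow"


class CloudWaf:
    """Elastic tier with no inspection budget. It runs the rule pushed from
    on-premises and, once aggregate RPS in a second crosses the flood
    threshold, switches to the strict limit for the rest of the run
    (always-on detection; an operator would lift it later)."""

    def __init__(self, normal_limit, strict_limit, flood_threshold):
        self.normal, self.strict_limit, self.threshold = normal_limit, strict_limit, flood_threshold
        self.strict = False
        self.total = defaultdict(int)       # second -> all requests seen
        self.seen = defaultdict(int)        # (second, ip) -> requests seen

    def handle(self, rec):
        sec, ip = rec["second"], rec["ip"]
        self.total[sec] += 1
        if self.total[sec] > self.threshold:
            self.strict = True
        self.seen[(sec, ip)] += 1
        limit = self.strict_limit if self.strict else self.normal
        return "rate_limited" if self.seen[(sec, ip)] > limit else "allow"


def run(tiers, lines):
    """Pass each request through the tiers in order, stopping at the first
    verdict that is not an allow. Returns {(who, outcome): count}."""
    tally = defaultdict(int)
    for rec in filter(None, map(parse, lines)):
        who = "attack" if rec["ip"] in BOTS else "legit"
        for tier in tiers:
            outcome = tier.handle(rec)
            if outcome not in ("allow", "allow_uninspected"):
                break
        tally[(who, outcome)] += 1
    return dict(tally)


def reached_origin(tally, who):
    """Requests that got through to the application, inspected or not."""
    return tally.get((who, "allow"), 0) + tally.get((who, "allow_uninspected"), 0)


def scenarios():
    """On-prem alone in both fail modes, and the hybrid with the cloud tier in front."""
    log = constructed_log()
    return {
        "onprem_fail_open": run([OnPremWaf(80, 20, "open")], log),
        "onprem_fail_closed": run([OnPremWaf(80, 20, "closed")], log),
        "hybrid": run([CloudWaf(20, 5, 100), OnPremWaf(80, 20, "closed")], log),
    }


if __name__ == "__main__":
    for name, tally in scenarios().items():
        print(f"{name:20} attack->origin={reached_origin(tally, 'attack'):3d} "
              f"legit->origin={reached_origin(tally, 'legit'):2d} "
              f"legit dropped={tally.get(('legit', 'drop'), 0)}")
```

With these constructed figures the on-premises box alone lets 240 attack requests through when it fails open (120 of them never inspected) and only 120 when it fails closed, but the closed mode achieves that by dropping 9 of the user's 15 requests. The hybrid run lets 90 attack requests reach the origin, rate-limits 270 at the cloud edge, drops nothing legitimate and never exceeds the on-premises budget; the strict limit is engaged partway through the first flood second, which is the "stricter rules applied immediately" behaviour the text attributes to an always-on service.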
Adaptive defense for a changing attack environment
The adage "the best defense is a good offense" is particularly relevant for cybersecurity professionals. The threat landscape and business environment are constantly changing, and malicious actors quickly identify gaps and take advantage of companies that move too slowly to close them. Protocols adopted to address DDoS risk even two years ago may be insufficient against today's threats, let alone emerging ones.
It is nearly impossible for enterprises to predict when, where and how DDoS attacks will materialize, but they can take proactive steps to build confidence in the security measures they adopt. First, an enterprise's attack surface changes constantly as applications are introduced and retired. Keeping an ongoing inventory of what needs to be protected helps security teams decide which solutions are best suited. For example, they may determine that an on-premises WAF paired with an on-demand cloud WAF is sufficient, or they may find that an always-on approach is the only way to reach the desired level of protection.
Moreover, it is not enough to know what must be protected. Security professionals must also understand the value of each asset and design the protection accordingly. Disruption to internet-connected assets, for example, can damage customers' trust in a brand and drive them to competitors if an outage drags on. Engaging a proxy-based on-demand or always-on WAF service can make a significant difference to that outcome, and a cloud WAF can be upgraded much more easily than an on-premises solution.
Finally, outsourcing some of the security coverage is unavoidable, given the speed at which DDoS attack vectors multiply and the specialized knowledge and skills required to address them. As companies engage WAF service providers, it is essential to train staff and maintain a comprehensive understanding of how these solutions integrate with existing systems and how they scale to meet emerging trends.
The good news: resources are available
When it comes to maintaining cybersecurity and a reliable internet presence, the stakes are undoubtedly high. Employees, management, customers and partners all expect 100% uptime, and extended outages of Internet-connected assets are costly. By engaging security experts and leveraging available advancements, organizations can learn and apply the best mix of WAF support to mitigate risk and ensure business continuity.