Lessons Learned: How to Deploy a Hybrid WAF

Five years ago the New York Times picked up a case study that we had published about a hacktivist group. We were looking at an emerging security landscape – one in which distributed denial of service (DDoS) attacks were a major concern.

At the time we had more on-premises security layers than cloud-based services. We had to prepare to ensure site uptime and availability to maintain productivity and our public reputation. We started implementing a hybrid web application firewall (WAF) solution that had both  cloud and on-premises solutions. Wherever technically feasible, we added Incapsula to every incoming, on-premises implementation so as to serve both our customers and our own sites. In the end, only one site had to remain unprotected and was subsequently hit. Back then it took two hours to identify a DDoS assault which is typical for a first time DDoS experience.

What is a Hybrid WAF?

Here at Imperva our hybrid WAF uses our SecureSphere product inside the firewall, while Incapsula sits outside the firewall, closer to the end users to block attacks at the perimeter and also improve user experience.

SecureSphere

Imperva SecureSphere is a web application firewall that sits closer to your assets and applications. We chose it for the following reasons.

• It accommodates every change from marketing to the website and allows very tight security configuration lockdown.
• It mitigates internal threats from both malicious and compromised insiders.
• Its highly granular rules offer specific configurations for every possible case.
• It can accommodate very specific actions for edge cases, including unique use cases.

Incapsula

By using client classification and proprietary profiling tools, the Incapsula service quickly learns end user behavior through staff analysis and automated tools. The cloud WAF can stop an attack closer to the source before it hits your network perimeter and is especially equipped to deal with web (application) and DDoS (network) attacks. Some Incapsula features that work well for us include,

• Superior machine learning and classification techniques.
• Its large network comprised of a vast mix of sites representing the real-world web landscape that lets us evaluate emerging patterns and quickly develop mitigation policies for newly-discovered vulnerabilities.
• The content delivery network (CDN) comprised of global data centers that provides a performance boost for our sites by delivering cached content from a source that is closer to our users’ locations.

Choosing a Security Solution

Our journey to build a strong security posture for our company has taken us through evaluating all the solutions available. We decided that to protect 100 percent of our web assets and secure our non-web properties we needed both a cloud service that was backed by on-premises security. Here’s how we went about it.

Since our goal was to completely secure our web assets, we needed scalable and resilient capabilities in our desired security solution. As Incapsula expanded its services, we put Imperva’s web assets behind the Incapsula cloud. While a cloud security protects assets outside the corporate environment, we also need solutions to protect against malicious and compromised insiders.

The final piece was to strengthen the protection of our infrastructure. To make sure infrastructure remains available at our data center, we needed to protect our entire IP range. Incapsula Infrastructure Protection covers this area of our digital assets.

Our infrastructure includes web, email, and other assets in entire subnet ranges. During an attack, traffic is rerouted through Incapsula scrubbing centers using BGP announcements. All incoming network traffic is inspected and filtered, and only legitimate traffic is forwarded to our network via GRE tunneling. Once Incapsula acts as the ISP, it advertises all protected IP range announcements, adding an extra layer of security.

Some of our assets require infrastructure protection for individual IP addresses. This deployment lets us secure a single IP address without using BGP routing. We use a protected IP address from Incapsula and clean traffic is forwarded through a redundant, secure, two-way GRE tunnel to the origin IP.

We are currently implementing Infrastructure Protection for Imperva. As you know security evolves as a company grows. What has your experience been? If you have any questions please leave me a comment.