Why WAFs are vital for defense-in-depth cloud strategies

Vulnerabilities hidden within copious lines of code and stealthy data breaches are hard to detect, more so when an organization lacks the tools and capabilities to discover them. But a data breach is often a telltale sign of a poorly designed web application.

And as more applications are moved to the cloud, the security challenge is becoming more urgent and daunting. Be it an on-premise or a cloud deployment, or in a physical or a virtualized data center, organizations face the same threats to network, application and data security.

Organizations extending applications to the cloud also extend notions of identity, network and access control, information protection, and endpoint security, say officials at cloud-connected security vendor Barracuda Networks. That’s why organizations, especially those in Singapore that are among the top adopters of cloud computing in Asia, must first fill the functional gaps between cloud infrastructure security and a defense-in-depth strategy to securely migrate applications to the cloud.

“In the wake of recent hacking incidents impacting businesses and government organizations in Singapore, it is important for the market to understand how web application firewalls (WAFs) provide additional and dedicated defense for the end user’s web services and application infrastructure, bolstering security measures already in place, such as the network firewall,” says Benny Lim, SEA regional director at Barracuda Networks.

WAFs can protect web applications or workloads deployed in Microsoft’s Windows Azure cloud platform by, for instance, blocking a poorly designed web application that might pose security risks from running on a VM. Such protection makes Azure, which is built on the same secure infrastructure as Bing, Microsoft.com and Office 365, resilient against application-level threats. 

A WAF can be deployed as a hardware or virtual appliance, either on-premise or in the cloud.

Scale and simplify

A fully integrated WAF, like the Barracuda Web Application Firewall, enables organizations migrating applications to public cloud platforms, like Amazon Web Services (AWS) and Windows Azure, to protect those applications from threats like SQL injection, application DDoS, cross-site scripting attacks and unauthorized access.

The WAF can also dynamically scale to meet application performance and workload requirements on these platforms. “Windows Azure is working closely with Barracuda to help customers as they move more and more of their on-premise workloads into the Windows Azure cloud platform,” says Venkat Gatamneni, senior product marketing manager of Windows Azure at Microsoft.

With security a top concern for cloud adopters, Barracuda has also augmented application security with its Next Generation Firewall through the Azure and AWS public cloud platforms. This enables secure multi-tier networks and high-speed (more than 1 Gbps) site-to-site secure remote access from on-premise networks to those platforms and virtual networks within those platforms. End users, meanwhile, gain high-performance connectivity to the cloud from branch offices and their client devices.

Additionally, predefined security templates for web applications and third-party packaged applications like Microsoft SharePoint simplify IT so that companies of all sizes can secure applications without complex configuration and management. When used with a next-gen firewall, centralized management capabilities reduce management overhead further for scalable and fault-tolerant network infrastructure.

All-round protection

The Universiti of Malaysia Perlis (UniMAP), a fast-growing Malaysian engineering university, relies on the security offered by Barracuda WAF’s reverse-proxy architecture to fend off SQL injection and other malware attacks occurring five to 10 times per hour on its multiple application servers, web services and informational websites.

“More important, [the WAF] is a single point of protection for all our inbound and outbound Internet traffic as well as peer-to-peer,” says Nasrudin Abd Shukor, director of UniMAP’s Information and Communication Technology Center (ICT). “It includes all the best practices for application security right out of the box.”

Serving students and staff on more than 30 different campuses, as well as the general public, the university required a solution to “ensure network performance, scalability, uninterrupted, ubiquitous online access, and foremost, to protect the multi-application environment from any loss of confidential data,” Abd Shukor adds.

Web traffic passing through the firewalls uses HTTP and HTTPS protocols so university students and lecturers gain secure encrypted communication with web applications. A dashboard aids troubleshooting and management through real-time visibility into attack statistics, system performance, traffic, resource usage and other information.

Speed up services

The WAF’s real-time visibility is particularly important for government agencies concerned with not only critical web infrastructure protection but also application performance and reliability.

As a government agency security officer puts it, “the Barracuda Web Application Firewall improves web security for our custom applications and third-party software. It also provides enhanced visibility to attacks against our infrastructure.”

Apart from securing websites, third-party applications and custom cloud applications, deploying a WAF solution in proxy mode will help to further strengthen security, accelerate applications and enable SSL offloading.

The Barracuda Web Application Firewall automatically converts an insecure HTTP web application into an encrypted HTTPS application without having to rewrite any code, according to Barracuda officials. It handles SSL encryption on behalf of the web application and rewrites traffic in real time to use the secure HTTPS protocol. Essentially, it encrypts or decrypts on behalf of the web server, freeing up server resources.

WAFs’ extensive functionalities are geared to drive defense-in-depth cloud strategies – facilitating easy management and administration, comprehensively protecting cloud applications, and accelerating application and content delivery.