Free Application Firewall
KEMP Loadmaster provides industry leading performance as a Load Balancer and as an Application Delivery Controller. In addition LoadMaster provides functions that you may not know about such as SSL Offloading, Reverse Proxy for applications such as Microsoft Exchange, and web application firewall functionality. The latter is provided via a freely downloadable Web Application Firewall (WAF) add-on pack for all LoadMaster versions: physical device, virtual machine, bare metal, and Cloud based LoadMaster instances. WAF also supports deployment on our fully functional free LoadMaster solution.
The functionality provided by WAF is the same irrespective of which LoadMaster version it is running on. With the exception that the free version does not include the commercial rules found in the paid versions. The core web application firewall is provided by the industry leading ModSecurity engine augmented with rules and settings recommended by Trustwave as a result of their comprehensive knowledge of web application threats. WAF enhances traditional security infrastructure, like firewalls and intrusion detection systems by adding the ability to inspect inbound and outbound network traffic at the Application level of the network stack. By operating at Layer 7 and using the ability to open and inspect inbound network packets even if encrypted allows for known threats to be detected and mitigated. Known threats are always changing, and it can be hard for busy system administrators to keep up to date with the evolving threat landscape. To assist with this task WAF can auto-update daily to get new threat definitions to protect web applications as fully as possible. These new definitions are created by security experts from KEMP and others so that IT support personnel don’t have to be up to date every day on the latest threats.
The included rules protect against vulnerabilities in all of the popular commercial web applications. They also protect against the common vulnerabilities outlined in the OWASP top 10 list. For web applications that have been written in-house or customised from commercial offerings, additional custom rules can be added to the WAF as required. When developing these rules it is possible to run WAF in Passive mode so that events are just logged rather than acted upon. This allows web applications to be characterised to determine the best rules to protect them. When this is known the rules can be moved to a LoadMaster with WAF running in Active mode. In active mode suspicious events are both logged and the data packets are not delivered to the application.
In addition to the inbound protection provided by WAF, it can also provide outbound protection to stop sensitive information leaking from an organisation. Rules can be added to inspect outgoing network traffic to prevent data such as personally identifiable information, credit card numbers, or any other sensitive data that you define from being transmitted over the network. This is invaluable when operating in regulated sectors like the PCI-DSS financial sector, or for patient data in health settings.
Because WAF is fully functional, irrespective of which version of LoadMaster it is deployed on, it can be used in a wide variety of scenarios. For mission critical, high performing web applications WAF is an ideal choice to help protect them and ensure service availability. The same is true for other web applications at all levels from small departments Intranet applications all the way up. As WAF can also run on Free LoadMaster it is ideal for development and testing use as well. In DevOps scenarios Free LoadMaster and WAF are an ideal pairing to mimic commercial load balancer and web application firewall deployments for development, testing, deployment, and support workflows. This allow the full functionality of production systems to be used without having to duplicate the costs of multiple systems for Dev, UAT, Training etc.