There are many security capabilities offered as cloud-based services today, including Web and email filtering, network traffic access controls and monitoring, and tokenization for payment card transactions. One important distinction to make is security services “in the cloud,” or those that are integrated into cloud environments as virtual appliances for consumer use and control, versus security “for the cloud,”-- Security as a Service...
for other cloud providers to channel traffic and data through. In this tip on cloud security services, we’ll focus on cloud-based Web application filtering and monitoring and distributed denial-of-service (DDoS) attack prevention services, which may be offered in both models.
Web application firewalls
There are several types of cloud-based Web application firewall (WAF) services being offered. The first falls into the “security in the cloud” category, with current hardware and software-based WAFs offering virtual appliances for use within cloud provider environments for Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) clouds. These vendors include Imperva Inc. and Art of Defence GmbH., and are available in well-known cloud environments like Amazon EC2, GoGrid and Terremark. The cost to implement these virtual appliances is usually reasonable, and the additional filtering for common Web application attacks, as well as limited behavioral profiling, can be invaluable for cloud customers. Many data breaches start with SQL injection and similar attack scenarios, so this is a service that should be investigated, especially for cloud applications that handle sensitive data. Performance can be somewhat impacted, however, and applications that have very high performance needs will require significant testing before enabling in-depth rule sets on any WAF appliance.
Art of Defence is somewhat unique in that it hosts all WAF service offerings within the EC2 cloud, making implementation particularly simple for Amazon customers. In addition, Amazon offers Citrix NetScaler WAF capabilities to AWS customers who prefer not to manage a dedicated WAF virtual appliance themselves..
Several Security as a Service providers have created “security for the cloud” WAF offerings, as well. Imperva has launched a cloud-based WAF service company called Incapsula that is targeted primarily at small and medium businesses that want a simple way to direct their Web application traffic through a WAF without managing one onsite or in a cloud environment. Getting started requires only a few DNS changes, and Incapsula seems focused primarily on detecting and preventing the major Web-based threats and issues, including SQL injection, cross-site scripting (XSS), and other OWASP Top 10 vulnerabilities. Some focus is also placed on caching and reduction of traffic overhead..
Akamai Technologies Inc. has been providing cloud-based WAF capabilities since 2009, when it began offering application filtering based on the open source ModSecurity WAF platform, although customized to run on the Akamai EdgePlatform network. Its current capabilities include IP whitelisting and blacklisting, as well as rule customization to detect and block protocol anomalies, SQL injection and XSS attacks, content leakage and other security violations. Recently, Akamai announced they would be collaborating with Qualys and other companies on the new open source WAF project, IronBee.
Distributed denial-of-service protection
For DDoS protection, several “in the cloud” offerings are available from providers like Terremark, Rackspace and NaviSite. DDoS protection is offered as an additional managed service that customers can add to their cloud hosting plans. DDoS protection services can range in price and scope, depending on the level of customization required. For simple redundancy and DNS “shielding” services, the cost is usually minimal, but this can go up for customers with large numbers of sites and virtual hosts, since more operational overhead is incurred by the service provider. Most customers will not require DDoS protection, but organizations that have stringent uptime requirements, or may be susceptible to DDoS attacks, should evaluate whether these services are available and meet their specific needs within cloud hosting environments.
Other companies offer DDoS protection “for the cloud,” where cloud customers or customers hosting their own data can send traffic through their infrastructure to be monitored and managed. Akamai offers one such service called DDoS Defense, which consists of multiple components including DNS security with DNSSEC, traffic prioritization and bandwidth control, Web acceleration, server “masking” from the public Internet, and others. Another firm that offers cloud-based DDos protection is DOSarrest, based in Vancouver. Its Proxy Defense and customized services offer a DDoS “buffer” for sites, effectively processing traffic and controlling bandwidth as needed when customers come under attack. For very high-traffic sites like eBay, Amazon and others, this is an important security offering, as DDoS attacks are often trivial to launch for coordinated attackers, and can effectively shut down Web-based businesses for a period of time.
Cloud-based WAF and DDoS protection services represent a step forward for convenient security implementation. WAF products have traditionally been viewed as difficult to implement and manage. Simplifying integration with virtual appliances and outsourcing most of the operational configuration and management to cloud provider staff makes sense in many cases for cutting costs and leveraging specialized expertise. DDoS protection is a highly specialized security capability that becomes much more accessible to customers in a cloud model, and benefits from the inherent scalability and redundancy of cloud platforms and data centers.
About the author:
Dave Shackleford is a founder and principal consultant with Voodoo Security and also a certified SANS instructor.