Akamai: Improving Web Application Security: The WAF Approach White Paper (English edition) (11 pages).pdf


Improving Web Application Security: The Akamai Approach to WAF

Akamai White Paper

TABLE OF CONTENTS

INTRODUCTION
CHALLENGES WITH DEPLOYING WAFS
WAF DESIGN PRINCIPLES
    Accurate Protection
    Visibility into Attacks
    Adaptability to Changing Threats
    Adequate Scale
    Ease of Management
KONA RULE SET
    Broader and More Flexible Rules
    Anomaly Scoring Model
    Weighted Risk Scoring
    Custom Rules
CLOSED LOOP TESTING AND UPDATING KRS
    Automated WAF Testing Framework
    Testing with Real-world Data
    Publishing Rule Changes
    Rule Versioning
THREAT INTELLIGENCE
    Cloud Security Intelligence
    Threat Research and Incident Response
    Client Reputation
GLOBALLY DISTRIBUTED CLOUD PLATFORM
    Global Scale
    Performance
MANAGED SECURITY SERVICES
    Ongoing WAF Management
    Managed Attack Support
CONCLUSION

Introduction

Many security professionals consider the web application firewall (WAF) to be among the most complex security technologies on the market today. Sitting in the middle of the HTTP conversation between users and a web application, the WAF inspects HTTP traffic passing through it for any attacks as defined by a list of rules. The complexity of this task comes inherently with its basic definition, that of:

- Relying on a pre-defined list of rules to identify malicious HTTP requests, with thousands of potential exploits to guard against. In addition, new attack vectors or additional permutations of existing ones are continuously being discovered and exploited.
- Relying on a pre-defined list of rules to identify malicious HTTP requests interspersed with legitimate HTTP traffic, while the characteristics of legitimate traffic differ on a per-application basis and change over time.

Complicating this task, organizations have little ability today to measure, understand or quantify the effectiveness of their WAF solution in a real-time and unpredictable environment. This has led to challenges experienced by organizations in terms of accuracy, performance and management overhead.

The Akamai approach to WAF combines a) an anomaly detection model with b) a repeatable testing framework to measure effectiveness, c) threat intelligence to identify the latest threats, d) a cloud platform for global scale, and e) managed security services to help organizations better protect their websites and web applications over time.

Challenges with Deploying WAFs

Many organizations have web application firewall solutions deployed today. However, these deployments often fail to meet their initial expectations in terms of effectiveness, ease of management and impact on protected web applications. In a March 2015 report, the Ponemon Institute surveyed 594 IT professionals responsible for web application security about the status of their organizations' WAF deployment.

While 68% of the respondents had deployed a WAF, only 20% had deployed it inline. Twenty-three percent had deployed their WAF out-of-line, while a further 25% deployed it in a combination of inline and out-of-line configurations. Because a WAF must be deployed inline in order to block malicious requests, this behavior indicates that organizations face significant challenges in deploying their existing WAF solutions, including:

- Accuracy: most WAF vendors either do not provide accuracy measurements or measure it using a limited set of test traffic, and organizations often do not understand the potential impact of false positives or false negatives until after they have purchased a solution. As a result, organizations often purchase a WAF intending to deploy it inline, but deploy it out-of-line once the impact on legitimate users is discovered.
- Not enough people: many organizations underestimate the overhead required to properly maintain a WAF over time. Without dedicated resources, WAF configurations can quickly become out of date as applications change, risking a higher rate of false positives and false negatives. As a result, organizations often pull their WAF out of line once the configuration becomes out of date.
- Performance: a WAF solution with insufficient scale can reduce the performance of the protected applications. Because of the challenge in quantifying any performance impact prior to purchasing a solution and deploying it inline, organizations often purchase a WAF solution with the intention of deploying it inline, but end up deploying it out of line once they observe a web performance impact.
- Fail-open/fail-closed: under extremely high traffic conditions, traditional hardware WAF appliances are designed either to fail-open or fail-closed. In a fail-open situation, the WAF will allow all traffic to the application without inspecting for or blocking malicious traffic. In a fail-closed situation, the WAF will block all traffic from the web application. Because of this behavior, organizations often need to pull WAF appliances out of line during extremely high traffic in order to maintain web application availability.

Figure 1: Response to the question, "What best describes your organization's approach to WAF?" Breakdown of WAF deployment (Ponemon Institute, January 2015): inline deployment 20%; out-of-line deployment 23%; combination of inline and out-of-line deployment 25%; WAF is not deployed 30%; unsure 2%.

WAF Design Principles

In the Ponemon survey, the low percentage of respondents with an inline WAF deployment points at a significant industry challenge. Any vendor can build a WAF solution and bring it to market with relative ease, as demonstrated by the prevalence of commercial offerings built around the open-source OWASP ModSecurity Core Rule Set (CRS). However, it is very difficult for a vendor to design an effective WAF, one that can be deployed inline to protect organizations' applications over time as new vulnerabilities are discovered, the amount of protected web traffic grows and the web applications themselves change.

What factors contribute to the effectiveness of a WAF? While no security solution can be 100% effective, all WAF solutions should strive to provide the following:

1. Accurate protection: can it stop more web attacks while blocking fewer legitimate users?
2. Visibility into attacks: can it remove the guesswork from identifying and responding to attacks?
3. Adaptability to changing threats: how well will it stop unknown attacks?
4. Adequate scale: can it handle all of the web traffic that an application is likely to see, without becoming a bottleneck?
5. Ease of management: how much effort is required to deploy and manage it over time?

Accurate Protection

Every WAF solution relies on the quality of its rule set to identify web attacks without blocking legitimate users. Historically, WAF solutions have required organizations to make a tradeoff between false positives and false negatives, typically prioritizing the minimization of false positives at the expense of a greater number of false negatives. While this alleviates many organizations' concerns about accidentally blocking legitimate users, it also protects against fewer web attacks. A more effective approach offers a lower rate of both false positives and false negatives, increasing the accuracy of the protection provided while still minimizing impact on legitimate users.

Understanding Accuracy

Accuracy measures the ability of a WAF to simultaneously stop attacks while not inadvertently blocking legitimate users and considers four variables:

- True positives (TP): real attacks that are properly identified and blocked by the WAF.
- False positives (FP): legitimate user requests that are improperly identified as an attack and blocked by the WAF.
- True negatives (TN): legitimate user requests that are passed through to the application.
- False negatives (FN): real attacks that are not properly identified and blocked by the WAF and are passed through to the application.

Visibility into Attacks

Traditional WAF solutions provide a never-ending stream of alerts and rely on administrators to analyze the alerts and determine if an attack has occurred. This requires web security resources and expertise that many organizations do not have. A more effective approach provides visibility into and context around online attacks that have occurred, notifying an organization when, where and how an attack occurred and immediately providing administrators with any pertinent information. This relieves administrators of the burden of determining whether or not an attack has occurred and instead enables them to immediately focus on any additional response, if needed.

Adaptability to Changing Threats

Organizations must continuously update their WAF solution to address new vulnerabilities as they are discovered. In this context, most WAF solutions focus on how quickly a new rule can be created and deployed when needed. However, this ignores two other requirements that must first be met:

- Awareness of vulnerability: most organizations do not have visibility into the latest threats and must rely on their security vendor. However, WAF vendors often do not have the visibility themselves and struggle to notify customers of new attack vectors or provide rule updates in a timely manner.
- Security resources and expertise: most WAF vendors rely on organizations to create and deploy new rules as well as retest the updated WAF configuration for false positives and false negatives. However, most organizations either do not have or do not allocate sufficient time or resources to do so.

A more sustainable approach should leverage global visibility into changing threats, analyze new threats with a robust threat research capability and provide any necessary rule updates to protect against them with the least possible amount of impact on users and protected web applications.

Adequate Scale

A WAF solution without enough scale to handle the amount of incoming traffic can easily become a bottleneck, reducing web performance and possibly failing. Unfortunately, it can be difficult for organizations to predict the amount of traffic up front or quantify the scale required in a WAF solution. As a result, many organizations select a solution that does not have adequate scale and are forced to pull it out of line when the level of traffic exceeds its capabilities, either temporarily during traffic spikes or permanently as a result of web application growth, leaving the web application unprotected. A more effective approach seamlessly scales to match traffic demands as they vary over time and provides continuous protection without interruption or reducing web performance.

Ease of Management

In addition to updating for new vulnerabilities, a WAF solution needs to be continuously updated to reflect changes in the applications that it protects. This requires continuously scanning new web applications as they are first deployed as well as existing applications when they are updated, identifying new vulnerabilities and configuring rules to address those vulnerabilities. Web applications are constantly changing, and most organizations do not have the resources or expertise necessary to manage a WAF solution over time. A more manageable approach should help organizations identify rule updates that need to be made and implement them with minimal overhead.

Kona Rule Set

Akamai introduced its web application firewall solution in 2009 as the world's first cloud-based WAF. Built on a proprietary rules engine, the Akamai WAF solution takes a different approach from many traditional solutions. The Kona Rule Set (KRS) employs a small number of flexible rules in conjunction with an anomaly scoring model to better address the design principles of improved accuracy and visibility into attacks.

Broader and More Flexible Rules

Rather than address every vulnerability with a dedicated rule, KRS utilizes a smaller number of broader but more flexible rules to identify malicious requests. Akamai designed the underlying signatures for every rule to detect different attributes shared by multiple vulnerabilities, not the specific vulnerabilities themselves. This means that individual rules no longer determine if a request is malicious on their own, and KRS does not alert on or block requests based on individual rule triggers. Instead, multiple rules now work together to identify an attack.

Because every rule inspects for attributes that are common across multiple vulnerabilities, KRS has a higher likelihood of catching new attack permutations with existing rules. This improves the response that KRS provides to potential zero-day attacks (vulnerabilities that may not yet be known but have similar attributes to existing ones) and reduces the operational overhead required to manage Akamai's WAF solution over time.

Anomaly Scoring Model

KRS augments its WAF rules with an anomaly detection capability that provides context around individual rule triggers. Every rule trigger represents an anomaly: not a definitive conclusion, but a partial indicator that a request is malicious. In addition, different combinations of rule triggers can often be observed occurring together during different types of attacks. Creating an automated WAF testing framework enables Akamai to analyze the prevalence of every rule trigger across a wide range of known attack vectors as well as accidental byproducts of legitimate requests. KRS captures the observed patterns with an anomaly-scoring model.

With an anomaly-scoring model, KRS evaluates every request against the full list of enabled WAF rules and assigns a risk score based on the cumulative score of every rule triggered. KRS then alerts on or blocks a request if the cumulative risk score for that request exceeds the defined threshold for the relevant category. This provides several advantages:

- Higher accuracy: different rules have varying levels of accuracy in identifying malicious web requests. However, an anomaly-scoring model requires multiple rules to work together in order to determine the overall risk score of a request. This approach recognizes the role that many inaccurate rules have in helping to identify web attacks but reduces their ability to act on their own.
- Less noise: KRS generates an alert any time a request receives a risk score that exceeds the risk threshold, as opposed to whenever an individual rule triggers. This results in fewer alerts that administrators have to analyze and higher confidence that each alert seen represents an actual attack that must be investigated.

Weighted Risk Scoring

With an anomaly-scoring model, the scoring methodology has a significant impact on the effectiveness of the WAF solution. Different rules have varying levels of accuracy, and a well-designed rule set relies on multiple rules working together to identify a web attack. For example, one rule may be prone to false positives on its own but is indicative of an attack when triggered in conjunction with another rule. Akamai assigns every rule in KRS a weighted risk score that reflects its accuracy and contribution within the broader rule set towards identifying a malicious request.

The scoring methodology for KRS relies on two Akamai capabilities:

- Visibility: Akamai delivers 15-30% of daily global web traffic, providing it with visibility into a substantial volume of legitimate and malicious HTTP requests targeting thousands of customer websites. This includes many known to be prone to false positives and false negatives. As a result, Akamai web security teams have a deep understanding of the characteristics demonstrated by legitimate and malicious traffic as well as scenarios that can lead to lower rule accuracy.
- Closed-loop testing: Akamai performs closed-loop testing to continuously measure the overall accuracy of KRS, identify sources of false positives and false negatives, and adjust score weightings as needed. Closed loop testing provides essential feedback to ensure proper weighting for every individual rule and improve overall KRS accuracy over time.

Custom Rules

In certain situations, web applications may have unique security requirements that are not covered by default with KRS. These situations can include web applications that behave abnormally or that support an organization-specific business process but can be easily mistaken for a web attack. Akamai's WAF solution does provide the capability to create custom rules to expand the protections of KRS and cover any unique web application and organizational requirements. However, the anomaly-scoring model combined with a mechanism to publish rule updates provides KRS with a broad, flexible and well-designed rule set that often limits the need to create custom rules.

Closed Loop Testing and Updating KRS

A web application firewall has a static configuration, protecting a defined list of web applications against a known set of threats. However, most organizations do not have sufficient resources or security expertise to continuously track developing threats, update their WAF configurations, and retest against their web traffic to ensure low false positives and false negatives. Akamai continuously updates the Kona Rule Set using closed loop testing to account for changing threats while maintaining accuracy.

Automated WAF Testing Framework

Akamai continuously tests its WAF solution using an automated WAF-testing framework. Daily test runs subject the WAF to a very large real-world set of both legitimate and malicious HTTP requests. Akamai then compares the full HTTP request and response with the expected or ideal results, analyzes root causes for false positives and false negatives, and updates existing or creates new rules.

The automated WAF-testing framework provides a construct to measure WAF accuracy in a repeatable and consistent manner over time. As shown in Figure 2, this allows Akamai to better understand how changes to KRS impact overall accuracy and improve rule coverage while minimizing false positives and false negatives.

Figure 2: Continuously improving KRS accuracy through closed-loop testing. Measuring KRS accuracy: false positives and false negatives for CRS 2.2.6, KRS (Oct 2013) and KRS (Oct 2014). Plotted values as extracted, without their series assignment: 0.94%, 28.90%, 4.89%, 3.62%, 0.09%, 0.06%.

Testing with Real-world Data

Testing a WAF solution relies on a simple premise: send different attack vectors through a WAF and verify that the enabled rules stop the web attacks. However, real-world environments are more complex than test environments and often lead to false positives and false negatives. Designing a testing framework with accuracy in mind requires additional verification: not just that the tested rules detected attacks, but that they do so without inadvertently triggering false positives or false negatives. Equally important, it requires the use of real web traffic, with a large mix of both legitimate and attack traffic designed to stress the WAF response.

Akamai's automated WAF testing framework simulates live web traffic by combining a real-world set of HTTP requests with known attack vectors and exploits in a ratio of 95% legitimate to 5% attack traffic.

Legitimate traffic comprises over 12,000 different HTTP requests based on recorded interactions with a large number of public websites, including:

- All of the Alexa Top 100 websites
- Websites representing a broad range of industry verticals, including e-commerce, financial services, media, social networking, and health & life sciences
- Specific websites from Akamai customers that are known to generate an above-average percentage of false positives and false negatives

Attack traffic comprises over 700 attack vectors and exploits cultivated from Akamai's Cloud Security Intelligence data analysis engine as well as publicly available tools and databases, including:

- Commercial web scanners
- Common attack tools like sqlmap and Havij
- Other known exploits from the Offensive Security Exploits Database Archive

Publishing Rule Changes

The automated WAF testing framework allows Akamai to continuously identify rules that can be improved, create new or modify existing rules, and measure the results of any change in terms of accuracy. In addition, Akamai may release new WAF rules in response to newly discovered vulnerabilities, depending on their severity and existing coverage under available KRS rules. Akamai publishes rule changes to customers in two ways:

- Standard: Akamai makes regular updates to KRS as required. Rule changes are available for all customers to enable through the Luna Control Center. Akamai releases new rules to KRS in situations where a large majority of customers are impacted or can benefit from the change.
- Custom: custom rules provide a rapid response for targeted or affected customers to implement on an individual basis. Akamai releases custom rules in situations requiring minimal implementation time or impacting a small subset of specific customers and notifies customers through their support team.

Balancing FP and FN

Figure 2 shows the accuracy of Akamai's WAF in a generic configuration before tuning for a specific customer environment. The 3.62% false-negative rate illustrates a tension present in any WAF solution: the need to balance between false positives and false negatives. When tuning KRS, Akamai's threat research team strives for the optimal balance between false positives and false negatives while working to minimize both. Examining the false negatives reveals a number of probes that pose low risk but closely resemble legitimate user requests, and further tuning KRS to identify them as malicious risks increasing the false positive rate. In this case, the benefit of a lower false positive rate outweighs that of slightly higher false negatives. Organizations have the option to further tune KRS for their specific environment to remove these false negatives as well as create custom rules as necessary.

Rule Versioning

Akamai does not automatically implement rule changes for customers in order to minimize any unexpected impact on false positives and false negatives. Instead, Akamai publishes the rule changes and notifies customers of their availability through a rule-versioning feature. With rule versioning, customers can see new rules or changes to existing rules in the Luna Control Center. Customers can then choose to enable individual rule changes as appropriate or necessary for their specific web application environment.

Rule versioning provides Akamai customers with flexibility and granularity in configuring specific versions of individual rules within a KRS release. In addition, it allows Akamai to rapidly release new rules in response to critical vulnerabilities without the overhead of updating KRS as a whole.

Case Study: CVE-2015-1635

On April 14, 2015, Microsoft disclosed a vulnerability existing in the HTTP protocol stack (HTTP.sys) for multiple versions of the Windows operating system. Described in CVE-2015-1635, this vulnerability potentially allows remote attackers to execute arbitrary code through a specially crafted HTTP request. CVE-2015-1635 did not impact Akamai production servers. However, Windows Internet Information Systems (IIS) is widely adopted for web servers within the Akamai customer base. Akamai created a new WAF rule that blocked attempts to exploit this vulnerability and made it available to customers:

- April 16, 2015: Akamai announced a custom rule on Akamai Community and requested affected customers to contact Akamai Customer Care.
- April 20, 2015: Akamai released a standard rule for KRS and made it available for all customers to enable through Luna Control Center.
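The anomaly-scoring model and the closed-loop accuracy measurement described above can be seen working together in the following added example, which is not Akamai's code and does not reproduce KRS. The rule names, patterns, weights, thresholds and the small labelled corpus are all constructed assumptions; the corpus does not follow the 95%/5% traffic mix.

```python
import re

# Hypothetical rules: (rule id, category, weight, pattern). Each one matches an
# attribute shared by many attacks; none of them is decisive on its own.
RULES = [
    ("sqli-keyword",      "SQLI", 2, r"\b(?:union|select|insert|drop)\b"),
    ("sqli-union-select", "SQLI", 4, r"\bunion\b.*\bselect\b"),
    ("sqli-comment",      "SQLI", 2, r"--|/\*"),
    ("sqli-tautology",    "SQLI", 4, r"\bor\s+\d+\s*=\s*\d+"),
    ("sqli-quote",        "SQLI", 1, r"'"),
    ("xss-script-tag",    "XSS",  4, r"<\s*script\b"),
    ("xss-event-handler", "XSS",  4, r"\bon\w+\s*="),
    ("xss-angle",         "XSS",  1, r"[<>]"),
]
COMPILED = [(rid, cat, w, re.compile(p, re.IGNORECASE)) for rid, cat, w, p in RULES]

# Assumed per-category thresholds: act only when the cumulative score exceeds them.
THRESHOLDS = {"SQLI": 4, "XSS": 4}


def triggered(request):
    """Return (rule id, category, weight) for every rule the request triggers."""
    return [(rid, cat, w) for rid, cat, w, rx in COMPILED if rx.search(request)]


def score(request):
    """Cumulative weighted risk score per category."""
    totals = {}
    for _rid, cat, weight in triggered(request):
        totals[cat] = totals.get(cat, 0) + weight
    return totals


def anomaly_verdict(request):
    """Block only if some category's cumulative score exceeds its threshold."""
    return any(s > THRESHOLDS[cat] for cat, s in score(request).items())


def single_rule_verdict(request):
    """Baseline for comparison: block as soon as any individual rule triggers."""
    return bool(triggered(request))


# Constructed, labelled test traffic: (request parameters, is_attack).
CORPUS = [
    ("q=running shoes", False),
    ("q=select a plan", False),
    ("name=O'Brien", False),
    ("note=drop off at door -- thanks", False),
    ("review=price < 20 and rating > 4", False),
    ("page=2&sort=asc", False),
    ("id=1' or 1=1 --", True),
    ("id=1 union select password from users", True),
    ("c=<script>alert(1)</script>", True),
    ("c=<img src=x onerror=alert(1)>", True),
    ("id=1'", True),  # low-risk probe that resembles a legitimate request
]


def measure(verdict, corpus=CORPUS):
    """Closed-loop check: compare each verdict with the label and count outcomes.

    Assumed definitions: FP rate = FP / (FP + TN), FN rate = FN / (FN + TP).
    """
    c = {"TP": 0, "FP": 0, "TN": 0, "FN": 0}
    for request, is_attack in corpus:
        blocked = verdict(request)
        if is_attack:
            c["TP" if blocked else "FN"] += 1
        else:
            c["FP" if blocked else "TN"] += 1
    c["fp_rate"] = c["FP"] / (c["FP"] + c["TN"])
    c["fn_rate"] = c["FN"] / (c["FN"] + c["TP"])
    return c


if __name__ == "__main__":
    for name, verdict in (("single-rule", single_rule_verdict),
                          ("anomaly-scoring", anomaly_verdict)):
        print(name, measure(verdict))
```

On this corpus the single-rule baseline blocks four of the six legitimate requests, while the scoring model blocks none of them and misses only the bare quote probe, the same kind of low-risk false negative the white paper chooses to tolerate.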

Threat Intelligence

Having a robust and in-house threat intelligence capability improves a WAF vendor's ability to respond to developing threats. However, the quality, timeliness and actionability of the intelligence provided will determine the amount of impact on application security effectiveness. Akamai continuously analyzes the data available through the Intelligent Platform™ to identify current trends in the threat landscape, new attack vectors as they are first seen and currently active attackers. Akamai then incorporates that intelligence into its WAF solution in multiple ways: incident response, continuously improved WAF rules and the Client Reputation product.

Cloud Security Intelligence

Cloud Security Intelligence (CSI) provides Akamai with the mechanism to analyze attack traffic on a global scale against every Akamai customer in a timely manner. CSI utilizes Apache Hadoop to ingest over 20 TB of attack data every day and retain it for 45 days, with over 2 PB of data stored at any time. CSI leverages Akamai's visibility into web traffic to thousands of the largest, most heavily trafficked and most frequently attacked online businesses to acquire relevant and high-quality data for analysis by Akamai's threat research team:

- WAF rule triggers: CSI ingests data directly from Akamai's global WAF deployments, capturing actual attack events targeting every Akamai security customer.
- CDN logs: CSI incorporates offline analysis performed on event logs from every Akamai customer, including those that have not deployed its WAF solution.

Threat Research and Incident Response

Threat research and incident response organizations provide human intelligence and analysis to complement and broaden the attack coverage of a WAF solution. Akamai employs multiple teams with different charters to support its WAF customers as well as identify new attack vectors that may require additional WAF rules:

- Threat research: the Akamai Threat Research Team performs regular analysis of web attack trends across the entire Akamai customer base as well as custom analysis for individual customers as required. The Akamai Threat Research Team designs and implements heuristics to query CSI for actionable intelligence to support the creation of custom WAF rules, broader KRS updates and the Client Reputation product.
- Incident response: Akamai operates two incident response teams, the Computer Security Incident Response Team (CSIRT) and Security Emergency Response Team (SERT), to work with Akamai's global security operations center (SOC) and provide analysis and incident response for individual customers when they experience an attack. In addition, CSIRT monitors frequently attacked Akamai customers, representing a broad range of industry verticals, as a leading indicator of new attack vectors or trends.

Figure 3: The Akamai WAF solution can see over 80 million rule triggers hourly across a broad range of industry verticals

Case Study: Remote File Inclusion

On January 5, 2014, an Akamai customer reported an unknown attack and asked Akamai to investigate. Analyzing the customer's event logs, CSIRT identified the first known attempt to exploit a remote file inclusion (RFI) vulnerability with 2,122 different RFI exploit attempts. In parallel, the Akamai Threat Research Team queried CSI to identify other Akamai customers who may have been targeted by this attacker as well as other attackers making similar RFI exploit attempts. They found that:

- This attacker had targeted 34 different websites, with a total of 24,301 RFI exploit attempts.
- This attacker was part of a 272-strong botnet that had targeted 1,696 different websites with 1,358,980 RFI exploit attempts.

Akamai determined that the attacker was targeting Akamai customers with the Skipfish web vulnerability scanner, which had been recently updated to include RFI vulnerabilities. Within three days, CSIRT issued a threat advisory to affected customers detailing the attack vector and providing a custom WAF rule to block unauthorized scans for RFI vulnerabilities. In addition, Akamai created a standard KRS rule to block RFI exploits and made it available to all Akamai customers running KRS.

Client Reputation

Client Reputation augments Akamai's WAF solution with an additional layer of defense using behavioral analysis. While a WAF identifies individual malicious HTTP requests, Client Reputation identifies clients at higher risk of issuing those requests. Client Reputation performs hourly queries to CSI to identify potentially malicious clients and score them based on prior interactions with other Akamai customers. It then provides that risk score to the WAF, allowing it to alert on or block clients from issuing requests according to customizable thresholds.

Client Reputation provides a simple mechanism for individual organizations to leverage Akamai's visibility into the actions of 40 million unique IP addresses on a daily basis and hundreds of millions monthly.

Figure 4: Comparison of malicious IP addresses detected by Client Reputation and the WAF over a 24-hour period. Case study: US national retailer. Malicious IP addresses detected over 24-hour period; series: detected by WAF, detected by Client Reputation.

As shown in Figure 4, this visibility can help organizations detect a greater number of threats than relying on a WAF alone. Organizations can enable this protection without the overhead of managing IP whitelists and blacklists. In addition, the ability to take action based on a reputational score allows organizations to customize the protection provided to the level of risk appropriate for their business.

Globally Distributed Cloud Platform

Akamai deploys its WAF solution on a globally distributed cloud platform comprising over 189,000 servers in more than 1,400 networks and 100 countries around the world. Because users and attackers connect to protected websites through the closest Akamai server, this provides web application security at a global scale without impacting performance.

Global Scale

A web application firewall inspects incoming HTTP requests and evaluates the contents of each request against the list of enabled rules. For a WAF, the issue of scale revolves around both its ability to inspect the required volume of web traffic (initially and as it increases over time) and the number of WAF rules required to evaluate that traffic against. Traditional hardware-based WAF solutions often suffer from poor scale because they are limited to the CPU and memory resources available within the appliance and may have to compete with other solutions on the same appliance.

Deploying a WAF across Akamai's cloud platform eliminates the issue of scale by leveraging Akamai's distributed server resources to inspect incoming web traffic. Users and attackers connect to protected websites through the closest Akamai server, which then inspects traffic for attacks and blocks any detected malicious requests. This allows Akamai's WAF solution to seamlessly scale with any increase in the amount of web application traffic (both sudden spikes in traffic as well as long-term growth) as well as with new user locations around the world.

Performance

While security solutions are not designed to improve performance, poor performance can hinder deployment of a security solution, especially a WAF solution deployed inline in front of an application. Protected websites represent critical business functions and reducing performance can lead to reduced revenue, poor user experience, or slower time to market.

Figure 5 shows that IT professionals prioritize security and performance differently depending on their role in the organization. Security professionals will prioritize the quality and effectiveness of the security provided, while application owners place a premium on application performance.

The global scale of Akamai's cloud platform allows the WAF to protect web applications without reducing performance. The globally distributed WAF inspects HTTP traffic as it first comes onto the platform, distributing the CPU and memory resources required to inspect that traffic across all of the servers on the platform. This removes the issue of performance as a source of intra-organizational friction and an obstruction to deployment.

Figure 5: Is Security or Performance more important? (Ponemon Institute, May 2015). Categories: security is more important; performance is more important; both security and performance are equally important. Values as extracted: 20%, 23%, 25%.

Managed Security Services

Managing a WAF solution requires dedicated resources, with expertise in both the protected web applications as well as potential attacks. However, most organizations do not have enough staff to dedicate to managing their WAF solution or analyzing and investigating alerts. For customers deploying its WAF solution, Akamai provides two levels of managed services to help organizations monitor their protected web applications, respond to security incidents and manage their WAF over time.

Ongoing WAF Management

A web application firewall requires ongoing management in order to keep its configuration up to date with changes in protected web applications and capture newly discovered threats. Akamai helps organizations integrate this process with the natural lifecycles of their protected web applications with two capabilities:

- Regularly scheduled reviews to evaluate recent web application changes, reevaluate alert thresholds, perform false-positive and true-positive analysis, and recommend appropriate configuration updates.
- Ongoing configuration assistance to analyze proposed rule changes or available rule updates, evaluate the impact of proposed web application changes, and implement any required WAF configuration.

Managed Attack Support

In addition to ongoing WAF management, Akamai can also provide customers with managed attack support: 24/7 monitoring of protected websites and a managed response to any detected attacks. Managed attack support utilizes staff in Akamai's global SOC to respond to security incidents as they occur by:

- Responding to WAF alerts and customer requests and performing further investigation of issues.
- Determining an appropriate attack signature and deploying additional mitigation measures.
- W

113、orking with customer application teams to measure the effectiveness and accuracy of deployed mitigations,adjusting mitigations as necessary.Reviewing overall response with customer application teams after the incident.ConclusionThe Akamai approach starts from an appreciation of the WAF as one of the

114、 most complex web security solutions available to organizations today.With a wide range of required security resources and expertise,few organizations have the capability to deploy and manage a WAF effectively on their own.The Akamai approach aims to make effective web application security available

115、 to any organization by simplifying much of the complexity around the WAF,as well as within the WAF itself.The Kona Rule Set provides the foundation for Akamais WAF solution,increasing accuracy and visibility into attacks as they occur.In addition,Akamai has constructed mechanisms around KRS to redu

116、ce the complexity of managing the WAF over time,including closed-loop testing to introduce new rules while improving accuracy,threat intelligence to keep abreast of the latest threats and managed security services to help organizations align the WAF to the lifecycles of their web applications.2015 A

117、kamai Technologies,Inc.All Rights Reserved.Reproduction in whole or in part in any form or medium without express written permission is prohibited.Akamai and the Akamai wave logo are registered trademarks.Other trademarks contained herein are the property of their respective owners.Akamai believes t

118、hat the information in this publication is accurate as of its publication date;such information is subject to change without notice.Published 09/15.Akamai is headquartered in Cambridge,Massachusetts in the United States with operations in more than 57 offices around the world.Our services and renown

119、ed customer care are designed to enable businesses to provide an unparalleled Internet experience for their customers worldwide.Addresses,phone numbers and contact information for all locations are listed on the global leader in Content Delivery Network(CDN)services,Akamai makes the Internet fast,re

120、liable and secure for its customers.The companys advanced web performance,mobile performance,cloud security and media delivery solutions are revolutionizing how businesses optimize consumer,enterprise and entertainment experiences for any device,anywhere.To learn how Akamai solutions and its team of Internet experts are helping businesses move faster forward,please visit or ,and follow Akamai on Twitter.
