Category Archives: waf

Data Protection Laws & Compliance As Drivers of WAF Adoption

WAFs are among the most common security controls used by organizations in both the public and private sectors to protect their web applications against common web exploits.

Driven by the extensive growth in attack volume against web applications, the global WAF market size is expected to reach $6.89 billion by 2024. What else is driving this growth across industries?

Driver of WAF adoption

compliance waf firewall

In a research study by Computing, 62% of  IT decision makers surveyed across various industries stated regulatory compliance as their primary reason for purchasing a WAF.

With regulations introduced to protect consumer data safety, businesses and organizations are keen to adopt industry standards like PCI-DSS (Payment Card Industry Data Security Standard), given that the standard is a prerequisite for businesses who need to accept and process online credit card payments.

Other notable drivers of WAF adoption in the study found that: 

  • 46% of respondents find that inherent vulnerabilities to application layer attacks had enabled them to present a compelling business case for a WAF.
  • 23% were driven by penetration testing that alerted them to some serious vulnerabilities in their web applications. 
  • 18% stated that there was simply no other cost-effective way of securing legacy applications.

Role of WAF in data protection laws

 

In the 1990s, there were only 20 data privacy laws worldwide. Now, there are over 100.  In many cases, government regulations require the deployment of a WAF, either explicitly or implicitly. 

WAFs by their very nature are designed to protect an organization’s core assets (i.e. web applications) and maintain data integrity. That’s why countries with mature cybersecurity markets tend to have data protection or data privacy laws in place to address data security.

One of the most well-known government laws contributing to WAF adoption is the GDPR (General Data Protection Regulation), which is the EU’s answer to adhere to data protection and privacy for all its citizens.

However, not all countries have highly developed laws like the GDRP. Many countries have data protection laws that are too general and might not provide enough guidance to delegate any sort of accountability for companies that hold user data. In these cases, there is also no mention of deploying a WAF.

Saudi Arabia, for example, has privacy laws similar to those found in other countries but their laws simply address privacy and data collection with no mention of data security or clause to notify users of notification of data breaches. 

Why compliance and protecting customer data matter

Besides a desire to avoid any penalties or suspended privileges of their services, adhering to data protection laws and compliance industry standards also establish trust among data owners. 

By demonstrating a commitment to data protection through compliance, more users will be willing to engage with their services. If an organization does not uphold these standards, users will be less willing to just give up their personal information, and a company’s reputation may be on the line.

Therefore, it makes sense that any company that processes, manages, and stores personal data must engage in the proper security protocols to protect user data and notify users of any data breaches.

Though not all data privacy laws explicitly require WAF adoption, data protection can be achieved with its implementation. 

Take a look below at some of the laws around the world aimed at protecting user data.

Europe North America Latin America
EU: GDPR (General Data Protection Regulation) Canada: Personal Information Protection and Electronic Documents Act (PIPEDA) Brazil: Lei Geral de Proteção de Dados (LGPD)
UK: Data Protection Act 2018 US: Privacy Act of 1974 Family Educational Rights and Privacy Act (FERPA) Mexico: Federal Law on Protection of Personal Data Held by Individuals (LFPDPPP)
Sweden: Data Protection Act (DPA) Argentina: Personal Data Protection Act 2000 (Law No. 25,326)
France: French Data Protection Act 2 (FDPA)
Germany: Federal Data Protection Act 2017 (Bundesdatenschutzgesetz – BDSG)
Middle East Africa Asia-Pacific
Israel: Privacy Protection Law (5741-1981) South Africa: Protection of Personal Information Act 2013 (POPIA) Singapore: The Personal Data Protection Act 2012
Hong Kong: Personal Data Privacy Ordinance Cap 486 (PDPO)
Australia: Privacy Act of 1988 and Telecommunications Act 1997
Malaysia: Personal Data Protection Act (PDPA)

Is there a famous data privacy law we missed? Drop us a line!

The post Data Protection Laws & Compliance As Drivers of WAF Adoption appeared first on Cloudbric.

3 Ways to Secure WAF APIs

In a recent cloud WAF hacking, many customers were alarmed when private API keys, salted passwords, and SSL certificates were revealed to have been compromised.

It’s clear from this specific hacking incident that the appropriate steps were not taken to protect customers’ data. One proper security measure that was overlooked was API security.

API security is concerned with the transfer of data connected to the internet, which means broken, exposed, or hacked APIs can lead to breaches. 

For a cloud WAF, they are essential for the integration of the WAF service into the client’s servers. This blog post will delve deeper into what API security means for cloud WAFs and how you can secure your APIs for WAFs.

Encrypt your API keys.

Keys are central to API security. API keys are essentially long strings that uniquely identify an application and allow two applications to communicate over the internet. 

For WAF vendors and customers, securing these keys can mitigate threats such as man-in-the-middle (MITM) attacks (which alter communications of API messages between two parties) by preventing the interception of site traffic. 

However, this can be protected with SSL. By securing all of your webpages using SSL (which encrypts transmitted data) your data sent via web APIs will also be encrypted. 

This is crucial because APIs sometimes contain sensitive information (e.g. email, card information); with encryption, you can thwart off hackers who are trying to intercept your communications. 

Authenticate users that utilize the API keys.

If an API key is not authenticated, there’s no guarantee that the user “calling” the API is the one you intended to issue the WAF API key. By determining the identity of the user, authentication can help reduce the misuse of the system by preventing too many API requests from one user.

While basic authentication can be implemented using SSL, there are more secure alternatives to authenticate users when using WAF APIs. 

These include OAuth 2 and OpenID Connect, two popular industry standards for authentication.

Some WAFs also offer API tokens that support two-factor authentication. For example, a one-time password can be generated to quickly identify your intended recipient. 

Consider using a secure API Gateway.

If properly secured, API gateways can add an added layer of protection. However, many API gateway technologies are designed for integration, and not necessarily designed with security in mind.

These API products simply provide access control, which is not enough to properly APIs from external threats.

However, API security is much more than access control. Because API gateways also handle traffic management, you might be concerned about data leakage and data integrity.

Luckily, WAFs are commonly used to secure API platforms, as they are able to prevent common web exploits misuse and exploitation. A WAF can also help mitigate application-layer DDoS attacks.

Conclusion

Threats posed by vulnerable APIs, including those affecting WAFs, are ever-growing. In fact, 9 of the top 10 vulnerabilities mentioned by the latest OWASP Top 10 now note APIs.

Yet, API security remains overlooked in information security today. This is because API vulnerabilities are not easy to detect without specialized technology.

WAFs are one way to make sure API platforms are secured, and for securing the actual WAF API keys, encryption and authentication will come in handy. 

As threats evolve and organizations become more aware of the threats that vulnerable APIs pose, it’s clear API security will gain more traction in not just the WAF arena but other cloud services as well.

The post 3 Ways to Secure WAF APIs appeared first on Cloudbric.

What Types of Threat Detection Technologies Are There for WAF (Web Application Firewall) Solutions?

Threat detection is at the core of a WAF’s capabilities to accurately identify and block incoming attacks. However, not all threat engines are built the same.

Many WAF vendors use ModSecurity’s engine, an open-source web application firewall, for their core ruleset. 

This core rule set contains a set of generic attack detection rules that provide protection against many common attack categories, including SQL Injection (SQLi), Cross Site Scripting (XSS), Local File Inclusion (LFI), Remote File Inclusion (RFI), and more. 

As mentioned, ModSecurity’s threat detection engine is a free-to-use, open software that forms the basis of many WAF engines. 

However, there are some WAF vendors using their own proprietary technology that doesn’t just rely on ModSecurity’s core rule set to protect web applications against zero-day type attacks and other sophisticated web attacks.  

Some of these techniques and methods include using signatures, application learning, and AI.

Take a look below at some of the threat detection techniques that are being applied for WAFs and decide for yourself what kind of WAF might be able to withstand today’s evolving threat landscape. 

Signature-based threat detection

Signature-based (or pattern-matching) models are mostly associated with traditional WAFs. 

A signature represents a pattern containing pieces of code that make up a known attack on an operating system, web server, or website.

A signature-based WAF will take a string of suspicious code and run it against its signatures. And if it matches a signature, it is subsequently blocked. 

Sounds simple enough. 

However, this may create problems such as false positives and false negatives. This can also possibly block actual users from getting access to the web application (i.e. website). Furthermore, if a malicious string of code is not recognized because no signature for it exists, then it also goes undetected and does not get blocked by the threat detection engine. 

Hackers can easily add code to the string that does not match any of the signatures, thereby bypassing the firewall and accessing the web application. 

As a result, signature-based WAFs are only able to protect applications from known vulnerabilities and cannot effectively protect against new web attacks.

Signature-free/signature-less threat detection

In general, third-generation WAFs will want to use both signature (pattern matching) techniques and “signature-less” techniques for threat detection.

A signature-less or signature-free WAF simply means that the WAF’s threat engine does rely on signatures to identify and block attacks. 

Instead the WAF uses its own rulesets (either combined with ModSecurity’s core rule set or rule set developed in-house) to intelligently identify the characteristics of an attack that does not rely on signatures. 

This type of WAF threat engine can detect while blocking unknown vulnerabilities, protecting applications from never-before-seen threats.

This is not to say that signature-based models are not useful. However, unless there are regular updates to the signatures, those not updated become less useful over time. Updates may also incur additional costs. 

With signature-free techniques, signature updates are not required. For WAF customers, this means more cost savings.

Application learning/behavior-based threat detection

The parameter of an application includes value ranges for form fields, HTTP methods, cookies, etc. 

An application learning model develops a “profile” by looking at data entries and other facets of the behaviors of users as it relates to each of these parameters. 

A behavior-based WAF can detect whether or not an application is behaving the way it should through these parameters. User actions are compared against expected behaviors to recognize anomalies and then trigger alerts. 

Over time, as the WAF’s threat engine updates these profiles by gathering more data on user behavior, the application-learning technology monitors responses to certain data inputs to learn what responses to expect in the future. 

Behavior not within this profile scope and previously unobserved by the WAF threat engine triggers an alert to the security team.

Behaviors that trigger an alert even though it’s not malicious might cause incoming web application traffic to be blocked entirely. So when a new trend emerges, it may be blocked until an actual person can review the trend and decide whether it’s truly a threat or not. 

This creates several problems. First, this means more resources (i.e. people) are required to manage the WAF engine due to the manual checkups. Second, it can increase the false positive rate.

While these setbacks are also associated with conventional WAFs, a behavior-based WAF is still a significant improvement. 

As the WAF’s threat engine gathers more information on user behavior, the profile gets updated to learn what types of responses (i.e grant or block access) to give. 

Artificial intelligence (AI)/machine learning-based threat detection

Reducing the high resource requirements sometimes needed in managing a WAF is something most companies seek to avoid.  

To combat the human resource issue, machine learning powered-automated tasks can be created to constantly learn the newest data (threat data or otherwise) without human intervention.

Machine learning enables the WAF engine to classify files and data sources much more accurately and distinguish between legitimate and illegitimate threats. 

Very few WAFs have incorporated this type of machine learning that uses an “automated calculation of the probability that a user or application behavior represents a threat requiring a security response.” 

The WAF in turn, uses these predefined rules that ultimately determine the likelihood of the threat to respond to any behavior anomalies. 

This significantly reduces false positives as compared to application learning and also reduces the need to allocate valuable staff resources to resolve false positives issues.

Machine learning can build predictive models to detect similarities between attack patterns and discover unknown patterns.

Deep learning-based threat detection

As a subset of machine learning, deep learning for WAF threat detection is just beginning to be explored. 

Deep learning methods are already being used for Intrusion Detection Systems (IDS) in the cybersecurity arena.

One way deep learning is being used to detect web attacks is through the usage of a CNN (Convolutional Neural Network), which can be used specifically to analyze HTTP request packets. This makes it possible to also analyze a diverse set of attack inputs and data.

CNN is widely used in computer vision area and image-related tasks. In one example, deep learning capabilities are being used to convert web attacks into in UTF-8 hexadecimal format. 

It is then turned into an image and is fed into a deep learning machine.  With this, the machine will be able to recognize web traffic and learn as more data is fed through it. Read more. 

Combined with core WAF capabilities, deep learning can enhance the threat detection of any WAF to more intelligently find new types of web attacks and also accurately distinguish legitimate users and illegitimate users.

Conclusion

WAF technologies are now evolving to meet the new and more sophisticated types of web threats that are arising across organizations. 

Some of the ways in which WAFs are evolving is the incorporation of new technologies to their threat engines as they move away from traditional signatures to include application learning/behavioral analysis methods, signature-free methods, and AI. 

Furthermore, big data is also making its way into WAF threat engines. One way it is being used is through the analysis of global threats across individual clients’ WAFs to be a block one kind of attack and apply it rapidly to other clients. 

Now that the threat landscape calls for more precise detection of both known and unknown attacks, it seems like organizations will also seek to deploy WAFs that hold greater capabilities than their predecessors. 

The post What Types of Threat Detection Technologies Are There for WAF (Web Application Firewall) Solutions? appeared first on Cloudbric.

What Are Some Barriers That Web Hosting Providers Face in Deploying a WAF?

Website owners rely on web hosting providers to get their websites up and running online. 

But here’s the thing that may stumble some website owners: Hosting providers are only responsible for protecting the server in which websites are hosted, but customers will need to protect their own websites within the server. 

Bottom line: Web hosting providers are not responsible for the security of websites themselves.

What some web hosting providers may not realize is that the level of security that a web hosting service offers is extremely important to a prospective customer.

Depending on their needs, customers may be looking to see whether a web hosting provider offers SSL, backups, DDoS mitigation, firewalls, and more. 

Web hosting providers may choose instead to focus on offering content management systems (WordPress, Drupal, Joomla etc.) rather than any web security tools. 

This blog post will discuss some of the concerns web hosting providers may have in partnering with a security vendor specifically to offer a WAF (Web Application Firewall). What are some barriers to entry and how can Cloudbric make the transition smoother compared to other WAF vendors?

1) Extremely long learning curve 

First, web hosting providers may be worried about the deployment and management requirements that come with installing and utilizing a WAF. 

Before they can extend security to their customers, web hosters are faced with a slight learning curve when configuring a WAF for the first time or when creating custom policy rules that fit their security needs.

Regardless of the WAF vendor that a web hoster ultimately partners with, there will be some kind of learning curve. Luckily WAF security vendors like Cloudbric seek to minimize management requirements by providing flexible deployment models.

With API integrations available for web hosting providers, these web hosting companies can easily integrate Cloudbric’s APIs into their WAF service sign up process to offer WAF as an add-on security service into their hosting plans. 

2) Perceived need for multiple security personnel needed to deploy and maintain WAF

The primary business model that web hosting providers profit the most is from hosting websites on their servers. They have thousands of clients they manage and must keep happy.

Some of their responsibilities include guaranteeing high reliability/uptime in addition to providing technical support. 

Depending on the size of the web hosting firm, web hosters may feel like they need a big security team to deploy and maintain WAF. However, there are many security vendors out there that offer fully managed WAFs such as Cloudbric. 

The management of WAF can be very low which allows IT personnel to just “set it and forget it.” This means web hosters do only the minimal work but at the same time still benefit from having an additional source of monthly revenue by extending web application security to their customers.


3) Complex UI/UX

UI/UX is extremely important to almost every software user out there. For WAFs, it’s no different. Most web hosting providers want a seamless experience when using a WAF console in order to manage customers and disseminate threat information easily. 

Furthermore, end users themselves should be able to login to their own dashboards and understand their web attacks and perform basic security settings such as IP blocking.

One added benefit for web hosting providers is expending far fewer resources to reach those insights.

Cloudbric’s user-friendly WAF console makes it easy for web hosting providers to manage all client websites.

Learn more by requesting a demo with Cloudbric. 

4) Upkeep costs

For web hosters, there is always the fear of additional upkeep costs, upgrades, and other “hidden” costs.

Most web hosters are interested in making a return on investment (ROI) but will need to consider the total cost of ownership should they choose to provide WAF to their customers as an add-on security service. 

(Contact us to get a quote and see for yourself  how Cloudbric offers the cheapest WAF compared to other vendors.)

The total cost of ownership includes more than just the product purchase. For WAFs, there might be installation fees and upkeep fees to worry about. Upkeep costs may include hardware or software updates. 

Fortunately, with cloud-based options like Cloudbric, there is zero hardware required to install or maintain an exclusive WAF. 

Furthermore, there is no need to worry about management costs such as day-to-day tasks including any configurations, policy updates etc. Cloudbric’s security team of experts can handle all of this for web hosting providers. 

Finally, signature updates for the WAF technology itself are also not necessary because Cloudbric uses signature-free and AI techniques to detect threats.

Conclusion

For web hosting companies with a low-profit margin, adding complementary security services to their paid hosting plans can create new streams of revenue. 

Web hosting companies may be interested in distributing WAF to their customers but are hesitant to do so due to perceived barriers to entry. 

However, as we explored in this blog post, these barriers such as a need for a specialized security team, complex UI/UX, and upkeep costs, can all be addressed with the right WAF vendor.

If you’re a web hosting service provider, and if you’d like to talk to one of our security experts in more detail,  fill out the form below! No commitments whatsoever. 

[contact-form-7]

The post What Are Some Barriers That Web Hosting Providers Face in Deploying a WAF? appeared first on Cloudbric.

My Cloud WAF Service Provider Suffered a Data Breach…How Can I Protect Myself?

In the age of information, data is everything. Since the implementation of GDPR in the EU, businesses around the world have grown more “data conscious;” in turn, people, too, know that their data is valuable.

It’s also common knowledge at this point that data breaches are costly. For example, Equifax, the company behind the largest-ever data breach, is expected to pay at least $650 million in settlement fees.

And that’s just the anticipated legal costs associated with the hacking. The company is spending hundreds of millions of dollars in upgrading its systems to avert any future incidents. 

In the cloud WAF arena, data breaches are no strangers. Having powerful threat detection capabilities behind your cloud WAF service provider, while important, is not the only thing to rely on for data breach prevention. 

API security and secure SSL certificate management are just as important. 

So, what are some ways hackers can cause damage as it relates to cloud WAF customers? And how can you protect yourself if you are using a cloud WAF service?

The topics covered in this blog will answer the following:

  • What can hackers do with stolen emails?
  • What can hackers do with salted passwords?
  • What can hackers do with API keys?
  • What can hackers do with compromised SSL certificates?
  • What can I do to protect myself if I am using a cloud WAF?


► What can hackers do with stolen emails?

When you sign up for a cloud WAF service, your email is automatically stored in the WAF vendor’s database so long as you use their service. 

In case of a data breach, if emails alone are compromised, then phishing emails and spam are probably your main concern. Phishing emails are so common we often sometimes we forget how dangerous they are. 

For example, if a hacker has access to your email, they have many ways they can impersonate a legal entity (e.g. by purchasing a similar company domain) and send unsolicited emails to your inbox.

 

► What can hackers do with salted passwords?

Cloud WAF vendors that store passwords in their database without any hashing or salting are putting their customers at risk if there is a breach, and even more so if hackers already have email addresses. 

In this scenario, hackers can quickly take over your account or sell your login credentials online. But what if the WAF vendors salted the passwords? Hashing passwords can certainly protect against some hacker intrusions.

In the event of a password breach without salting/hashing, a hacker can get your website to validate your password when the website compares and matches the stored hash to the hash in the database.

This is where salting the hash can help defeat this particular attack, but it won’t guarantee protection against hash collision attacks (a type of attack on a cryptographic hash that tries to find two inputs that produce the same hash value).

In this scenario, systems with weak hashing algorithms can allow hackers access to your account even if the actual password is wrong because whether they insert different inputs (actual password and some other string of characters for example), the output is the same.

► What can hackers do with API keys?

Cloud WAF vendors that use or provide APIs to allow third-party access must place extra attention to API security to protect their customers. 

APIs are connected to the internet and transfer data and allows many cloud WAFs work to implement load balancers among other things via APIs. 

If API keys are not using HTTPS or API requests not being authenticated, then there is a risk for hackers to take over the accounts of developers. 

If a cloud WAF vendor is using a public API but did not register for an authorized account to gain access to the API, hackers can exploit this situation to send repeated API requests. Had the APIs been registered, then the API key can be tracked if it’s being used for too many suspicious requests. 

Beyond securing API keys, developers must also secure their cloud credentials. If a hacker gains access to this then they are able to possibly take down servers, completely mess up DNS information, and more. 

API security is not only a concern for developers but also for end users using APIs for their cloud WAF service as you’ll see in the next section. 

► What can hackers do with compromised SSL certificates?

Next, what happens if the SSL certificates WAF customers provided ends up in the hands of hackers? 

Let’s assume the hacker has both the API keys and SSL certificates. In this scenario, hackers can affect the security of the incoming and outgoing traffic for customer websites.

With the API keys, hackers can whitelist their own websites from the cloud WAF’s settings, allowing their websites to bypass detection. This allows them to attack sites freely.

Additionally, hackers could modify the traffic of a customer website to divert traffic to their own sites for malicious purposes. Because the hackers also have the SSL certificates then they can expose this traffic as well and put you at risk for exploits and other vulnerabilities.

 

► What can I do to protect myself if I am using a cloud WAF?

First, understand that your data is never 100% safe. If a company claims that your data is 100% safe, then you should be wary. No company can guarantee that your data will always be safe with them. 

When there is a data breach, however, cloud WAF customers are strongly encouraged to change their passwords, enable 2FA, upload new SSL certificates, and reset their API keys. 

Only two of these are realistic preventive measures (changing your passwords frequently and using 2FA), but it’s unlikely that you, as a customer, will frequently upload new SSL certificates and change your API keys. 

Thus, we recommend that you ask your WAF vendors about the security of not just the WAF technology itself but also how they deal with API security and how they store SSL certificates for their customers.

If you’d like to chat with one of our security experts and see how our cloud WAF works, submit the form below!

[contact-form-7]

The post My Cloud WAF Service Provider Suffered a Data Breach…How Can I Protect Myself? appeared first on Cloudbric.

Top 6 Plesk Security Extensions You Should Consider for Website Security

As one of the most popular hosting platforms alongside cPanel, Plesk provides a variety of security extensions for its users. Each Plesk security extension boosts their own unique features, meant to fully protect your website, server, email, and network from potential threats.

Some extensions on Plesk require advanced system administration, so it’s important that you choose the right security tools based on your knowledge and experience — as not all security extensions are created equal. 

While Plesk offers a range of security tools such as malware scanners or ransomware protection software, this blog post will focus on security extensions that are available on Plesk that provide protection against web application attacks and DoS and DDoS attacks. 

These types of web threats directly affect web applications and can result in your websites going offline. In this case, customers and visitors are denied access to your information and commercial services, which will negatively impact your business’s bottom line.

Take a look below at some of the most popular security extensions available on Plesk and how they can help prevent web attacks as well as their potential shortcomings. 

BitNinja

BitNinja specializes in server security; their Plesk security extension is designed to effectively eliminate threats from your Linux servers. The security extension is also meant to save you from having to perform any configurations and spend long hours of troubleshooting.

Because BitNinja’s security extension is equipped with DoS mitigation and a WAF (web application firewall), they protect against web application and DDoS attacks. Their DDoS mitigation works based on TCP based protocols, but instead of permanently blocking the IP source they “greylist” the attacker IP.

On the WAF side, they analyze incoming traffic to your server based on different factors and stops attacks against the applications running on your server. They utilize the same WAF model used by Cloudflare and Incapsula. More specifically, for their reverse proxy engine, they use Nginx, WAF engine by ModSecurity, and a ruleset from the OWASP. One downside to BitNinja is that they are unable to constantly update and finetune the WAF ruleset or implement other rulesets in real time. 

Variti DDoS

The Variti DDoS security extension focuses on protection against DoS and DDoS attacks. They do this by allowing incoming web traffic to pass through a distributed network of filtering nodes. Then, traffic is analyzed in real time and classified as either legitimate or illegitimate. Upon detection of a threat, their Active Bot Protection (ABP) technology immediately blocks this malicious traffic with a response time of less than 50 ms.

Because of this bot protection technology, Variti is able to distinguish traffic between real users and bots, including those coming from the same IP address. Thus, they can also protect against both network and application layer DDoS attacks.  Though it doesn’t offer a WAF, Variti is one of the few DDoS protection tools that are available on Plesk. 

ModSecurity

ModSecurity is arguably one of the most well-known WAFs. They support web servers such as Apache on Linux or IIS on Windows, to protect web applications from malicious attacks. ModSecurity works by checking incoming HTTP requests and based on the set of rules applied, ModSecurity either allows the HTTP request to enter the website or blocks it. 

The ModSecurity security extension on Plesk offers both free and paid sets of rules. It includes regular expressions that are used for HTTP requests filtering, but you can also apply custom rulesets. This may require extensive knowledge on WAF rules by the system administrator. For example, you may need to manually switch off certain security rules so maintenance of the rulesets can be a setback for those who are looking for a more hands-off WAF.

Furthermore, there have also been cases where customers experience ModSecurity blocking legitimate requests too when too many rules are applied. 

Cloudflare Servershield 

The Cloudflare Servershield security extension is intended to protect and secure your servers, applications and APIs against DoS/DDoS and other web attacks. While the security extension is primarily used to speed up websites, Cloudflare Servershield also offers WAF and DDoS protection.

Cloudflare’s WAF option and its rulesets can only be enabled on their paid plans – more specifically the Cloudflare Servershield Advanced extension on Plesk. Cloudflare’s WAF uses the OWASP Modsecurity Core Rule Set to inspect web traffic and block illegitimate requests. These OWASP rules are supplemented by Cloudflare’s built-in rules that you can apply with the click of a button. 

As part of their free plan, Cloudflare provides unlimited and unmetered mitigation of DDoS attacks, regardless of the size of an attack.

Imunify360

Imunify360 takes a multi-layered approach when it comes to server security. This security extension combines an advanced firewall, WAF, IDS/IPS, and more. Their advanced firewall is also powered by a machine learning engine. They take a proactive defense to preemptively stop all malware and identify potential attacks on your server. 

Their WAF protects web servers from multiple threats, such as DoS attacks, port scans, and distributed brute force attacks. Their WAF also relies on ModSecurity and is automatically installed on certain versions of Imunify360. Because other third-party ModSecurity vendor’s rulesets may be installed (for example, OWASP or Comodo), these rulesets can generate a large number of false-positives and may duplicate Imunify360’s rulesets.

You will need to manually disable other third-party ModSecurity vendors on different hosting panels.

Cloudbric

To simplify the management of website security, Cloudbric’s cloud-based WAF is integrated with the Plesk platform. The Cloudbric WAF extension also includes DDoS protection and SSL certificate renewal automation at no extra cost. 

Instead of painfully blocking the customer’s IP address individually to keep DDoS attacks under control, Cloudbric blocks these huge amounts of traffic before it reaches the site. Cloudbric’s advanced DDos protection ensures your website stays up and running. 

The Cloudbric WAF is designed to install and work with as little human interaction as possible. We handle the security so that customers don’t have to. Unlike ModSecurity which maintains a library of malicious patterns, known as signatures, Cloudbric takes it up a notch by also implementing signature-less detection techniques into the WAF engine. 

Additionally, unlike the rules of ModSecurity that are updated once per month, Cloudbric’s WAF does not require signature updates. 

This signature-less detection technology can also identify and block modified and new web application attacks. Cloudbric’s WAF engine includes 27 unique pre-set rules and AI capabilities to create an advanced threat detection engine to accurately detect and block attacks. 

If your company is dependent on online traffic for business, then protection against DDoS and web application attacks is a must. 

For Plesk users, there are a variety of security extensions to choose from to make the management of security extremely easy for web managers, designers, system administrators, and other web professionals – it all depends on your security needs and whether you are looking for fully managed services or customization. 

If you need assistance with Cloudbric’s plesk extension email us at support@cloudbric.com.

The post Top 6 Plesk Security Extensions You Should Consider for Website Security appeared first on Cloudbric.

Download Cloudbric’s New Security Extension For Plesk

Cloudbric is proud to announce the release of their much-awaited security extension (inclusive of WAF and DDoS protection) for Plesk, an industry-leading web solution platform.

Plesk is an all-in-one platform that allows developers, system administrators, and resellers to run, manage and secure their domains and servers via their control panel solutions and extensions.

Through this partnership with Plesk, we aim to simplify security for both users and small to mid-size businesses.

With the Cloudbric WAF extension, it’s easier for current Plesk server users, web hosting providers, and web professionals to access our web security services with just one click.

Plesk users can also manage Cloudbric settings and analytics without having to switch between applications.

Furthermore, by registering one of the lowest false-positive rates on the market, Plesk users like web hosting providers can deliver an affordable, high performing web application security solution to their own end users.

Learn more about our security extension and all its features via our product page on Plesk:

https://www.plesk.com/extensions/cloudbric/


Make sure to follow us on our social media platforms (LinkedInTwitter, and Facebook) and our recently opened Telegram Announcement Channel for the latest updates!

The post Download Cloudbric’s New Security Extension For Plesk appeared first on Cloudbric.