In today’s business landscape, enterprises rely more and more on cloud-based web applications to offer 24/7 serviceability, enhance competitiveness and expand user bases. Whether these web applications are deployed on-premises in private cloud settings or in cloud infrastructure with large data centers, they are frequently exposed to cyber criminals and suffer web service outages caused by advanced cyber attacks, such as DDoS, spear-phishing, and SQL injection. According to the Q3 2016 State of Internet Security report released by Akamai, SQLi accounted for nearly 50% of observed web attacks in the Web Application Attack Frequency.
To ensure service uptime and protect valuable data for customers, it has become a necessity to build up enterprise cyber security with open-architecture, robust web application firewalls (WAFs) driven by high-performance and high-throughput platforms.
Requirements for Web Application Firewall
To protect mission-critical web applications from cyber threats, a simple and cost-effective approach is to implement WAFs powered by high-performance hardware. Nowadays, a WAF is used to protect web applications from cross-site scripting and SQL injection. A WAF can monitor encrypted/decrypted inbound traffic and detect attack types. In addition, a WAF is commonly integrated with other software-based technologies such as web scanners, DDoS protection, behavior analysis and web fraud detection.
The challenge is to select the right WAF hardware system to run software-based security mechanisms effectively. In other words, the most practical way to protect an enterprise data center is to implement a software-hardware hybrid solution that protects networks from cyber criminals.
A web application firewall has several requirements:
SSL acceleration is critical to a WAF as a CPU-offloading method for heavy-duty public-key encryption. For optimal performance, a hardware accelerator is recommended.
Since the WAF is deployed between the enterprise server and the users, one of its major missions is to monitor traffic and block malicious attempts. This requires efficient DPI (Deep Packet Inspection) backed by powerful hardware.
High-performance and high-throughput
As DPI and SSL are both CPU-intensive, the hardware architecture for WAF deployments must offer dedicated processing capability to run software-based security functions.
A WAF runs on a 24/7 basis, so high availability of the power supply is critical to its operation.
Since web application services may expand as the customer base grows, enterprise WAFs must be able to scale up through hardware upgrades in order to boost performance and accelerate critical applications in the simplest way.
Lanner’s Solution for WAF
A leading web application and firewall solution provider contacted Lanner for a 1U rackmount, high-performance network appliance that can fulfill the requirements above. The selected solution was FW-8759, an Intel open-architecture web application firewall platform powered by a 4th Generation Intel® Xeon® E3 v3 or Core™ i7/i5/i3 processor.
FW-8759 provides eight Ethernet ports and a NIC module slot that can take an 8-port Ethernet module to offer a total of 16 GbE ports. Together with a high-performance Intel® processor, FW-8759 is capable of multi-gigabit throughput and thousands of transactions per second with low latency.
Given the importance of scalability, FW-8759 provides a NIC module slot and an optional rear-end PCIe slot for riser card installation. The NIC module slot is compatible with a wide range of Ethernet modules, from 1 GbE to 40 GbE in copper/fiber configurations, to boost performance, throughput and bandwidth. The optional rear-end PCIe slot can be fitted with an SSL crypto acceleration card, such as Lanner’s AV-ICE04, to upgrade CPU offloading.
As stated previously, a WAF runs on a 24/7 basis, so fault-tolerant design and high availability are critical to its operation. To fulfill these requirements, FW-8759 provides a redundant power supply and advanced LAN Bypass.
Hardware acceleration is also a key factor for a WAF. FW-8759 has a built-in hardware-assisted crypto-acceleration card supporting Intel® AES-NI instructions. As encryption/decryption consumes a large share of processor resources, the built-in hardware accelerator will effectively boost WAF performance.