A study by the SMB Group in 2017 showed that more than 85 percent of small- and medium-sized (SMB) businesses and mid-tier enterprises are adopting digital transformation. This is changing the role of the traditional website from a “static set of HTML pages” to a highly dynamic online experience platform. The website is now the custodian of the organization’s digital brand.
But, as once said by Ben Parker (yes, Spiderman’s late uncle), “With great power comes great responsibility.”
IT executives now have to protect users — and their data used by the website — from a larger spectrum of web application threats. The recent Whitehat Security’s 2018 Application Security Report highlighted these concerns:
- About 50 percent of vulnerabilities discovered on a website are Serious; remediation rates are less than 50 percent
- The average time to fix a vulnerability ranges from 139 to 216 days
- More than 30 percent of websites are still showing poor developer cybersecurity skills (e.g., information leakage, cross-site scripting and SQL injection)
- SSL/TLS is not adopted well enough; 23 percent of those are weak and riddled with vulnerabilities
SonicWall WAF 2.0 was launched in April 2018 as a standalone virtual appliance deployable in public and private cloud environments. SonicWall WAF delivers an award-winning web application firewall technology that works alongside SonicWall next-generational firewalls (NGFW) to protect businesses and their digital brands.
In fact, when the attacks associated with British Airways and Drupalgeddon came out, the SonicWall WAF was able to protect customers without any updates. With the SonicWall WAF, administrators can protect their websites from the wide spectrum of web threats including those targeting the vulnerabilities called out in the OWASP Top 10.
Five New Enhancements to SonicWall WAF 2.2
The next evolution of the product, SonicWall WAF 2.2 gains five significant new features and enhancements, including a new licensing model.
Real-Time Website Malware Prevention with Capture ATP Integration
Malware is injected into websites through the use of vulnerable plugins or by using file-upload facilities available with many websites. SonicWall WAF now integrates with the Capture Advanced Threat Protection (ATP) sandbox service. It detects malware embedded in traffic streams by leveraging the industry-leading, multi-engine malware analysis platform, including Real-Time Deep Memory Inspection (RTDMI). Any attempts to inject or upload malicious files to a website would be inspected in-line (as opposed to after the fact) while maintaining an optimal user experience.
Simplifying Transport Layer Security, SSL Certificate Management with ‘Let’s Encrypt’
The biggest challenge for securing website communication is the need for legitimate SSL/TLS certificates for encryption and decryption. Legitimate certificates are expensive to purchase, manager, monitor and renew.
But with SonicWall WAF 2.2, organizations can take advantage of the Let’s Encrypt service through a built-in integration that not only offers free certificates, but will also automatically monitor and renew digital certificates.
This eliminates the administrative effort to enable SSL/TLS required on the website to turn on support for SSL/TLS.
By combining Let’s Encrypt integration, Perfect Forward Secrecy (PFS) and HTTP Strict Transport Security (HSTS), the SonicWall WAF ensures that websites are only accessible via a secured and encrypted channel, which also improves search engine visibility and ranking.
Seamless Multifactor Authentication Controls Access to Sensitive Content, Workflows
The most common cause of information leakage from websites stems from improper access control on websites, sometimes via unauthenticated pages and others because of the lack of strong authentication controls (remember the Equifax attack?).
With SonicWall WAF 2.2, administrators can redirect users to an authentication page for any part of the web application by leveraging an existing authentication page or with a WAF-delivered login page.
Administrators can also enforce second-factor authentication using client certificates or one-time passwords (OTPs) to validate users trying to log in to the web application are, indeed, genuine users.
API Support for Managed Cloud Service Providers
Cloud service providers often manage and host websites for their customers. In many cases, they leverage DevOps and programmable infrastructure using APIs to launch hosting environments, web application platforms and ready-to-use infrastructure. But if security is not embedded into these DevOps workflows, they leave gaping holes and become liable for website security.
With SonicWall WAF 2.2, administrators can automatically launch WAF virtual appliances and programmatically provision security for websites using scripts in DevOps workflows. This includes creating a web application to be protected, enabling exploit prevention, enabling Let’s Encrypt Integration for free SSL/TLS support and enabling Capture ATP integration for malware prevention.
New Utility-based Licensing Model, An innovation for WAF Virtual Appliances
With SonicWall WAF 2.2, organizations may purchase protection on a per-website basis. This helps reduce the total cost of ownership (TCO) by purchasing only what they need. Four types of websites are currently supported based on the amount of data that is transferred to/from the website per month.
|Pro Website||10 GB per Month|
|Small Website||50 GB per Month|
|Medium Website||200 GB per Month|
|Large Website||500 GB per Month|
A sizing calculator will recommend the compute requirements for the WAF virtual appliance and will provide guidance to website administrators on what type of license they need to buy based on a variety of metrics like sustained/peak throughput, average visits per day etc.
SonicWall WAF helps administrators secure their websites and their digital environment, thereby establishing trust in their digital brand.
The SonicWall Web Application Firewall (WAF) now integrates with the award-wining SonicWall Capture Advanced Threat Protection (ATP) sandbox service and Real-Time Deep Memory Inspection (RTDMI) technology. Explore how this innovative product can defend your websites and applications from both known and unknown cyber threats.