Security — No laughing matter

You need a clear, comprehensive view of your entire load balancing estate to maintain control and security.

It can sometimes be useful to make load balancing decisions based on the time and date. This allows you to conditionally refuse or redirect connections based on the time they're received.

There are two schools of thought on this: ‘yes, it should’ and ‘no, it shouldn't’. Let's look at the arguments both for and against.

Here's what we learned from crAPI about API security, and how a Web Application Firewall (WAF) can help you take things one step further.

Getting on board with zero trust is the easy part. Actually applying these principles to your architecture is less black and white.

I had the privilege of speaking in Dublin at this year's OWASP Core Rule Set Community Summit before then attending OWASP Global AppSec immediately afterwards.

I thought I would try and cover the basics here by explaining how to create an SSL certificate and the various files that you'll end up with.

We'd all rather prevent a disaster than have to live with the consequences of one.

Sometimes, we need to pass unusually large HTTP requests through our WAF stack.

A while ago I was asked if it would be possible to apply some general rate limiting in HAProxy and the WAF, in order to help prevent DOS-style attacks on a customer's servers.

F5 recently announced a critical security vulnerability, allowing an attacker to bypass its iControl REST authentication, and execute commands such as creating or deleting files and disabling services.

It's a fair question, right? Let's take away the strain of SSL terminations from our application servers and let the load balancers deal with it. After all, why would we want to bog down our nifty application with network-level considerations?

It is understandable that SysAdmins, DevOps, and most in the IT and Security Departments involved want to ensure all load balancers are fully patched and protected, given that our product plays an important role in their topology.

Customers with manually configured, custom client authentication deployments (rare) or using “re-encrypt to backend” to communicate with untrusted third-party servers (very rare) may be impacted.

A local privilege escalation vulnerability was found on polkit's pkexec utility. It is a critical vulnerability because it gives full root privileges to any local user or attacker.

All WAF vendors and services using ModSecurity are affected by this vulnerability (unless they have the vulnerable piece of code disabled, by chance).

Network Security devices such as firewalls, WAF, SWG, IPS etc. are often deployed inline with bridge mode., which has two major problems.

A WAF isn't a magic bullet, but, as part of a defense in depth strategy, a properly configured WAF should catch and stop common, everyday attacks.

The Apache Log4j utility is commonly used for logging requests by millions of Java applications to log error messages. However, recently the critical vulnerability CVE-2021-44228 was discovered in the Apache Log4j library.

On the 4th October 2021, the social media giant Facebook experienced a global outage, affecting not only Facebook, but also Instagram and WhatsApp.

In this example, I’m going to add a new transformation function to ModSecurity to calculate the Scrabble score of a variable. This will allow us to block HTTP requests containing query string parameters with a Scrabble score above a chosen threshold.

I should really say that not every request of this type can be turned around on the same day - but we do try!

In early June 2021, I identified a request body bypass vulnerability in the OWASP ModSecurity Core Rule Set (CRS). Loadbalancer.org appliances themselves are unaffected.

In the world of web application security, it can be invaluable to consider a user's behaviour across the entire duration of their web app session.

Let's look at the best way to use the WAF with as little pain as possible!