WAF Security on the Edge with appfleet

The appfleet edge platform allows you to easily deploy and host your own cloud WAF on the edge with multiple regions globally. Configure your own WAF rules for a secure website without compromising your performance!

appfleet is an edge platform

We host your dynamic services globally closer to your users

Globally Load-Balanced

Host your service, site or application on multiple locations at the same time. Be closer to your users and improve your performance and uptime.

Any tech-stack

appfleet is a cloud-based container hosting platform that allows you to deploy your code in any language, framework or technology.

Serverless Containers

Run stateless and stateful containers on a fully managed globally distributed infrastructure. No servers or routing to manage.

Why do you need WAF hosting?

A WAF, or web application firewall, provides layer 7 (i.e. application-level) security for your web applications. Unlike traditional firewalls, which operate only at layers 3 and 4 by inspecting IP packet metadata, WAFs protect your web apps from HTTP-based attacks, which are already quite prevalent and are bound to become more so as the global technological infrastructure shifts towards cloud and web-based services.

By intercepting and inspecting your web app's HTTP traffic, WAFs can prevent common application exploitation attacks such as SQL injection, cross-site scripting (XSS), file inclusion, improper system configuration, and many others, and even some DDoS attacks such as Slowloris and HTTP flood.

With over 70% of all attacks now carried out over the web application level, organizations need all the help they can get in making their systems secure. WAFs are deployed to establish an external security layer that increases security and detects and prevents attacks before they reach web applications. A WAF provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring and real-time analysis with little or no changes to existing infrastructure.

Components and Features of WAFs

Although WAFs can be quite varied in their design, features, and usages, they tend to share some common themes.

Conditions

Conditions specify which elements of the incoming HTTP/HTTPS request you want the WAF to monitor. Some examples of the conditions a WAF can operate on:

  • cookies exploitable by cross-site scripting
  • sizes of various parts of requests, such as the header, HTTP method, query string, query parameter, URI, body
  • database queries vulnerable to potential SQL injection attacks
  • string and regex matching from the requests themselves

Additionally, such conditions may be combined with traditional firewall policies based on source/destination IP addresses, network interface controllers, etc.

Rules & ACLs

  • WAF rules allow one or more conditions such as the examples shown above to be compiled into lists, where they are AND'd to form the complete WAF rules.
  • Access control lists (ACLs) can then specify which rules to apply to which application, service, host, etc. that comprise your actual web application.
  • Rule actions are typically: allow, block, drop, limit, forward, log, count, etc.

Databases

Many WAFs also come with or can readily access extensive lists of known risk vectors, providing useful features such as:

  • real-time blacklist lookups
  • compromised credential warnings
  • malware & botnet detections
  • IP reputation

Security Modes

  • Negative security: looks for known bad, malicious requests. It is effective at blocking a large number of automated attacks, but it is not the best approach for identifying new attack vectors, and too many negative rules may hurt performance.
  • Positive security: only requests that are known to be valid are accepted, with everything else rejected by default. Works best with applications that are heavily used but rarely updated.
  • Virtual patching: provides buffer time to fix your application's vulnerabilities by patching "from the outside", i.e. without touching the application source code (and even without any access to it). It is equally effective for and applicable to vulnerabilities found in your application's dependencies, securing your system until a proper upstream or application patch is produced.
  • Extrusion detection: monitors outbound data to identify and block information disclosure issues such as leaking detailed error messages, Social Security Numbers or Credit Card Numbers.
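The rule, ACL and security-mode structure described in the two lists above, as an added example (not appfleet's or any WAF product's own code): conditions are AND'd into rules, an ACL binds rules to a host, and the ACL's default action decides whether that host runs in negative or positive mode. The host names, the request shape and the toy SQL injection pattern are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed request shape: a dict with host, method, path, query, body.

@dataclass
class Rule:
    name: str
    conditions: list   # callables taking a request; every one must hold (AND)
    action: str        # e.g. "allow", "block", "log"

    def matches(self, req):
        return all(cond(req) for cond in self.conditions)

# Toy signature for illustration only; real rule sets are far broader.
SQLI = re.compile(r"(?i)\bunion\b.+\bselect\b|'\s*or\s+'?1'?\s*=\s*'?1")

def method_is(*methods): return lambda r: r["method"] in methods
def body_over(limit): return lambda r: len(r["body"]) > limit
def path_is(pattern): return lambda r: re.fullmatch(pattern, r["path"]) is not None
def query_has_sqli(r): return SQLI.search(r["query"]) is not None
def query_empty(r): return r["query"] == ""

# ACL: which rules guard which host, plus the action when no rule matches.
ACLS = {
    # Negative security: allow by default, block known-bad requests.
    "shop.example": {"default": "allow", "rules": [
        Rule("sqli-in-query", [method_is("GET", "POST"), query_has_sqli], "block"),
        Rule("oversized-post", [method_is("POST"), body_over(8192)], "block"),
    ]},
    # Positive security: block by default, allow only known-valid requests.
    "admin.example": {"default": "block", "rules": [
        Rule("status-page", [method_is("GET"), path_is(r"/status"), query_empty], "allow"),
    ]},
}

def evaluate(req):
    """Return (action, rule name); the first matching rule wins."""
    acl = ACLS.get(req["host"])
    if acl is None:
        return ("block", "no-acl")  # assumption: hosts without an ACL are refused
    for rule in acl["rules"]:
        if rule.matches(req):
            return (rule.action, rule.name)
    return (acl["default"], "default")
```

A request that satisfies only some of a rule's conditions, such as a large body on a GET, falls through to the ACL default, which is what distinguishes the two modes.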

The WAF security model and policies leverage a combination of technological approaches and paradigms, such as signatures, validations, behavioral monitoring, databases, various modes, conditions, rules, ACLs and much more to achieve a solid protective effect, providing massive security enhancements for a modest increase in technological complexity.

How to choose the right WAF hosting provider?

While WAFs in general are becoming increasingly indispensable for modern web applications, it also remains equally important to identify the best hosting provider that meets your requirements to host such WAFs for your web applications, especially when it comes to efficiency, usability and features.

Here are the typical environments commonly available for WAF hosting:

Shared Hosting

One of the most popular hosting types due to its low cost and ease of managing services (through the hosting provider). However, due to the lack of dedicated resources, bad performance, lack of automation and integration with developer tools, a shared hosting platform is usually not recommended.

Self-Managed/Self-Hosted

This type is usually deployed as either a virtual private server (VPS) or as part of a dedicated hosting plan. Due to its benefits of offering unrestrictive usage with more resources, platform upgrades and root access, a VPS is usually preferred by those who have specific platform requirements that cannot be served through shared hosting.
Dedicated hosting allows users exclusive use of servers with their own choice of hardware, platforms, and resource allocations. As a result, a user has absolute control to optimize the server based on his requirements to make it highly-scalable, highly-available, and on-demand.
Both deployment options provide greater flexibility than shared hosting plans, but at the cost of a lot more maintenance effort and zero out-of-the-box conveniences.

Hosted WAF as a service

Another option is to use dedicated WAF-specific hosting services.
This essentially sets up your WAF as a reverse proxy, except instead of acting as a load-balancer for example, it’s set up to perform firewall duties. For mature businesses whose needs are relatively static, this could be a feasible option.
But for most businesses competing in the increasingly dynamic technological spaces nowadays, being able to easily adapt and quickly pivot as business objectives and product specifications evolve is an important ability.
Not to mention the increased costs that typically involve both charges per request and huge monthly premiums.

Developer Friendly

It is important to check if your hosting provider supports high-availability and zero-downtime deployments, as well as regular software and security policy updates for your WAF.

Ease of integration and deployment

You should check how convenient the hosting provider makes integrating, deploying and maintaining their WAF service as the security gateway to your web application stack.

Scalability

Prefer a hosting provider that offers seamless auto-scaling options and load-balancing during times of high resource utilization and consumption spikes.

Advanced Platform Features

As an added advantage, look for other key aspects which might be critical for your WAF-guarded web application. More importantly, ensure that you opt for the right platform configurations, including:

  • Resources monitoring
  • Logging and console access for easier debugging
  • Other platform features (flexible CPU cores, SSD, DDoS, CDN, Automated Backups, etc.)
  • Costs (many cloud WAF hosting platforms can be quite expensive)

Host your WAF applications on the edge

Deploy a WAF for your web apps to multiple global regions at the same time.
Increase the performance and lower your global latency. This can be performed as easily as spinning up any Docker container that you’d normally use for your core application. Many prebuilt images of industrial grade WAFs such as ModSecurity are readily available from Docker Hub.
Besides the great ease of deployment conferred by hosting WAFs on the edge using Docker containers, this also has the advantage of being comparably much more affordable and economical to users such as yourself. In short, when set up correctly, this option really does offer the best of all worlds.

With appfleet, developers can deploy a WAF such as ModSecurity globally to multiple regions at the same time with a simple to use UI. This not only results in better security for your web applications, but also ensures superior performance and high-uptime.

appfleet’s WAF hosting features also include:

  • Intuitive and simple to use web UI instead of config files and command line tools
  • Unique Global Multi-Region deployments
  • High-Availability, High-Performance, and Low Latency
  • Logs and console for easier debugging in production
  • Ease of deployment and low costs made possible by Docker
  • Integrated metrics and monitoring
  • Affordable pay-as-you-go plans

Run your own edge WAF

and get a fully automated platform with multiple global POPs, high-availability and low latency

…and other features

appfleet doesn’t end with your product’s deployment

Custom health checks

Configure your own custom health checks per application and we will add them to our own internal checks that we continuously run to ensure your service is alive and well

All languages supported

Node.js, PHP, Golang, Java, Python, everything is supported, thanks to Docker containers. Don't let your technology of choice limit you.

Included HTTPS

For any web service we can automatically install and maintain a LetsEncrypt TLS certificate for free.

Better performance

By using multiple regions at the same time you can lower the latency and easily improve performance for your global audience

Public & private registries

Use any public or private container registry like Docker Cloud, Github Registries, Quay, Google Cloud and more

Console access

Assume direct control of your container by connecting directly to it by using our web console

File Cache

All nodes come with a locally mounted caching filesystem that persists between deployments for improved performance

Logging

We store and process the output and logs of all deployed applications for easier debugging.

Monitoring

All of your instances are constantly monitored. Get historic and real-time CPU, RAM and Disk usage.
