WAF for everyone: protecting the web from high severity vulnerabilities

WAF for everyone: protecting the web from high severity vulnerabilities
WAF for everyone: protecting the web from high severity vulnerabilities

At Cloudflare, we like disruptive ideas. Pair that with our core belief that security is something that should be accessible to everyone and the outcome is a better and safer Internet for all.

This isn’t idle talk. For example, back in 2014, we announced Universal SSL. Overnight, we provided SSL/TLS encryption to over one million Internet properties without anyone having to pay a dime, or configure a certificate. This was good not only for our customers, but also for everyone using the web.

In 2017, we announced unmetered DDoS mitigation. We’ve never asked customers to pay for DDoS bandwidth as it never felt right, but it took us some time to reach the network size where we could offer completely unmetered mitigation for everyone, paying customer or not.

Still, I often get the question: how do we do this? It’s simple really. We do it by building great, efficient technology that scales well—and this allows us to keep costs low.

Today, we’re doing it again, by providing a Cloudflare WAF (Web Application Firewall) Managed Ruleset to all Cloudflare plans, free of charge.

Why are we doing this?

High profile vulnerabilities have a major impact across the Internet affecting organizations of Continue reading

Cloudflare Zaraz supports CSP

Cloudflare Zaraz supports CSP
Cloudflare Zaraz supports CSP

Cloudflare Zaraz can be used to manage and load third-party tools on the cloud, achieving significant speed, privacy and security improvements. Content Security Policy (CSP) configuration prevents malicious content from being run on your website.

If you have Cloudflare Zaraz enabled on your website, you don’t have to ask yourself twice if you should enable CSP because there’s no harmful collision between CSP & Cloudflare Zaraz.

Why would Cloudflare Zaraz collide with CSP?

Cloudflare Zaraz, at its core, injects a <script> block on every page where it runs. If the website enforces CSP rules, the injected script can be automatically blocked if inline scripts are not allowed. To prevent this, at the moment of script injection, Cloudflare Zaraz adds a nonce to the script-src policy in order for everything to work smoothly.

Cloudflare Zaraz supports CSP enabled by using both Content-Security-Policy headers or Content-Security-Policy <meta> blocks.

What is CSP?

Content Security Policy (CSP) is a security standard meant to protect websites from Cross-site scripting (XSS) or Clickjacking by providing the means to list approved origins for scripts, styles, images or other web resources.

Although CSP is a reasonably mature technology with most modern browsers already implementing the standard, less Continue reading

Security for SaaS providers

Security for SaaS providers
Security for SaaS providers

Some of the largest Software-as-a-Service (SaaS) providers use Cloudflare as the underlying infrastructure to provide their customers with fast loading times, unparalleled redundancy, and the strongest security — all through our Cloudflare for SaaS product. Today, we’re excited to give our SaaS providers new tools that will help them enhance the security of their customers’ applications.

For our Enterprise customers, we’re bringing WAF for SaaS — the ability for SaaS providers to easily create and deploy different sets of WAF rules for their customers. This gives SaaS providers the ability to segment customers into different groups based on their security requirements.

For developers who are getting their application off the ground, we’re thrilled to announce a Free tier of Cloudflare for SaaS for the Free, Pro, and Biz plans, giving our customers 100 custom hostnames free of charge to provision and test across their account. In addition to that, we want to make it easier for developers to scale their applications, so we’re happy to announce that we are lowering our custom hostname price from \$2 to \$0.10 a month.

But that’s not all! At Cloudflare, we believe security should be available for all. That’s why we’re extending a Continue reading

Improving the WAF with Machine Learning

Improving the WAF with Machine Learning
Improving the WAF with Machine Learning

Cloudflare handles 32 million HTTP requests per second and is used by more than 22% of all the websites whose web server is known by W3Techs. Cloudflare is in the unique position of protecting traffic for 1 out of 5 Internet properties which allows it to identify threats as they arise and track how these evolve and mutate.

The Web Application Firewall (WAF) sits at the core of Cloudflare's security toolbox and  Managed Rules are a key feature of the WAF. They are a collection of rules created by Cloudflare’s analyst team that block requests when they show patterns of known attacks. These managed rules work extremely well for patterns of established attack vectors, as they have been extensively tested to minimize both false negatives (missing an attack) and false positives (finding an attack when there isn’t one). On the downside, managed rules often miss attack variations (also known as bypasses) as static regex-based rules are intrinsically sensitive to signature variations introduced, for example, by fuzzing techniques.

We witnessed this issue when we released protections for log4j. For a few days, after the vulnerability was made public, we had to constantly update the rules to match variations and mutations as Continue reading

A new WAF experience

A new WAF experience
A new WAF experience

Around three years ago, we brought multiple features into the Firewall tab in our dashboard navigation, with the motivation “to make our products and services intuitive.” With our hard work in expanding capabilities offerings in the past three years, we want to take another opportunity to evaluate the intuitiveness of Cloudflare WAF (Web Application Firewall).

Our customers lead the way to new WAF

The security landscape is moving fast; types of web applications are growing rapidly; and within the industry there are various approaches to what a WAF includes and can offer. Cloudflare not only proxies enterprise applications, but also millions of personal blogs, community sites, and small businesses stores. The diversity of use cases are covered by various products we offer; however, these products are currently scattered and that makes visibility of active protection rules unclear. This pushes us to reflect on how we can best support our customers in getting the most value out of WAF by providing a clearer offering that meets expectations.

A few months ago, we reached out to our customers to answer a simple question: what do you consider to be part of WAF? We employed a range of user research methods including Continue reading

TOP 25 in Cisco IT Blog Awards

It was a year of big changes in every way. I was fortunate enough to be surrounded by great professionals working on huge projects and then even to get the chance to switch to some completely new technologies that I never really worked with before. It was great, it is still very intense and from my perspective, all changes were for the better. But as with all periods with a lot of action, all those draft articles on this blog’s queue didn’t yield as much new material as I wanted. It was a year of almost no writing but a

The post TOP 25 in Cisco IT Blog Awards appeared first on How Does Internet Work.

Marvell’s newest Arm processor integrates 5G hardware accelerators

In the battle between Intel and AMD, it can be easy to overlook Marvell Technology, but you shouldn’t. Through acquisition and organic growth, the company has turned into quite a powerhouse playing in multiple areas.Marvell is the first major vendor to support the Arm on 5G initiative that Arm unveiled last October, when it launched the Arm 5G Solutions Lab. The lab is designed to let hardware and software partners work on 5G-based products running on Arm architecture. Read more: SmartNICs set to infiltrate enterprise networksTo read this article in full, please click here

netsim-tools Release 1.1.4

netsim-tools release 1.1.4 includes a number of seemingly unrelated goodies; here’s the the reasoning (or story) behind some of them:

netlab clab tarball creates a tar package that can be deployed with containerlab without netsim-tools

Julio Perez wanted to create ready-to-use labs running Arista cEOS on containerlab. Requiring the users of his labs to deploy netsim-tools and Ansible just to configure the lab devices is a clear overkill considering the startup-config support in containerlab. What he needed was:

Read more …

Dropping privileges

If you’re writing a tool that takes untrusted input, and you should treat almost all input as untrusted, then it’s a good idea to add a layer of defense against bugs in your code.

What good is a buffer overflow, if the process is fully sandboxed?

This applies to both processes running as root, and as normal users. Though there are some differences.

Standard POSIX

In POSIX you can only sandbox if you are root. The filesystem can be hidden with chroot(), and you can then change user to be non-root using setuid() and setgid().

There have been ways to break out of a chroot() jail, but if you make sure to drop root privileges then chroot() is pretty effective at preventing opening new files and running any new programs.

But which directory? Ideally you want it to be:

  • read-only by the process (after dropping root)
  • empty
  • not shared by any other process that might write to it

The best way no ensure this is probably to create a temporary directory yourself, owned by root.

This is pretty tricky to do, though:

// Return 0 on success.
int do_chroot()
{
  const char* tmpdir = getenv("TMPDIR");
  if (tmpdir == NULL)  Continue reading

COVID, slow endpoint deployment could put the brakes on private 5G growth

The pace of private 5G/LTE growth in the enterprise is likely to drop substantially below earlier estimates, thanks to Covid's aftereffects and slack growth in the development of 5G-equipped endpoints, according to a report issued today by IDC.A December 2020 forecast predicted the size of the annual market for private LTE/5G wireless infrastructure to reach roughly $4.7 billion in 2023, but that figure has been revised downward to about $3.8 billion in the new report. That's still a sharp increase from 2021's $1.8 billion figure, but a substantial change, nonetheless.To read this article in full, please click here

DHCP defined and how it works

If Dynamic Host Configuration Protocol (DHCP) didn’t exist, network administrators would have to manually parcel out IP addresses from the available pool, which would be prohibitively time consuming, inefficient, and error prone. Fortunately, DHCP does exist.What is DHCP and how does it work? DHCP is an under-the-covers mechanism that automates the assignment of IP addresses to fixed and mobile hosts that are connected wired or wirelessly.When a device wants access to a network that’s using DHCP, it sends a request for an IP address that is picked up by a DHCP server. The server responds be delivering an IP address to the device, then monitors the use of the address and takes it back after a specified time or when the device shuts down. The IP address is then returned to the pool of addresses managed by the DHCP server to be reassigned to another device as it seeks access to the network.To read this article in full, please click here

Tech Bytes: Integrating Digital Experience Management And Cloud-Delivered Security (Sponsored)

Today on the Tech Bytes podcast we focus on the intersection of security and digital experience management. With more applications moving to the cloud, IT has to provide secure access while also ensuring a good user experience. Our sponsor Netskope, which provides cloud-based security services, has ideas on how to make this happen.

The post Tech Bytes: Integrating Digital Experience Management And Cloud-Delivered Security (Sponsored) appeared first on Packet Pushers.

BGP Policies (Part 2)

At the most basic level, there are only three BGP policies: pushing traffic through a specific exit point; pulling traffic through a specific entry point; preventing a remote AS (more than one AS hop away) from transiting your AS to reach a specific destination. In this series I’m going to discuss different reasons for these kinds of policies, and different ways to implement them in interdomain BGP.

There are many reasons an operator might want to select which neighboring AS through which to send traffic towards a given reachable destination (for instance, 100::/64). Each of these examples assumes the AS in question has learned multiple paths towards 100::/64, one from each peer, and must choose one of the two available paths to forward along.

In the following network—

From AS65004’s perspective…

Transit providers primarily choose the most optimal exit from their AS to reduce the amount of peering settlement they are paying by using and maintaining settlement-free peering where possible and reducing the amount of time and distance traffic is carried through their network (through hot potato routing, discussed in more detail below).
If, for instance, AS65004 has a paid peering relationship with AS65002, and a contract with AS65003 which Continue reading

#VMwareNSXChat Recap: NSX-T 3.2

In our most recent Twitter chat, we were joined by Vivek Bhandari, Varun Santosh, and Srini Nimmagadda to answer common questions about NSX-T 3.2, its benefits, how it works, and more. Dive in below for the full recap of our NSX-T 3.2 #VMwareNSXChat.

 

Question 1: If you had to describe NSX-T 3.2 to a friend using just one sentence (or using just 280 characters) what would you say? #VMwareNSXChat

Varun: Stronger security, simplified networking, easy operations – what’s not to like #VMwareNSXchat!

Vivek: It’s like going from a flip phone to a touch screen smartphone. Gamechanger! #VMwareNSXChat

 

Question 2: What are the key Networking and Policy enhancements? #VMwareNSXChat

Varun: NSX-T 3.2 simplifies network provisioning thru prescriptive NSX deployment from vCenter, deeper integration with Antrea, Federation support for VM tag replication, enhanced migration coordinator, and enhanced monitoring and troubleshooting. #VMwareNSXChat

 

Question 3: What are the key security enhancements? #VMwareNSXChat

Vivek: NSX-T 3.2 is a quantum leap forward bringing advanced security in a distributed architecture. It now includes network traffic analysis (NTA) and network detection and response (NDR), malware prevention with sandboxing, L7 gateway firewall, and more. #VMwareNSXChat

Vivek: Of Continue reading

1 586 587 588 589 590 3,875