Endpoint Security vs Cloud Security and Why You Need a Server-Side WAF Instead of a Third-Party WAF ::
Imagine you are a security guard at the entrance to a high-security facility. You would need to evaluate each person who wants to enter the facility, in order to ensure they are allowed access, right? To make that decision, you would use information about each person, such as what they said, whether or not they are carrying a handbag, or whether they are carrying a gun, a knife, or a sword. I think you get the idea. 🙂
The most important item of information you’ll use in your decision-making is who they are and what access level they have. In other words, their identity. If you don’t have this identity information, you are going to have a very difficult time deciding whether someone should be granted access or not.
In this post, I show you how a cloud WAF like Cloudflare or Sucuri, also known as a cloud firewall or a next-gen web application firewall, doesn’t actually know who you are when it comes to your identity. It doesn’t even know whether you’re signed in or not. The result is that cloud WAFs tend to do a much worse job at security when it comes to deciding who should be allowed access to a website and who should be blocked and/or banned by their IP address.
This article is about endpoint vs cloud WAFs and why they are important to your website’s cybersecurity. We have already described the Cloud WAF Bypass Problem, and how an endpoint firewall like Pelstar prevents this bypass.
Endpoint Security ::
Pelstar Computer Systems Inc. Knows Who a Visitor Is and Their Access Level ::
Endpoint security is what all the major security vendors are implementing these days on the server via .htaccess. The “endpoint” is the target that an attacker, or rather a hacker, would use in order to try to gain access to your web application. It might be a workstation, a mobile device, or your web application, such as Drupal, Joomla, or the most popular of the three, WordPress.
An endpoint security solution runs directly on the endpoint and protects it in a lot of ways you might not have been aware of until now. Pelstar Computer Systems Inc. is an endpoint security solutions provider because we execute directly on WordPress, which is the endpoint for an attacker targeting your web application via your server, Apache for the most part.
Pelstar Computer Systems Inc. integrates our custom WAF deeply within WordPress. One of the items of data we have is who a visitor to your site actually is and what access level they need. In cybersecurity industry terms, we refer to this as authentication and authorization. Once we know whether they have proven their identity, we know what they are and are not authorized to access.
Pelstar Computer Systems Inc.: Protecting Your Endpoint ::
Identity information is imperative to the security decision-making process that our firewall performs on the server. The firewall creates rules that block hackers, bad bots, etc., and makes sure that administrators and other lower-level users don’t accidentally get blocked by the WAF.
A user’s identity and access level are critical to our firewall’s decision-making, so we use the user’s access level in more than 80% of our firewall rules. This helps us prevent false positives, where a real user is blocked. It also blocks more complex attacks than most out-of-the-box WAFs.
By using a user’s identity and access level in your application, we can create some pretty awesome rules. Combined with a user’s identity, we can also use other information to make our decisions, like the path, the URL, the query string, the type of request being made, and the HTTP headers included in the request.
Cloud Firewalls Don’t Have Identity Information, Do They? ::
A cloud WAF, like Cloudflare’s or GoDaddy’s Sucuri WAF, uses servers based out on the Internet, away from the endpoint they’re protecting. Your visitors, and any attackers, who come to your website will therefore arrive at the cloud WAF first and foremost, before the request goes anywhere else. The cloud WAF runs the request through a series of rules first, and then decides whether it’s allowed or not.
A strong cloud WAF should run physically and logically separated from the endpoint on your server. It should not talk to the endpoint API in order to make its firewall rule decisions, since that is a bad practice.
A Cloud WAF ::
A cloud WAF might be able to see whether a user has a login cookie, but that cookie can be spoofed easily, and the cloud WAF cannot verify its authenticity, because it does not have access to the endpoint’s API, data, and execution environment, in this case your server.
As we have explained above, it is mission-critical that a web application firewall knows who a visitor is and what level of permission they have, in order to make an effective decision to grant access or to block it via a deny directive. Cloud WAFs use pattern matching, which means they analyze the incoming web request against patterns in the WAF to try to determine whether it comes from an attacker or a privileged user. This results in much less effective decision-making. They block a few attacks but miss many others. They also block all Chromium-based browsers, such as Chrome, Firefox, and Opera, which is like blocking 70% of internet users. That is a little absurd, if you ask me as a security professional.
Cloud WAFs are also known for “false positives”: because they cannot identify who is a real user, perfectly legitimate requests from legitimate users and administrators get blocked. The only way to fix this issue is to loosen up the rule set or, better yet, make it more robust, but don’t just assume that anyone who uses a Chromium-based browser is a bad actor.
Endpoint Security for WordPress: Local Knowledge, Defense in Depth
Pelstar Computer Systems Inc. provides an endpoint security solution in Tucson that executes within the WordPress environment, or any CMS environment, even if it’s a static website and not a dynamically driven web application. Thus, we can make our decisions about who is granted access or not on a granular level. This is one of the main reasons why the cybersecurity industry is moving towards endpoint solutions that work behind the scenes: they have way better decision-making abilities.
In order for the Pelstar Computer Systems Inc. firewall to make its decisions, WordPress and the Apache web server give us the ability to determine the following:
- If the user is signed in or not.
- If the user’s identity is authentic.
- If the user’s authorization level is that of a subscriber, an editor, or an administrator.
If we see that an authenticated administrator of a web application is requesting some sort of access or asset in a way that resembles a common threat or attack, we might allow it to pass if our WAF indicates it is not a bad actor or attacker. However, if we see the same request coming from a subscriber-level user, or from someone who is not signed in or privileged, our WAF will for sure block it from doing anything on your server. It will be banned, denied, and blocked indefinitely from even touching the server or web application.
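The three checks listed above, together with the earlier point that the mere presence of a login cookie proves nothing, can be sketched as follows. This is an added example, not Pelstar's or WordPress's code: the HMAC cookie format, secret, user table and function names are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed demo values; not WordPress's real cookie format or key handling.
SERVER_SECRET = b"constructed-demo-secret"
ROLES = {"alice": "administrator", "bob": "subscriber"}  # hypothetical user store
ADMIN_PREFIX = "/wp-admin/"  # paths this demo treats as administrator-only


def _mac(user: str) -> str:
    return hmac.new(SERVER_SECRET, user.encode(), hashlib.sha256).hexdigest()


def sign_session(user: str) -> str:
    """Issue a cookie value of the form 'user|HMAC-SHA256(secret, user)'."""
    return f"{user}|{_mac(user)}"


def verified_role(cookie):
    """Return the role only when the cookie's MAC verifies, otherwise None."""
    if not cookie or "|" not in cookie:
        return None
    user, mac = cookie.rsplit("|", 1)
    if not hmac.compare_digest(mac.encode(), _mac(user).encode()):
        return None  # spoofed or tampered cookie: treat as not signed in
    return ROLES.get(user)


def presence_only_decision(path, cookie):
    """Check available without the secret: a login cookie exists or it does not."""
    if path.startswith(ADMIN_PREFIX) and not cookie:
        return "block"
    return "allow"


def endpoint_decision(path, cookie):
    """Endpoint check: authenticate the cookie, then authorize by role."""
    if path.startswith(ADMIN_PREFIX) and verified_role(cookie) != "administrator":
        return "block"
    return "allow"
```

A cookie with a made-up MAC passes `presence_only_decision` but is rejected by `endpoint_decision`, and a correctly signed subscriber cookie is authenticated yet still refused on the administrator-only path.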
Protecting Against Bad Bots and Hacker Attacks ::
The Pelstar Computer Systems Inc. WAF will protect your web application against the most common, yet most complex, cyber attacks and cyber threats, such as a “privilege escalation attack”, or rather an internal attack, where an attacker who already has low-level authentication may use it to gain a higher level of authority.
To protect against internal cyber attacks from within your CMS, you need to know whether a user is signed in and what access they have. If you don’t have authorization information, you will not be able to tell whether a subscriber-level user is trying to perform an admin function, or whether a real administrator is making the same request from within the CMS itself, such as the admin section or back end.
Pelstar Computer Systems Inc. has extensive knowledge of the systems we are protecting. Thus, we can easily make way better WAF decisions, with no third parties involved, which will make you way more secure in the long run. There will be no pesky plugins to worry about anymore, and no configuration will be needed on your end, since it’s a Managed Security Service that we provide and also manage for you.
In closing ::
Expert cybersecurity decision-making requires the best WAF, not a pesky vulnerable plugin. By protecting against cyber attacks at the endpoint level, you can make way better informed decisions about who should get access to your web application or website, and who should be denied access altogether. With better Managed Security, you can also benefit from a more “user friendly” web application and a faster-loading web app and CMS. That is why Pelstar Computer Systems Inc. protects against attacks at the endpoint level and without any pesky vulnerable plugins.
So why not give the experts at Pelstar Computer Systems Inc. a call to learn more about how we can help protect your website or web app from pesky hackers, scanners, bots, etc.