Announcement of Airlock WAF 6

The new major release Airlock WAF 6 takes a giant step forward in protection of modern web applications and manageability!

Airlock WAF 6 was published on March 24, 2016 and is available for download on our customer portal Techzone.

Protection of Modern Web Applications

Airlock WAF 6 takes off the gloves when it comes to protection of modern web applications. Firstly, it adds support for the WebSocket protocol and therefore brings the benefits of central upstream authentication and a reverse proxy architecture to applications using WebSockets. Moreover, Airlock WAF 6 revisits successful dynamic whitelisting concepts and adapts them to next generation technologies. Read more below on how the new CSRF tokens protect AJAX applications and how REST APIs are protected by Dynamic Value Endorsement.

Manageability and Ease of Use

Airlock WAF 6 comes with a brand-new learning mode that automatically generates policy suggestions. With a single click, policy changes can be accepted - individually or all at once. In addition, Airlock WAF 6 allows troubleshooting of encrypted connections and completely integrates back-side Kerberos SSO. Installing and maintaining the additional Kerberos Agent component is no longer necessary, which greatly simplifies Kerberos SSO setups.

Policy Learning

The new learning mode of Airlock WAF 6 greatly simplifies integration and operation of applications through Airlock WAF. The WAF analyses blocked requests and automatically generates suggestions for policy changes. In a central dashboard, administrators find an overview of events and suggested configuration modifications. With a single click, policy changes can be accepted individually or all at once, e.g., if the traffic source is trusted.

WebSocket Support

The WebSocket protocol is negotiated over an HTTP upgrade handshake and allows persistent bidirectional connections between a web server and a web client. Airlock WAF 6 adds support for WebSocket as the protocol is gradually being adopted by modern web frameworks. Applications using WebSocket now profit from the security benefits of a reverse proxy architecture, Airlock WAF's secure session management, and central upstream authentication.

CSRF Tokens

Airlock WAF has always offered comprehensive CSRF/XSRF protection by encrypting URLs. However, with the advent of dynamic JavaScript applications, URLs are sometimes assembled dynamically on the web client and missed by URL encryption. The support for JavaScript CSRF tokens added in Airlock WAF 6 complements its CSRF protection features and is designed to work with dynamic AJAX applications.
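To make the gap between the two mechanisms concrete, here is an added model (not Airlock code, and not a description of Airlock's internals) of a reverse proxy that rewrites server-delivered URLs into opaque ids and, for URLs it never handed out, falls back to a per-session token that client-side JavaScript sends in a request header. The header name `X-CSRF-Token`, the session class and the sample URLs are assumptions made for this illustration:

```python
"""Model of two complementary CSRF defences in a reverse proxy:
URL encryption (only URLs seen in a response can be rewritten) and a
per-session token for URLs that client-side JavaScript assembles itself.
Added example; not code from Airlock WAF."""
import hmac
import secrets
from typing import Dict, Iterable, Optional

TOKEN_HEADER = "X-CSRF-Token"  # assumed header name used by the client's JavaScript


class CsrfSession:
    """Per-client state the proxy keeps: a random token and the URL map."""

    def __init__(self) -> None:
        self.token = secrets.token_urlsafe(32)      # unguessable, one per session
        self.encrypted_urls: Dict[str, str] = {}    # opaque id -> real URL


def encrypt_urls(session: CsrfSession, html_urls: Iterable[str]) -> Dict[str, str]:
    """Rewrite every URL found in server-delivered HTML into an opaque id.
    Returns real URL -> opaque id so the caller can see what the browser gets."""
    rewritten: Dict[str, str] = {}
    for real in html_urls:
        opaque = secrets.token_hex(8)
        session.encrypted_urls[opaque] = real
        rewritten[real] = opaque
    return rewritten


def url_encryption_check(session: CsrfSession, requested: str) -> Optional[str]:
    """Resolve a request path to the real URL if it is a known opaque id.
    A URL assembled in the browser was never rewritten, so it resolves to None."""
    return session.encrypted_urls.get(requested)


def token_check(session: CsrfSession, headers: Dict[str, str]) -> bool:
    """Validate the JavaScript-supplied token with a constant-time comparison."""
    presented = headers.get(TOKEN_HEADER)
    return presented is not None and hmac.compare_digest(presented, session.token)


def admit(session: CsrfSession, method: str, requested: str,
          headers: Dict[str, str]) -> bool:
    """Policy of this model: a request passes if its URL was handed out through
    URL encryption, or otherwise if it carries a valid session token.
    A forged cross-site request knows neither the opaque ids nor the token."""
    if url_encryption_check(session, requested) is not None:
        return True
    return token_check(session, headers)


def demo() -> Dict[str, bool]:
    """Walk through the cases the text describes and report each verdict."""
    session = CsrfSession()
    # Constructed sample: the server's HTML links to /accounts, which gets rewritten.
    links = encrypt_urls(session, ["/accounts"])
    # Constructed sample: the page's JavaScript builds this URL at run time.
    dynamic_url = "/api/accounts/CH11-0001/transfer"
    return {
        "encrypted_link": admit(session, "GET", links["/accounts"], {}),
        "dynamic_with_token": admit(session, "POST", dynamic_url,
                                    {TOKEN_HEADER: session.token}),
        "dynamic_without_token": admit(session, "POST", dynamic_url, {}),
        "dynamic_wrong_token": admit(session, "POST", dynamic_url,
                                     {TOKEN_HEADER: "guess"}),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {'pass' if verdict else 'blocked'}")
```

The point of the model is the last three cases: the dynamically built URL is invisible to URL encryption, so without the token any cross-site POST to it would go through, and with the token only requests issued by the application's own JavaScript (which can read the token) are admitted.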

Integrated Back-side Kerberos SSO

In Microsoft environments, Kerberos is a popular Single Sign-on technology. In combination with Airlock IAM, Airlock WAF supports transparent generation and propagation of Kerberos tickets on behalf of the user, leading to a seamless access experience. Back-side Kerberos SSO has been completely redesigned in Airlock WAF 6. Instead of relying on a separate Kerberos agent in the Windows domain, Kerberos SSO functionality is now fully integrated in Airlock WAF and is configured easily from the Configuration Center.

Dynamic Value Endorsement (DyVE)

Airlock WAF has a longstanding tradition of promoting dynamic whitelisting technologies, including URL encryption, the cookie store, smart HTML form protection, or ADAPS. The common goal behind these approaches is to infer implicit application APIs and to automatically enforce proper usage by clients, without the need for cumbersome manual WAF configuration.

With the shift towards less standardized technologies, such as JSON or REST, implicit APIs become rare. To overcome these limitations, Airlock WAF 6 offers a new feature called Dynamic Value Endorsement (DyVE). Using DyVE, it is possible to scan JSON objects delivered by back-ends and to dynamically endorse values of selected attributes within a session's scope. Parameters or JSON attributes of subsequent requests (e.g., REST API calls) can then be matched against previously endorsed values. As a simple example, consider online banking transactions. Using DyVE, it is possible for Airlock WAF to enforce the policy that submitted transactions may only debit accounts previously offered by the banking server.
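The banking example above, worked through as an added model of session-scoped value endorsement (not Airlock's implementation or configuration format): a back-end JSON response is scanned for selected attributes, their values are endorsed for the session, and later request parameters or JSON attributes are matched against those values. The attribute names `accountId` and `debitAccount`, the rule tables and the sample messages are constructed for this illustration:

```python
"""Session-scoped dynamic value endorsement, modelled for a JSON/REST API.
Added example; not Airlock WAF code and not its policy syntax."""
import json
from typing import Any, Dict, List, Set, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed policy: which back-end response attributes get endorsed ...
ENDORSE_ATTRIBUTES = {"accountId"}
# ... and which request parameters/attributes must match which endorsed attribute.
CHECK_RULES = {"debitAccount": "accountId"}


def collect(obj: Any, wanted: Set[str], out: Dict[str, Set[str]]) -> None:
    """Walk a decoded JSON value (nested objects and arrays) and gather the
    string/number values of the wanted keys, normalised to strings."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            if (key in wanted and isinstance(value, (str, int))
                    and not isinstance(value, bool)):
                out.setdefault(key, set()).add(str(value))
            collect(value, wanted, out)
    elif isinstance(obj, list):
        for item in obj:
            collect(item, wanted, out)


class DyveSession:
    """Endorsed values live only inside one client session."""

    def __init__(self) -> None:
        self.endorsed: Dict[str, Set[str]] = {}


def endorse_response(session: DyveSession, body: str) -> Dict[str, List[str]]:
    """Scan a back-end JSON response and endorse selected attribute values."""
    collect(json.loads(body), ENDORSE_ATTRIBUTES, session.endorsed)
    return {key: sorted(values) for key, values in session.endorsed.items()}


def check_request(session: DyveSession, url: str,
                  body: str = "") -> List[Tuple[str, str]]:
    """Return (parameter, value) pairs the client submitted, in the query
    string or the JSON body, that were never endorsed in this session.
    An empty list means the request matches the policy."""
    submitted: Dict[str, Set[str]] = {}
    for name, values in parse_qs(urlsplit(url).query).items():
        if name in CHECK_RULES:
            submitted.setdefault(name, set()).update(values)
    if body:
        collect(json.loads(body), set(CHECK_RULES), submitted)
    violations: List[Tuple[str, str]] = []
    for name, values in submitted.items():
        allowed = session.endorsed.get(CHECK_RULES[name], set())
        violations.extend((name, v) for v in sorted(values) if v not in allowed)
    return violations


if __name__ == "__main__":
    session = DyveSession()
    # Constructed sample: the banking server lists the user's own accounts.
    endorse_response(session, json.dumps({"accounts": [
        {"accountId": "CH11-0001", "balance": 100},
        {"accountId": "CH11-0002", "balance": 5},
    ]}))
    # A transaction debiting an offered account passes; any other account is flagged.
    print(check_request(session, "/api/transactions",
                        '{"debitAccount": "CH11-0001", "amount": 50}'))
    print(check_request(session, "/api/transactions",
                        '{"debitAccount": "CH11-0099", "amount": 50}'))
```

Because the endorsed set is attached to the session, a second session that never received the account list has nothing endorsed and every submitted account is flagged; no static whitelist of account numbers has to be configured on the proxy.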

Troubleshooting Encrypted Connections

Connection issues with SSL/TLS often evade troubleshooting attempts. Since root-cause analysis is impossible on encrypted traffic, encryption must be removed for debugging. This often implies adapting firewall rules or access policies (e.g., if client certificates are used). In addition, removal of SSL/TLS may implicitly resolve the issue under observation as a side effect. Airlock WAF 6 adds on-board tools for debugging encrypted connections both on the client side and towards back-ends.

Support for OCSP and OCSP Stapling

The security of SSL/TLS relies on the trustworthiness of certificates. OCSP (Online Certificate Status Protocol) is designed to overcome shortcomings of certificate revocation lists (CRLs) and allows interactive verification of server and client certificates at the issuing CA. With OCSP stapling, the load on the PKI infrastructure is reduced because the server attaches a signed OCSP response to its certificate in the TLS handshake, so clients need not query the CA themselves. OCSP is supported by an increasing number of browsers and improves the overall security of SSL/TLS.