Airlock WAF 7.3
Airlock WAF 7.3 brings bot detection and management functionality, advanced API gateway features, and better cloud support. In addition, an independent security level for logging has been introduced, which greatly simplifies the integration of deny rules.
Bot Detection and Blacklisting
Malicious bots can now be detected and blocked in two different ways based on their behavior.
First, Airlock maintains an internal dynamic IP blacklist. IP addresses are blacklisted if too much malicious activity emanates from them within a configurable time window. The IPs remain on the blacklist for a certain time and are blocked accordingly. This slows down automated tools such as sqlmap and renders them unusable in practice.
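As an added illustration of the mechanism described above (not Airlock's code), a sliding-window blacklist run over a constructed sequence of WAF events; the threshold, window and block duration are assumed values, since the release notes only state that they are configurable.

```python
from collections import defaultdict, deque

# Constructed sample of WAF events: (timestamp_s, client_ip, deny_rule_hit).
SAMPLE_EVENTS = [
    (0, "198.51.100.7", True),
    (1, "198.51.100.7", True),
    (2, "203.0.113.9", False),
    (2, "198.51.100.7", True),    # third hit within 10 s: IP gets blacklisted
    (3, "198.51.100.7", False),   # benign request, but the IP is now blocked
    (50, "198.51.100.7", False),  # still inside the 60 s block time
    (70, "198.51.100.7", False),  # block expired, request passes again
]

class DynamicIpBlacklist:
    """Sliding-window count of deny-rule hits per IP, with a timed block."""
    def __init__(self, threshold=3, window_s=10.0, block_s=60.0):
        self.threshold = threshold          # assumed: hits needed to blacklist
        self.window_s = window_s            # assumed: observation window
        self.block_s = block_s              # assumed: how long the block lasts
        self.hits = defaultdict(deque)      # ip -> timestamps of deny-rule hits
        self.blocked_until = {}             # ip -> block expiry timestamp

    def is_blocked(self, ip, now):
        expiry = self.blocked_until.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blocked_until[ip]      # block has lapsed, forget it
            return False
        return True

    def record_hit(self, ip, now):
        """Register one malicious request; return True if the IP is now blacklisted."""
        q = self.hits[ip]
        q.append(now)
        while q and now - q[0] > self.window_s:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked_until[ip] = now + self.block_s
            q.clear()
            return True
        return False

def process(events, bl=None):
    """Per-request decision: 'blacklisted', 'denied' (rule hit) or 'allowed'."""
    bl = DynamicIpBlacklist() if bl is None else bl
    decisions = []
    for ts, ip, malicious in events:
        if bl.is_blocked(ip, ts):
            decisions.append("blacklisted")
        elif malicious:
            bl.record_hit(ip, ts)
            decisions.append("denied")
        else:
            decisions.append("allowed")
    return decisions
```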
Second, HTTP clients may be required to support cookie handling. This excludes many automated scripts and botnet clients that scan the Internet for vulnerabilities at scale. Of course you want to allow good bots, such as search engines. Good bots can be recognized by their user agent and, via IP reverse lookup, also by their network domain.
These features complement the Webroot Threat Intelligence feeds introduced in 7.2, which allow globally active and known botnet clients to be blocked based on their IP addresses.
The Airlock API Gateway extracts IDs of technical API clients, such as mobile apps or SPAs, from JSON Web Tokens (JWT). These client IDs are written to the log for all relevant actions, allowing extensive analysis and dynamic visualization of API client statistics and API usage. Security-relevant events can be traced back to the corresponding clients.
Furthermore, deny rule support for path parameters has been improved. REST APIs often use individual path segments to receive parameters. Instead of checking the entire path as before, Airlock now treats each path segment as a single parameter. This improves the accuracy of deny rules for REST APIs.
Airlock's cloud support has been significantly enhanced. The Airlock Cloud Image is now compatible with Azure in addition to AWS and Google GCP. An official Airlock WAF 7.3 image will be available in the GCP marketplace shortly. This allows instantiation of Airlock in a public cloud with just a few clicks. Existing licenses can be used for operation in the Google cloud (BYOL).
In addition, Airlock's REST API has been extended by various endpoints for simpler cloud operation. New endpoints are available for the administration of nodes, routes, network services, licenses and session settings. The status of back-end hosts is accessible via REST API as well.
Simplified Security Level Integration
The security levels basic, standard and strict allow an easy and fast selection of the desired security settings. Two levels are now available for each deny rule group: one level is used for enforcement, i.e., requests are actually blocked when the rules hit. The other level is used for additional logging only. This allows a security level to be tested and integrated with policy learning before it is used for enforcement. A typical use case is the replacement of old legacy rules by the new security levels. Also, a possible upgrade from basic or standard to strict can now be easily tested and prepared without affecting the running application.
There are many other improvements in the new release, such as support for SNMPv3, easy configuration of HTTP and JSON limits in the GUI, mapping templates for Exchange 2019 and Sharepoint 2019, support for Kerberos cross-domain scenarios and a major upgrade of Elasticsearch and Kibana.