Cloud Application and Network Security 5-4-2022
Website Protection
At the core of Imperva’s Web Protection are our security reverse proxy and Web Application Firewall (WAF) in the
cloud, which are deployed across our globally distributed CDN network. Organizations using Web Protection route
their website traffic through the Imperva network by performing a simple DNS change. This enables Imperva to
inspect each and every request sent to the website and filter out any kind of malicious activity.
Benefits
• PCI certified Web Application Firewall
• Service is backed by Imperva’s security team for updating and tuning security rules
• Easy and quick implementation - usually no rule tuning is required
• Bot mitigation using Imperva’s advanced client classification technology
• Backdoor Protection to identify and quarantine backdoors planted on your website
• Custom security logic using security rules
• Granular access controls based on IPs, URLs, location and client type
• Seamless implementation of two-factor authentication
• Real-time dashboard for traffic monitoring and event analysis
• REST API and SIEM integration of access and security logs
How Does Web Protection Work?
Imperva’s Web Protection is based on a network of secure reverse proxies deployed on our globally distributed
CDN. Web traffic that is routed through the Imperva network is terminated by those proxies, allowing Imperva to
inspect each and every request to the website and identify and block any malicious activity.
Organizations using Web Protection update their domain DNS to point to a unique hostname (CNAME) provided by
Imperva (e.g., mysite.incapdns.net). This hostname is dynamically resolved for every website visitor, making sure
each visitor is served by the closest Imperva data center.
Imperva’s secure proxy and Web Application Firewall (WAF) inspect every request at three levels: the connection level,
the request format and structure level, and the content level. The WAF matches the HTTP/S requests against a set of
security engines, known attack patterns, heuristic rules, anomaly detection and known "good" patterns. Each visitor
is also profiled and matched against a large set of known client signatures. These components allow Imperva to
automatically filter out bad actors and enable organizations to define their access policy for bots.
Imperva's reverse proxies include over 50 patterns used to recognize personally identifiable information (PII) such as
credit card numbers, email addresses, or phone numbers.
Imperva reverse proxies analyze incoming requests and search for data that matches these patterns. When a match is
found, we immediately perform irreversible masking in memory (RAM), in real-time. Logs generated in the proxy use
the masked data. This mechanism ensures that personal data is never written to disk.
These patterns are fully configurable and can be enhanced per customer, per website. Our customers can expand the
list of patterns as needed to cover additional information that they consider to be sensitive.
The current pattern definitions, and the ability to add new patterns, are configured by Support.
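The mask-before-log behavior described above, as an added example (not Imperva code and not Imperva's pattern set): card-like numbers are masked only when they pass a Luhn check, emails are masked whole, and the log record is built from the masked text only. The regexes, the `extra_patterns` parameter and the sample request body are assumptions constructed for illustration; phone numbers are not covered.

```python
import re

MASK = "*"
# Illustrative patterns only; the page does not publish the real ones.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")

def luhn_ok(digits):
    """Luhn checksum, so order IDs and other long numbers are left alone."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def _mask_card(match):
    digits = re.sub(r"\D", "", match.group())
    if not luhn_ok(digits):
        return match.group()    # not a plausible card number, keep as is
    return re.sub(r"\d", MASK, match.group())  # keep separators, drop digits

def mask_pii(text, extra_patterns=()):
    """Irreversibly replace matches; nothing of the original value is kept."""
    text = CARD_RE.sub(_mask_card, text)
    text = EMAIL_RE.sub(lambda m: MASK * len(m.group()), text)
    for pattern in extra_patterns:   # hypothetical per-site additions
        text = re.sub(pattern, lambda m: MASK * len(m.group()), text)
    return text

def log_line(method, path, body, extra_patterns=()):
    """Build the log record from masked data only."""
    return f"{method} {path} body={mask_pii(body, extra_patterns)}"

if __name__ == "__main__":
    # Constructed request body: a test card number, an email, an order ID.
    sample = ("card=4111-1111-1111-1111&email=alice@example.com"
              "&order=1234567890123456")
    print(log_line("POST", "/checkout", sample))
```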
DDoS Mitigation
Websites using Imperva DDoS Protection are protected from any type of DDoS attack, including both network (Layer 3
and 4) and application (Layer 7) attacks. Imperva’s secure HTTP proxy terminates TCP connections, acting as a buffer
between the Internet and the origin server and filtering out any kind of DDoS attack, such as SYN floods and UDP
floods. Only legitimate TCP sessions are forwarded to the origin server.
Layer 7 DDoS attacks are mitigated by a dedicated engine that can distinguish between legitimate visitors and DDoS
bots. This engine leverages Imperva’s client classification technology, as well as unique capabilities to challenge
suspected visitors and verify their authenticity, without impacting the website's normal user experience.
Imperva Web Protection is backed up by a team of security experts who are responsible for keeping the Web
Application Firewall and other security engines up to date and accurate. The research team monitors external sources
such as new vulnerability disclosures and analyzes all traffic going through Imperva. Any new attack identified on the
network is automatically analyzed, and new mitigation rules are propagated to all Web Protection customers. All rules
go through a vetting phase in which they are deployed across the network but only generate alerts. Those alerts are
analyzed by the security team and, if required, adjustments are made to make sure that new rules do not create false
positives.
Deployment
Websites that support SSL are required to provision an SSL certificate on Imperva. Imperva maintains two types of
certificates. The first is an Imperva-generated certificate that can be automatically created and integrated using the
new site wizard. Organizations using Web Protection can also upload their own certificate, which will be presented to
SNI-supporting clients instead of the Imperva-generated certificate. See Web Protection - SSL/TLS for more
information.
Web Protection can be deployed as an always-on solution (the most common scenario) or as an on-demand solution
for DDoS mitigation.
Traffic Flow
Understand the behind-the-scenes flow of an end user visit to a website protected by Imperva’s Web Protection.
Without Imperva:
1. A visitor opens a web browser and types in your website’s URL (for example, http://www.yourdomain.com).
2. The web browser queries its DNS server for the IP address associated with www.yourdomain.com and receives
your origin server IP address.
3. The web browser sends requests to the origin server IP address, which are routed through the Internet to your
ISP or hosting provider.
With Imperva:
1. A visitor opens a web browser and types in your website’s URL (for example, http://www.yourdomain.com).
2. The web browser queries its DNS server for the IP address associated with www.yourdomain.com and receives
the Imperva CNAME you configured in your DNS (for example, yourdomain.incapdns.net).
3. The web browser queries its DNS server for the IP address associated with yourdomain.incapdns.net and
receives the IP address of the nearest Imperva data center.
4. The web browser sends requests for http://www.yourdomain.com to the IP address of the nearest Imperva data
center.
5. The request is accepted by the Imperva secure proxy and inspected for any security risk.
6. If the request does not pose any threat, it is either responded to directly from Imperva’s cache or forwarded to
the origin server (if the resource is dynamic and cannot be cached).
7. Responses from the origin server are accepted by the Imperva secure proxy and then forwarded back to the
visitor’s web browser.
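A check of the DNS steps in the flow above, as an added example (not Imperva code): it follows the CNAME chain for each hostname and reports whether a visitor would be sent to the proxy or straight to the origin server. The zone records, IP addresses and function names are constructed for illustration; only the incapdns.net suffix comes from the page.

```python
PROXY_SUFFIX = ".incapdns.net"   # CNAME suffix used in the page's examples

# Constructed DNS data (documentation IP ranges), not real lookups.
SAMPLE_ZONE = {
    "www.yourdomain.com": ("CNAME", "yourdomain.incapdns.net"),
    "yourdomain.incapdns.net": ("A", "198.51.100.10"),  # stands in for a data center
    "shop.yourdomain.com": ("A", "203.0.113.25"),       # never switched over
    "loop.yourdomain.com": ("CNAME", "loop.yourdomain.com"),
}
ORIGIN_IPS = {"203.0.113.25"}    # assumed origin server address

def _norm(name):
    return name.lower().rstrip(".")

def resolve_chain(name, zone, max_hops=8):
    """Follow CNAME records; return (names visited, final IP or None)."""
    chain = [_norm(name)]
    for _ in range(max_hops):
        record = zone.get(chain[-1])
        if record is None:
            return chain, None           # no such name
        rtype, value = record
        if rtype == "A":
            return chain, value
        chain.append(_norm(value))       # CNAME: keep following
    return chain, None                   # loop or over-long chain

def classify(name, zone=SAMPLE_ZONE, origin_ips=ORIGIN_IPS):
    """Say which of the two traffic flows a visitor to `name` would follow."""
    chain, ip = resolve_chain(name, zone)
    if ip is None:
        return "unresolved"
    if ip in origin_ips:
        return "direct-to-origin"        # requests skip the proxy entirely
    if any(hop.endswith(PROXY_SUFFIX) for hop in chain[1:]):
        return "via-proxy"
    return "unknown-target"

if __name__ == "__main__":
    for host in ("www.yourdomain.com", "shop.yourdomain.com",
                 "loop.yourdomain.com"):
        print(host, "->", classify(host))
```

Run against every hostname in the zone, a check like this flags names that were left pointing at the origin after onboarding.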