Trusted Knight Cloud DMZ


Cloud-DMZ mitigates layer 3, 4 and 7 DDoS attacks and prevents exploitation of application vulnerabilities in the components it replicates. It also acts as a CDN, offloading traffic to the cloud and accelerating the web application.

Conventional DDoS and WAF solutions are not aware of the application’s functionality. Therefore, they frequently block legitimate users, require overwhelming maintenance, and cannot keep up with agile development.

Unlike conventional solutions, Cloud-DMZ actively scans your application, learns its functionality and protects it by evaluating each incoming request in the context of the function it targets. As a result it can accurately tell legitimate traffic from malicious traffic without blocking legitimate users. By replicating web application components to the cloud, Cloud-DMZ removes up to 99% of the attack surface and dramatically simplifies maintenance. It continuously synchronizes with the application so that releases stay agile and secure, and security becomes part of the DevOps process.

The Context-Aware Security Lifecycle:

1. Active Learning

An Active Learning Engine rapidly scans the protected web application and learns its functionality by emulating a user. The scan typically completes within hours, replacing the conventional learning mode required by WAFs and application-layer DDoS protection solutions, which can take months to complete.

The outcomes of the active learning process are:

  • A mapping of the Deterministic Components: pages and resources whose responses can be pre-generated and therefore removed from the attack surface. Cloud-DMZ scanning algorithms can map and pre-generate up to 99% of the application, including complex, dynamic content.
  • A mapping of the Business Logic Components, such as search boxes and login forms, whose responses depend on user input. For these, Cloud-DMZ generates a customized security policy that validates each incoming request against the legitimate functionality of the component it targets.

2. Replication and Security Policy Creation

Cloud-DMZ generates a cloud-based replica of the Deterministic Components. Incoming traffic for these components is served statically by the Replica and never reaches the original web application or any back-end system. Because the replicated components are no longer executed in response to external requests, vulnerabilities in them cannot be exploited from the outside: up to 99% of the application is removed from the attack surface. This covers not only application-level vulnerabilities but also CMS, third-party plugin and web server vulnerabilities in the replicated components. The remaining Business Logic Components are the only part that still receives external input; they are protected by the contextual security policy, which needs only a handful of rules rather than the thousands in a conventional WAF.

3. Context Aware Defense

Requests to the web application are served by Cloud-DMZ, which extends the organization's secure perimeter to the cloud.

Cloud-DMZ handles each request according to its context:

  • Legitimate requests to Deterministic Components (up to 99% of potential requests) are served statically by the Cloud Replica Grid and require no back-end processing or any interaction with the original web servers, CMS or database.
  • Malicious or unexpected requests to Deterministic Components are not served at all, because the Replica Grid only serves requests that were mapped and pre-generated during the Active Learning phase.
  • Requests to Business Logic Components are validated by the customized security policy and by additional security measures. Requests that violate the policy are blocked, and only clean traffic is allowed to reach the original application.
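The dispatch logic described in the three bullets above, as an added illustrative model written for this page; it is not Cloud-DMZ's own code, and the replica table, the policy rules, the endpoint names and the origin stub are all constructed for the example. It shows the three outcomes: a mapped request answered from the replica, an unmapped request refused without ever touching the origin, and a business-logic request that is either validated and forwarded or blocked by the per-endpoint policy.

```python
"""Illustrative model of context-aware request dispatch (constructed example)."""
import posixpath
import re
from dataclasses import dataclass
from typing import Callable, Dict, Tuple
from urllib.parse import parse_qsl, urlsplit

# A mapped request is identified by method, normalized path and the exact,
# sorted query pairs seen during learning. Anything else is "unmapped".
Key = Tuple[str, str, Tuple[Tuple[str, str], ...]]

# Constructed output of the "active learning" phase: deterministic components
# whose responses were pre-generated and can be served without the origin.
REPLICA: Dict[Key, Tuple[int, str]] = {
    ("GET", "/", ()): (200, "<html>home</html>"),
    ("GET", "/about", ()): (200, "<html>about</html>"),
    ("GET", "/static/app.css", ()): (200, "body{margin:0}"),
}


@dataclass
class Rule:
    """Allow-list policy for one business-logic endpoint (constructed)."""
    params: Dict[str, "re.Pattern[str]"]  # every accepted parameter and its shape
    max_body: int                         # upper bound on request body size


# Constructed contextual policy: only these endpoints may ever reach the origin,
# and only with the parameters listed here.
POLICY: Dict[Tuple[str, str], Rule] = {
    ("GET", "/search"): Rule({"q": re.compile(r"[\w \-]{1,80}")}, 0),
    ("POST", "/login"): Rule({"user": re.compile(r"[A-Za-z0-9._@-]{1,64}"),
                              "pw": re.compile(r".{1,128}")}, 1024),
}


@dataclass
class Decision:
    action: str   # "replica", "forward" or "block"
    reason: str
    status: int
    body: str = ""


def _normalize(method: str, url: str) -> Key:
    """Canonicalize the request so path tricks like /a/../b cannot dodge the map."""
    parts = urlsplit(url)
    path = posixpath.normpath(parts.path or "/")
    query = tuple(sorted(parse_qsl(parts.query, keep_blank_values=True)))
    return (method.upper(), path, query)


def _demo_origin(method: str, path: str, body: str) -> Tuple[int, str]:
    """Stand-in for the protected application (constructed)."""
    return 200, f"origin handled {method} {path}"


def dispatch(method: str, url: str, body: str = "",
             origin: Callable[[str, str, str], Tuple[int, str]] = _demo_origin) -> Decision:
    m, path, query = _normalize(method, url)

    # 1. Mapped deterministic component: answer from the replica, origin untouched.
    if (m, path, query) in REPLICA:
        status, content = REPLICA[(m, path, query)]
        return Decision("replica", "mapped deterministic component", status, content)

    # 2. Not pre-generated and not a known business-logic endpoint: never forwarded.
    rule = POLICY.get((m, path))
    if rule is None:
        return Decision("block", "unmapped request", 404)

    # 3. Business-logic component: validate every parameter against the policy.
    if len(body) > rule.max_body:
        return Decision("block", "body exceeds policy limit", 413)
    body_pairs = parse_qsl(body, keep_blank_values=True) if body else []
    for name, value in list(query) + body_pairs:   # repeated keys are each checked
        pattern = rule.params.get(name)
        if pattern is None:
            return Decision("block", f"unexpected parameter {name!r}", 403)
        if not pattern.fullmatch(value):
            return Decision("block", f"parameter {name!r} violates policy", 403)

    status, content = origin(m, path, body)
    return Decision("forward", "validated business-logic request", status, content)


if __name__ == "__main__":
    for req in [("GET", "/about", ""), ("GET", "/about?id=1'%20OR%201=1", ""),
                ("GET", "/static/../admin", ""), ("GET", "/search?q=cloud%20dmz", ""),
                ("GET", "/search?q=%27%20OR%201%3D1--", ""),
                ("POST", "/login", "user=alice&pw=s3cret"),
                ("POST", "/login", "user=alice&pw=x&debug=1")]:
        d = dispatch(*req)
        print(f"{req[0]} {req[1]} {req[2]!r}: {d.action} ({d.reason}, {d.status})")
```

The point of the model is the ordering: the replica lookup is an exact match on what was learned, so a deterministic page requested with an extra query string is refused rather than proxied, and the policy branch is an allow-list, so an endpoint or parameter the learning phase never saw is blocked before any origin call. A real deployment would of course key the replica on content that is actually static and keep the origin call out of the hot path for everything else.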


CONTINUOUS SECURITY SYNCHRONIZATION

The Active Learning Engine continuously and automatically rescans the protected application and updates the replica and security policies to reflect changes to the application. Unlike Web Application Firewalls, whose rule sets must be re-tuned whenever the application changes and so slow down release cycles, the Active Learning approach supports agile development and continuous integration and release. Deployments are dramatically accelerated and teams are free to innovate rapidly.