Web Protection – Introduction
Incapsula’s Web Protection is a 100% cloud-based solution for protecting websites and applications from external threats, including OWASP Top 10 threats, hacking attempts, malicious bots, scraping, and DDoS attacks.
At the core of Incapsula’s Web Protection are our security reverse proxy and Web Application Firewall (WAF) in the cloud, which are deployed across our globally distributed CDN network. Organizations using Web Protection route their website traffic through the Incapsula network by performing a simple DNS change. This enables Incapsula to inspect each and every request sent to the website and filter out any kind of malicious activity.
- PCI certified Web Application Firewall
- Service is backed by Incapsula’s security team for updating and tuning security rules
- Easy and quick implementation - usually no rule tuning is required
- Bot mitigation using Incapsula’s advanced client classification technology
- Backdoor Protection to identify and quarantine backdoors planted on your website
- Custom security logic using security rules
- Granular access controls based on IPs, URLs, location and client type
- Seamless implementation of two-factor authentication
- Real-time dashboard for traffic monitoring and event analysis
- REST API and SIEM integration of access and security logs
Incapsula’s Web Protection is based on a network of secure reverse proxies deployed on our globally distributed CDN. Web traffic that is routed through the Incapsula network is terminated by those proxies, allowing Incapsula to inspect each and every request to the website and identify and block any malicious activity.
Organizations using Web Protection update their domain DNS to point to a unique hostname (CNAME) provided by Incapsula (e.g., mysite.incapdns.net). This hostname is dynamically resolved for every website visitor, making sure each visitor is served by the closest Incapsula data center.
Incapsula’s secure proxy and Web Application Firewall (WAF) inspect every request at three levels: the connection level, the request format and structure level, and the content level. The WAF matches the HTTP/S requests against a set of security engines, known attack patterns, heuristic rules, anomaly detection and known "good" patterns. Each visitor is also profiled and matched against a large set of known client signatures. These components allow Incapsula to automatically filter out bad actors and enable organizations to define their access policy for bots.
Personal Data Protection
Incapsula's reverse proxies include over 50 patterns used to recognize personally identifiable information (PII) such as credit card numbers, email addresses, or phone numbers.
Incapsula reverse proxies analyze incoming requests and search for data that matches these patterns. When a match is found, we immediately perform irreversible masking in memory (RAM), in real-time. Logs generated in the proxy use the masked data. This mechanism ensures that personal data is never written to disk.
These patterns are fully configurable and can be enhanced per customer, per website. Our customers can expand the list of patterns as needed to cover additional information that they consider to be sensitive.
The current definition and the ability to add new patterns is configured by Support and is available to all Enterprise plan customers.
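The mask-before-log behavior described above, as an added sketch that is not Incapsula's code. The two patterns, the Luhn check used to cut false positives on long digit runs, and all function names are assumptions made for illustration; the sample request body is constructed.

```python
import re

# Constructed patterns for illustration; not Incapsula's actual pattern set.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: keeps order IDs and other digit runs from being masked."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask_card(m: re.Match) -> str:
    digits = re.sub(r"\D", "", m.group())
    if not luhn_ok(digits):
        return m.group()        # not a card number: leave untouched
    return "*" * len(digits)    # irreversible: no digit survives


def mask_pii(text: str) -> str:
    """Return a copy of text with matched PII replaced."""
    text = CARD_RE.sub(_mask_card, text)
    return EMAIL_RE.sub("[email-masked]", text)


def log_line(method: str, path: str, body: str) -> str:
    """Build the log record from masked data only; the raw body is never stored."""
    return f"{method} {path} body={mask_pii(body)}"


# Constructed sample request body (4111... is a standard test card number).
SAMPLE_BODY = ("card=4111 1111 1111 1111&email=alice@example.com"
               "&order=1234567890123456")

if __name__ == "__main__":
    print(log_line("POST", "/checkout", SAMPLE_BODY))
```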
Websites using Incapsula Web Protection are protected from any type of DDoS attack, including both network (Layer 3 and 4) and application (Layer 7) attacks. Incapsula’s secure HTTP proxy terminates TCP connections, acting as a buffer between the Internet and the origin server and filtering out any kind of DDoS attack, such as SYN floods and UDP floods. Only legitimate TCP sessions are forwarded to the origin server.
Layer 7 DDoS attacks are mitigated by a dedicated engine that can distinguish between legitimate visitors and DDoS bots. This engine leverages Incapsula’s client classification technology, as well as unique capabilities to challenge suspected visitors and verify their authenticity, without impacting the website's normal user experience.
Incapsula Web Protection is backed up by a team of security experts who are responsible for keeping the Web Application Firewall and other security engines up to date and accurate. The research team monitors external sources such as new vulnerability disclosures and analyzes all traffic going through Incapsula. Any new attack identified on the network is automatically analyzed, and new mitigation rules are propagated to all Web Protection customers. All rules go through a vetting phase in which they are deployed across the network but only generate alerts. Those alerts are analyzed by the security team and, if required, adjustments are made to make sure that new rules do not create false positives.
Websites that support SSL are required to provision an SSL certificate on Incapsula. Incapsula maintains two types of certificates. The first is an Incapsula-generated certificate that can be automatically created and integrated using the new site wizard. Organizations using Web Protection can also upload their own certificate, which will be presented to SNI-supporting clients instead of the Incapsula-generated certificate. See Web Protection - SSL/TLS for more information.
Web Protection can be deployed as an always-on solution (the most common scenario) or as an on-demand solution for DDoS mitigation.
Understand the behind-the-scenes flow of an end user visit to a website protected by Incapsula’s Web Protection.
Before Adding the Domain to Incapsula
- A visitor opens a web browser and types in your website’s URL (for example, http://www.yourdomain.com).
- The web browser queries its DNS server for the IP address associated with www.yourdomain.com and receives your origin server IP address.
- The web browser sends requests to the origin server IP address, which are routed through the Internet to your ISP or hosting provider.
After Adding the Domain to Incapsula
- A visitor opens a web browser and types in your website’s URL (for example, http://www.yourdomain.com).
- The web browser queries its DNS server for the IP address associated with www.yourdomain.com and receives the Incapsula CNAME you configured in your DNS (for example, yourdomain.incapdns.net).
- The web browser queries its DNS server for the IP address associated with yourdomain.incapdns.net and receives the IP address of the nearest Incapsula data center.
- The web browser sends requests for http://www.yourdomain.com to the IP address of the nearest Incapsula data center.
- The request is accepted by the Incapsula secure proxy and inspected for any security risk.
- If the request does not pose any threat, it is either responded to directly from Incapsula’s cache or forwarded to the origin server (if the resource is dynamic and cannot be cached).
- Responses from the origin server are accepted by the Incapsula secure proxy and then forwarded back to the visitor’s web browser.
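A deployment check for the two resolution flows above, as an added example that is not Incapsula tooling. It follows the CNAME chain and confirms that the site resolves through a name under incapdns.net, matching on a DNS label boundary. The record sets and IP addresses are constructed (documentation ranges), and the function names are hypothetical.

```python
PROXY_SUFFIX = "incapdns.net"   # suffix of the CNAME shown on this page


def under_suffix(name: str, suffix: str = PROXY_SUFFIX) -> bool:
    """True only on a label boundary, so 'incapdns.net.example.org'
    and 'notincapdns.net' do not pass."""
    name = name.rstrip(".").lower()
    return name == suffix or name.endswith("." + suffix)


def follow_chain(host: str, records: dict, max_hops: int = 8):
    """Follow CNAMEs in records ({name: (type, value)}) until an A record.
    Returns (names_visited, final_ip or None). max_hops stops CNAME loops."""
    chain, name = [], host.rstrip(".").lower()
    while name in records and len(chain) < max_hops:
        chain.append(name)
        rtype, value = records[name]
        if rtype == "A":
            return chain, value
        name = value.rstrip(".").lower()
    return chain, None


def routed_via_proxy(host: str, records: dict) -> bool:
    """True if host resolves to an IP through a CNAME under the proxy suffix."""
    chain, ip = follow_chain(host, records)
    return ip is not None and any(under_suffix(n) for n in chain[1:])


# Constructed record sets mirroring the "before" and "after" flows.
BEFORE = {"www.yourdomain.com": ("A", "192.0.2.10")}
AFTER = {
    "www.yourdomain.com": ("CNAME", "yourdomain.incapdns.net."),
    "yourdomain.incapdns.net": ("A", "198.51.100.20"),
}
# A CNAME that merely contains the suffix must not count as onboarded.
WRONG_TARGET = {
    "www.yourdomain.com": ("CNAME", "yourdomain.incapdns.net.example.org"),
    "yourdomain.incapdns.net.example.org": ("A", "203.0.113.5"),
}

if __name__ == "__main__":
    for label, recs in (("before", BEFORE), ("after", AFTER),
                        ("wrong target", WRONG_TARGET)):
        print(label, routed_via_proxy("www.yourdomain.com", recs))
```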