Recently having joined Check Point as a Cloud Product Manager, I thought it was about time I started to eat my own Dog Food. For those who have followed me, or read my blog over the years, know I am a big believer in eating my own dog food. Not only is it a good way to learn the products you are working with, but it is a great way to understand the capabilities (and pain points) when you use it with your own services. So with that in mind, I decided to try out Check Point Web Application Firewall as a Service (WAFaaS) offering, and use it to provide better protection for my WordPress blog. So if your successfully reading this article, it clearly works 😀
Lets start by understand what the Check Point WAFaaS is, and why it is a good offering for my WordPress deployment.
What Does WAF as a Service Do?
WAFaaS acts as an intermediary between web applications and their advanced users. It inspects inbound HTTP requests to the web application and can identify and block various types of malicious traffic before they reach a potentially vulnerable web application.
WAFaaS differs from other WAFs because it is offered as a service rather than a standalone solution.
This enables an organization to subscribe to the level of protection it needs and adapt quickly as business and security needs change.
Types of Attacks Web Application Firewall Protect Against
WAF as a Service solutions can protect against a wide variety of cyberattacks against web applications, including:
- SQL Injection (SQLi).
- Cross-Site Scripting (XSS).
- Malicious bots.
- Distributed Denial of Service (DDoS) attacks.
- Brute force password guessing attacks.
You can read more about the benefits, and capabilities on WAFaaS by following this link:
Challenges with WordPress
Now anyone who has used WordPress before, knows it has its security flaws. Most people who host and manage their own WordPress offering have experienced some issue in the past before. Whether it is a direct hack (which has happened to me) or DDoS attacks, these are regular issues for self hosted wordpress sites.
The main types of security threats WordPress sites face
- Malware and virus infections
- SQL injection attacks
- Cross-Site Scripting (XSS) attacks
- Cross-Site Request Forgery (CSRF) attacks
- Brute force attacks
- DDoS attacks
- Malicious redirects
- File inclusion attacks
Now if we compare that list with the list above, that shows what a basic Web Application Firewall does, we can see why using one would benefit a WordPress deployment. There are typically two types of WordPress deployment, and these are Hosted or Self-Hosted. I typically use self-hosted, using Amazon Lightsail to manage and deploy my own WordPress instances. Its a real simple and easy to use offering from AWS. Click a button, enter some details, and you have a WordPress instance ready to go.
WordPress instances in AWS
With Amazon Lightsail, you typically protect your instances using a traditional IPv4 or IPv6 firewall, blocking IP ports, and restricting to source IP addresses. For a web application like WordPress, this isn’t really enough. You have your usual HTTPS/443 port open to everywhere, otherwise what is the point of a blog site. This doesn’t keep your instance safe from custom injections or other bad activities that can occur.
Amazon Lightsail Networking & Security
Getting started with Check Point WAFaaS
The first step to deploy Check Point WAFaaS is to create an account using Check Point’s Infinity Portal (portal.checkpoint.com)
Checkpoint infinity portal
Now it is really easy to setup and deploy WAFaaS and I am not going to go into every step here, this is not a user guide, but you can start by clicking the Protect a Web Application, Select New Asset, and choose SaaS as the offering. You are given a 6 step wizard to complete everything you need to setup a WAF for your application.
Choose WAF – Web Application & API Security
Select – Protect a Web Application
Choose New Asset
Follow the 6 steps in the Wizard
Configuring your WAF to suit your application
Configure your Asset
Once you have your assets configured. You can make sure that all the policies are configured as required.
You have a number of options to configure, around Remote Code Execution, SQL Injection, Authentication and Authorization attacks, plus many more. You can of course just leave the defaults have very secure protection, but you may also want to add some custom rules and exceptions to the standard Threat Prevention.
For example, I know my Home IP is a trusted source IP, and I want to be able to do anything on my WordPress instance without blocking or protection in place. I trust myself, and if I am trying to destroy my own WordPress instance, then I guess I have a good reason for it :-). So I can add a condition to trust my source IP and accept everything from that IP.
Custom Rules and Exceptions
My favorite part of the WAFaaS offering is the ability to monitor my site, in granular details and find out what is attacking it. I was shocked when I first set this up, to discover just how many attempts are made on my site everyday. It is a wonder and amazing to consider it has survived this long without any threat prevention in place.
Monitoring and Threat Prevention statistics
Of course, you can drill down into these and discover in greater detail what is trying to attack your site, and what the Check Point WAF has done, whether that be monitor or prevent the event.
Threat prevention deep dive
Summary
Web Application Firewalls really do provide a next layer step in protecting WordPress deployments. People may think it is overkill, but believe me, the last thing anyone wants is their own blog to be hacked, or brought down by malicious hackers, or worse, the site be used for criminal activity without your knowledge.
Check Point has a lot of great content on how to protect assets using Web Application Firewalls, I would recommend you check it out, or even better, try out the Free Trial for 30 days and see how many threats and attacks are prevented on your site.
https://www.checkpoint.com/cyber-hub/cloud-security/what-is-web-application-firewall/
No comments yet.