Access to Applications Based on a « Driving License » Model
More and more countries are modifying their policies with a new “driving license” model.
With a classic license model, drivers can be caught frequently; they just have to pay a huge amount of money to the police each time.
Since this model has lot of limitations, it was changed to a “point-based model.” Either you begin with 0 points (and you increase it based on your “mistakes”) or your points decrease. Regardless of how the model works, you’re still allowed to drive if you have below a certain number of points on your license.
After being “bad” too many times, police will keep your driving license for a certain period. If this model is good for the security on roads, why wouldn’t we apply it to our application accesses?
[You might also like: WAFs Should Do A Lot More Against Current Threats Than Covering OWASP Top 10]
Accessing applications while sending attacks
Processing traffic (either good or bad) needs resources on all levels. One of the main problems faced by CISOs is detecting attacks without impacting legitimate clients. Of course, another aspect of the job responsibilities is to adapt the solution to the need (avoiding oversizing any security solution).
As security solutions have to handle both kinds of traffic, they have to be robust and sized for everything.
A problem can appear when you have a peak in traffic, and your bad traffic increases too. Hackers will try to identify the right moment to send bad traffic to you (usually during this peak), permitting them to be hidden in an easier way (as you have so much traffic, you can’t detect such small portion).
And also, some security solutions will bypass traffic when they’re full. So if by any chance you send an attack while a device is full, you will target the backend application directly without protection.
Going to the next step with a “score-based” license
As discussed previously, detecting and blocking attacks one by one can be very hard to handle and would consume a lot of resources. Instead of thinking that all clients are good even if they send attacks, the ideal WAF solution can adapt the “point-based driving license” to the application’s protection.
[You might also like: Security Impacting Humans: Fingerprinting vs. CAPTCHA]
By default, everyone will be seen as legitimate, but when hackers or bots send bad traffic, they will score points. Of course, in the meantime their requests will be blocked, but that can’t be enough.
After reaching a certain amount of points, these bad clients will be completely blocked for a short period. After that period, they will be allowed back but will keep their points. Then with only few requests, they will be blocked once more but for a longer period. That means even during a peak of traffic, they will not be allowed to impact your application as they will be blocked even before analyzing the HTTP request deeply.
A WAF has to be deployed as close as possible from the backend application, so we defined a mechanism called “Defense Messaging” which permits our solution to exchange information about bad clients and block them at the perimeter of your network.
Stay tuned to our next blog in this series, “Why would you let hackers consume your resources?”
