WAF 2.0 by BitNinja: Ultimate Web Application Firewall for your Compute Security

April 1, 2021

With the deployment of a strong web application firewall, one can run secured and critical web applications wherever they reside such as in a public cloud, or on-premise data centre. A powerful WAF solution protects organizations against OWASP top ten threats, various application vulnerabilities, and zero-day attacks.

In today’s world, enterprises are expanding their businesses with more web-based, cloud-hosted applications, so a powerful web application firewall (WAF) isn’t a luxury—it’s a requirement for cloud infrastructure. A powerful WAF also helps with compliance with key regulatory standards such as PCI DSS.

Let’s take a look at why having a WAF is so important, how it works, and the options you have to protect your server, from open source solutions to the WAF designed at BitNinja.

Web application attacks are the biggest threat in today’s world

The main security challenge that you face as a sysadmin is the increasing number of web applications, plugins and other software running on your servers. Customers demand the latest platforms, CMS and server management tools, and you’ve got to provide these features to keep their business.

Attacks on servers have become more and more complex. Rather than relying on brute force or other “typical” methods of attack, hackers are now exploiting vulnerabilities in out-of-date and insecure plugins and web apps.

You can create a basic firewall with iptables and monitor bandwidth per IP, but you’ll never be completely secure until you’ve locked down your web apps. In fact, a recent study found that 73% of all security exploits are directed against web applications.

With more than two-thirds of attacks directed towards web apps, it’s clear they pose the biggest threat to server security. And you can’t simply block these apps. You’ve got to allow access to keep your customers happy, and you’ve got to keep the bad guys out. The solution is to implement a web application firewall which selectively blocks exploits, and you’ve got a few options when choosing a WAF.

Considerations for choosing a suitable Web Application Firewall

When you start looking for a WAF for your server, you’ll see a lot of open source options in the search results. This is a good place to start because open source projects provide a clear picture of what’s needed in a web application firewall, and how they work.

Perhaps the most well-known resource on WAFs is the Open Web Application Security Project (OWASP), a worldwide non-profit organization dedicated to making software and server security “visible so that individuals and organizations are able to make informed decisions”.

On the OWASP wiki, you can read about the top 10 web application security problems. The “OWASP Top 10” highlights the primary security concerns when creating or implementing a WAF on your server. These are the main attacks that a WAF is designed to stop, and the list also tells you a bit about how a WAF works to secure your server.

The OWASP Top 10 Web Application Security Risks

Here’s the latest list, with a brief description of the types of exploits a WAF is designed to stop:

ModSecurity – Open Source WAF based on OWASP

When it comes to open source web application firewalls, ModSecurity is at the top of the list. In some ways, it’s the only open-source WAF, because other open source solutions are targeted for specific frameworks, for example, NAXSI which is just for NGINX, and Webknight which is for Microsoft servers.

ModSecurity, which is an OWASP project, covers Apache, NGINX and Microsoft web servers. It is closely based on the Top 10 list and provides a base level of protection for every server. The primary drawbacks are that ModSecurity is a command-line-only tool and is “help yourself” when it comes to support.

For DIY solutions, ModSecurity is a great place to start. If you’re willing to roll up your sleeves and do some hand-coding, it can provide reasonable protection. Things to look out for along the way are keeping up-to-date with the latest versions and making sure ModSecurity doesn’t interfere with the applications when they are running, especially when you begin modifying the rules for your specific needs.

Why Choose BitNinja WAF 2.0 for your server?

1. Industry Standards and Compatibility

BitNinja WAF 2.0 is built on the backbone of ModSecurity. It’s the industry standard and compatible across a wide range of platforms. Using ModSecurity as the base for our platform ensures that our WAF is always up-to-date with the latest best practices according to OWASP and the worldwide security community.

2. Less Configuration, More Protection

While ModSecurity provides adequate protection for web servers, BitNinja wanted to go a step further and create a WAF that would protect against vulnerabilities before they were discovered.

The command line interface also presents a big roadblock for using ModSecurity “out of the box”. With BitNinja WAF 2.0 our goal was to create a WAF that was easy to use and didn’t require constant configuration. We wanted to be able to make changes with a few clicks.

3. Easy-to-Use Dashboard

Here’s a screenshot of the BitNinja WAF 2.0 dashboard in action. You can enable/disable the firewall or activate/deactivate a pattern or ruleset for all your servers, all in one place:

4. Pre-defined rulesets for low false positives

One of the primary challenges as you add layers of security to ModSecurity is preventing the WAF from blocking web apps. Often you’ll implement one rule to protect an app, only to find that it blocks access to another app.

BitNinja has developed and continually refines a default ruleset for all the websites hosted on your server. This ruleset is rigorously tested to ensure the lowest false positive rates and is constantly updated with rules that protect your server while allowing access to all your web apps.

For those who want a greater level of control, it also gives you the option to change the rules one-by-one or manage them by categories.

5. Domain-based WAF controls to keep users happy

The primary goal for any server admin is to keep their customers and users happy. Every website has its own specific needs, and there are often individual requests from users and site owners.

To make day-to-day life easier, BitNinja created a built-in option in our WAF that allows you to add custom patterns and rulesets for each domain. You can also disable the WAF entirely for only a subdomain if necessary. This is a great way to keep your customers satisfied and still provide great protection.

6. Lock-down feature for emergency situations

When disaster strikes, it helps to be prepared. BitNinja WAF 2.0 includes a handy lock-down feature that immediately disables POST requests (registrations, logins, posting, etc.) and converts the site to read-only mode. This restricted mode leaves the site available for visitors while preventing further hacking attempts while the situation is mitigated. It’s a win-win situation that allows you to calmly address sudden increases in attacks from botnets and other distributed types of attacks.

7. Log-only or Active Protection

Log-only mode provides a way to monitor activity without blocking it. Sometimes you need to troubleshoot the configuration of a web app, and you need to rule out the possibility of the WAF interfering.

In Log-only mode, you can see all the logged (but not blocked) incidents in the Dashboard. In this case, connections are not interrupted by the WAF. This allows you to monitor any incidents and manually block the IPs if you find positive hits, as well as deploy web apps with complex configuration before turning the firewall on.

To keep your other sites and servers protected while you monitor traffic or install an app, you can choose between Log-only mode and Active Protection by the server and even by domain.
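The three controls described in sections 5, 6 and 7 (per-domain rules, lock-down, and Log-only versus Active Protection) all map onto ModSecurity directives. The configuration below is an added example, not BitNinja’s own or ModSecurity’s shipped configuration; it assumes Apache httpd with mod_security2 loaded and the OWASP Core Rule Set already included, and the domain names and rule ids 1001 and 1002 are placeholders.

```apache
# Added example (not BitNinja's or ModSecurity's own configuration).
# Assumes Apache httpd with mod_security2 loaded and the OWASP Core Rule Set
# already included; domain names and rule ids 1001-1002 are placeholders.

# Global default: Active Protection. Requests that match a rule are blocked.
SecRuleEngine On
SecAuditEngine RelevantOnly
SecAuditLog /var/log/apache2/modsec_audit.log

# Lock-down (read-only mode): reject every POST so registrations, logins and
# comment posting stop while GET traffic keeps the site readable. Keeping this
# rule in its own include file lets you enable and remove it quickly.
SecRule REQUEST_METHOD "@streq POST" \
    "id:1001,phase:1,deny,status:403,log,msg:'Lock-down: site is read-only'"

# Domain-based control: this site runs in Log-only mode while a new web app
# is being configured. Matches are written to the audit log, but the
# request is never interrupted.
<VirtualHost *:80>
    ServerName staging.example.com
    SecRuleEngine DetectionOnly
</VirtualHost>

# This domain keeps Active Protection but excludes one rule that produced a
# false positive for its application (1002 is a placeholder rule id).
<VirtualHost *:80>
    ServerName shop.example.com
    SecRuleEngine On
    SecRuleRemoveById 1002
</VirtualHost>
```

Review the audit log from the DetectionOnly host before switching it to `On`; every entry there would have been a blocked request under Active Protection.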

WAF 2.0 is completely integrated with the BitNinja Security Suite

At BitNinja, we take a holistic approach to cybersecurity. Different types of attacks require different types of defence for a server. It is like security at a castle vs. an airport. With a castle, you put all your defences in one place, leaving you vulnerable to multiple attacks. At an airport, however, you have multiple checkpoints for defence, protecting you by closing all the security loopholes.

In addition to WAF 2.0, BitNinja’s Security Suite includes 8 other security modules: IP Reputation, Port Honeypot, Web Honeypot, DoS Detection, Log Analysis, Malware Detection, Outbound WAF and Protection for HTTPS. Each of these modules works together to provide multiple points of defence for your servers against a wide range of attacks, from hackers, botnets and whatever’s next on the horizon.

Try WAF 2.0 and the BitNinja Server Security Suite with E2E Networks compute in one click when launching an instance, or enable it on your running instances without any obligation.
