VoltMesh’s Application Security is an integrated application security and AI inference engine in the data-plane, providing intrusion and anomaly detection based on models that are computed and distributed from our SaaS-based service. The solution uses a combination of algorithmic, signature-based, reputation-database, and machine learning techniques to identify application- and API-level attacks and provide a holistic next-generation application firewall. The machine learning engine automatically discovers all the API endpoints being accessed for any virtual service, and these can be used to define policies for application micro-segmentation. Volterra also provides managed PKI identities to applications, which can be used for application-to-application and developer-to-application authentication and policy-based authorization. It is “out-of-the-box” ready and accessible as soon as a Volterra Node or Cluster is deployed.
If you are interested in further details of how the features described in this guide work, read more below in Concepts.
Intro to VoltMesh Application Security
With all Volterra Node or Cluster deployments, you have the ability to leverage additional VoltMesh and VoltStack services as a simple add-on. This section discusses specifically the VoltMesh Application Security features.
VoltMesh Application Security Features
Simplified WAF rule creation with automated inclusion and exclusion of rules to limit the risk of false positives. VoltMesh currently supports the OWASP Core Rule Set (CRS) and the Volterra Rule Set (VRS). Rules can be enabled in Implicit or Explicit mode. Implicit mode takes as input the technologies used on the virtual host; Volterra’s AI-powered algorithmic engine uses this to automatically create rules. Explicit mode allows users to explicitly configure which rules to exclude. Independently of rule configuration, the supported actions are monitoring and blocking mode: monitoring mode generates security event alerts only, while blocking mode also drops requests that match enabled rules.
Application DoS & BOT Detection
Denial of service attacks on applications and APIs can be detected using alerts from the rules-based WAF as well as anomaly alerts from our behavioral analysis. These alerts can be used to generate service policies at both the application level and the network level. Since applications are always protected by distributed proxies and the VoltMesh global infrastructure, any network-level DoS attack affects only the data-plane. The data-plane is able to handle various resource exhaustion attacks (e.g. flow-table exhaustion via a SYN flood, fragmentation buffers, NAT pools, etc.). In addition, the data-plane provides fast ACLs to protect against application-level attacks from clients or bots.
Application Anomaly Detection
If a tenant configures application security, a behavioral firewall is enabled. Machine learning is done centrally in our control plane using logs and metrics from all distributed proxies for that tenant. AI models are then created to baseline different types of requests. The model is then used for inference in the proxy’s request path to flag requests that deviate from the learned baseline. Request behavior is characterized by metrics such as request size, response size, and request-to-response latency.
Time-series Anomaly Detection
Time-series metrics for request rate, errors, latency, and throughput are used to detect anomalies using statistical algorithms.
API Endpoint Markup, Behavioral Analysis & Anomalies
Business markup uses client/server logs and metrics from the VirtualHost to provide API endpoint markup. This includes identifying and tokenizing the dynamic components of the URLs that make up the web application being accessed. Behavioral analysis then generates per-endpoint behavior models, allowing per-request anomaly detection.
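As an added illustration of the endpoint markup described here and the per-endpoint latency baseline from the Application Anomaly Detection section (example code, not Volterra’s engine), the following Python collapses dynamic URL segments into endpoint templates, builds a per-endpoint baseline from constructed log records, and scores new requests against it; the `{dyn}` placeholder, the ID patterns, the sample records and the z-score threshold are all assumptions.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample records (path, request-to-response latency in ms); assumed format, not real Volterra data.
TRAINING_REQUESTS = [
    ("/api/users/1042/orders", 41.0),
    ("/api/users/77/orders", 39.0),
    ("/api/users/9a8f3c2e-1b2d-4e5f-8a9b-0c1d2e3f4a5b/orders", 44.0),
    ("/api/users/1042/orders/55", 12.0),
    ("/api/users/3/orders/9001", 11.0),
    ("/api/users/3/orders/9002", 13.0),
    ("/api/login", 80.0),
]

# Assumed patterns for dynamic path segments (numeric IDs, UUIDs, long hex tokens).
DYNAMIC_SEGMENT = [
    re.compile(r"^\d+$"),
    re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I),
    re.compile(r"^[0-9a-f]{16,}$", re.I),
]

def tokenize_path(path):
    """Collapse dynamic segments into '{dyn}' so every request to the same API
    endpoint maps to one template; the query string is ignored."""
    segments = path.split("?", 1)[0].split("/")
    return "/".join("{dyn}" if any(p.match(s) for p in DYNAMIC_SEGMENT) else s
                    for s in segments)

def build_baselines(requests):
    """Per-endpoint latency baseline: (mean, population stdev, sample count)."""
    groups = defaultdict(list)
    for path, latency in requests:
        groups[tokenize_path(path)].append(latency)
    return {ep: (statistics.mean(lat), statistics.pstdev(lat), len(lat))
            for ep, lat in groups.items()}

def zscore(path, latency, baselines, min_samples=3):
    """Score a new request against its endpoint's baseline. Returns None when
    the endpoint is unknown or has too little history to judge deviation."""
    model = baselines.get(tokenize_path(path))
    if model is None or model[2] < min_samples or model[1] == 0:
        return None
    mean, stdev, _ = model
    return (latency - mean) / stdev

def is_anomalous(path, latency, baselines, threshold=3.0):
    z = zscore(path, latency, baselines)
    return z is not None and abs(z) > threshold
```

Endpoints with too few samples return `None` rather than a score, which is the behaviour a practitioner wants so that a freshly discovered endpoint does not generate alerts before a baseline exists.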