Analyst & Research Reports

O'Reilly Modern Defense in Depth


that any given IP address can pass downstream, based upon time. Finally, reverse proxies can also protect websites and applications by enabling bot management and web application firewall plug-ins and components. Simply put, reverse proxies are a critical layer in the modern DiD approach for web applications.

Defensive Line 5: Bot Management

Positioning bot management as the next line of defense is justified because comprehensive, cloud-based bot management solutions integrated into the reverse proxies already exist. When traffic from a suspected malicious bot is received, there is no reason to allow this traffic to pass downstream. Therefore, bot management operates well as the next line of defense.

When incoming traffic to publicly exposed web applications adheres to the policy enablement and enforcement provided by the first four lines of defense, does this mean that the traffic is considered harmless? Absolutely not. Today, much of the traffic finding its way to an organization's web applications is not coming from innocuous human visitors. Instead, much of the traffic that organizations receive from the internet is coming from infected, consumer-based IoT devices—commonly called bots.

Although there is a tremendous need for good bots to visit, catalog, and store information about an organization's websites and applications, there is no reason to allow unwanted visitors in the form of bad bots to orchestrate malicious interactions with these sites and applications. Most malicious bots probe, prod, and peruse sites and applications looking for unintended vulnerabilities, taking advantage of them wherever possible. Other bots continually attempt to commit fraud, consume resources, and perform a host of other unwanted activities. To put it succinctly, if organizations have no oversight of their malicious bot problem by way of a bot management line of defense, it's only a matter of time before impact can be expected.

Is there any reason to allow traffic derived from these bots to ever find its way to the lower layers of the DiD approach or even to the exposed websites and applications? Absolutely not. The best place to defeat malicious bots is at the fifth defensive line. This defensive line's sole intention is to detect and eliminate malicious bot traffic. But how is that done best today?

20 | Chapter 3: Cloud-Based Lines of Defense for Web Application Security
