Providing security in the cloud isn't just about IPS-type security that protects the network against attack; there is also a need to protect against application vulnerabilities.

That's where Akamai's new Web Application Firewall (WAF) service fits in.

The new WAF service is an add-on for users of Akamai's (NASDAQ: AKAM) content delivery network (CDN), the EdgePlatform. Where an IPS blocks network-layer attacks, the general idea behind a WAF is that it protects against application-layer attacks.

Because the Akamai WAF is a cloud-based managed service, customers need no additional hardware to use it, and company officials said the WAF doesn't introduce additional latency to client applications and Web sites.

"This service extends our security portfolio to the Layer 7, or application layer," said Neil Cohen, director of product marketing at Akamai Technologies. "It now allows us to protect from application-specific attacks such as SQL injections, cross-site scripts and advanced forms of distributed denial-of-service attacks -- just to name a few."

Cohen added that Akamai already blocks requests at the network and transport level (Layers 3 and 4) and it sees the new WAF service as complementary to an IPS in the datacenter.

The WAF service is based in part on the open source ModSecurity WAF project and the commercial efforts of one of that project's lead sponsors, Breach Security.

ModSecurity is already broadly deployed, and its users include the Web Application Security Consortium (WASC) and its Open Proxy Honeypot, which uses it to monitor, identify and report attack traffic. Apache Web servers also often use the ModSecurity WAF to defend against malicious Web traffic by monitoring traffic and applying rules to mitigate application risks.

Cohen noted that Akamai did not hold any sort of competitive bake-off in seeking a WAF solution.

"We chose ModSecurity because it was the largest community of Web application security expertise in an open source format," Cohen said. "We wanted to leverage the knowledge of this community in our product."

Though ModSecurity itself is open source, Akamai is not using the entire ModSecurity open solution to power its new WAF service -- instead, it's relying on the rules by which the WAF can identify potential malicious traffic.

"We leverage the logic from the ModSecurity rule set, but we have translated the language to run on our own Akamai EdgePlatform infrastructure," Cohen said. "We do not run ModSecurity open source code on our servers -- we leverage the knowledge of the rule set. As the community updates the rule set, we update the logic on our EdgePlatform."
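To make concrete what "the logic of the rule set" means apart from the engine that runs it, here is an added example (not Akamai's or the ModSecurity project's code): a small Python evaluator that parses a constructed, simplified subset of ModSecurity's SecRule syntax and applies the resulting rules to constructed requests. The rule text, the request samples and the reduced syntax are all assumptions made for the illustration.

```python
import re
from urllib.parse import parse_qsl
# Constructed rules in a simplified subset of ModSecurity's SecRule syntax (variable selector,
# @rx operator, action list); not from the Core Rule Set and not Akamai's translated logic.
RULES_TEXT = r"""
SecRule ARGS "@rx (?i)(union\s+select|'\s*or\s+\d+\s*=\s*\d+)" "id:1001,phase:2,deny,msg:'SQL injection'"
SecRule ARGS "@rx (?i)<\s*script" "id:1002,phase:2,deny,msg:'Cross-site scripting'"
SecRule REQUEST_HEADERS:User-Agent "@rx ^$" "id:1003,phase:1,deny,msg:'Empty User-Agent'"
"""
SEC_RULE = re.compile(r'^SecRule\s+(\S+)\s+"@rx\s+(.+?)"\s+"(.+)"$')

def parse_rules(text):
    """Translate SecRule lines into engine-neutral (variable, compiled regex, actions) tuples."""
    rules = []
    for line in text.strip().splitlines():
        variable, pattern, action_text = SEC_RULE.match(line.strip()).groups()
        actions = {}
        for item in action_text.split(","):  # e.g. id:1001 -> {"id": "1001"}, deny -> {"deny": ""}
            key, _, value = item.partition(":")
            actions[key] = value.strip("'")
        rules.append((variable, re.compile(pattern), actions))
    return rules

def select(request, variable):
    """Resolve ARGS[:name] or REQUEST_HEADERS[:Name] to the request values the rule inspects."""
    name, _, key = variable.partition(":")
    if name == "ARGS":  # URL-decoded query values, optionally filtered by parameter name
        pairs = parse_qsl(request["query"], keep_blank_values=True)
        return [v for k, v in pairs if not key or k.lower() == key.lower()]
    if name == "REQUEST_HEADERS":  # a missing named header is treated as empty
        headers = {k.lower(): v for k, v in request["headers"].items()}
        return [headers.get(key.lower(), "")] if key else list(headers.values())
    return []

def inspect(request, rules):
    """Return (id, msg) of the first matching deny rule, or None if the request passes."""
    for variable, regex, actions in rules:
        if "deny" in actions and any(regex.search(v) for v in select(request, variable)):
            return actions["id"], actions.get("msg", "")
    return None

RULES = parse_rules(RULES_TEXT)
SAMPLE_REQUESTS = {  # constructed sample requests, not captured traffic
    "clean": {"query": "id=5&sort=name", "headers": {"User-Agent": "Mozilla/5.0"}},
    "sqli": {"query": "q=1'%20OR%201=1", "headers": {"User-Agent": "Mozilla/5.0"}},
    "xss": {"query": "name=%3Cscript%3Ealert(1)%3C/script%3E", "headers": {"User-Agent": "curl/8.0"}},
    "noua": {"query": "page=2", "headers": {"User-Agent": ""}},
}
```

Because the rules are reduced to (variable, pattern, action) triples before evaluation, the same rule text can drive any engine that knows how to resolve the variables, which is the separation the article describes.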

However, ModSecurity rules running on Akamai work a bit differently from typical ModSecurity deployments, in part because of the presence of Akamai's CDN, said Sanjay Mehta, senior vice president at Breach Security.

"Akamai is the only company with the ability to field a distributed, in-the-cloud WAF capability on this scale," said Mehta.

Akamai's Cohen noted that any of its customers can take advantage of the Web Application Firewall services for their Web sites or applications.

Sean Michael Kerner is a senior editor at InternetNews.com, covering Linux and open source, application development and networking.