SOCFortress Integrations — Akamai Web Application Firewall (WAF)

SOCFortress
3 min read · Sep 27, 2023


Intro

SOCFortress integration and visualization tools allow security analysts to visualize and triage Akamai WAF security events from a single pane of glass.

About Akamai WAF

Akamai Web Application Firewall (WAF) is a cloud-based security solution designed to protect web applications and websites from various online threats and cyberattacks. Akamai is a prominent content delivery network (CDN) and cloud service provider, and their WAF service is one of the many offerings in their security portfolio.

Key aspects of Akamai Web Application Firewall:

  • Cloud-Based Protection: Traffic to your web applications is routed through Akamai’s global network of servers. This allows for near real-time threat detection and mitigation without the need for on-premises hardware or software.
  • Security Policies: Specify rules and configurations for protecting your web applications. These policies can be customized to match the specific needs and vulnerabilities of your applications.
  • Threat Detection: The WAF uses various detection techniques to identify and block a wide range of web application threats, including SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), and other common attack vectors.
  • Rate Limiting and Bot Management: Enforce rate limits to prevent abuse of your web applications, such as limiting the number of requests from a single IP address. It also includes bot management capabilities to distinguish between legitimate bots and malicious ones.
  • Real-Time Updates: Akamai continuously updates its threat intelligence and security rules to adapt to evolving threats. This ensures that your web applications are protected against new and emerging vulnerabilities.
  • Scalability and Performance: Akamai’s global network of servers ensures that the WAF can handle high levels of traffic and provide low-latency protection, even during traffic spikes or distributed denial-of-service (DDoS) attacks.
  • Monitoring and Reporting: The WAF provides real-time monitoring and reporting features, allowing you to track security events, analyze traffic patterns, and gain insights into the security posture of your web applications.
  • Compliance and Regulatory Support: Helps organizations meet various compliance requirements, including those outlined by standards such as PCI DSS (Payment Card Industry Data Security Standard) and GDPR (General Data Protection Regulation).
  • Customization: You can customize the rules and policies to meet the specific security needs of your web applications. This flexibility is essential for fine-tuning security measures.
  • Integration: Akamai WAF can be integrated with other security tools and services, as well as with your existing infrastructure, through APIs and plugins.

Ingesting Akamai WAF logs and events

Reference: https://github.com/akamai/siem-integration-connector-packages

Akamai CEF Connector:

  • Verify Java version (Linux): Run “java -version” to verify that a JRE is installed and on the PATH. The JRE can be obtained from the Java Platform, Standard Edition download site or installed from a software distribution package on Linux.
  • Hardware Requirements: 2 CPU cores, 6 GB RAM, 2 GB free disk space, and a Linux kernel newer than 2.6.
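A preflight check for the connector host, added here as an example; it is not part of the SOCFortress post or of Akamai's connector package. It parses the output of `java -version` and the kernel release string, and compares the host against the figures listed above. Live collection reads /proc/meminfo, so it assumes a Linux host; the pure functions take constructed values and can be exercised offline.

```python
"""Preflight check for an Akamai CEF Connector host.

Added example, not code from the SOCFortress post or Akamai's package.
Thresholds come from the requirements list above: a JRE on PATH,
2 CPU cores, 6 GB RAM, 2 GB free disk and a Linux kernel newer than 2.6.
"""
import os
import platform
import re
import shutil
import subprocess

MIN_CORES = 2
MIN_RAM_GB = 6
MIN_DISK_GB = 2
MIN_KERNEL = (2, 6)   # 2.6.x or later is accepted as "newer than 2.6"


def parse_java_version(output: str):
    """Return (major, minor) from `java -version` output, or None if absent.

    Handles both 'java version "1.8.0_372"' and 'openjdk version "17.0.8"'.
    """
    m = re.search(r'version "(\d+)(?:\.(\d+))?', output)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2) or 0))


def kernel_ok(release: str) -> bool:
    """True if a `uname -r` string such as '5.15.0-86-generic' meets MIN_KERNEL."""
    m = re.match(r"(\d+)\.(\d+)", release)
    if not m:
        return False
    return (int(m.group(1)), int(m.group(2))) >= MIN_KERNEL


def meminfo_total_gb(meminfo_text: str) -> float:
    """Parse MemTotal (reported in kB) from /proc/meminfo text into GB."""
    m = re.search(r"MemTotal:\s+(\d+) kB", meminfo_text)
    return int(m.group(1)) / (1024 ** 2) if m else 0.0


def evaluate(java_output, cores, ram_gb, disk_gb, kernel_release) -> dict:
    """Map each check name to pass/fail for a set of observed values."""
    return {
        "java": parse_java_version(java_output) is not None,
        "cores": cores >= MIN_CORES,
        "ram": ram_gb >= MIN_RAM_GB,
        "disk": disk_gb >= MIN_DISK_GB,
        "kernel": kernel_ok(kernel_release),
    }


def preflight(install_path: str = ".") -> dict:
    """Collect live values from this (Linux) host and evaluate them."""
    try:
        r = subprocess.run(["java", "-version"], capture_output=True, text=True)
        java_out = r.stdout + r.stderr   # java prints its version banner to stderr
    except FileNotFoundError:
        java_out = ""
    with open("/proc/meminfo") as f:
        ram_gb = meminfo_total_gb(f.read())
    disk_gb = shutil.disk_usage(install_path).free / (1024 ** 3)
    return evaluate(java_out, os.cpu_count() or 0, ram_gb, disk_gb, platform.release())


if __name__ == "__main__":
    for name, ok in preflight().items():
        print(f"{name:7s} {'OK' if ok else 'FAIL'}")
```

Run it from the directory where you intend to unzip the distribution package so the free-disk figure refers to the right filesystem.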

Installation Instructions

Retrieve the latest CEFConnector distribution package from the Akamai Support Page and unzip it anywhere on the file system.
To install it as a service, create a symbolic link to the bin/AkamaiCEFConnector.sh shell script in /etc/init.d.

You can execute the shell script with the following commands: start | stop | status | resetdb. (resetdb deletes cefconnector.db, which stores the last successfully fetched offset.)

Modify the file “conf/CEFConnector.properties” with the Akamai API details:

akamai.data.configs=
akamai.data.accesstoken=
akamai.data.clienttoken=
akamai.data.clientsecret=
akamai.data.baseurl=

Modify “conf/log4j2.xml” with syslog forwarder details:

<!--
CEF Syslog Configuration

CEFHost: Remote CEF Syslog Server Host (example: 127.0.0.1)
CEFPort: Remote CEF Syslog Server Port (example: 514)
CEFProtocol: Remote CEF Syslog Server Protocol (UDP/TCP)
-->
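What the forwarded events look like on the receiving side (the syslog collector listening on CEFHost:CEFPort), as an added example that is not code from this post or from Akamai's connector: a parser for syslog lines carrying CEF payloads, using the standard `CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension` layout and honouring the `\|` and `\=` escapes, followed by a small triage summary of denied requests per source. The sample lines, the vendor/product strings and the extension keys used (`src`, `dst`, `requestMethod`, `request`, `act`, `cs1`) are constructed for the example; the exact fields the Akamai connector emits are not given on this page.

```python
"""Parse CEF-over-syslog events and summarise them for triage.

Added example (not from the SOCFortress post or Akamai's connector).
The header layout is standard CEF; the sample lines, vendor/product
values and extension keys below are constructed for illustration.
"""
import re
from collections import Counter

# Constructed sample syslog lines with CEF payloads (not real Akamai output).
SAMPLE_SYSLOG = """\
<134>Sep 27 10:00:01 cefconnector CEF:0|Akamai|WAF|1.0|WAF_ALERT|SQL Injection|8|src=203.0.113.10 dst=198.51.100.5 requestMethod=GET request=/login?id\\=1' OR 1\\=1 act=deny cs1=rule-950001
<134>Sep 27 10:00:02 cefconnector CEF:0|Akamai|WAF|1.0|WAF_ALERT|Cross Site Scripting|7|src=203.0.113.10 dst=198.51.100.5 requestMethod=POST request=/search act=deny
<134>Sep 27 10:00:03 cefconnector CEF:0|Akamai|WAF|1.0|WAF_ALERT|Rate Limit|5|src=192.0.2.44 dst=198.51.100.5 requestMethod=GET request=/api/items act=alert
<134>Sep 27 10:00:04 cefconnector CEF:0|Akamai|WAF|1.0|WAF_ALERT|Name with pipe\\|char|3|src=192.0.2.44 dst=198.51.100.5 act=deny
"""

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")
# Header fields are separated by '|'; a literal pipe in a field is escaped as '\|'.
HEADER_SPLIT = re.compile(r"(?<!\\)\|")
HEADER_UNESCAPE = re.compile(r"\\([\\|])")
# The extension is 'key=value' pairs; values may contain spaces, a literal '=' is '\='.
EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")
EXT_UNESCAPE = re.compile(r"\\([\\=])")


def parse_cef(line: str) -> dict:
    """Parse one syslog line carrying a CEF message into a flat dict."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF payload in line")
    payload = line[idx + len("CEF:"):]
    # Only the first 7 unescaped pipes belong to the header; the rest is extension.
    parts = HEADER_SPLIT.split(payload, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    event = {k: HEADER_UNESCAPE.sub(r"\1", v) for k, v in zip(HEADER_FIELDS, parts[:7])}
    extension = parts[7]
    # Find every unescaped 'key=' and take the text up to the next key as its value.
    keys = list(EXT_KEY.finditer(extension))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(extension)
        event[m.group(1)] = EXT_UNESCAPE.sub(r"\1", extension[m.end():end].strip())
    if event["severity"].isdigit():
        event["severity"] = int(event["severity"])
    return event


def triage(syslog_text: str) -> dict:
    """Count denied requests per source and list sources with severity >= 7."""
    events = [parse_cef(l) for l in syslog_text.splitlines() if l.strip()]
    denied = Counter(e["src"] for e in events if e.get("act") == "deny" and "src" in e)
    high = sorted({e["src"] for e in events
                   if "src" in e and isinstance(e["severity"], int) and e["severity"] >= 7})
    return {"events": len(events), "denied_by_src": dict(denied), "high_severity_sources": high}


if __name__ == "__main__":
    summary = triage(SAMPLE_SYSLOG)
    for src, n in summary["denied_by_src"].items():
        print(f"{src:15s} denied={n}")
    print("high-severity sources:", ", ".join(summary["high_severity_sources"]))
```

The split on unescaped pipes is limited to seven so that any pipe inside an extension value is left alone, and extension values are sliced between key positions rather than split on whitespace, since request paths and rule names routinely contain spaces.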

Visualizations

Need Help?

The functionality discussed in this post, and much more, is available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Contact Us: https://www.socfortress.co/contact_form.html

SOCFortress

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).