Signal Sciences Launches Next-Gen WAF Support for Envoy

Today we’re excited to announce the general availability of support for Envoy. Signal Sciences is the first next-gen WAF to provide Layer 7 protection for Envoy routed microservices architectures, with no code changes required. This new integration further validates our ability to protect our customers’ apps, APIs and microservices, wherever they run them.

Envoy, commonly used as part of a service mesh deployed in Kubernetes, is an open-source edge and service network proxy helping organizations achieve greater scale by moving from monolithic to microservices-based application architectures. Signal Sciences Envoy integration empowers fast-moving development and DevOps teams to continually innovate without introducing new security risks.

With our Envoy integration, Signal Sciences next-gen WAF protects north-south and east-west traffic between microservices against application layer attacks. Now customers have even greater flexibility in how the next-gen WAF can be deployed at the edge or on the workload.

This blog covers how Envoy functions in our integration and the associated benefits.

Flexible deployment to protect apps and microservices with Layer 7 visibility

When acting as a Front Proxy, Envoy load balances public north-south traffic from the Internet—that’s HTTP traffic that needs to be protected against layer seven attacks. Customers can also route east-west traffic between internal services to Envoy to handle traffic between services through this front proxy. Compare this to traditional WAFs that stop at the edge and do not provide east-west Layer 7 protection.

If you’re familiar with Signal Sciences architecture, you’re aware we have a patented module-agent software pair. The module forwards requests to the agent, which performs detection and decisioning on the web requests it inspects. The benefit of this split approach is that Signal Sciences is fail-open, which is important to gain credibility as a security service with DevOps and operations teams.

Our engineering team worked with the Envoy maintainers to build Signal Sciences into the Envoy project so that Envoy acts as the “module” forwarding requests to our agent.

This flexible deployment enables DevOps to instrument web layer protection on microservice workloads of various flavors and technologies, without code changes, unlike competitive RASP solutions that require the extra coding work and associated overhead.

Our Envoy support also provides development and DevOps teams with security and operational insights into their microservice traffic that legacy WAFs weren’t designed to address.

Securing Web Services Running Behind Envoy

By deploying Signal Sciences on Envoy at the edge, all services running behind Envoy are protected. Unlike a traditional WAF that would have to define rulesets for each service, application or API behind the WAF, Signal Sciences SmartParse technology detects malicious payloads dynamically without any rule matching. For further context, you can read our Detection and Blocking white paper on how we do this so that 95% of our customers trust us to run in blocking mode. Our architecture provides scalability that is orders of magnitude greater than individually tuning rulesets for “n” number of services and applications deployed behind the proxy.

We’re excited to see Envoy adoption progresses with our customers—and we’ll be right there with them providing advanced application security.

If you’d like to learn more about how Signal Sciences can enhance the security of your apps, microservices and APIs, request a demo!