Hi Community,
Did you know that you can subscribe to our release notes to make sure that you receive all updates directly to your email inbox?
These release notes provide information on changes and enhancements in each release. Unless otherwise specified, the changes described here are rolled out throughout the week and may not be immediately available in all accounts.
You can also view the customer-facing release notes online here.
Cloud Application Security Release Notes June 16, 2024
Heads Up: DNS Protection - Simplified DNS threshold configurations for attacks
In the coming weeks we're introducing a simplified experience for configuring protected DNS zone thresholds used for DDoS detection and mitigation. These changes apply to Protected DNS zones only.
We're retiring the lower threshold parameter and going forward we will no longer pass requests for records that are not in the safe records list to the origin server during a DDoS attack.
With the simplified flow, a breach of the requests per second threshold means that there is an active attack. Here's how requests are handled during an attack:
- Requests are served from the cache.
- If a request isn't in the cache, only DNS requests for safe records are forwarded to the origin server, up to the rate limit threshold.
We recommend that you keep your safe records up-to-date.
When we make this change, we'll provide documentation and best practices for setting the thresholds, managing safe records, and more. Your existing configurations for upper threshold will be migrated automatically. You won't have to take any action.
For the current configurations and experience, see rate limiting in Add/Edit a Protected DNS Zone.
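As an added illustration (not Imperva code and not part of the original release notes), the sketch below models the attack-time flow described above for one second of queries, so you can see which names stop reaching the origin when they are missing from the safe records list. It assumes the attack threshold and the origin rate limit are separate per-second values, that attack state is judged per one-second batch, and that cache misses go to the origin when no attack is active; `ProtectedZone`, `classify_second` and `summarize` are hypothetical names.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class ProtectedZone:
    rps_threshold: int       # requests/second above which an attack is active
    origin_rate_limit: int   # assumed: max origin forwards per second in an attack
    safe_records: frozenset  # names allowed to reach the origin during an attack
    cache: frozenset         # names answerable from cache (kept static here)


def normalize(qname: str) -> str:
    return qname.rstrip(".").lower()


def classify_second(zone, queries):
    """Return [(qname, outcome)] for one second of queries."""
    under_attack = len(queries) > zone.rps_threshold  # assumed measurement
    forwarded = 0
    results = []
    for q in queries:
        name = normalize(q)
        if name in zone.cache:
            outcome = "cache"
        elif not under_attack:
            outcome = "origin"  # assumed normal behaviour on a cache miss
        elif name not in zone.safe_records:
            outcome = "not_forwarded"
        elif forwarded < zone.origin_rate_limit:
            forwarded += 1
            outcome = "origin"
        else:
            outcome = "rate_limited"
        results.append((q, outcome))
    return results


def summarize(results):
    """Outcome counts plus the names that the safe records list left out."""
    counts = Counter(outcome for _, outcome in results)
    missing = sorted({normalize(q) for q, o in results if o == "not_forwarded"})
    return dict(counts), missing


# Constructed sample data, not taken from any real zone.
ZONE = ProtectedZone(5, 2, frozenset({"www.example.com", "api.example.com"}),
                     frozenset({"www.example.com"}))
ATTACK_SECOND = ["www.example.com", "api.example.com", "api.example.com",
                 "api.example.com", "mail.example.com", "xk3.example.com",
                 "WWW.Example.COM.", "q9z.example.com"]

if __name__ == "__main__":
    print(summarize(classify_second(ZONE, ATTACK_SECOND)))
```

In the constructed sample, `mail.example.com` stands for a legitimate record that was never added to the safe records list: during the attack second it is handled the same way as the unknown names and is not forwarded.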
Customize Website TLS Configuration
In the Cloud Security Console UI, websites supporting only SNI traffic can now select the TLS versions and cipher suites used by Imperva for connectivity between your website visitors and the Imperva service. Sites that also support non-SNI clients can only select supported TLS versions, but not specific ciphers.
This can enable you to opt for enhanced security for these connections and comply with your organization's security requirements.
Previously, this functionality could only be configured using the API.
Rollout:
- This feature is fully supported for new sites onboarded after March 11, 2024.
- In June 2024, we are starting a gradual rollout of the feature to older sites. Rollout is expected to take a few months.
Sites that have not yet been migrated can view but not modify TLS version support settings for SNI-only traffic. If you require a customized list of supported cipher suites, contact Imperva Support.
If a custom list of supported ciphers has been configured for your account by Support, your account will not be migrated at this time. Therefore, you can view but not modify TLS version support settings for SNI-only traffic. We are working to cover this gap. New sites in your account will continue to be created with the account’s custom configuration.
What changed:
The option to support only SNI clients was added to the new TLS Configuration page. (Previously, you could set the option to support only SNI clients on the Delivery Settings page, by disabling the Support Non-SNI Clients option.)
If you choose the recommended SNI only option, you can override default TLS settings and select one of the following options:
- Enhanced security: Use only strong ciphers, in compliance with Qualys SSL Labs.
- Custom configuration: Select the cipher suites you want Imperva to support for connecting clients.
These options are not available if you are also supporting non-SNI clients.
Where it’s located: On the TLS Configuration page in website settings.
In addition, the following options were moved to the new TLS Configuration page:
- Enable HSTS (previously located on the Website Settings > General page)
- Support all TLS versions (previously located on the Origin and Network > General settings page)
For full details on website TLS configuration, see:
View all configured SIEM log connections on a single page
You can now see your Cloud WAF and Attack Analytics log connections listed on the SIEM Logs configuration page, together with logs configured for all other services in your account.
This change is the next step in ongoing development toward a unified SIEM log UI for all services.
At this stage, the Cloud WAF and Attack Analytics connection details are read-only on the SIEM Logs page, with one exception. For Cloud WAF logs, you can set the default log type to use for new sites that are added to your account in the future.
For details on editing the default log types, see Configure the SIEM Log Integration.
All other setup or editing of Cloud WAF and Attack Analytics logs must still be done on the previous pages. For details, see:
Recently mitigated CVEs
Mitigation for new Common Vulnerabilities and Exposures (CVEs) is added weekly by Imperva Research Labs.
To view the latest CVEs for which coverage was added, see Recently Mitigated CVEs.
If you have questions regarding any of the topics above or regarding our release notes in general, please comment below.