Imperva has modified the default behavior for new cloud WAF sites, now enforcing Server Name Indication (SNI)-only traffic by default. This shift is aimed at optimizing the utilization of TLS-related features, both those currently in place and those slated for the future roadmap.
This blog post will show why SNI-only mode is not just beneficial, but crucial, for harnessing the full potential of these features, along with sharing key insights from our comprehensive research on SNI traffic.
SNI is an extension of the TLS protocol within HTTPS. It empowers the client to specify the desired hostname during the TLS handshake, enabling servers to differentiate between multiple domains sharing the same IP address. SNI became an important foundation for modern web security, especially in the context of hosting services, load balancers, and CDN architectures.
When the server gets the hostname from the client in the SNI extension, it can customize the TLS handshake to the needs of this hostname. For example, it can provide the right certificate, negotiate the cipher suite according to the cipher selection template, and use mTLS if configured to do so.
When using Imperva Cloud WAF to safeguard your website, the platform assumes the role of the server for end-user interactions, terminating the HTTPS/TLS connections itself. Each website within Cloud WAF is configured as a discrete "web site" associated with a unique CNAME. Notably, multiple site CNAMEs resolve to a common IP address, forming what we term a "site group." It’s important to understand the impact of not configuring a site in SNI-only mode: for HTTP clients that do not send SNI, a TLS connection to that shared IP address is handled the same way regardless of which site the client intended to reach:
When a cloud WAF site is not configured in SNI-only mode, some TLS features may not work, or may work inconsistently (e.g., their behavior on an SNI connection differs from their behavior on a non-SNI connection). This was our motivation for changing the default policy so that new sites support SNI-only traffic.
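To make the handshake mechanics above concrete, here is an added example (not Imperva code) that shows what a server has to work with in each case: a minimal parser that pulls the host_name out of a TLS ClientHello record, together with a builder that constructs sample ClientHellos with SNI, without SNI, and in the pre-extension form sent by very old clients. The sample records are constructed, not captures, and the parser covers only the fields needed to reach the SNI extension.

```python
import struct

SNI_EXT, HOST_NAME = 0x0000, 0  # RFC 6066 extension type and name_type values

def build_client_hello(host=None, extensions_block=True):
    """Constructed sample: a minimal TLS 1.2 ClientHello record, with or without SNI."""
    exts = b""
    if host is not None:
        name = host.encode("ascii")
        entry = bytes([HOST_NAME]) + struct.pack("!H", len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry   # ServerNameList
        exts = struct.pack("!HH", SNI_EXT, len(sni)) + sni
    hello = (b"\x03\x03" + bytes(32)                 # client_version, random (zeroed)
             + b"\x00"                               # empty session_id
             + b"\x00\x02\xc0\x2f"                   # one cipher suite
             + b"\x01\x00")                          # null compression
    if extensions_block:                             # very old clients omit this entirely
        hello += struct.pack("!H", len(exts)) + exts
    body = b"\x01" + len(hello).to_bytes(3, "big") + hello   # handshake type + length
    return b"\x16\x03\x01" + struct.pack("!H", len(body)) + body  # record header

def extract_sni(record):
    """Return the host_name the client asked for, or None for a non-SNI ClientHello."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    hs_len = int.from_bytes(record[6:9], "big")
    hello = record[9:9 + hs_len]
    pos = 2 + 32                                     # skip client_version + random
    pos += 1 + hello[pos]                            # session_id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hello[pos]                            # compression_methods
    if pos + 2 > len(hello):
        return None                                  # no extensions block at all
    end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        data, pos = hello[pos + 4:pos + 4 + ext_len], pos + 4 + ext_len
        if ext_type != SNI_EXT:
            continue
        q, list_end = 2, 2 + struct.unpack("!H", data[:2])[0]
        while q + 3 <= list_end:                     # walk the ServerNameList entries
            name_type, name_len = data[q], struct.unpack("!H", data[q + 1:q + 3])[0]
            if name_type == HOST_NAME:
                return data[q + 3:q + 3 + name_len].decode("ascii")
            q += 3 + name_len
    return None
```

Run over captured ClientHellos from your own edge, `extract_sni` returning None is the signal that a client would be affected by SNI-only mode, since the server then has no hostname on which to select a certificate or cipher template.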
Enabling "SNI only" mode is crucial for the optimal functioning of several TLS-related features, including:
By now, we hope you understand the benefits of configuring cloud WAF sites to run in SNI-only mode. As we said at the beginning, this has become the default mode for newly created sites. If you want to change this mode for existing cloud WAF sites, you can do so via the UI by going to the delivery screen under the “CDN” tab in the console navigation bar. Make sure the checkbox labeled “Support Non-SNI Clients” is disabled (see visual below).
Before making this change, you may wonder whether moving to SNI-only mode will block some of your end users. For this reason, we’ve done extensive research. Below are the highlights.
At Imperva, our commitment extends beyond the present, with ongoing investments geared toward enhancing TLS and cryptography supportability. These new capabilities rely on the site being configured for SNI-only traffic. Upcoming features in our roadmap include:
Embracing SNI-only mode within Imperva Cloud WAF is not merely an operational choice; it's a strategic imperative for unlocking the full spectrum of TLS-related features. The negligible impact on legitimate users, coupled with our commitment to an evolving roadmap for enhanced supportability, underscores our dedication to empowering your digital future securely. In an era where web security is not an option, SNI-only mode stands as a cornerstone in fortifying your online assets.
Contact a security expert today to learn more about how you can protect yourself with Imperva Cloud WAF!
The post The Added Value of SNI-Only Mode in Imperva Cloud WAF appeared first on Blog.