Fastly Network Learning Exchange

Proactive Meets Preemptive Security


The Fastly Network Learning Exchange provides proprietary IP reputation intelligence to alert and defend applications, APIs, and microservices from validated malicious actors.


Every day, attackers launch malicious payloads against organizations using the same IP addresses. Fastly’s Network Effect Threat Report highlights that 54% of attack traffic is preemptively flagged by the Network Learning Exchange (NLX). NLX leverages this insight to provide a preemptive layer of security to all Next-Gen WAF customers.

Stop attackers before they strike

Fastly’s NLX proactively flags malicious IP addresses, allowing organizations to take action before damage is done. Our position as a global web application and API protection (WAAP) security provider enables visibility at scale into our customers’ global attack landscape, which spans high-tech, financial services, media, entertainment, and numerous other industries. From this vantage, we ingest attack data on a massive scale and can highlight the validated malicious IPs as they send traffic to other customers’ applications. The shared attack data fosters a network effect, where the collective intelligence of all customers contributes to strengthened security for each organization.

Creating preemptive security layers

NLX Diagram

NLX is built on the patented approach developed for Fastly’s Next-Gen WAF.

Over 90,000 applications are protected by our Next-Gen WAF, which inspects 4.1 trillion customer requests monthly. The incoming requests are parsed as legitimate or malicious, and anonymized attack data is continuously collected by the Next-Gen WAF’s Cloud Engine.

After attacks from a particular IP reach a threshold, the IP is added to the NLX feed for future consideration. Any time in the next 24 hours that the IP visits another Fastly Next-Gen WAF customer’s application, the attacker’s client will have a signal (SIGSCI-IP) attached to identify the IP as potentially malicious. When a customer sees the SIGSCI-IP signal, they can apply individual custom rules or combine them with others to block, limit, or monitor the IP before it can strike.

To keep the feed fresh, the SIGSCI-IP signal stays attached to a listed IP for 24 hours. During that time, any request the IP makes will have the SIGSCI-IP signal in the logs. The IP is removed from NLX after 24 hours and treated as normal until malicious intent is observed again.

Engage emerging threats

Traffic carries varying levels of danger, and rulesets can reflect that. Signals are powerful tools that enhance visibility and enable custom rules. When the SIGSCI-IP signal is applied to an IP address, practitioners can create rules to automatically:

  • Block the IP from accessing your service

  • Rate limit the IP to minimize attack opportunity

  • Alert security personnel to monitor the IP from Fastly’s real-time analytics or through integrations with DevOps tools like Elastic, Datadog, Slack, and more

Signals are powerful alone, but when combined, they enable layered rulesets that increase confidence in final decisions. Take initial precautionary measures with NLX signals that are unobtrusive, like monitoring or rate limiting, while creating layers of combined rules that immediately block the IP when their conditions are met. This capability gives security practitioners flexibility in managing traffic as new information becomes available. Block IPs classified as malicious by NLX outright, layer rulesets, or do anything in between: the logic is entirely customizable.
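The feed lifecycle and the layered rule described above can be modeled in a few lines. This is an added example, not Fastly's code or rule syntax: the threshold value, the class and function names, the action names, and the `SQLI`/`XSS` attack signals used here are assumptions for illustration; only the 24-hour window and the `SIGSCI-IP` signal name come from the page.

```python
from collections import defaultdict

FEED_TTL = 24 * 60 * 60   # from the page: a flagged IP carries the signal for 24 hours
ATTACK_THRESHOLD = 3      # assumption: the page does not state the threshold
ATTACK_SIGNALS = {"SQLI", "XSS"}  # illustrative per-request attack signals

class ReputationFeed:
    """Toy time-boxed IP feed: flag at a threshold, expire after the TTL."""

    def __init__(self, threshold=ATTACK_THRESHOLD, ttl=FEED_TTL):
        self.threshold, self.ttl = threshold, ttl
        self.attack_counts = defaultdict(int)
        self.flagged_until = {}          # ip -> expiry time (epoch seconds)

    def record_attack(self, ip, now):
        self.attack_counts[ip] += 1
        if self.attack_counts[ip] >= self.threshold:
            self.flagged_until[ip] = now + self.ttl
            self.attack_counts[ip] = 0   # must re-offend to be flagged again

    def is_flagged(self, ip, now):
        expiry = self.flagged_until.get(ip)
        if expiry is None:
            return False
        if now >= expiry:                # time box elapsed: treat as normal again
            del self.flagged_until[ip]
            return False
        return True

def decide(feed, ip, request_signals, now):
    """Layered rule: the feed signal alone is unobtrusive, combined it blocks."""
    signals = set(request_signals)
    if feed.is_flagged(ip, now):
        signals.add("SIGSCI-IP")
    attack_seen = bool(signals & ATTACK_SIGNALS)
    if "SIGSCI-IP" in signals and attack_seen:
        return "block"
    if "SIGSCI-IP" in signals:
        return "rate_limit"
    return "monitor" if attack_seen else "allow"

def demo():
    feed, ip = ReputationFeed(), "203.0.113.7"   # constructed sample IP
    for t in (0, 10, 20):                         # three observed attacks
        feed.record_attack(ip, t)
    return [decide(feed, ip, [], 100), decide(feed, ip, ["SQLI"], 100),
            decide(feed, "198.51.100.9", ["SQLI"], 100),
            decide(feed, ip, [], 20 + FEED_TTL)]
```

The last call in `demo()` lands exactly at expiry, so the previously flagged IP is allowed again, which is the time-boxing behavior the page describes.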

Layered rules for blocking

Act on trusted intelligence

Making automated traffic decisions requires confidence in the data provided. NLX utilizes the Next-Gen WAF’s highly accurate SmartParse technology to create insights that don’t require interpretation. Using its contextually-aware detection technology, SmartParse quickly and accurately determines if a request will result in a malicious action. It is so accurate that almost 90% of customers run the Next-Gen WAF in blocking mode.

Traditional IP reputation intelligence tools assign a risk score to an IP that can be difficult to take action against. For example, determining what rules to implement when an IP is tagged with a 40 or 80 score is often a daunting task that requires regular tuning. When NLX signals an IP as malicious, it creates a trusted signal that organizations can use to make impactful decisions faster and save security practitioners time. 

Expedite legitimate traffic

The days of “enriching” detection using outdated intelligence are over. NLX flags an IP for 24 hours, after which the IP is removed until malicious activity is observed again, to minimize any impact on potentially legitimate traffic. By timeboxing this signal, the NGWAF helps practitioners focus on relevant attacks without blocking previously tagged IPs from making purchases, completing forms, or making any other legitimate request once removed.

For example, a malicious actor may use a public network where legitimate traffic flows, like a local coffee shop. While you may want to preemptively block that IP from making requests, you’ll want to allow legitimate requests when traffic returns to normal. The dynamic nature of the NLX signal helps organizations protect their brand reputation and give customers a better experience because real customers are less likely to be impacted by the previous actions of bad actors. 

The community model is huge. NLX is innovative in that it gives us additional insights that not a lot of other companies are getting. It helps us show the business that we’re growing more sophisticated in our ability to protect our platform.

Senior Security Operations Manager, Healthcare

The preemptive layer of application security 

Fastly’s NLX provides a preemptive layer of security that complements the Next-Gen WAF’s proactive Layer 7 protection. Included with all Next-Gen WAF packages, NLX enables a modern collective approach to IP reputation intelligence. Contact us to learn more about the Network Learning Exchange and our web application and API protection offerings.
