A WAF (Web Application Firewall) is a security control, delivered as an appliance, software, or cloud service, that monitors, filters, and blocks HTTP/HTTPS traffic to and from a web application.

What is a WAF?

A WAF is a security solution that protects web applications from common attacks such as SQL injection, cross-site scripting (XSS), and other web attack vectors.

Types of WAF

Hardware WAF

  • Physical devices: Dedicated hardware
  • High performance: Optimized for heavy traffic
  • Initial cost: High initial investment
  • Maintenance: Requires specialized personnel

Software WAF

  • Applications: Software installed on servers
  • Flexibility: Customizable configuration
  • Cost: More economical than hardware
  • Resources: Consumes server resources

Cloud WAF

  • Managed service: Provider manages infrastructure
  • Scalability: Easy scaling according to needs
  • Maintenance: Reduced for client
  • Operating cost: Subscription model

Main Features

Traffic Filtering

  • Packet analysis: Deep packet inspection
  • Content filtering: HTTP content analysis
  • Behavior filtering: Anomalous pattern detection
  • Geographic filtering: Blocking by geographic location

Attack Protection

  • SQL Injection: Protection against SQL injection
  • XSS: Protection against cross-site scripting
  • CSRF: Protection against cross-site request forgery
  • DDoS: Protection against application-layer (HTTP) denial of service attacks

Monitoring and Logging

  • Event logging: Log of all activities
  • Traffic analysis: Traffic statistics
  • Alerts: Suspicious event notifications
  • Reports: Security report generation

Attacks It Protects Against

OWASP Top 10

  1. Injection: SQL, NoSQL, LDAP, OS command injection
  2. Broken Authentication: Authentication bypass
  3. Sensitive Data Exposure: Data protection
  4. XML External Entities: Protection against XXE
  5. Broken Access Control: Authorization bypass
  6. Security Misconfiguration: Insecure configurations
  7. Cross-Site Scripting: Reflected, stored, DOM XSS
  8. Insecure Deserialization: Malicious objects
  9. Vulnerable Components: Vulnerable dependencies
  10. Insufficient Logging and Monitoring: Lack of visibility

Specific Attacks

  • SQL Injection: Injection of malicious SQL code
  • XSS: Injection of malicious scripts
  • CSRF: Request forgery
  • Directory Traversal: Access to system files
  • File Upload: Upload of malicious files
  • Brute Force: Brute force attacks

Enterprise

  • Cloudflare WAF: Cloud service
  • AWS WAF: Amazon service
  • Azure Application Gateway: Microsoft service
  • F5 BIG-IP: Enterprise solution
  • Imperva: Web security platform

Open Source

  • ModSecurity: Open source WAF
  • NAXSI: WAF for Nginx
  • Shadow Daemon: Open source WAF
  • WebKnight: WAF for IIS

Cloud

  • Cloudflare: CDN with integrated WAF
  • AWS Shield: Amazon DDoS protection
  • Azure DDoS Protection: Microsoft protection
  • Google Cloud Armor: Google protection

Basic Configuration

Filtering Rules

# ModSecurity rule example (modelled on the OWASP CRS SQL injection rule):
# inspect every request argument with libinjection (@detectSQLi) in phase 2,
# when the request body is available, log the matched data, and add the
# critical score to the paranoia-level-2 anomaly counter that the CRS
# blocking-evaluation rule later compares with the inbound threshold
SecRule ARGS "@detectSQLi" \
    "id:1001,\
    phase:2,\
    block,\
    msg:'SQL Injection Attack Detected',\
    logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
    tag:'WASCTC/WASC-19',\
    tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/CIE1',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/3.0.0',\
    severity:'CRITICAL',\
    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
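In CRS anomaly-scoring mode the `setvar` action above does not decide anything by itself; each matching rule adds its severity score to a transaction counter, and a separate blocking-evaluation rule compares the total with a threshold. The Python model below is an added teaching example, not ModSecurity or CRS code: it shows how those increments combine into one pass/log/block decision, how the engine modes (On, DetectionOnly, Off) support testing rules before enforcing them, and how a per-parameter rule exclusion tunes away a false positive. The regexes are simplified stand-ins for `@detectSQLi` and the CRS XSS checks, and the rule ids, thresholds and inputs are constructed.

```python
# Added teaching model of CRS-style anomaly scoring (not ModSecurity/CRS code).
import re
from dataclasses import dataclass

CRITICAL_ANOMALY_SCORE = 5   # CRS default tx.critical_anomaly_score
INBOUND_THRESHOLD = 5        # CRS default tx.inbound_anomaly_score_threshold


@dataclass(frozen=True)
class Rule:
    rule_id: int
    pattern: re.Pattern
    score: int
    msg: str


# Constructed rule set: simplified regex stand-ins for @detectSQLi and the
# CRS XSS / traversal checks; ids are arbitrary and only need to be unique.
RULES = (
    Rule(1001, re.compile(r"(?i)\bunion\b.+\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+"),
         CRITICAL_ANOMALY_SCORE, "SQL Injection Attack Detected"),
    Rule(1002, re.compile(r"(?i)<script\b|javascript:"),
         CRITICAL_ANOMALY_SCORE, "XSS Attack Detected"),
    Rule(1003, re.compile(r"\.\./"),
         CRITICAL_ANOMALY_SCORE, "Directory Traversal Detected"),
)


def evaluate(args, engine="On", exclusions=None):
    """Inspect ARGS as the phase-2 rule does; return (action, score, matches).

    engine: "On" blocks, "DetectionOnly" only logs, "Off" skips inspection.
    exclusions: {arg_name: {rule_id, ...}} models the effect of
    SecRuleUpdateTargetById <id> "!ARGS:<name>", i.e. removing one parameter
    from one rule instead of disabling the rule for every request.
    """
    if engine == "Off":
        return "pass", 0, []
    exclusions = exclusions or {}
    score, matches = 0, []
    for name, value in args.items():
        for rule in RULES:
            if rule.rule_id in exclusions.get(name, ()):
                continue
            if rule.pattern.search(value):
                score += rule.score   # setvar:'tx.anomaly_score=+%{tx.critical_anomaly_score}'
                matches.append((rule.rule_id, name, rule.msg))
    # Blocking-evaluation rule: @ge %{tx.inbound_anomaly_score_threshold}
    if score >= INBOUND_THRESHOLD:
        return ("block" if engine == "On" else "log"), score, matches
    return "pass", score, matches
```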

Nginx Configuration

# Basic WAF configuration (ModSecurity v3 with the ModSecurity-nginx connector)
location / {
    # Enable the WAF engine for this location
    modsecurity on;
    # Main rule set file, e.g. the OWASP Core Rule Set include chain
    modsecurity_rules_file /etc/nginx/modsec/main.conf;

    # Inline rules. Audit logging is configured with the ModSecurity
    # directives SecAuditEngine/SecAuditLog (the connector has no
    # modsecurity_audit_log directive), so it lives inside modsecurity_rules.
    # Rule ids must be unique across all loaded rules; 1001 is already used
    # by the SQL injection rule above, so this rule uses 1002.
    modsecurity_rules '
        SecRuleEngine On
        SecAuditEngine RelevantOnly
        SecAuditLog /var/log/nginx/modsec_audit.log
        SecRule REQUEST_URI "@contains /admin" "id:1002,phase:1,block,msg:\"Admin access blocked\""
    ';
}

Implementation

Phase 1: Analysis

  • Application inventory: Identify web applications
  • Traffic analysis: Evaluate traffic patterns
  • Vulnerability identification: Detect existing vulnerabilities
  • Requirements definition: Establish protection needs

Phase 2: Design

  • Architecture: Design WAF solution
  • Tool selection: Choose WAF platform
  • Configuration: Define filtering rules
  • Integration: Plan integration with existing systems

Phase 3: Deployment

  • Installation: Deploy WAF solution
  • Configuration: Configure rules and policies
  • Testing: Validate operation
  • Monitoring: Implement continuous monitoring

Phase 4: Operation

  • Monitoring: Continuous vigilance
  • Maintenance: Updates and patches
  • Optimization: Rule tuning
  • Training: Staff training

Best Practices

Configuration

  • Specific rules: Create specific rules for each application
  • Whitelist: Implement whitelists when possible
  • Tuning: Adjust rules according to behavior
  • Testing: Test rules before implementing

Monitoring

  • Logs: Review logs regularly
  • Alerts: Configure appropriate alerts
  • Metrics: Monitor performance metrics
  • Analysis: Analyze attack patterns

Maintenance

  • Updates: Keep updated
  • Patches: Apply security patches
  • Rules: Update rules regularly
  • Documentation: Keep documentation updated

Metrics and KPIs

Security

  • Blocked attacks: Number of blocked attacks
  • False positives: Percentage of incorrect blocks
  • Detection time: Attack detection speed
  • Coverage: Percentage of protected traffic

Performance

  • Latency: Response time
  • Throughput: Processing capacity
  • Availability: Uptime
  • Resources: System resource usage

Integration with Other Tools

SIEM

  • Logs: Send logs to SIEM
  • Correlation: Correlation with other events
  • Alerts: Integration with alert systems
  • Analysis: Joint event analysis

CDN

  • Distribution: CDN integration
  • Cache: Cache optimization
  • Geolocation: Location filtering
  • Performance: Performance improvement
