If you are thinking, WTF is WAF, read on. If you know that WAF stands for web application firewall, read on. If you already administer WAFs, great! Read on.
A WAF isn’t going to solve all of your network security problems, and it certainly has its limitations. But the Verizon Edgecast Network, the content delivery network for Verizon Digital Media Services’ programming, uses one, and it carries 5% of total Internet traffic. So it might be worth considering. Tin Zaw (@TZaw) is an engineer for Verizon Digital Media Services in Los Angeles, where he formerly served as president of the OWASP Los Angeles Chapter. This isn’t his first rodeo in cybersecurity, and he shared his advice on WAFs at the All Day DevOps conference.
Every web application has good users, bad users, and bot users. Security professionals lose sleep at night making sure that bad users and bot users don’t impact or infiltrate the applications, so that they remain available for the good users. For Tin and his cybersecurity team, WAFs are an essential component of protecting Verizon Digital Media’s applications.
WAFs operate at the HTTP layer, inspecting and acting on the content of the HTTP transaction, such as GET and POST requests. They inspect elements and act on them by blocking, reporting, or monitoring. A WAF is useful for addressing application-level security issues such as the OWASP Top 10, but it can also act on network-level information, such as IP or geo-IP blocking and anonymous proxies. It is minimally effective at mitigating automated attacks by dumb bots, and it can be used to enforce policies.
ModSecurity is an open-source WAF based on three principles: flexibility, passiveness, and predictability. It can be used with Apache, IIS, and NGINX. Overall, it can be used for:
- Full HTTP logging
- Attack detection and mitigation
- Virtual patching
- Access control
- Black/whitelisting of URLs/IPs
- Attack surface reduction
- Restricting HTTP versions, verbs
You define rule sets to drive the engine. The Core Rule Set is the standard for WAF rules and is an easy way to get started. Of course, you can customize it to your environment and needs with your own rules.
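To make the capabilities listed above concrete, here is an added example rule file (not from Tin’s talk, the ModSecurity project, or the Core Rule Set) in ModSecurity v2 syntax. It restricts HTTP versions and verbs, blocks listed IPs, applies a virtual patch for a hypothetical bug in a made-up `/export.php` endpoint, and shows the anomaly-scoring approach mentioned at the end of this post; the rule ids, file paths, threshold, and variable names (`tx.anomaly_score`, `tx.inbound_threshold`) are assumptions chosen for the example.

```apache
# Added example rule file, not the page's or the project's own configuration.
SecRuleEngine On
SecRequestBodyAccess On
# Log only transactions that produced 5xx or 4xx (except 404) to limit noise.
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLog /var/log/modsec_audit.log

# Attack surface reduction: restrict HTTP versions and verbs.
SecRule REQUEST_PROTOCOL "!@rx ^HTTP/(?:1\.1|2(?:\.0)?)$" \
    "id:1000,phase:1,deny,status:400,log,msg:'Disallowed HTTP version'"
SecRule REQUEST_METHOD "!@within GET HEAD POST OPTIONS" \
    "id:1001,phase:1,deny,status:405,log,msg:'Disallowed HTTP method'"

# Access control: blocklist of client IPs kept in an external file (assumed path).
SecRule REMOTE_ADDR "@ipMatchFromFile /etc/modsecurity/blocked_ips.txt" \
    "id:1002,phase:1,deny,status:403,log,msg:'Blocked client IP'"

# Virtual patch for a hypothetical bug: /export.php must only accept a numeric "id"
# until the application itself is fixed. The chained rule adds the second condition.
SecRule REQUEST_URI "@beginsWith /export.php" \
    "id:1003,phase:2,chain,deny,status:403,log,msg:'Virtual patch: non-numeric id'"
    SecRule ARGS:id "!@rx ^[0-9]{1,10}$"

# Anomaly scoring: individual rules only add points; one final rule decides.
SecAction "id:1004,phase:1,nolog,pass,setvar:tx.anomaly_score=0,setvar:tx.inbound_threshold=5"
SecRule ARGS "@rx (?i)<script" \
    "id:1005,phase:2,pass,log,msg:'Possible XSS',setvar:'tx.anomaly_score=+5'"
SecRule ARGS "@rx (?i)union\s+select" \
    "id:1006,phase:2,pass,log,msg:'Possible SQL injection',setvar:'tx.anomaly_score=+3'"
# Block only when the accumulated score reaches the threshold, so a single
# low-confidence match does not produce a false positive on its own.
SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_threshold}" \
    "id:1007,phase:2,deny,status:403,log,msg:'Inbound anomaly score exceeded'"
```

Raising the threshold or lowering individual rule weights is how you trade detection for fewer false positives; start with `SecRuleEngine DetectionOnly` on real traffic before switching to `On`.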
If you are looking to invest in a WAF, keep a few things in mind. As with any open-source tool, free is not free: it costs you time, money, and CPU resources. There are also performance considerations. File scans, parsing, external operations, noisy rules, and excessive logging are time-intensive activities. Minimizing false positives, scaling linearly, and quickly propagating configuration changes and events will help minimize the performance impact. Tin says the “holy grail” is to achieve “fixed and minimal performance impact per transaction as your traffic grows.”
There are also limitations to WAF. It is not:
- One box to fix ‘em all
- Set it and forget it
- Replacement for other secure development/deployment practices
- Risk free
- Cost free
A WAF helps find bugs in your code and configuration, and in other people’s code that you use. It can also stop your adversary from attacking you or abusing your legitimate features. It can be an important tool in your DevOps toolchain, sitting primarily in operations but providing feedback to development to help them improve the software.
Before you deploy WAF, make sure to set expectations:
- Know yourself - your software, regulations, user base, load base, when you are busy, and how tolerant users are about false positives
- Know your adversary - your adversary and their techniques might vary, depending on your industry
- Know your environment - your software stack, load balancers, proxy, CDN, etc.
Intrigued by WAF? If you want to know more, including fine-tuning your WAF, how to use anomaly scoring to reduce false positives, and what paranoia mode is, you can watch Tin’s full presentation here.
Register now for the next All Day DevOps, November 6, 2019. It will be a day to discuss WAF, security, CI/CD, cloud native infrastructure, cultural transformation, site reliability engineering, and more.
photo: Christina Morillo