In this article we will outline what a WAF is, explore types of WAFs currently available and deployment options for those WAFs.
What is a WAF?
A web application firewall (WAF) is a special type of firewall that is deployed in front of HTTP applications and is designed to protect websites and web applications from popular web exploits that could compromise security, consume excessive resources or take your website offline. According to the Verizon 2017 Data Breach Report, 29.5% of breaches were caused by web application attacks (by far the most common vector).
Companies are increasingly in the headlines for being hit by serious data hacks or experiencing DDoS attacks that force their business offline. Taking a proactive stance and deploying a WAF can stop these attacks from taking place and keep brand reputations undamaged.
WAFs protect servers. The WAF acts as a reverse proxy forming a proactive layer of protection, sitting between your web application and incoming traffic. The reverse proxy server can either sit behind the firewall in a private network, or in a distributed network such as Content Delivery Networks.
New WAF solutions hit the market each year. Choosing the right type of WAF for your organization and deciding whether to deploy in a distributed fashion or behind your firewall depends on the technology that fits best with your application.
At section.io, we are the only provider to offer the opportunity to choose your security stack modules and where you run them. We have both a rules-based WAF and two different behavioral WAFs in our library of Edge PaaS Modules. You can run your choice of WAF in a distributed fashion (on the section.io cloud in the same fashion as a CDN), behind your firewall on your infrastructure (in the same fashion as an Application Delivery Controller), or on your custom or private cloud.
Whichever solution you select, several benefits are gained by deploying the WAF on our network: (i) additional security via our network layer DDoS protection; (ii) the ability to run your WAF in your development environment for testing; (iii) complete access to DevOps logs and metrics to monitor the behavior of your traffic in real-time.
Types of WAF
The Traditional Rules Based WAF
A traditional WAF works by applying a set of rules to an HTTP conversation to cover common attacks, such as cross-site scripting (XSS) or SQL injection.
ModSecurity is our rules-based WAF offering.
ModSecurity (sometimes called ModSec) is a veteran open-source cross platform WAF engine. It was developed by Trustwave’s SpiderLabs, which quickly became popular worldwide because of its open source availability and its great flexibility.
The company describes itself as the “Swiss Army Knife” of WAFs since its platform is completely customizable. ModSecurity offers the engineer a powerful rules-based language, allowing you to apply rules only where you need to do so.
Our GUI (graphical user interface) allows you to alter security settings in order to configure ModSecurity with this level of flexibility. The version of ModSecurity that we offer is the unmodified, open-source version.
There are various existing rule sets out there, which can be applied to ModSecurity for those who want more of an “out of the box” solution; for instance, the OWASP ModSecurity Core Rule Set (CRS). The CRS is a set of generic attack detection rules for use with the ModSecurity platform designed to protect web applications from the OWASP Top Ten and other common attack categories.
ModSecurity also offers protection for application specific attacks, including Wordpress, media websites, Magento, Magento Enterprise and other ecommerce stores.
The ModSecurity WAF allows for HTTP traffic monitoring, logging and real-time analysis with few or no changes to existing infrastructure.
After signing up for a section.io account, and adding ModSecurity, you can adjust the rule settings and select whether you want to run the rule sets in “Detect” or “Blocking” mode in order to immediately start blocking malicious activity.
Other Rules-Based WAF Offerings
Various of the big CDNs continue to offer rules-based WAFs, including Akamai, Cloudflare, Fastly and Incapsula.
Akamai remains the market leader CDN and security provider in terms of sheer size and revenue. Its Kona Web Application Firewall is deployed at the edge of the client’s network. The level of human expertise constantly monitoring the threat landscape for zero days and new vulnerabilities so that its clients don’t have to is probably Akamai’s greatest strength. Akamai will also customize its rule set according to what each client needs for its individual security posture; although some argue that the customer doesn’t have enough control over its own security postures.
Cloudflare is a newcomer by comparison. Its WAF is rules-based and feature-rich to protect against the major attack types. However, the level of granularity offered is meager compared to that of Akamai; and one of the most significant claims against Cloudflare’s WAF is that it allows for too many false positives. Its default rule set is also regularly updated by the security engineering team to ensure that new significant vulnerabilities are accounted for. For any new threats discovered that could affect a large portion of their user base, new WAF rules are applied; perceived smaller threats are left untouched. Customers at the Enterprise level (roughly around $5,000/month +), however, have the ability to import an unlimited number of their own custom rule sets.
Fastly was founded only five years ago and offers its WAF as part of its overall cloud security defense provisions. Like Akamai, security rules are enforced at the edge as part of Fastly’s relatively new “edge cloud platform”. Fastly builds third-party rules from the OWASP CRS, commercial sources, and open source available options, in addition to generating its own.
Incapsula’s WAF also uses a custom rules engine, which it calls IncapRules. They block critical web application security risks, including the OWASP top 10. The Incapsula WAF is configured to be used out of the box; however, its security team can customize the default rules when requested. As at the other CDNs, the default rule set is regularly updated and new mitigation rules applied. Some users complain that scripting new firewall rules is too complicated and needs to be simplified; and also argue for more custom actions to trigger turning of and off Incapsula settings on different sites and applications. Security controls in an enterprise environment can be challenging to sync up with different teams using different sets of controls.
Limitations to Rules-Based WAFs
Detractors argue that rules-based WAFs are challenging to manage, disposed towards false positives and ineffectual against zero day attacks. Traditional CDN-based WAFs often offer less granularity than the newer solutions in the market meaning you have to turn on blocking across your entire site rather than being able to adapt security per feature or service.
In terms of false positives i.e. clean traffic that is accidentally blocked, a strict rule set like the OWASP ModSecurity CRS can bring an overwhelming number of false positives, which can block good traffic as well as bad. It can take significant tuning to arrive at the right level of alerts. Usually either signatures need to be shrunk to a minimal number, which reduces security coverage, or time and money needs to be spent for identifying and testing new custom rules.
In order to guard against both common threats and zero days i.e. the newest vulnerabilities out there, the WAF rule set must be continually monitored and updated in order to ensure protection. Even when careful monitoring occurs, zero day threats are called that precisely because they take place before the software is known to be outdated, or infected.
Certainly an open source rules-based WAF like ModSecurity requires a certain amount of technical knowledge to be able to program and configure it; particularly if you are defining your own rule set. At section.io, we also see this as an advantage as for those engineers who want that flexibility, ModSecurity provides it.
Newer Learning/Behavioral WAFs
The next-generation of intelligent Web Application Firewalls have been around for the last few years, and are increasingly popular because of their comprehensiveness, flexibility and reduced volume of false positives.
Behavioral WAFs utilize behavioral learning techniques, which allow them to study visitor profiles and determine patterns based on behavior, and accordingly detect and block threats that reveal behavioral anomalies.
As application architectures become more complicated, the legacy rules-based CDN WAFs are finding it increasingly difficult to keep up. Furthermore, the adaptive nature of the behavioral WAF means less time and money needs to be spent on in-house security experts.
Signal Sciences has taken a bottoms-up approach to security since its founding in 2014: the Venice, CA-based company was built by engineers and CISOs frustrated by “trying to make legacy WAFs work while embracing DevOps and Cloud”, and has accordingly focused on creating security products that address the challenges they directly experienced.
Signal Sciences’ CEO, Andrew Peterson, has led the way in building a next-generation Web Application Firewall (WAF) that provides protection for web applications, APIs and microservices that prides itself on taking a human approach - as in Peterson’s words, “we’ve been in that harrowing security defender’s position”.
The Signal Sciences WAF uses a combination of contextual information and cloud analysis to immediately block threats in real-time. Its customers include Yelp, Etsy and Grubhub. As of 2017, they protected 60 billion requests a week. 95% of Signal Sciences’ customers use full blocking mode for their production sites without false positives or the need for detailed tuning.
A key part of the technology at Signal Sciences is the ability to provide detailed monitoring to reveal where attackers are focusing their efforts in order to protect the right parts of the infrastructure. Rather than taking the traditional CDN approach to WAFs and deploying them solely at the edge, Signal Sciences (and section.io) recognize a WAF should be deployed at the location most convenient for the business – either distributed on the section.io cloud or behind the firewall on a section.io Origin PoP.
An additional benefit of deploying Signal Sciences through section.io is that you can run your WAF in your development environment for testing, allowing you to debug failures with confidence and flexibility before deploying to production.
Threat X’s next-gen WAF utilizes a behavioral profiling and correlation engine to analyze attacks and eliminate false positives by grading risk level and progress across the ‘kill-chain’. It learns each site’s unique threat profile and automatically blocks suspicious and malicious traffic while protecting legitimate traffic. Like Signal Sciences, Threat X also covers risk to not just web applications, but APIs and microservices within hybrid cloud environments.
The company’s intelligent WAF is backed by a security team who continually monitors the latest vulnerabilities and hacker trends, and makes adjustments accordingly - all aimed at reducing the workload (and associated cost) of its customers’ security teams.
Similarly to Signal Sciences, Threat X was founded by engineers motivated by direct experience and frustration with legacy solutions and static signatures. Their goal from the outset was simple: “To reduce costly false positives, minimize the operational burden of maintaining traditional WAFs, and remain agile with the evolving threat landscape.”
Adding Threat X to your website via section.io is straightforward: you simply do a DNS change to point at the section.io cloud and that means you can bring Threat X directly onto your website. The Threat X dashboard suite then offers a comprehensive view of all potential threats ranked by threat level, and demonstrates how Threat X responded to each one.
The Denver-based company just raised $8.2M in a Series A funding round and will be further honing its WAF technology.
We expect WAF technology to continue to develop rapidly over the next few years. We also expect the security specialist companies such as Threat X and Signal Sciences to build and deliver the most innovative products.
section.io will continue to provide flexibility and control for our users. Having the choice of WAF software on the section.io platform means our users will not be trapped with aging technology. Having the choice of deploy location means you can decide whether a distributed WAF, a centralized model or a private cloud deploy model is best for your application.
To learn more about how to get started with Website Security please download the full Website Security Guide. For more information on how section.io can improve the security of your website, please contact us.