Web Application Firewall (WAF)

The document provides an overview of a Web Application Firewall (WAF), including its values, advantages, features, and how it can protect against common vulnerabilities. It describes the WAF's integration capabilities, logging features, and how it addresses the OWASP Top 10 security risks through various checks and response protections.


Web Application Firewall (WAF) Overview

▪ Values:
– Protects Web applications
– Mitigates code vulnerabilities and helps achieve PCI/HIPAA compliance
– Prevents damage to intellectual property, data and applications
▪ Advantages:
– Fully integrated with and designed for ACOS
– No license required; single-device solution
– Enables a full defense stack
– Scalable and high performance

Confidential | ©A10 Networks, Inc. 1


WAF Features

▪ Easy integration with application delivery


– High-performance solution
– Just bind WAF template to HTTP/HTTPS virtual port
– Also allows for dynamic binding of template via HTTP policy template
– Active, Passive and Learning modes to facilitate easy deployment
– Comprehensive set of counters and debug mode
▪ High-speed event logging using Common Event Format (CEF)
– Data plane events logged to external logging server(s)
– Control plane events may be logged locally or remotely


WAF Key Features - Applicable OWASP Top 10

▪ Missing Function Level Access Control
– aFleX
▪ Cross-Site Request Forgery (CSRF) check
– Referer Check
– Form Consistency Check
– CSRF Check
▪ Using Components with Known Vulnerabilities
– URI Blacklist
▪ Unvalidated Redirects and Forwards
– Whitelisting URI
▪ Sensitive Data Exposure
– Credit Card Number scrubbing
– Social Security Number scrubbing
▪ Injection
– SQL injection attack (SQLIA) check
– Allowed HTTP Methods check (permits only listed methods such as GET and POST)
▪ Cross-Site Scripting (XSS) check
– HTML XSS check
▪ Insecure Direct Object References
– Whitelisting URI
– URI Black List/White List check

WAF Key Features and Regulatory Example

▪ Additional Features
– Cookie check
– Credit Card number/US SSN masking
– CSRF check
– XSS check
– Cookie encryption
– Perl Compatible Regular Expressions (PCRE) masking
– HTTP protocol compliance check
– Cloaking to hide server responses/error status codes
– Configurable deny action
– Active/Learning/Passive mode
– Bad bots protection
– SQL Injection check
– More…
▪ PCI DSS examples
– Section 1.2: Blacklist URI, bad bot check
– Section 3.3: CCN scrubbing
– Section 3.5: FIPS
– Section 4.1: SSL/TLS

Sample Use Cases

▪ Prevent data leakage
– "Badstore" example: SQL injection protection ensures programming errors cannot be exploited to steal data not intended for release
– Security breaches impair brand reputation: California law states that every customer must be informed after a data breach, regardless of whether that customer is directly impacted
▪ Insurance against unknown vulnerabilities and bad code
– Programmers can make mistakes, such as not validating the data presented to the application
– Vulnerabilities are often unknown until publicly exploited
– The WAF provides a centralized security control for a heterogeneous application environment
▪ Quick deployment with simple management
– IT staff have to manage many different solutions, often from different vendors
– An effective, easy-to-use WAF combined with a server load balancer reduces operational cost


Mitigation – Security Checks: Request Protection (1 of 4)
▪ Allowed HTTP Methods
– Specifies the HTTP methods (such as GET and POST) that are allowed in requests
▪ SQLIA Check
– Checks for SQL strings to protect against SQL injection attacks
▪ Bot Check
– Checks the User-Agent of inbound requests for known bad bots
▪ CSRF Check
– Tags each web form field with a nonce (a unique FormID)
– Protects against cross-site request forgery (CSRF)
▪ URL Check
– Prevents users from reaching a URL on the website directly (for example by typing it into the browser)
– Restricts users to reaching web pages only by following hyperlinks on the protected website
– The approved URL path list for the URL Check is configurable only through Learning Mode

Mitigation – Security Checks: Request Protection (2 of 4)
▪ HTTP Check
– Checks that user requests comply with the HTTP protocol
▪ Form Consistency Check
– Ensures that user input to a web form field conforms to the intended format for that entry
▪ XSS Check
– Checks for potential HTML XSS scripts to protect against cross-site scripting attacks
▪ Buffer Overflow
– Protects against attempts to cause a buffer overflow on the web server
– Sets the maximum content length allowed in an HTTP request (0 to 65535 bytes)
– Values can be set for Max Cookie, Max Data to Parse, Max Headers, Max URL Length, Max Post Size, HTML Parameters, Max Request Query Length, and Max Line Length
– Buffer Overflow settings have pre-defined default values
– Learning Mode replaces these defaults with values derived from the observed Web application traffic patterns


Mitigation – Security Checks: Request Protection (3 of 4)
▪ Max Cookies
– Specifies the maximum number of cookies allowed in a request (0-63)
▪ Max Headers
– Specifies the maximum number of headers allowed in a request (0-63)
▪ Referer Check
– Verifies that the Referer header of requests carrying Web form data points to the specified server rather than to an external site
– Protects against cross-site request forgery (CSRF or XSRF) attacks
▪ Deny Action
– Specifies the action taken when the WAF denies a client request
– Settings include a generic Request Denied message, an HTTP redirect, or a connection reset
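The two CSRF defenses named on these slides, form tagging with a nonce FormID and the Referer check, as an added example that is not A10's code. It assumes a WAF-held signing key (WAF_KEY), a protected host name (PROTECTED_HOST), and a session identifier the WAF can associate with the client; the FormID is bound to that session with an HMAC, which is this example's design rather than documented product behaviour.

```python
import hashlib
import hmac
import re
import secrets
from urllib.parse import urlsplit

# Assumptions for this example (not A10 configuration): the WAF's own signing
# key and the host name of the protected site.
WAF_KEY = b"example-only-waf-key-change-me"
PROTECTED_HOST = "shop.example"


def _form_id_mac(session_id, nonce):
    # Bind the nonce to the client's session so a FormID captured in one
    # session cannot be replayed from another.
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(WAF_KEY, msg, hashlib.sha256).hexdigest()


def tag_forms(html, session_id, nonce=None):
    """Outbound direction: insert a hidden FormID field right after each <form> tag.
    Returns (tagged_html, form_id); a nonce can be supplied for reproducibility."""
    nonce = nonce or secrets.token_hex(8)
    form_id = f"{nonce}.{_form_id_mac(session_id, nonce)}"
    hidden = f'<input type="hidden" name="FormID" value="{form_id}">'
    tagged = re.sub(r"(<form\b[^>]*>)", lambda m: m.group(1) + hidden, html, flags=re.I)
    return tagged, form_id


def verify_form_id(form_id, session_id):
    """Inbound direction: recompute the MAC and compare in constant time."""
    nonce, sep, mac = form_id.partition(".")
    if not sep or not nonce:
        return False
    return hmac.compare_digest(mac, _form_id_mac(session_id, nonce))


def referer_ok(headers):
    """Referer check: a submission must come from the protected host.
    A missing Referer is treated as a failure here (a strict policy choice)."""
    ref = headers.get("Referer")
    if not ref:
        return False
    return urlsplit(ref).hostname == PROTECTED_HOST


def csrf_check(method, headers, form_fields, session_id):
    """Return 'allow' or 'deny:<check>' for one request. Read-only methods
    are not state-changing and pass through untouched."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return "allow"
    if not referer_ok(headers):
        return "deny:referer"
    if not verify_form_id(form_fields.get("FormID", ""), session_id):
        return "deny:formid"
    return "allow"
```

The host comparison uses the parsed hostname rather than a string prefix, so a Referer of `https://shop.example.evil.example/` is rejected; and because the FormID carries an HMAC over the session, an attacker who lures a victim cannot mint one, and one harvested from the attacker's own session does not verify for the victim's.
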


Mitigation – Security Checks: Request Protection (4 of 4)
▪ URI Blacklists
– Specifies exclusion criteria for incoming requests
– If the URI of an inbound request matches a rule in the URI Black List, the request is blocked
▪ URI Whitelists
– Connection requests are accepted only if the request matches a criterion in the URI White List
▪ URL Options
– Multiple decode options
– Configurable comment, self-reference, and space options
▪ The URI Black List takes priority over the URI White List:
– Even if a URI matches acceptance criteria in the URI White List, the connection is blocked automatically if it also matches a rule in the separate URI Black List
– Custom (cloned) Black/White list definition files are required if additional URI patterns are needed

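The request-side checks from the four Request Protection slides (allowed methods, header and cookie limits, content length, bad-bot User-Agent, URI black list before white list, multiple decoding, and a SQLIA signature match), collected into one standalone policy evaluator as an added example. This is not A10's implementation and does not reproduce ACOS template syntax; the POLICY values, the SQLI_PATTERNS signature set, and the sample_request builder are all constructed for this illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed policy for this example; the values stand in for the WAF
# template settings named on the slides (allowed methods, limits, lists).
POLICY = {
    "allowed_methods": {"GET", "POST"},
    "max_headers": 32,
    "max_cookies": 16,
    "max_content_length": 65535,
    "max_url_length": 2048,
    "uri_whitelist": [r"^/$", r"^/catalog(/|$)", r"^/cart(/|$)", r"^/login$"],
    "uri_blacklist": [r"^/admin(/|$)", r"\.bak$", r"/\.git(/|$)"],
    "bad_bots": ["sqlmap", "nikto", "masscan"],
}

# Constructed, deliberately small SQL-injection signature set.
SQLI_PATTERNS = [
    r"(?i)\bunion\b.+\bselect\b",
    r"(?i)\bor\b\s+\d+\s*=\s*\d+",
    r"(?i)\bor\b\s+'[^']*'\s*=\s*'",
    r"--\s*$",
    r"(?i)\bsleep\s*\(",
]


def multi_decode(value, rounds=2):
    """'Multiple decode' option: peel successive layers of percent-encoding
    so %252e%252e (double-encoded '..') is matched as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def canonical_path(path):
    """Decode, then resolve self-references (/./) and parent segments (/../)
    so list matching sees the path the server would actually serve."""
    return posixpath.normpath(multi_decode(path))


def evaluate(req):
    """Apply the request-side checks in order; return 'allow' or 'deny:<check>'."""
    if req["method"].upper() not in POLICY["allowed_methods"]:
        return "deny:method"
    if len(req["headers"]) > POLICY["max_headers"]:
        return "deny:max_headers"
    if len(req["cookies"]) > POLICY["max_cookies"]:
        return "deny:max_cookies"
    if len(req["body"]) > POLICY["max_content_length"]:
        return "deny:buffer_overflow"
    url = req["path"] + ("?" + req["query"] if req["query"] else "")
    if len(url) > POLICY["max_url_length"]:
        return "deny:url_length"
    ua = req["headers"].get("User-Agent", "").lower()
    if any(bot in ua for bot in POLICY["bad_bots"]):
        return "deny:bot"
    path = canonical_path(req["path"])
    # The black list is consulted first and wins, as the slide states.
    if any(re.search(p, path) for p in POLICY["uri_blacklist"]):
        return "deny:uri_blacklist"
    if not any(re.search(p, path) for p in POLICY["uri_whitelist"]):
        return "deny:uri_whitelist"
    for field in (multi_decode(req["query"]), multi_decode(req["body"].decode("latin-1"))):
        if any(re.search(p, field) for p in SQLI_PATTERNS):
            return "deny:sqlia"
    return "allow"


def sample_request(method="GET", path="/catalog/item", query="", headers=None, cookies=(), body=b""):
    """Constructed request builder used to exercise the checks."""
    h = {"Host": "shop.example", "User-Agent": "Mozilla/5.0"}
    h.update(headers or {})
    return {"method": method, "path": path, "query": query, "headers": h,
            "cookies": list(cookies), "body": body}
```

Two points the slides state but do not illustrate are visible here: the black list is evaluated before the white list, so `/catalog/%2e%2e/admin/users` is denied even though `/catalog/` is white-listed, and decoding must happen before list matching, or the double-encoded `/%252e%252e/admin` would slip past a black list written against the literal string `/admin`.
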
Mitigation – Security Checks: Response Protection (1 of 2)
▪ CCN Mask
– Examines outbound replies from the Web server for numerical character patterns
– Replaces patterns that resemble credit card numbers with "x"
▪ SSN Mask
– Examines outbound replies from the Web server for numerical character patterns
– Replaces patterns resembling US Social Security numbers with "x" (the last four digits remain intact)
▪ Filter Response Headers
– Removes Web server identifying headers from outbound responses (Server, X-Powered-By, X-AspNet-Version, and more)
▪ Hide Response Codes
– Cloaks 4xx and 5xx response codes in outbound responses from the web server
– References the allowed_resp_codes WAF policy file for the list of acceptable HTTP response codes

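The four response-side checks on this slide (CCN mask, SSN mask with the last four digits kept, identifying-header removal, and response-code cloaking against an allowed list), as an added example that is not A10's code. The header list and ALLOWED_RESP_CODES set are constructed stand-ins for the product's configuration and the allowed_resp_codes file; the Luhn filter on card-number candidates and the choice of a generic 404 as the substitute status are this example's own decisions, not documented product behaviour.

```python
import re

# Constructed stand-ins for the slide's lists: stack-revealing headers and the
# contents of the allowed_resp_codes policy file.
IDENTIFYING_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version"}
ALLOWED_RESP_CODES = {200, 201, 204, 301, 302, 304, 400, 401, 403, 404}

# 13-16 digits, optionally separated by single spaces or dashes.
CCN_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
# US SSN: 3-2-4 digits with optional separators.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")


def luhn_ok(digits):
    """Luhn checksum; added here so order or tracking numbers that merely look
    like card numbers are left intact (an example choice, not a product claim)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_ccn(body, ch="x"):
    def repl(m):
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)
        return re.sub(r"\d", ch, m.group(0))
    return CCN_RE.sub(repl, body)


def mask_ssn(body, ch="x"):
    # Mask everything but the last four digits, which the slide says stay intact.
    return SSN_RE.sub(lambda m: re.sub(r"\d", ch, m.group(0)[:-4]) + m.group(3), body)


def filter_response_headers(headers):
    return {k: v for k, v in headers.items() if k.lower() not in IDENTIFYING_HEADERS}


def cloak_status(status, body):
    """Hide Response Codes: a 4xx/5xx not in the allowed list is replaced by a
    generic 404 with a neutral body, so stack traces in error pages never leave.
    The substitute code is this example's choice."""
    if 400 <= status <= 599 and status not in ALLOWED_RESP_CODES:
        return 404, "Not Found"
    return status, body


def protect_response(status, headers, body):
    """Run the outbound checks in one pass and return the sanitized triple."""
    status, body = cloak_status(status, body)
    return status, filter_response_headers(headers), mask_ssn(mask_ccn(body))
```

Masking runs on the response body as text, so it only helps if the WAF has already decompressed the response; a gzip-encoded body would not match either pattern.
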
Mitigation – Security Checks: Response Protection (2 of 2)
▪ PCRE Mask
– Masks fields matching fixed-length Perl Compatible Regular Expression (PCRE) patterns
– Replaces the masked characters with "X" (default) or an admin-chosen character
– Because the mask only supports fixed-length patterns, the unbounded quantifiers * and + are not supported; the syntax check fails if it detects an asterisk (*) or plus sign (+)
– For expressions that must match a literal "*" or "+" character, insert a backslash ("\") before the symbol
▪ Cookie Encryption
– Protects against cookie tampering
– Uses a secret passphrase to encrypt and decrypt cookies transferred between the web server and the client
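The PCRE mask syntax rule (reject an unescaped * or +, accept the escaped forms) and the cookie-protection idea from this slide, as an added example that is not A10's code. The cookie part deliberately uses an HMAC seal, which detects tampering but leaves the value readable; the slide describes encryption with a passphrase, which additionally hides the value, and PASSPHRASE here is an assumed stand-in for that configured secret.

```python
import base64
import hashlib
import hmac
import re


def validate_pcre_mask(pattern):
    """The mask only accepts fixed-length patterns: an unescaped '*' or '+'
    fails the syntax check, while '\\*' and '\\+' (literal characters) pass."""
    escaped = False
    for ch in pattern:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch in "*+":
            return False
    return True


def pcre_mask(body, pattern, ch="X"):
    """Replace every match of a fixed-length pattern with the mask character."""
    if not validate_pcre_mask(pattern):
        raise ValueError("PCRE mask patterns must be fixed length: '*' and '+' are not allowed")
    return re.sub(pattern, lambda m: ch * len(m.group(0)), body)


# Assumption: the passphrase configured on the WAF, used here as an HMAC key.
PASSPHRASE = b"example-only-cookie-passphrase"


def seal_cookie(value, passphrase=PASSPHRASE):
    """Outbound: wrap the server's cookie value so the client cannot change it
    unnoticed. Integrity only; the product slide describes encryption."""
    payload = base64.urlsafe_b64encode(value.encode()).decode()
    tag = hmac.new(passphrase, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def open_cookie(sealed, passphrase=PASSPHRASE):
    """Inbound: return the original value, or None if the seal does not verify."""
    payload, sep, tag = sealed.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(passphrase, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        return base64.urlsafe_b64decode(payload.encode()).decode()
    except (ValueError, UnicodeDecodeError):
        return None
```

The syntax check covers exactly the two quantifiers the slide names; `?` and open-ended `{n,}` ranges also produce variable-length matches, so a deployment that allows them would need the same treatment. The seal rejects a modified payload, a modified tag, and a value produced under a different passphrase, which is the tamper-resistance property the slide attributes to cookie encryption.
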