
Defence in Depth


A Web Application Firewall (from here on out known as a WAF) is a piece of software or hardware that provides a layer of protection for web applications (websites) on the internet.

We have worked with a few options over the years and decided to post a rundown of our thoughts and recommendations.

Why WAF?

Well, the internet is a bit like the wild west. When a website comes online it is instantly bombarded by badness from all directions. Most of this is in the form of bots (from robots, automated programs that scour the internet for vulnerable websites), and they don’t obey speed limits.

When vulnerabilities are exploited by bots, this can lead to a website being defaced, data being stolen (usernames and passwords, sensitive private information, etc.), or even the website becoming a zombie bot among other zombie bots that go on to infect other vulnerable websites (a net of bots, or botnet, which you may have heard about in the news).

Botnets, along with the processing power and internet bandwidth they hold hostage, are eventually rented out to the highest bidder on the black market. Vulnerabilities can cause all kinds of very real-world damage from there.

So, on top of the usual security best practices to prevent bad things from happening, sometimes a WAF is introduced as a first line of defence.

Our picks

This isn’t an exhaustive list by any means, but these are a few products that we’ve looked at over the years and think are up to the task.

Amazon AWS WAF

This WAF is a great option when you’re already in the AWS ecosystem.

It requires a load balancer to be placed in front of the website; this is often in place already when we’re using AWS, but not always.

As with other services in AWS, the convenience does come with a cost, and this WAF can be a relatively expensive option. It also uses a pay-per-rule model for rule expansion (rules determine how attackers are detected by the WAF).

However, it does come with a managed set of rules that cover common vulnerabilities (such as the OWASP Top 10), and can be tweaked to suit your application.



Cloudflare

Another common option is Cloudflare. Much like AWS, Cloudflare has a suite of tools built around security and performance. This includes a WAF, along with DDoS Protection and other offerings that take the pressure off.

While the OWASP Core Rulesets aren’t included in the Free plan, the Free plan does allow for simple firewall rules, and moving to the Pro plan is a cost-effective way to get a more capable and managed WAF in place.

For the technically inclined, they also post in-depth articles on security and performance on their Cloudflare blog.

Note: Cloudflare requires switching your DNS nameservers, which can be a non-starter for some projects.


NAXSI

Nginx based. Open Source.

This WAF mainly relies on looking at tokens (non-alphabetic characters such as !@#$%^&*()_+-=\|~ etc) in the URL.

Detection is limited to looking at the URL that’s being loaded, but this is still useful to combat the common types of injection (when user input hasn’t been sanitised by the application, which can allow malicious code or data into the application).

It takes a hard approach by default and relies on whitelisting for the website to work correctly, making thorough testing a must.

NAXSI on GitHub


ModSecurity

Apache or Nginx based. Open Source.

This WAF is a bit more intricate but the main advantage is that it can be used with the OWASP Core Rule Set, a set of instructions for ModSecurity for detecting vulnerabilities and attacks in the OWASP Top 10.

ModSecurity can also observe everything going into or coming out of the application, for example, picking up unexpected errors that display sensitive technical data. You may have even spotted this yourself on other websites. We often don’t expect that the application itself can be in the wrong from time to time!

ModSecurity on GitHub


Of course, bespoke is an option too. One of our team members uses a custom solution (written in Google’s golang programming language) which does an excellent job at catching unsavoury input before it can do any damage, based on heuristics they have chosen.

This is especially useful when you want to block traffic based on specific criteria, or would like to handle such visitors in a more complex way than simply blocking them.


Keep in mind, all WAF options also come with varying degrees of false positives, as they usually err on the side of caution. Each website is different and there is always testing and configuring involved when setting up a WAF, depending on your threat model (the scope of attacks and vulnerabilities you’re concerned about).

Most of these products also offer a training mode so you can get a feeling for what traffic might be blocked before you turn the switch for real.
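To make the token-scoring approach described for NAXSI concrete, along with the whitelisting and training mode mentioned above, here is an added example in Go. It is not code from any of the products listed or from our team member's tool. The token weights, the threshold, the `WAF` type and the sample URL are all constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// Constructed token weights for illustration; not NAXSI's real rule set.
var tokenScore = map[string]int{"'": 4, "\"": 4, "<": 8, ">": 8, "--": 4, "(": 2, ")": 2, "..": 8}

type WAF struct {
	Threshold int
	Learning  bool            // training mode: score and record, never block
	Whitelist map[string]bool // "field token" pairs accepted for this site
}

// Check scores the decoded path and each query value. hits lists the
// "field token" pairs that scored: the raw material for a whitelist.
func (w WAF) Check(rawURL string) (score int, blocked bool, hits []string) {
	path, rawQ, _ := strings.Cut(rawURL, "?")
	p, e1 := url.PathUnescape(path)
	q, e2 := url.ParseQuery(rawQ)
	if e1 != nil || e2 != nil { // malformed input is never treated as clean
		return w.Threshold, !w.Learning, []string{"malformed"}
	}
	fields := map[string]string{"URL": p}
	for k, vals := range q {
		fields["ARG:"+k] = strings.Join(vals, "\n")
	}
	for name, val := range fields {
		for tok, pts := range tokenScore {
			hit := name + " " + tok
			if n := strings.Count(val, tok); n > 0 && !w.Whitelist[hit] {
				score += n * pts
				hits = append(hits, hit)
			}
		}
	}
	sort.Strings(hits)
	return score, !w.Learning && score >= w.Threshold, hits
}

func main() {
	// Constructed URL: a legitimate name that a strict default still blocks.
	fmt.Println(WAF{Threshold: 8}.Check("/staff?name=O%27Brien+%28Dublin%29"))
}
```

Running the same URL with `Learning: true` returns the same score and hits without blocking, which is how a whitelist gets built before enforcement is switched on.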

Final verdict?

All but the dullest of websites carry around complexity that unfortunately comes with security risks attached.

A WAF isn’t always needed, but for more complex websites or where sensitive data is being handled, a WAF is a great option that provides an extra layer of defence for peace of mind.

While we only covered a few options, as you can see they cover the gamut of setups and budgets. Simply put, any of these options is worth considering, and sometimes no WAF is just as valid an option too.

Get in touch for our honest advice on using a WAF in your project.
