Our journey on Web Application protection has already had important chapters, such as a detailed guide to choosing your WAF and a list of how Azion's WAF helps combat each of the OWASP Top 10 threats.
In this post, we will briefly revisit the main threat detection methods adopted by WAFs available on the market and demonstrate the advantages of adopting the Azion WAF to protect your applications and APIs from known and emerging threats and from zero-day exploits.
Main Threat Detection Methods
As you can see in more detail in this blog post, a WAF (Web Application Firewall) is a solution that monitors and controls HTTP and HTTPS traffic between servers and clients on the Internet. It can block or allow requests based on predetermined rules, which can be based on signatures (also known as “vaccines”) or a scoring method.
Signature-Based Method
A signature-based WAF compares each request with a list of known attack patterns (the “signatures”). If a request matches any of the signatures contained in the WAF, it will be blocked.
This is a simple method that can be very effective against widely known attacks. But it has some limitations, such as the fact that it can hardly contain an attack that has not yet been registered in its signature database.
Thus, an application or API protected by a signature-based WAF may still be completely exposed to emerging attacks and zero-day exploits, as attackers put their efforts into hiding or bypassing suspicious characters and commands so that their requests do not match certain signatures. Besides that, to work its way around this challenge, a signature-based WAF needs constant updates to be able to detect new attacks that emerge daily.
But that’s not all: By comparing each request with the signatures of thousands of attacks, this detection method tends to increase latency of websites and applications, affecting user experience, which can be especially damaging for time-sensitive services such as payment and streaming services.
Scoring-Based Method
In turn, a scoring-based WAF analyzes requests based on criteria such commands and data contained in them. This way, a score is assigned to each request, and if it is above the limit defined in the WAF, the request is blocked.
So instead of matching requests against a database of known signatures, this type of WAF relies on rules set by the administrator to monitor requests and block those wheresuspicious elements are found (such as “INSERT” or “\\”).
One of the benefits of this approach is that it does not impact latency like the signature-based one, since it performs comparisons against a small set of rules instead of a bank of thousands of signatures. Also, because the rules can be set based on characteristics of requests that are normally suspect, a scoring-based WAF can even block threats that have not yet been discovered, making it much more reliable and effective against emerging and zero-day attacks.
Discover the Azion WAF
How It Works
To provide the best protection for our customers, the Azion WAF uses the scoring-based detection method. This means that each incoming request is compared against a detailed set of rules and given a score, which can be associated with with security risks in web applications.
A significant advantage of associating this approach with our platform’s architecture is that, according to the score received, suspicious requests can be blocked directly at Azion’s edge locations, without even getting close to the origin of our customers. Every incoming request is treated using an efficient, performant set of security rules and, according to the assigned score, suspicious requests can be blocked directly at our edge locations, without the need for a new request or connection to the origin, resulting in the mitigation of the origin of the attack.
In addition, you can customize the blocking sensitivity for each threat family according to the specifics of your application and business, lowering the risk of false-positives while keeping your application and users safe from threats of all types. This is also ensured in the learning stage of the solution, where the WAF Rule Set identifies the legitimate behaviors of your application and enters them into a permission list known as a whitelist.
WAF Tuning also allows you to adapt your WAF’s behavior by analyzing normally blocked IPs, making scoring rules more flexible for internal traffic and legitimate tests performed on your application.
For more details about the sensitivity settings, the Rule Set and WAF Tuning, and the entire process of implementing and using Azion’s WAF, please refer to our documentation.
Advantages
Azion’s WAF Is Scoring-Based
As discussed before, the scoring-based method is the most secure threat detection method with the least impact on your application’s performance, and this is the one adopted by the Azion WAF. It maximizes the detection and mitigation of known and unknown threats, reduces the number of false positives, and applies specific policies for either bots and human users, without performance loss or requiring frequent updates.
Azion’s WAF Is Ultra Fast to Configure and Implement
In addition to ensuring effective protection, Azion’s WAF also benefits from easy and ultra-fast configuration and implementation. By using dashboards and intuitive interfaces, you can create your WAF, define rules specific to your business, establish levels of sensitivity, and implement security across Azion’s global network of edge locations in minutes.
Azion’s WAF Uses Both Pre-Established and Custom Rules
To ensure all these benefits, you can use the pre-established rules of the Azion WAF (which adopts the highest level of sensitivity by default), or you can customize rules and conditions according to the needs and specificities of your industry, strengthening protection against more frequent threats and lowering the level of sensitivity of others to avoid false positives. In the following image you have an example of how all this is done simply in our Real-Time Manager.
Azion’s WAF Meets the Most Important Compliance Rules in the Market
In the globalized information economy, meeting strict data compliance rules is a must for securing users’ information. That’s why Azion’s WAF meets globally recognized compliance requirements such as SOC 3 and PCI DSS v4.0.
In addition, by having edge locations on five continents, Azion simplifies how you meet local compliance rules, preventing sensitive data from flowing through servers that don’t comply with the rules of specific countries and regions.
Azion’s WAF Is Part of the World’s Most Reliable Edge Computing Platform
The Azion WAF is a module of the Edge Firewall, Azion’s complete security stack. In addition to protecting against OWASP Top 10, emerging and zero-day attacks, it provides you with free unmetered DDoS security with DDoS Protection and a programmable protection perimeter for your network layer with Network Layer Protection.
In addition, both the WAF and all of our security solutions are easily integrated with Real-Time Metrics, Data Streaming, and our other observability tools, enabling simple connection to your SIEM tool and real-time data analysis to improve your security rules, avoiding false positives and detecting potential flaws that could open the door to emerging threats.
At Azion you also have the Azion Marketplace, a digital catalog with ready-to-implement solutions that enhance your applications and your security in just a few clicks, with no need to write code from scratch.
Finally, in the Azion Edge Computing Platform you find tools to build and deliver the best modern applications running on our 100+ globally distributed edge locations. Solutions like Image Processor and Edge Caching help ensure that even with the most complete and modern protection, your applications will also deliver the best performance and user experience.
Success Cases
The extensive effectiveness of our scoring-based WAF is attested by customers and even global events.
In late 2022, a successful SQL Injection (SQLi) attack, popularly known as “WAF Bypass”, affected a large number of applications protected by WAFs of some of the biggest global players in the market. Azion’s WAF, on the other hand, was able to block this attack without requiring additional rules or any type of update: our WAF's standard SQLi protection was proved effective in 100% of the tests performed.
After that, in the first half of 2023, another attack, known as CRLF Injection Bypass, also surprised large service providers which use signature-based WAFs and found themselves vulnerable to this emerging threat. Once again, the Azion WAF proved its effectiveness without the need for any updates.
Our customers also attest to the effectiveness and efficiency of Azion’s WAF on a daily basis. Companies such as B2W (which includes platforms like Americanas.com and Submarino.com), Magalu, and the Netshoes portal are some of those that have used our solution to block millions of attacks per year and drastically reduce their false positives numbers, which are frequent in signature-based WAFs and can be harmful by preventing legitimate traffic from reaching your applications.
Conlusion
Azion’s WAF is the ideal match for companies that want to protect their applications against OWASP Top 10 threats, emerging attacks and zero-day exploits without losing performance or blocking legitimate traffic. Set up a free account today to discover all the benefits of our WAF and edge computing in practice. And talk to one of our experts to find out how Azion can drive the digital revolution in your company.
