Web Application Firewall
Web Application Firewall (WAF) is an Edge Firewall module, developed to protect edge applications from threats such as SQL Injections, Remote File Inclusion (RFI), Cross-Site Scripting (XSS), and other web vulnerabilities. WAF analyzes HTTP and HTTPS requests, detects, and blocks malicious activity before it reaches your application infrastructure.
WAF operates in the seventh layer of the OSI model, the application layer, where the relationship between web applications and their respective network services and user data takes place. It also works as a barrier to filter and monitor traffic between your application and the requests from the internet.
Web Application Firewall is based on requests scoring methodology. Each HTTP/HTTPS request is compared to a very strict and detailed set of application standards and given a score that is associated with a particular family of threats. According to the score received by the request, it can be released or blocked directly in Azion’s edge nodes, before the threat reaches its origin or causes any type of damage. You define the desired level of sensitivity for blocking each family of threats.
To avoid blocking lawful requests and malfunctions of your application, you must perform a learning step. In this step, WAF identifies the legitimate behaviors of your application by placing them on an allowlist. If internal traffic, tests, and false positives are being blocked by WAF, you can also fine-tune its settings in the Tuning tab, inside a created WAF.
Implementation
Section titled Implementation| Scope | Source |
|---|---|
| WAF | How to check your WAF mode |
| WAF | How to find information about WAF blocked requests |
Prerequisites
Section titled PrerequisitesTo configure a WAF Rule Set, which is what a WAF configuration is called, you must have an Edge Firewall configuration with the Web Application Firewall module activated.
Learn more about Edge Firewall modules and the Rules Engine for Edge Firewall.
WAF Main Settings
Section titled WAF Main SettingsThe Threat Type Configuration table is available in the Main Settings tab of a WAF configuration. Threats are categorized into families, according to the purpose of the attack.
| Threat family | Description |
|---|---|
| SQL Injections Sensitivity | Detects attack attempts by injecting SQL code into the application. |
| Remote File Inclusions (RFI) | Detects attempts to include files, usually through scripts on the web server. |
| Directory Traversal | Prevents exploitation of vulnerability regarding insufficient sanitization of file name fields provided by users, so that characters representing shortcuts to the parent directory are passed through the file API. |
| Cross-Site Scripting (XSS) | Prevents the injection of client-side scripts into pages viewed by your visitors. |
| File Upload | Detects the attempt to upload files to the web server. |
| Evading Tricks | Protects against some coding tricks used to try to evade protective mechanisms. |
| Unwanted Access | Detects attempts to access administrative or vulnerable pages, bots, and security scanning tools. |
| Identified Attacks | Prevents several types of common attacks and known vulnerabilities that should certainly be blocked. |
You can also enable and disable protection for each threat family individually through the Active switch in the third column.
Sensitivity levels and WAF scores
Section titled Sensitivity levels and WAF scoresSensitivity levels define how strictly WAF will consider a request as a threat. A request will be blocked by WAF if it obtains a score greater than or equal to the configured sensitivity level threshold. You can set one sensitivity level for each threat family.
| Sensitivity | Description and WAF sore threshold |
|---|---|
| Lowest | The requisition will be considered a threat if it presents very strong evidence and receives a score greater than or equal to 40. This sensitivity has a lower level of protection for your applications, but it’ll also avoid blocking requests with less chance of false positives. |
| Low | The request will be considered a threat if it presents very strong evidence and receives a score greater than or equal to 24. This sensitivity has a lower level of protection for your applications, but it’ll also avoid blocking requests with less chance of false positives. |
| Medium | Recommended sensitivity level. The request will be considered a threat if it presents sufficient evidence and receives a score greater than or equal to 16. |
| High | At the slightest hint of a threat, the requisition may be blocked, even when it has a score greater than or equal to 8. This level of sensitivity may present more false positives if the learning stage doesn’t have sufficient coverage on the variability of scenarios and uses of its application. |
| Highest | At the slightest hint of a threat, the requisition may be blocked, even when it has a score greater than or equal to 4. This level of sensitivity may present more false positives if the learning stage doesn’t have sufficient coverage on the variability of scenarios and uses of its application. |
Each sensitivity level tolerates a defined number of threat indicatives, the WAF score represents this amount of threat indicatives. The more flexible the sensitivity level is, the higher the WAF score it accepts. The most rigid sensitivity levels, on the other hand, only accept requests with a fewer signs of threats.
WAF Tuning
Section titled WAF TuningWAF Tuning is an analytical tool that shows IPs from requests that match the WAF rules. The Tuning tab is where you can make the WAF’s operation more flexible. IPs are displayed grouped in the Filter WAF rule table. You can filter by Domain, Time Range, Network Lists, IP, and Countries.
In the filters below Filter Possible Attacks:
- Enter the domain (required), time range, which network lists you prefer to use, which IPs you are investigating, and the country of origin of the requests.
- Click the Apply filter button.
To see IPs marked by WAF, you must at least specify the domain (or the domains) of your application. The other fields are optional but enable a more detailed selection.
By clicking the Apply filter button, a list of Possible Attacks will be displayed. This list includes the fields Rule ID, Description, Hits, IPs, Countries, Top 10 IPs Address, and Top 10 Countries.
For more information about these possible attacks, see the WAF Custom Allowed Rules documentation.
Allowed Rules
Section titled Allowed RulesThis tab allows you to create Match Zones for Allowed Rules.
The Allowed Rules are composed of the fields:
| Field | Description |
|---|---|
Rule ID | Unique numeric ID of a WAF Rule. |
Rule Description | Automatic textual description of what the rule is/does. |
Reason | Alternative manual textual description. |
URI | Uniform Resource Identifier (URI) is the path that goes after the domain in the URL. |
Path | When specified, restricts the application of the Match Zone only to the defined path. The path delimits the scope of action of the rule. |
Match Zone | Parts or fields of the requisition that’ll be compared with the match pattern. It can be Path, Query String, Request Header, Request Body, File Name, or Raw Body. |
Active | Allowed Rule active status switch. |
Match Zone dropdown options
Section titled Match Zone dropdown optionsThe Match Zone dropdown opens the options available to complete this field. Each option has a specific behavior, as explained in the table below.
| Field | Description |
|---|---|
Path | Match pattern will be compared with the request path. |
Query String | Match pattern will be compared to the query string, also called GET arguments. |
Request Header | Match pattern will be compared to the HTTP headers of the request. |
Request Body | Match pattern will be compared to the body of a POST, also called POST arguments. |
File Name (Multipart Body) | Match pattern will be compared with the name of the files in multipart POSTs . |
Raw Body | Match pattern will be compared to the uninterpreted body of a requisition, also called the unparsed body. |
The
Last EditorandLast Modifiedfileds are only available through the API.