Introduction
A WAF can be purchased as a commercial product or downloaded as an open source firewall, but it can equally come in hardware form. How we configure our WAF largely determines how well it keeps attackers out, so today I would like to go over some of the features a WAF can have, to give you a better understanding of how you should configure yours, or how you should attack the WAF you are currently facing. Configuring a WAF for stricter inspection may be desirable, but we have to realise that it increases the processing time of every request.
Installation modes
We can install our WAF in two ways and each has their own advantages and disadvantages:
One-armed mode (diagram)
Two-armed mode (diagram)
Features
I looked at the sales documents of some popular WAFs to see which features they offer at the maximum level of protection (and pricing). For the source documents, please refer to the "Sources" chapter at the end of the document.
- OWASP Top 10 Web Application Security
- Geo-IP and IP Reputation > If the IP, or the region it originates from, is not trusted or is blacklisted, the WAF will act
- Smart Signatures > The WAF recognises known attack signatures
- Outbound Data Theft Protection (Credit, SSN, etc...) > If data such as credit card numbers or SSNs appears in outbound traffic, the WAF will act when that data does not belong to the requester
- Adaptive Profiling > A technique of analysing request and response traffic to generate customised security profiles for the web application
- Exception Heuristics > Heuristic exceptions signal undesired and possibly inconsistent outcomes, and the WAF analyses them
- File Upload Control > Checks uploaded files
- Website Cloaking > Cloaking is a search engine optimization (SEO) technique in which the content presented to the search engine spider is different from that presented to the user's browser. This is done by delivering content based on the IP addresses or the User-Agent HTTP header of the user requesting the page. Cloaking also prevents hackers from obtaining information that could be used to launch a successful subsequent attack. HTTP headers and return codes are masked before sending a response to a client. The response headers are filtered based on the headers defined in the Headers to Filter field.
- Protocol Checks for HTTP and HTTPS traffic > Checks if the traffic matches the expected protocol format
- Granular per URL/parameter policies > You can even set a different policy per parameter... this is why it's important to always check every parameter and URL, as some might be less secure!
- Rate Control > For preventing things like DoS attacks
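To make the "Website Cloaking" and "Outbound Data Theft Protection" items above concrete, here is a small added example (not code from any of the WAF products or their sales documents) of what a response-side filter does: it drops fingerprintable headers from a filter list and masks card numbers and SSNs in the body. The header list, regexes and sample response are my own assumptions for illustration.

```python
import re

# Assumed "Headers to Filter" list: response headers that fingerprint the origin.
HEADERS_TO_FILTER = {"server", "x-powered-by", "x-aspnet-version"}

# 13-19 digits, optionally separated by single spaces or dashes (assumed pattern).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in the common 3-2-4 dashed form.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects random digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def cloak_headers(headers: dict) -> dict:
    """Strip headers on the filter list before the response leaves the WAF."""
    return {k: v for k, v in headers.items() if k.lower() not in HEADERS_TO_FILTER}


def _mask_card(m: re.Match) -> str:
    raw = m.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_ok(digits):
        return raw              # Luhn fails: likely an order id, leave it alone
    return "*" * (len(digits) - 4) + digits[-4:]


def protect_outbound(body: str) -> str:
    """Mask card numbers and SSNs found in a response body."""
    body = CARD_RE.sub(_mask_card, body)
    return SSN_RE.sub(lambda m: "***-**-" + m.group(0)[-4:], body)


if __name__ == "__main__":
    # Constructed sample response, as an origin server might produce it.
    hdrs = {"Server": "Apache/2.4.41", "Content-Type": "text/html", "X-Powered-By": "PHP/7.4"}
    page = "Card 4111 1111 1111 1111, order 1234567890123, SSN 123-45-6789"
    print(cloak_headers(hdrs))
    print(protect_outbound(page))
```

Note that the Luhn check is what keeps the 13-digit order number untouched while the test card number is masked; without it, outbound protection produces false positives on any long digit run.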