A Web Application Firewall (WAF) is designed to protect web applications by filtering and monitoring HTTP traffic between a web application and the internet. It can help to prevent attacks related to web application vulnerabilities, such as SQL injection, cross-site scripting (XSS), and file inclusion.
You should run in passive/tap mode first, gather the data, and then build policies. It’s a widely recommended approach when deploying a Web Application Firewall (WAF) or similar security solutions.
Here’s the rationale:
Understanding the Traffic:
Before deploying a security solution in a blocking or active mode, it’s critical to understand your application’s traffic patterns and behaviors. Running the WAF in passive/tap mode allows you to monitor the incoming and outgoing traffic without making any changes to it. This gives you an insight into what “normal” traffic looks like for your application and helps you spot any anomalies or potential threats.
Reducing False Positives:
False positives (i.e., legitimate requests getting blocked) can have a detrimental effect on business operations, user experience, and can even lead to downtime. By analyzing the traffic in passive mode first, you can fine-tune the rules to minimize the chances of false positives when the WAF is deployed in active mode.
Customized Policies:
Every application is unique. Off-the-shelf WAF configurations, while comprehensive, may not fully align with your application’s specific behaviors and requirements. By running in passive mode, you gather the essential data to build and refine policies tailored to your application’s specific needs.
Mitigate Business Risks:
Suddenly deploying a WAF in active mode can inadvertently block legitimate business traffic, leading to potential loss of revenue or unhappy customers. Passive mode allows you to mitigate these risks by configuring the WAF accurately and effectively before enforcement begins.
Training and Skill Development:
Running the WAF passively provides an excellent learning opportunity for security and IT teams. They get accustomed to the WAF’s interfaces, learn about traffic patterns, and develop skills for fine-tuning and managing the WAF effectively.
Steps for Deployment:
- Deployment in Passive/Tap Mode: Deploy the WAF and monitor traffic without blocking any requests. Analyze the logs to understand traffic patterns, spot anomalies, and identify potential threats or false positives.
- Analysis and Fine-tuning: Based on the observed traffic, adjust and fine-tune the WAF’s rule set. Identify and address potential false positives.
- Testing in a Controlled Environment: If possible, test the WAF’s active mode in a staging or pre-production environment to understand its behavior before deploying it in the production environment.
- Deployment in Active Mode: Once you’re satisfied with the WAF’s configuration and rule set, switch it to active mode to start enforcing the policies and blocking malicious traffic.
- Continuous Monitoring and Iteration: Regularly review the logs, alerts, and policies. Adjust and refine the WAF’s configurations as needed based on new insights and changing traffic patterns.
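The analysis step above is where passive-mode logs get turned into decisions. The following added example (not from the original article) triages constructed detection-only WAF events: a rule that fires on one path from many unrelated sources is flagged as a false-positive candidate, a single source tripping many rules on many paths is flagged as a likely scanner, and candidates are rendered as path-scoped exclusions in ModSecurity's `ctl:ruleRemoveById` syntax. The log field names, rule IDs and addresses are assumptions.

```python
import json
from collections import Counter, defaultdict

# Constructed passive-mode WAF events, one JSON object per line. Field names
# and rule IDs are assumptions for this example, not any vendor's format.
SAMPLE_LOG = """\
{"rule":100001,"path":"/search","src":"10.0.0.5","action":"detect"}
{"rule":100001,"path":"/search","src":"10.0.0.6","action":"detect"}
{"rule":100001,"path":"/search","src":"10.0.0.7","action":"detect"}
{"rule":100002,"path":"/login","src":"198.51.100.9","action":"detect"}
{"rule":100003,"path":"/admin","src":"198.51.100.9","action":"detect"}
{"rule":100004,"path":"/api/v1","src":"198.51.100.9","action":"detect"}
{"rule":100002,"path":"/comments","src":"10.0.0.5","action":"detect"}
not-json garbage line
"""

def parse_events(text):
    """Parse newline-delimited JSON, skipping malformed lines instead of aborting."""
    events = []
    for line in text.splitlines():
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events

def triage(events, min_hits=3, min_sources=3):
    """Return (false-positive candidates, likely scanners). A rule firing on one
    path from many sources looks like legitimate traffic tripping a signature;
    one source tripping many rules on many paths looks like a scanner."""
    hits, sources, per_src = Counter(), defaultdict(set), defaultdict(set)
    for e in events:
        key = (e["rule"], e["path"])
        hits[key] += 1
        sources[key].add(e["src"])
        per_src[e["src"]].add(key)
    fp = [{"rule": r, "path": p, "hits": n, "sources": len(sources[(r, p)])}
          for (r, p), n in hits.items()
          if n >= min_hits and len(sources[(r, p)]) >= min_sources]
    scanners = [s for s, keys in per_src.items()
                if len({r for r, _ in keys}) >= 3 and len({p for _, p in keys}) >= 3]
    return sorted(fp, key=lambda c: -c["hits"]), sorted(scanners)

def exclusion_lines(fp_candidates, start_id=90000):
    """Path-scoped exclusions in ModSecurity ctl:ruleRemoveById syntax (assumed),
    so a rule is relaxed only where it misfires rather than disabled globally."""
    return [f'SecRule REQUEST_URI "@beginsWith {c["path"]}" '
            f'"id:{start_id + i},phase:1,pass,nolog,ctl:ruleRemoveById={c["rule"]}"'
            for i, c in enumerate(fp_candidates)]
```

Review each suggested exclusion against the application before applying it; the thresholds only rank candidates, they do not prove a hit was benign.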
In summary, while it might be tempting to immediately deploy a WAF in active mode, especially if there are immediate threats or concerns, taking a phased approach by initially running in passive mode will result in a more effective and efficient security posture in the long run.
WAF Best Practices and Recommendations
Implementing and managing a WAF requires careful planning and adherence to best practices. Here are detailed best practices and recommendations:
1. Understanding Your Web Application
- 1.1 Application Profiling: Understand the behavior of your web application. This allows you to identify what is “normal” and hence detect anomalies.
- 1.2 Identify Assets: Understand which parts of your application are most sensitive and need the most protection.
2. Deployment Mode
- 2.1 Reverse Proxy: Deploy WAFs as reverse proxies to hide the IP address of the web server.
- 2.2 TAP Mode: For monitoring purposes without blocking threats in real time.
3. Rule Management
- 3.1 Positive Security Model: Allow known good patterns and block everything else.
- 3.2 Negative Security Model: Block known bad patterns.
- 3.3 Regularly Update Rules: WAF vendors often release updates to counter new vulnerabilities.
- 3.4 Custom Rules: Tailor rules based on your application’s behavior.
- 3.5 Limit Rule Set: Too many rules can affect performance. Prioritize and only use necessary rules.
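To make the difference between 3.1 and 3.2 concrete, here is an added example (not from the original article) that runs the same request through a positive model (per-endpoint allowlist of parameters and value shapes) and a negative model (denylist of known-bad fragments). The endpoint names, parameter schema and signatures are constructed for the example.

```python
import re

# Positive model: per-endpoint allowlist of parameters, each with a strict
# shape. Endpoint and parameter names are constructed for this example.
ALLOWLIST = {
    "/search": {"q": re.compile(r"[\w .-]{1,64}"), "page": re.compile(r"\d{1,3}")},
    "/login": {"user": re.compile(r"[a-z0-9_]{3,32}"), "pw": re.compile(r".{8,128}")},
}

# Negative model: a short, constructed denylist of known-bad fragments.
DENYLIST = [re.compile(p, re.I) for p in (r"<script\b", r"\bunion\s+select\b", r"\.\./")]

def positive_check(path, params):
    """Accept only known endpoints, known parameters and values of the expected shape."""
    schema = ALLOWLIST.get(path)
    if schema is None:
        return f"unknown endpoint {path}"
    for name, value in params.items():
        if name not in schema:
            return f"unexpected parameter {name}"
        if not schema[name].fullmatch(value):
            return f"malformed value for {name}"
    return None  # None means the request is allowed

def negative_check(params):
    """Reject only values that match a known-bad signature; everything else passes."""
    for name, value in params.items():
        for pat in DENYLIST:
            if pat.search(value):
                return f"signature {pat.pattern} in {name}"
    return None

def evaluate(path, params):
    """Run both models on one request so their verdicts can be compared side by side."""
    return positive_check(path, params), negative_check(params)
```

A value such as `O'Reilly` is rejected by the positive model but not the negative one (a false positive to tune out), while an unexpected `debug` parameter is caught only by the positive model (the negative model's blind spot).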
4. Monitoring and Logging
- 4.1 Regular Audits: Regularly audit and review logs to understand attack patterns and fine-tune the WAF.
- 4.2 Centralized Logging: Integrate WAF logs with a Security Information and Event Management (SIEM) system.
- 4.3 Real-time Alerts: Set up real-time alerts for critical threats.
5. Performance Considerations
- 5.1 Scalability: Ensure your WAF can handle current and future traffic loads.
- 5.2 SSL/TLS Offloading: Let the WAF handle SSL/TLS, freeing up resources on the web servers.
- 5.3 Caching: Use WAF caching capabilities to improve web application performance.
6. False Positives and Negatives
- 6.1 Fine-tuning: Regularly tweak WAF rules to reduce false positives.
- 6.2 Test in Passive Mode: Initially run the WAF in a monitoring-only mode to observe its behavior without affecting traffic.
7. Integration
- 7.1 Integration with Other Security Tools: Combine with Intrusion Prevention/Detection Systems (IPS/IDS), DDoS protection, and other security mechanisms for layered defense.
- 7.2 API Protection: Ensure the WAF can handle and inspect API traffic, as APIs are increasingly being targeted.
8. Patch Management
- 8.1 Regular Updates: Keep the WAF software and underlying platform updated.
- 8.2 Virtual Patching: Use the WAF to virtually patch known vulnerabilities in the web application until a fix is deployed.
9. Bot Management
- 9.1 Rate Limiting: Limit request rates from single sources to prevent misuse.
- 9.2 Challenge-Response: Employ CAPTCHA or JavaScript challenges to distinguish between humans and bots.
10. DDoS Protection
- 10.1 Geoblocking: Block traffic from countries or regions that are not relevant to your audience.
- 10.2 Rate Limiting: Prevent volumetric attacks by setting up thresholds for request rates.
11. Backup and Recovery
- 11.1 Regular Backups: Back up WAF configurations regularly.
- 11.2 Disaster Recovery: Have a plan in place to quickly restore WAF operations in case of failures.
12. Training and Knowledge
- 12.1 Training: Ensure that the teams managing and monitoring the WAF are adequately trained.
- 12.2 Stay Informed: Regularly update knowledge about new threats, vulnerabilities, and best practices.
13. Continuous Review
- 13.1 Regularly Review Policies: Business needs and application behaviors change over time. Review WAF policies to ensure they remain effective and relevant.
14. Protection Against OWASP Top 10
Ensure that the WAF is configured to protect against the top 10 most critical web application security risks as identified by the OWASP (Open Web Application Security Project).
Implementing the above best practices and recommendations will help ensure that your WAF provides robust protection for your web application while maintaining optimal performance.