10 Features Every WAF Must Have

Innovations like machine learning have transformed web application firewalls (WAFs) and enabled them to keep up with the explosive growth of malicious attacks.

98% of web applications are vulnerable to attacks like SQL injection, remote code execution, and cross-site scripting (XSS). WAFs swoop in to save the day, but offering a robust security defense only scratches the surface when it comes to the comprehensive features of the best WAF.

Key WAF Features and Differences: Network, Cloud, and Host-based

There are three main types of WAFs: network, cloud, and host-based. Each type has its own unique features and advantages.

1. Network-based WAFs

Network-based WAFs are deployed at the network perimeter as gatekeepers. Their main role is to filter out malicious web traffic at the network edge before it reaches the web applications. These WAFs are generally installed on dedicated hardware or run on a server solely for this purpose.

Pros:

• Provide a high level of security, protecting all applications on the network.

• Low latency (e.g., P99 latency) and high throughput.

Cons:

• High cost due to dedicated hardware or a specific server setup.

• Changes or updates might require downtime or could disrupt network operations.

Key Feature:

Network-based WAFs excel in managing SSL/TLS traffic. They decrypt incoming SSL/TLS data to inspect it for potential threats. After inspection, they re-encrypt the data before it is sent to the application, maintaining confidentiality.

2. Host-based WAFs

Host-based WAFs are integrated directly into the web server's software stack. This close integration provides fine-grained application-specific protection, making them suitable for applications with custom security needs.

Pros:

• Can be configured to the specific needs of each application.

• No need for additional hardware, as these are software solutions.

Cons:

• Only protects the application on the server where it's installed, which may consume server resources, affecting application performance.

Key Feature:

Host-based WAFs are known for their capability to create custom security rules at the application level. This customization provides enhanced security that is finely tuned to each application's unique requirements.

3. Cloud-hosted WAFs

Cloud-hosted WAFs provide a flexible and scalable solution without needing on-premises hardware. Third-party providers offer these WAFs as a service as part of their suite of cloud threat detection tools, making them accessible to businesses of all sizes.

Pros:

• Quick deployment and no maintenance of physical hardware.

• Effortlessly scales with your traffic demands without any additional hardware.

Cons:

• Latency issues are due to the geographical distribution of the cloud servers.

• Less direct control over the configurations and security settings compared to on-premises solutions.

Key Feature:

Cloud-hosted WAFs are known for their ability to integrate with other cloud services. This integration provides a holistic approach to security that leverages the cloud infrastructure's inherent flexibility and scalability.

7 Questions to Ask When Choosing the Right WAF Features

Choosing the right WAF is crucial for effectively securing your applications. Here are seven vital questions that can help you select a WAF that meets your organization's specific needs.

1. Which Deployment Models Are Supported?

Ensure the WAF supports various deployment options – on-premises, cloud, or hybrid – to align with your existing and future infrastructure.

2. What Does the WAF Protect Against?

A good WAF should shield against all known vulnerabilities affecting web applications, including OWASP Top 10 risks and zero-day exploits.

3. What Detection Techniques Are Used?

Look for WAFs that use multiple detection techniques, like signature matching, behavior analysis, and anomaly detection. Also, consider how the WAF manages false positives to avoid disrupting legitimate traffic.

4. Is the WAF Customizable?

The WAF should offer customizable rules and policies tailored to your application's specific security needs.

5. Is the WAF Equipped with Learning Capabilities?

Use WAFs with AI and machine learning capabilities that can adapt their protection strategies based on new threat detection techniques.

6. Is the WAF Scalable?

Consider the scalability of the WAF to handle growing traffic volumes or sudden spikes without degrading the performance.

7. Is It Easy to Deploy?

The deployment process should be straightforward and should not disrupt your current operations. Cloud-based WAFs often offer the easiest deployment options with minimal downtime.

10 Features Every WAF Must Have

Selecting a WAF solution is not easy, and you must ensure the tool has key features that address current and emerging security threats. This section details essential WAF capabilities, explains their importance, and offers guidance on implementation.

Core Protection Features

1. Machine Learning Engine

WAFs equipped with machine learning models can continuously learn from security data, adapting to new threats without relying on predefined rules and enabling the detection of emerging threats like zero-day attacks by identifying behavior anomalies. 

Implementation Tips:

• Train the model on diverse datasets.

• Regularly update the ML models with new data to ensure accuracy and relevance.

• Use proven algorithms like IsolationForest to train your models.

from sklearn.ensemble import IsolationForest

import numpy as np

training_data = np.random.rand(100, 5)  # Simulated data

model = IsolationForest(n_estimators=100, max_samples='auto', contamination=0.01)

model.fit(training_data)

2. API Discovery and Security

APIs are a common part of modern applications. A good WAF solution should include API discovery features to automatically identify, catalog, and enforce security policies on APIs to protect them from misuse and vulnerabilities.

Implementation Tips:

• Enforce strict access control (often implemented as part of an identity governance framework), plus encryption for sensitive APIs.

• Automate API scanning to detect changes and new deployments continuously. The below example shows a basic API monitoring configuration in a WAF using pseudo rules.

{

  "rules": [

    {

      "rule_type": "api_discovery",

      "action": "monitor",

      "trigger": "new_api_detected",

      "response": "log_and_alert"

    },

    {

      "rule_type": "api_security",

      "action": "enforce",

      "trigger": "unauthorized_access",

      "response": "block_and_alert"

    }

  ]

}

3. Anti-Bot Protection

Anti-bot protection uses behavior analysis and challenge responses to identify and block malicious bots. It is a critical step in application security to prevent automated threats like scraping, brute force attacks, and credential stuffing.

Implementation Tips:

• Use rate limiting to curb excessive requests from a single source.

• Analyze user behavior patterns for bot detection.

Deployment and Management

4. Rate Limiting

Rate limiting allows you to limit user or IP requests in a given time frame. It helps prevent DoS attacks and maintain service availability during traffic spikes.

Implementation Tips:

• Adjust rate limits based on user roles and behavior patterns.

• Implement dynamic rate limits that can adapt during peak times or attack scenarios. For example, you can adjust rate limits based on server load:

if server_load > 80%:

    rate_limit = '5r/s'

else:

    rate_limit = '10r/s'

5. File Security

File security prevents users from uploading malicious files to web applications. It mainly prevents malware attacks that target file upload functionalities common in web applications.

Implementation Tips:

• Implement file type restrictions and size limits.

• Use a combination of signature-based detection and behavioral analysis to identify and block suspicious files.

• Edit the configuration settings of the WAF based on our requirements. The below image shows the file security options provided by open-appsec:

6. Integration Capabilities

WAF solutions should easily connect with other security systems and IT infrastructure, enhancing the overall security by allowing different products to work together seamlessly. 

Implementation Tips:

• Use standardized protocols like REST API for integrations.

• Maintain a centralized dashboard to monitor data from all integrated security tools.

Advanced Capabilities

7. Protection Against OWASP Top 10 and Zero-Day Threats

The OWASP Top 10 lists the most critical security risks to web applications. It includes the most common and critical vulnerabilities, such as SQL injection, broken authentication, and sensitive data exposure, as well as newly emerging threats to help organizations protect against zero-day vulnerabilities. 

Implementation Tips:

• Regularly update your WAF with the latest signatures and anomaly detection algorithms. Alternatively, choose a powerful WAF that is not signature-dependent, like open-appsec.

• Implement strict input validation and output encoding techniques. For example, the WAF rule below is configured to protect you against SQL injection and XSS attacks. It is structured to set conditions based on patterns in the query string and return a 403 Forbidden status if these patterns match known malicious patterns associated with SQL injection or XSS.

# Protect against SQL injection and XSS attacks in an Nginx configuration

location / {

    set $block_sql_injections 0;

    if ($query_string ~* "union.*select.*\(") {

        set $block_sql_injections 1;

    }

    if ($block_sql_injections = 1) {

        return 403;

    }

    set $block_xss_attacks 0;

    if ($query_string ~* "<script") {

        set $block_xss_attacks 1;

    }

    if ($block_xss_attacks = 1) {

        return 403;

    }

}

8. DDoS Protection

WAF solutions should be able to identify and mitigate the impact of DDoS attacks to ensure your application does not go offline, even during large-scale attack campaigns.

Implementation Tips:

• Configure rate limiting and geofencing rules. The below example shows how to use rate limiting to mitigate DDoS attacks.

http {

    limit_conn_zone $binary_remote_addr zone=addr:10m;

    limit_conn addr 100;

    server {

        location / {

            limit_req zone=one burst=10 nodelay;

        }

    }

}

• Integrate your WAF with cloud-based DDoS protection services.

9. Content Delivery Network (CDN) Integration

Ensure your WAF solution integrates with CDNs to distribute web content efficiently across global locations. By distributing the traffic load, it improves website performance while providing an additional layer of security.

Implementation Tips:

• Configure CDN settings to cache static content and offload requests from the origin server to reduce server load.

• Use the CDN’s SSL/TLS capabilities.

10. Customization and Control

The WAF solution should allow users to create custom rules tailored to specific security needs and organizational policies.

Implementation Tips:

• Choose a WAF that provides a user-friendly interface for creating and managing custom rules.

• Regularly audit and test custom rules.

open-appsec is an open-source project that builds on machine learning to provide pre-emptive web app & API threat protection against OWASP-Top-10 and zero-day attacks. It simplifies maintenance as there is no threat signature upkeep and exception handling, like common in many WAF solutions.

To learn more about how open-appsec works, see this White Paper and the in-depth Video Tutorial. You can also experiment with deployment in the free Playground.