Web Application Firewalls (WAFs) are one of those niche uses. A WAF is a firewall specifically designed to handle "web" traffic, that is, traffic using the HTTP protocol. Generally speaking, the role of a WAF is to inspect all HTTP traffic destined for a web server, discard "bad" requests, and pass "good" traffic on. The details of how this works are, as you might suspect, a bit more complicated.

Much like "normal" firewalls, a WAF is expected to block certain types of traffic. To do this, you have to provide the WAF with a list of what to block. As a result, early WAF products are very similar to other products such as anti-virus software, IDS/IPS products, and others. This is what is known as signature-based detection. Signatures typically identify a specific characteristic of an HTTP packet that you want to allow or deny.

WAF examples

For instance, WAFs are often used to block SQL injection attacks. A very simplistic signature may just look for key identifying elements of a typical SQL injection attack. For instance, it may look for something like ' AND 1=1 included as part of the GET or POST request. If this matches an incoming packet, the WAF marks this as bad and discards it.

Signatures work pretty well but require a lot of maintenance to ensure that false positives are kept to a minimum. Additionally, writing signatures is often more of an art form rather than a straightforward programming task. And signature writing can be quite complicated as well. You're often trying to match a general attack pattern without also matching legitimate traffic. To be blunt, this can be pretty nerve-racking.

To illustrate this a bit more, let's look at ModSecurity. The ModSecurity project is an open source WAF project that started out as a module for the Apache webserver but has since evolved into a modular package that works with IIS, Nginx, and others. ModSecurity is a signature-based WAF and often ships with a default set of signatures known as the OWASP ModSecurity Core Rule Set. The Core Rule Set (CRS) is an excellent starting point for deploying a signature-based WAF. It includes signatures for all of the OWASP Top Ten web application security risks as well as a wide variety of other attacks. The developers have done their best to ensure that the CRS has few false alerts, but, inevitably, anyone deploying the CRS will need to tweak the rules. This involves learning the rules language and having a deep understanding of the HTTP protocol.

Technology evolves, however, and newer WAF providers are using other approaches to block bad traffic. There has been a pretty widespread move from static configuration approaches such as allow and block lists to more dynamic methods involving APIs and machine learning. This move has been across multiple technologies, including traditional firewalls, anti-virus software, and, you guessed it, WAFs.

In the brave new world of dynamic rulesets, WAFs use more intelligent approaches to identifying good and bad traffic. One of the "easier" methods employed is to put the WAF in "learning" mode so it can monitor the traffic flowing to and from the protected web server. The objective here is to "train" the WAF to identify what good traffic looks like. This may include traffic that matches patterns labeled as bad when signatures were used. Once the WAF has been trained, it's moved to enforcement mode.

Training a WAF like this is similar to what happens when you train an email system to identify spam. Email systems often use a Bayesian filtering algorithm to identify spam. These algorithms work relatively well but can be poisoned to allow spam. Similar issues exist with algorithms used by WAF providers, especially when the WAF is in the learning mode.

More advanced WAF providers are using proprietary techniques to allow and block traffic. These techniques include algorithms that can identify whether certain attacks will work against the target system and only blocking those that would be harmful. Advanced techniques like this, however, are typically only found in WAF SaaS providers and not in self-contained WAF appliances.

WAFs, and firewalls in general, have evolved a lot over the years, moving from static to dynamic methods for identifying and blocking traffic. These techniques will only get better in the future.
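The signature-based approach described above, as an added example that is not part of the original article and not ModSecurity or CRS code: a minimal inspector that decodes the GET query string and POST form body, runs each parameter value against a constructed signature table (the ' AND 1=1 pattern the article mentions plus one hypothetical UNION SELECT rule), and returns allow or block. The sample requests, the signature ids and the regexes are all constructed for this example; the last request shows the false-positive problem the article warns about, since a legitimate search for a phrase that happens to contain the pattern is blocked too.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed signature table for this example (not CRS rules).
# Each entry: (hypothetical signature id, compiled pattern, description).
SIGNATURES = [
    ("sqli-001", re.compile(r"'\s*(and|or)\s+1\s*=\s*1", re.IGNORECASE),
     "SQL tautology such as ' AND 1=1"),
    ("sqli-002", re.compile(r"union\s+select", re.IGNORECASE),
     "UNION SELECT fragment"),
]


def extract_fields(method, target, body=""):
    """Collect the pieces of a request a signature should inspect: the path,
    every query-string value, and (for POST) every form-body value.
    parse_qs also URL-decodes, so '%27+AND+1%3D1' becomes "' AND 1=1"."""
    parts = urlsplit(target)
    fields = [parts.path]
    for values in parse_qs(parts.query, keep_blank_values=True).values():
        fields.extend(values)
    if method.upper() == "POST":
        for values in parse_qs(body, keep_blank_values=True).values():
            fields.extend(values)
    return fields


def inspect(method, target, body=""):
    """Return the ids of every signature that matches at least one field.
    An empty list means the request would be passed on to the web server."""
    fields = extract_fields(method, target, body)
    return [sig_id for sig_id, pattern, _desc in SIGNATURES
            if any(pattern.search(field) for field in fields)]


def decision(method, target, body=""):
    """The WAF verdict: block on any signature hit, otherwise allow."""
    return "block" if inspect(method, target, body) else "allow"


if __name__ == "__main__":
    # Constructed sample requests, as (method, target, body).
    samples = [
        ("GET", "/products?id=1", ""),
        ("GET", "/products?id=1%27+AND+1%3D1", ""),
        ("POST", "/login", "user=alice&pass=secret"),
        # Legitimate text that merely mentions the pattern: a false positive.
        ("POST", "/search", "q=how+to+write+%27+AND+1%3D1+safely"),
    ]
    for method, target, body in samples:
        print(method, target, body or "-", "->", decision(method, target, body),
              inspect(method, target, body))
```

The fourth request is the kind of case that forces rule tweaking in practice: the signature is doing exactly what it was written to do, yet the traffic is harmless, and narrowing the pattern risks missing real attacks.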
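The learning-mode workflow and its poisoning risk, as an added example that is not part of the original article and does not reproduce any vendor's algorithm: one simple way to "learn what good traffic looks like" is to profile, per query parameter, which character classes and what maximum length were seen during learning, and then in enforcement mode block values that fall outside that profile. The learning traffic, the attack request and the class names are constructed for this example. The same request is checked three times: after clean learning, after learning on traffic contaminated with the attack (it is then allowed, which is the poisoning problem the article describes), and after learning with a signature filter applied to the learning data, which is one mitigation.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote_plus, urlsplit


def char_classes(value):
    """Map a parameter value to the set of character classes it uses.
    Punctuation is kept per character so a quote or '=' is its own class."""
    classes = set()
    for ch in value:
        if ch.isalpha():
            classes.add("alpha")
        elif ch.isdigit():
            classes.add("digit")
        elif ch.isspace():
            classes.add("space")
        else:
            classes.add("other:" + ch)
    return classes


class LearningWaf:
    """Hypothetical positive-security model: learn a per-parameter profile,
    then enforce it. Constructed for this example only."""

    def __init__(self):
        self.profile = defaultdict(lambda: {"classes": set(), "max_len": 0})

    @staticmethod
    def _params(target):
        return [(name, value)
                for name, values in parse_qs(urlsplit(target).query).items()
                for value in values]

    def observe(self, target):
        """Learning mode: fold one observed request into the profile."""
        for name, value in self._params(target):
            entry = self.profile[name]
            entry["classes"] |= char_classes(value)
            entry["max_len"] = max(entry["max_len"], len(value))

    def check(self, target):
        """Enforcement mode: block unknown parameters, over-long values, or
        values using a character class never seen for that parameter."""
        for name, value in self._params(target):
            if name not in self.profile:
                return "block"
            entry = self.profile[name]
            if len(value) > entry["max_len"]:
                return "block"
            if not char_classes(value) <= entry["classes"]:
                return "block"
        return "allow"


# Constructed learning traffic and a constructed attack request.
CLEAN_LEARNING = ["/products?id=17", "/products?id=2048", "/search?q=red+shoes"]
ATTACK = "/products?id=1%27+AND+1%3D1"
POISONED_LEARNING = CLEAN_LEARNING + [ATTACK]

# Hypothetical signature used only to screen what the WAF is allowed to learn from.
SCREEN = re.compile(r"'\s*(and|or)\s+1\s*=\s*1", re.IGNORECASE)


def train(requests, screen_with_signature=False):
    """Run learning mode over the given requests and return the trained WAF.
    With screen_with_signature=True, requests a signature flags are not learned."""
    waf = LearningWaf()
    for target in requests:
        if screen_with_signature and SCREEN.search(unquote_plus(target)):
            continue  # mitigation: do not learn from traffic a signature already flags
        waf.observe(target)
    return waf


if __name__ == "__main__":
    print("clean learning   ->", train(CLEAN_LEARNING).check(ATTACK))
    print("poisoned learning->", train(POISONED_LEARNING).check(ATTACK))
    print("screened learning->", train(POISONED_LEARNING, True).check(ATTACK))
```

The middle case is the point: whatever the learning phase sees becomes "good", so a WAF left in learning mode on an exposed server inherits every anomaly that arrived during that window. Screening the learning data with the existing signatures, or reviewing the learned profile before switching to enforcement mode, keeps the two approaches complementary rather than letting the dynamic one undo the static one.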