WAF rules: What are they and what do we use them for?

Web Application Firewall (WAF) managed rules are used to analyze web requests to your domain and filter out undesired traffic.

What is a Web Application Firewall?

A WAF is a specific type of application firewall that monitors, filters and blocks Hypertext Transfer Protocol (HTTP) traffic to and from a web application. By doing so it can prevent common web attacks that exploit known web application vulnerabilities, such as:

  • structured query language (SQL) injection
  • cross-site scripting (XSS)
  • cross-site request forgery (CSRF)
  • file inclusion
  • cookie poisoning
  • broken authentication
  • sensitive data exposure
  • XML external entities (XXE)
  • broken access control
  • security misconfigurations
  • insecure deserialization

The early versions of WAF came to market in the late 1990s, when the first types of web attacks became more prevalent. The early WAFs were commercial products, which limited their use; in 2002 the open source project ModSecurity was started to make WAFs more accessible. Its core rule set for protecting web applications is based on the OASIS Web Application Security Technical Committee's (WAS TC) analysis of web attacks and application vulnerabilities. In 2003 the rule set was expanded and standardized through the Open Web Application Security Project (OWASP) database of web security vulnerabilities.

How WAF works

A web application firewall operates at the application layer of the network and applies specifically to web applications. It is deployed in front of web applications and analyzes bi-directional web-based (HTTP) traffic to detect and block anything malicious. A WAF can be implemented in software or hardware, running on a dedicated appliance or on a typical server with a common operating system. WAFs are not designed to defend against all types of attacks; rather, they are meant to be used in conjunction with other network security controls such as network firewalls and intrusion detection and prevention systems.

They use a combination of rules (policies), rule-based logic, request parsing and attack signatures to detect and prevent attacks, so their effectiveness depends on the quality and quantity of the rules and signatures they are given. Attackers may try to bypass a WAF using browser emulation, payload obfuscation, virtualization or IP obfuscation.

WAFs can be deployed as a transparent bridge, a transparent reverse proxy or a reverse proxy. Transparency refers to the fact that HTTP traffic is sent directly to the web application, so the WAF sits between client and server without either of them noticing it. When a reverse proxy is used instead, the HTTP traffic is sent to the WAF directly, which then forwards the filtered traffic to the web applications. This has the benefit of hiding the web applications behind the WAF; however, it may add latency. While an ordinary (forward) proxy server protects a network client's identity by acting as an intermediary, a WAF is a type of reverse proxy that hides and protects the server from exposure by having clients pass through the WAF before reaching the server.

How do WAF (Web Application Firewall) rules work?

A WAF can operate on block lists (a negative security model), which protect against known threats, or on allow lists (a positive security model), which admit only pre-approved traffic. Both approaches have their advantages and disadvantages, which is why many WAFs combine them in a hybrid security model.
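Worked example of the hybrid model described above, added here and not part of the original article or of any real WAF product: a small Python request filter that applies an allow list (positive model) of expected endpoints and parameter formats together with a block list (negative model) of attack signatures, and URL-decodes values before matching so that simple encoding obfuscation does not slip past the block list. The endpoints, parameter formats and signatures are constructed assumptions for a hypothetical application, not a real rule set.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Negative model (block list): constructed, deliberately minimal signatures for known-bad input.
BLOCK_SIGNATURES = {
    "sqli": re.compile(r"(?i)('\s*or\s+1\s*=\s*1|union\s+select)"),
    "xss": re.compile(r"(?i)(<script\b|javascript:)"),
}

# Positive model (allow list): the only endpoints and parameter formats the hypothetical app needs.
ALLOW_RULES = {
    ("GET", "/search"): {"q": re.compile(r"^[\w .-]{1,64}$")},
    ("GET", "/item"): {"id": re.compile(r"^\d{1,10}$")},
    ("POST", "/login"): {"user": re.compile(r"^[\w.@-]{1,64}$"), "pw": re.compile(r"^.{1,128}$")},
}


def normalize(value, rounds=2):
    # Decode repeatedly so that double-URL-encoded values (a common obfuscation
    # trick) are matched against the signatures in their fully decoded form.
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect(method, target, body=""):
    """Return (decision, reason) for one request under the hybrid model."""
    parts = urlsplit(target)
    params = parse_qsl(parts.query, keep_blank_values=True) + parse_qsl(body, keep_blank_values=True)
    # Positive model first: an endpoint the allow list does not know is blocked outright.
    expected = ALLOW_RULES.get((method, parts.path))
    if expected is None:
        return "block", "allowlist: unknown endpoint"
    for name, raw in params:  # parse_qsl already decoded once; normalize() handles further layers
        value = normalize(raw)
        # Negative model: known-bad signatures are checked on every value, even allowed fields.
        for sig_name, sig in BLOCK_SIGNATURES.items():
            if sig.search(value):
                return "block", f"blocklist: {sig_name} in '{name}'"
        fmt = expected.get(name)
        if fmt is None:
            return "block", f"allowlist: unexpected parameter '{name}'"
        if not fmt.fullmatch(value):
            return "block", f"allowlist: '{name}' does not match expected format"
    return "allow", "passed both models"


if __name__ == "__main__":  # constructed sample requests, not captured traffic
    for req in [("GET", "/search?q=blue+shoes"), ("GET", "/search?q=%2527+OR+1%253D1"), ("GET", "/admin")]:
        print(req, "->", inspect(*req))
```

Note that the allow list rejects the unknown `/admin` endpoint and the unexpected `debug` parameter without needing any signature, while the block list still catches a known-bad value inside a field the allow list permits.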

Glossary

HTTP

Hypertext Transfer Protocol. A protocol that connects web browsers to web servers when they request content.

WAF

Web Application Firewall.