The
first time I read about Web
Application Firewall (WAF)
I thought it would be difficult to install and configure because it’s
really different from network firewall. Network firewall policies has
mainly IP addresses and services. It’s easy to understand and
configure. However,
WAF has mainly file types, URL, HTTP methods and headers. It seems
more complex than network firewall. Nevertheless,
I think the most important thing
is
to start configuring a basic policy. We have to start small, but most
of all, start. We are going to realise that a basic security
policy
will be a good protection. A basic security
policy
requires little administration effort. A
basic security
policy
is going to protect a high percentage of applications.
 |
| Progressing with application security using the BIG-IP ASM system |
We
should enable Attack
Signatures
in a basic security policy for a good protection. An
attack signature is a rule or pattern which is able to identify a
particular attack. These signatures are updated by the F5 threat
research team daily with the new vulnerabilities discovered. The F5
ASM uses these signatures to each HTTP request and response to detect
and block known attacks. In
addition, the Transparent
Enforcement
Mode
is also really useful because
we can apply a security policy in transparent mode to detect attacks
but they are not going to be blocked. It’s really useful because we
can know how many attacks and what kind of attacks web services are
receiving.
 |
| Attack Signature List |
IP
Intelligence
is another interesting feature useful for a good protection. IP
Intelligence is a subscription-based database where there are lots of
malicious IP addresses. Updating
manually a blacklist is really difficult because malicious IP
addresses are constantly changing. Therefore, configuring IP
Intelligence to block malicious IP addresses is
easy and a best practice. On the other hand, it’s also a best
practice to configure the IP
Geolocation
feature, which
is another database of IPv4 and IPv6 addresses. This database can be
used to identify the origin of traffic and, at the same time, we
can deny access to a particular country of origin.
 |
| IP Intelligence |
A
common attack vector is confusing web servers, web applications, and
security products using malicious content hidden in HTTP requests
that web servers and simple HTTP proxies often fail to detect. As a
result, Protocol
Compliance
must be mandatory in WAF security policies. For
instance, HTTP Protocol Compliance will check Content-Length in POST
requests
as
well as
whether
there is no Host header in HTTP/1.1 requests. You can see all the
validation checks in this K10280.
Moreover,
Protection from
Evasion Techniques,
such
as using ../
to navigate to a parent directory of interest,
is also recommended.
 |
| HTTP Protocol Compliance |
Finally,
there
are two more security features really useful for a good protection.
One of them is Protection
from Parameter Exploits - Blacklisting.
This
feature parses parameters and it validates the values against
signature and metacharacter policies to identify known exploit
patterns. The other security feature is Threat
Campaigns
which
is a subscription service for Advanced WAF that provides a set of
data to evaluate whether incoming requests are malicious.
 |
| Threat Campaign |
Regards!
Stay at home! Start
protecting your web applications, but most of all, start!
Posts
