When a Web Application Firewall (WAF) is presented as a defensive solution to web application attacks, there is usually a decision to be made: will the solution be placed inline (and risk affecting users through outages or latency), or will it be placed out of band (not affecting users, but not protecting them either)? This paper covers a different approach you can take when deciding how to use any WAF at your disposal, which is to try to get the best of both worlds: making the WAF work in passive mode out of band, detecting attacks, and in active mode by selectively routing traffic through the WAF to decide whether a request should be blocked or allowed. To achieve this, the paper shows how to wrap the WAF in a web service, something developers are used to working with, which can deliver security in a targeted and scalable manner. In this network-agnostic setup, the WAF web service's functionality can grow horizontally, allowing you to enhance the WAF's decisions with your own business knowledge. This means that the decision to block, or to route traffic through the WAF, depends not only on the WAF's verdict but also on data about your application and its context, which can significantly reduce the false positive rate, to the point where it practically does not exist. The paper goes through how such a service can be built with open source examples, what alternatives there are depending on the flexibility of the WAF used, and how this approach can be used to manually decide on the false positive rate wanted and the desired business risk depending on the attack type and its possible impact.
%0 Journal Article
%1 mjs:Berner:WAF
%A Berner, Juan
%D 2020
%K deepsec ds3 mjsarticle security_architecture waf web_application web_application_firewall
%N 1
%P 987-994
%T Building Your Own Web Application Firewall as a Service
%U http://www.sicherheitsforschung-magdeburg.de/uploads/journal/MJS_069_Berner_WAF.pdf
%V 19
%X When a Web Application Firewall (WAF) is presented as a defensive solution to web application attacks, there is usually a decision to be made: will the solution be placed inline (and risk affecting users through outages or latency), or will it be placed out of band (not affecting users, but not protecting them either)? This paper covers a different approach you can take when deciding how to use any WAF at your disposal, which is to try to get the best of both worlds: making the WAF work in passive mode out of band, detecting attacks, and in active mode by selectively routing traffic through the WAF to decide whether a request should be blocked or allowed. To achieve this, the paper shows how to wrap the WAF in a web service, something developers are used to working with, which can deliver security in a targeted and scalable manner. In this network-agnostic setup, the WAF web service's functionality can grow horizontally, allowing you to enhance the WAF's decisions with your own business knowledge. This means that the decision to block, or to route traffic through the WAF, depends not only on the WAF's verdict but also on data about your application and its context, which can significantly reduce the false positive rate, to the point where it practically does not exist. The paper goes through how such a service can be built with open source examples, what alternatives there are depending on the flexibility of the WAF used, and how this approach can be used to manually decide on the false positive rate wanted and the desired business risk depending on the attack type and its possible impact.
@article{mjs:Berner:WAF,
abstract = {When a Web Application Firewall (WAF) is presented as a defensive solution to web application attacks, there is usually a decision to be made: will the solution be placed inline (and risk affecting users through outages or latency), or will it be placed out of band (not affecting users, but not protecting them either)? This paper covers a different approach you can take when deciding how to use any WAF at your disposal, which is to try to get the best of both worlds: making the WAF work in passive mode out of band, detecting attacks, and in active mode by selectively routing traffic through the WAF to decide whether a request should be blocked or allowed. To achieve this, the paper shows how to wrap the WAF in a web service, something developers are used to working with, which can deliver security in a targeted and scalable manner. In this network-agnostic setup, the WAF web service's functionality can grow horizontally, allowing you to enhance the WAF's decisions with your own business knowledge. This means that the decision to block, or to route traffic through the WAF, depends not only on the WAF's verdict but also on data about your application and its context, which can significantly reduce the false positive rate, to the point where it practically does not exist. The paper goes through how such a service can be built with open source examples, what alternatives there are depending on the flexibility of the WAF used, and how this approach can be used to manually decide on the false positive rate wanted and the desired business risk depending on the attack type and its possible impact.},
added-at = {2021-09-19T18:42:17.000+0200},
author = {Berner, Juan},
biburl = {https://www.bibsonomy.org/bibtex/259449b7f2a836ad846af106c5bc81995/steschum},
interhash = {c743802e51d894bd8e02410617f250fe},
intrahash = {59449b7f2a836ad846af106c5bc81995},
issn = {2192-4260},
journaltitle = {Magdeburger Journal zur Sicherheitsforschung},
keywords = {deepsec ds3 mjsarticle security_architecture waf web_application web_application_firewall},
language = {DE},
number = 1,
pages = {987-994},
subtitle = {And Forgetting about False Positives},
timestamp = {2021-10-22T17:15:30.000+0200},
title = {Building Your Own Web Application Firewall as a Service},
url = {http://www.sicherheitsforschung-magdeburg.de/uploads/journal/MJS_069_Berner_WAF.pdf},
urldate = {2020-06-25},
volume = 19,
year = 2020
}