Analyst & Research Reports

O'Reilly Modern Defense in Depth

researching and evaluating WAF technologies, ensure that they support custom rules in an easy-to-implement fashion. One of the greatest values of a WAF is virtual patching. Because WAFs sit upstream of web applications and are normally deployed inline as a reverse proxy, they are a natural place to put protections in place for known but still unpatched vulnerabilities. For example, if a vendor announces a vulnerability in a commonly used web application before a patch (fix) is available, operators of a customizable WAF can write rules that block known exploits of that vulnerability at the proxy. Such a rule should target the vulnerable parameter and request pattern rather than one published exploit string, and should be scoped to the affected application: attackers vary encodings, and a rule applied to every application will block legitimate traffic elsewhere. This is an excellent example of using a WAF to provide virtual patching when a vendor-supplied patch simply does not yet exist.

Therefore, not only do WAFs protect applications and the integrity and confidentiality of the data sitting downstream, they also play an important role in protecting the availability of applications. When WAFs are tightly integrated with the upstream reverse proxies and bot management lines of defense, L7 DDoS attacks can be detected and mitigated. Because most L7 DDoS attacks originate from bots running scripts, reverse proxies can limit the amount of incoming traffic from any single client, bot management can issue challenges to detect bots and drop their traffic, and customized WAF rules can identify request patterns as an indicator of attack. Integration of these layers plays an important role in defeating L7 DDoS attacks.

The true key to realizing the value that WAFs provide is applying the appropriate rules in the proper places. Blindly applying every rule to every web application downstream often induces large numbers of false positives.
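As an added example (not code from this report or from any WAF vendor), the following Python sketches a virtual-patch rule engine of the kind described above. The vulnerable application (/app/export), its "file" parameter, the rule identifier and every sample request are constructed assumptions. It shows a rule scoped to one parameter of one application catching both the plain and a double-encoded exploit, the same signature applied blindly to every application producing a false positive on an ordinary blog comment, and the same rule left in detect-only mode letting the attack through while still recording a hit.

```python
"""Added example (not code from the O'Reilly report): a minimal virtual-patch
rule engine of the kind an inline reverse-proxy WAF runs.  The vulnerable
application, its "file" parameter and all sample requests are constructed
assumptions for illustration."""
import re
import urllib.parse
from dataclasses import dataclass


@dataclass
class Request:
    method: str
    path: str
    query: str = ""   # raw query string, still URL-encoded
    body: str = ""    # raw form body, still URL-encoded


@dataclass
class Rule:
    rule_id: str
    path_prefix: str       # scope: only requests bound for this application
    pattern: re.Pattern    # evaluated against decoded parameter values
    param: str = ""        # restrict to one parameter name; "" means any parameter
    mode: str = "block"    # "block" drops the request, "detect" only records a hit


def normalize(value: str) -> str:
    """Percent-decode until the value stops changing, then lower-case it.

    A rule keyed to the literal exploit string is bypassed by encoding it once
    more; decoding to a fixed point closes that gap (at some false-positive cost
    for values that legitimately contain '%')."""
    prev = None
    while value != prev:
        prev, value = value, urllib.parse.unquote_plus(value)
    return value.lower()


def parameters(req: Request):
    """Yield (name, normalized value) for each query-string and form-body parameter.
    Splitting is done by hand so ';' is never treated as a separator."""
    for raw in (req.query, req.body):
        for pair in filter(None, raw.split("&")):
            name, _, value = pair.partition("=")
            yield urllib.parse.unquote_plus(name), normalize(value)


def inspect(req: Request, rules):
    """Return ('allow' | 'block', [(rule_id, mode, parameter), ...]) for a request."""
    verdict, hits = "allow", []
    for rule in rules:
        if not req.path.startswith(rule.path_prefix):
            continue
        for name, value in parameters(req):
            if rule.param and name != rule.param:
                continue
            if rule.pattern.search(value):
                hits.append((rule.rule_id, rule.mode, name))
                if rule.mode == "block":
                    verdict = "block"
    return verdict, hits


# Hypothetical advisory (assumed, not a real CVE): /app/export hands its "file"
# parameter to a shell and no vendor fix exists yet.  The virtual patch refuses
# shell metacharacters and path traversal in that one parameter of that one app.
SHELL_META = re.compile(r"[;|&`$(){}]|\.\./")
VPATCH_SCOPED = Rule("VP-EXPORT-001", "/app/export", SHELL_META, param="file")
# The same signature applied blindly to every parameter of every application.
VPATCH_BLANKET = Rule("VP-EXPORT-001", "/", SHELL_META)
# The same scoped rule left in detect-only mode.
VPATCH_DETECT = Rule("VP-EXPORT-001", "/app/export", SHELL_META, param="file", mode="detect")

# Constructed traffic.
ATTACK = Request("GET", "/app/export", query="file=report.csv;id")
ATTACK_DOUBLE_ENC = Request("GET", "/app/export", query="file=report.csv%253Bid")
LEGIT_EXPORT = Request("GET", "/app/export", query="file=q1-report.csv")
LEGIT_COMMENT = Request("POST", "/blog/comment",
                        body="text=Pipe+into+grep+%7C+then+sort%3B+done")

if __name__ == "__main__":
    for label, req, rules in [("attack/scoped", ATTACK, [VPATCH_SCOPED]),
                              ("double-encoded/scoped", ATTACK_DOUBLE_ENC, [VPATCH_SCOPED]),
                              ("comment/scoped", LEGIT_COMMENT, [VPATCH_SCOPED]),
                              ("comment/blanket", LEGIT_COMMENT, [VPATCH_BLANKET]),
                              ("attack/detect-only", ATTACK, [VPATCH_DETECT])]:
        print(f"{label:22} -> {inspect(req, rules)}")
```

The blanket rule blocks a harmless comment that happens to mention a pipe and a semicolon, which is exactly the false positive that drives operators to switch rules off; the scoped rule never sees that request. The detect-only run returns "allow" with a logged hit, which is noise rather than protection.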
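The three cooperating L7 layers described above (reverse-proxy rate limiting, bot challenges, and a custom WAF request-pattern rule), as an added example that is not part of the report: all client addresses, user agents, thresholds and the choice of "expensive" endpoints are constructed assumptions. The bot challenge is reduced to a User-Agent check so the example runs offline; a real bot manager issues JavaScript or behavioral challenges instead.

```python
"""Added example, not from the O'Reilly report: three cooperating L7 layers
(reverse-proxy rate limit, bot challenge, WAF request-pattern rule) run over
constructed traffic.  Addresses, user agents, thresholds and the set of
"expensive" paths are illustrative assumptions."""
import collections
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    ts: float          # arrival time in seconds
    client: str        # client address
    path: str
    user_agent: str


class SlidingWindowLimiter:
    """Reverse-proxy layer: at most `limit` requests per client in any trailing
    `window` seconds.  Requests over the limit are rejected and not recorded."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self._seen = collections.defaultdict(collections.deque)

    def allow(self, client: str, ts: float) -> bool:
        q = self._seen[client]
        while q and ts - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True


SCRIPTED_UA_PREFIXES = ("python-requests", "curl/", "go-http-client", "wget/")
EXPENSIVE_PATHS = {"/search", "/login"}   # assumed costly endpoints worth protecting


def looks_scripted(user_agent: str) -> bool:
    """Bot-management layer (crude stand-in): an empty or tool-like User-Agent
    fails the challenge.  Real bot managers use JS/behavioral challenges."""
    ua = user_agent.strip().lower()
    return ua == "" or ua.startswith(SCRIPTED_UA_PREFIXES)


def triage(hits, limit=5, window=1.0):
    """Push each hit through the layers in order and tally the outcome per client."""
    limiter = SlidingWindowLimiter(limit, window)
    recent_paths = collections.defaultdict(lambda: collections.deque(maxlen=3))
    tally = collections.defaultdict(collections.Counter)
    for h in sorted(hits, key=lambda x: x.ts):
        if not limiter.allow(h.client, h.ts):
            tally[h.client]["rate_limited"] += 1
            continue
        if looks_scripted(h.user_agent):
            tally[h.client]["challenge_failed"] += 1
            continue
        # WAF layer: custom rule flags a client whose last three requests all
        # hammer the same expensive endpoint.
        recent = recent_paths[h.client]
        recent.append(h.path)
        if (len(recent) == recent.maxlen and len(set(recent)) == 1
                and h.path in EXPENSIVE_PATHS):
            tally[h.client]["pattern_blocked"] += 1
            continue
        tally[h.client]["served"] += 1
    return {client: dict(c) for client, c in tally.items()}


BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"
TRAFFIC = (
    # Flood bot: 20 requests in under a second with a tool User-Agent.
    [Hit(i * 0.05, "203.0.113.10", "/search", "python-requests/2.31") for i in range(20)]
    # Slower bot with a spoofed browser UA: stays under the rate limit and passes
    # the challenge, but only ever hits /login, so the WAF pattern rule catches it.
    + [Hit(i * 0.3, "203.0.113.20", "/login", BROWSER_UA) for i in range(8)]
    # Ordinary visitor browsing normally.
    + [Hit(t, "198.51.100.7", p, BROWSER_UA) for t, p in
       [(0.0, "/"), (0.5, "/search"), (0.6, "/static/app.js"),
        (2.0, "/search"), (3.0, "/product/1")]]
)

if __name__ == "__main__":
    for client, outcome in triage(TRAFFIC).items():
        print(client, outcome)
```

Each layer catches what the one before it cannot: the rate limiter absorbs the raw flood, the challenge drops the obviously scripted requests that slipped under the limit, and the WAF rule alone stops the slow bot that looks like a browser. The ordinary visitor is never touched.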
Unfortunately, in response to those false positives, many organizations either run their antiquated hardware-based WAFs in some sort of passive out-of-band mode or set many, if not all, rules to detect-only mode when deployed inline or in cloud environments. Regrettably, this does nothing more than create a great deal of noise and a false sense of security. Detect-only mode is useful as a short tuning phase for a new rule, not as its permanent state. The recommendation here is to implement WAFs to their fullest ability and put as many rules as possible into block mode without affecting legitimate traffic. Beyond WAF rules and rulesets, daily application scans and vulnerability tests are highly recommended. The objective
Defensive Line 6: Web Application Firewalls | 23
