
Web Application Firewall (WAF) Overview

▪ Values:
– Protects Web applications
– Insures against code vulnerabilities and helps gain PCI/HIPAA compliance
– Prevents damage to intellectual property, data and applications
▪ Advantages:
– Fully integrated/designed for ACOS
– No license; single device solution
– Enables full defense stack
– Scalable and high performance

Confidential | ©A10 Networks, Inc. 1


WAF Features

▪ Easy integration with application delivery
– High-performance solution
– Just bind WAF template to HTTP/HTTPS virtual port
– Also allows for dynamic binding of template via HTTP policy template
– Active, Passive and Learning modes to facilitate easy deployment
– Comprehensive set of counters and debug mode
▪ High-speed event logging using Common Event Format (CEF)
– Data plane events logged to external logging server(s)
– Control plane events may be logged locally or remotely



WAF Key Features - Applicable OWASP Top 10

▪ Missing Function Level Access Control
– aFleX
▪ Injection
– SQL injection attack (SQLIA)
– Allowed HTTP methods check for allowed keywords GET, POST etc.
▪ Cross-Site Request Forgery (CSRF) check
– Referer Check
– Form Consistency Check
– CSRF Check
▪ Cross-Site Scripting (XSS) check
– HTML XSS check
▪ Using Components with Known Vulnerabilities
– URI Blacklist
▪ Insecure Direct Object References
– Whitelisting URI
– URI Black List/White List check
▪ Unvalidated redirects and forwards
– Whitelisting URI
▪ Sensitive Data Exposure
– Credit Card Number scrubbing
– Social Security Number scrubbing



WAF Key Features and Regulatory Example

▪ Additional Features
– Cookie check
– Credit Card numbers/US SSN masking
– CSRF check
– XSS check
– Cookie encryption
– Perl Compatible Regular Expressions (PCRE) Masking
– HTTP protocol compliance check
– Cloaking to hide server responses/error status codes
– Configurable deny action
– Active/Learning/Passive mode
– Bad bots protection
– SQL Injection check
– More…
▪ PCI DSS examples
– Section 1.2: Blacklist URI, bad bot check
– Section 3.3: CCN scrubbing
– Section 3.5: FIPS
– Section 4.1: SSL/TLS

Sample Use Cases

▪ Prevent data leakage


– “Badstore” example: SQL injection protection ensures programming errors cannot be exploited to steal data not intended for release
– Security breaches impair brand reputation: California law states that every customer must be informed after a data breach, regardless of whether that customer is directly impacted
▪ Insurance against unknown vulnerabilities and bad code
– Programmers can make mistakes by not validating data that is presented to the application
– Vulnerabilities are often unknown until publicly exploited
– WAF provides a centralized security solution for a heterogeneous application environment
▪ Quick deployment with simple management
– IT staff have to manage many different solutions, often from different vendors
– An effective, easy-to-use WAF solution combined with a server load balancer reduces operational cost



Mitigation – Security Checks: Request Protection (1 of 4)
▪ Allowed HTTP Methods
▪ Specifies HTTP methods (such as GET and POST) that are allowed in requests
▪ SQLIA Check
▪ Checks for SQL strings to protect against SQL injection attacks
▪ Bot Check
▪ Checks the user-agent of inbound requests for known bots.
▪ CSRF Check
▪ Tags each web form field with a nonce (a unique FormID).
▪ Protects against cross-site request forgery (CSRF).
▪ URL Check
▪ Prevents users from directly accessing a website’s URLs
▪ Restricts users to reaching web pages only by following hyperlinks on the protected website
▪ The approved URL path list for the URL check is configurable only through Learning Mode
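The following is an added example, not A10 code: simplified versions of three of the request-side checks on this slide (allowed HTTP methods, the bot user-agent check, and the CSRF check that tags each form with a nonce, the FormID). The policy values, the bot signatures, the request shape and the HMAC-based binding of the nonce to a session are all assumptions made for the example.

```python
"""Added example, not A10 code: allowed-method, bot user-agent and CSRF
FormID checks. Policy values and request shape are constructed."""
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass, field

ALLOWED_METHODS = {"GET", "POST"}                      # constructed policy
# Constructed bot signatures; a real WAF ships a maintained user-agent list.
KNOWN_BAD_BOTS = re.compile(r"(badbot|evilcrawler)", re.IGNORECASE)


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def method_allowed(req):
    return req.method.upper() in ALLOWED_METHODS


def bot_allowed(req):
    return not KNOWN_BAD_BOTS.search(req.headers.get("User-Agent", ""))


class CsrfTagger:
    """Issues and verifies per-session FormID nonces. Assumption: the nonce is
    bound to the session by an HMAC so the WAF keeps no per-form state."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def _tag(self, session_id, nonce):
        msg = f"{session_id}:{nonce}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def issue(self, session_id):
        nonce = secrets.token_hex(8)
        return f"{nonce}.{self._tag(session_id, nonce)}"

    def verify(self, session_id, form_id):
        nonce, sep, tag = form_id.partition(".")
        if not sep:
            return False
        return hmac.compare_digest(self._tag(session_id, nonce), tag)


def inspect_request(req, tagger, session_id):
    """Run the checks in order; returns (allowed, reason)."""
    if not method_allowed(req):
        return False, "method not allowed"
    if not bot_allowed(req):
        return False, "known bot user-agent"
    if req.method.upper() == "POST" and not tagger.verify(
            session_id, req.form.get("FormID", "")):
        return False, "missing or invalid FormID"
    return True, "ok"
```

A FormID issued for one session fails verification under another, which is what defeats a forged cross-site submission. The nonce here carries no expiry, so it remains valid for the life of the session; a production check would add a timestamp to the signed message.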
Mitigation – Security Checks: Request Protection (2 of 4)
▪ HTTP Check
▪ Checks that user requests are compliant with HTTP protocols.
▪ Form Consistency Check
▪ Ensures that the user input to a web form field conforms to the intended format for
that entry.
▪ XSS Check
▪ Checks for potential HTML XSS scripts to protect against cross-site scripting attacks.
▪ Buffer Overflow
▪ Protects against attempts to cause a buffer overflow on the web server
▪ Sets maximum content length allowed in an HTTP request (0 to 65535 bytes).
▪ Values can be set for Max Cookie, Max Data to Parse, Max Headers, Max URL
Length, Max Post Size, HTML Parameters, Max Request Query Length, and Max
Line Length.
▪ Buffer Overflow settings have pre-defined default values
▪ Learning mode clears these values and sets them from observed web application traffic patterns
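The following is an added example, not A10 code, showing how the size limits on this slide (and the Max Cookies / Max Headers limits that follow) can be enforced and how a learning mode can re-derive them from observed traffic. Only the content-length range (0 to 65535) and the cookie/header range (0 to 63) come from the slides; the other default values, the 25% headroom, and the request shape are assumptions made for the example.

```python
"""Added example, not A10 code: request-size limits with pre-defined defaults
and a learning mode that re-derives them from observed traffic."""
import math
from dataclasses import asdict, dataclass
from urllib.parse import urlsplit


@dataclass
class Request:
    method: str
    url: str
    headers: list          # (name, value) pairs in wire order
    body: bytes = b""


@dataclass(frozen=True)
class Limits:
    # Ranges for content length and cookies/headers are from the slides;
    # the remaining defaults are constructed for the example.
    max_content_length: int = 65535
    max_cookies: int = 63
    max_headers: int = 63
    max_url_length: int = 2048
    max_query_length: int = 1024
    max_line_length: int = 4096


HARD_CAPS = {"max_content_length": 65535, "max_cookies": 63, "max_headers": 63}


def measure(req):
    """Compute, for one request, the metrics the limits are expressed in."""
    cookies = 0
    longest = len(f"{req.method} {req.url} HTTP/1.1")
    for name, value in req.headers:
        longest = max(longest, len(f"{name}: {value}"))
        if name.lower() == "cookie":
            cookies += sum(1 for c in value.split(";") if c.strip())
    return {
        "max_content_length": len(req.body),
        "max_cookies": cookies,
        "max_headers": len(req.headers),
        "max_url_length": len(req.url),
        "max_query_length": len(urlsplit(req.url).query),
        "max_line_length": longest,
    }


def check_limits(req, limits=Limits()):
    """Names of the limits the request exceeds; an empty list means it passes."""
    allowed = asdict(limits)
    return [name for name, value in measure(req).items() if value > allowed[name]]


def learn_limits(samples, headroom=1.25):
    """Learning mode: observed maxima plus headroom, clamped to the
    configurable ranges, replace the defaults."""
    maxima = dict.fromkeys(asdict(Limits()), 0)
    for req in samples:
        for name, value in measure(req).items():
            maxima[name] = max(maxima[name], value)
    learned = {name: math.ceil(value * headroom) for name, value in maxima.items()}
    for name, cap in HARD_CAPS.items():
        learned[name] = min(learned[name], cap)
    return Limits(**learned)
```

Learned limits are only as good as the traffic sample: learning over a window that lacks the largest legitimate uploads will block them once the limits are enforced, which is why the mode is run against representative traffic before switching to active mode.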



Mitigation – Security Checks: Request Protection (3 of 4)
▪ Max Cookies
▪ Specifies the maximum number of cookies allowed in a request (0-63)
▪ Max Headers
▪ Specifies the maximum number of headers allowed in a request (0-63)
▪ Referer Check
▪ Verifies that the Referer header of requests carrying web form data points to the specified server rather than an external site
▪ Protects against cross-site request forgery (CSRF or XSRF) attacks
▪ Deny Action
▪ Describes the type of action taken when WAF denies a client request.
▪ Settings include generic Request Denied messages, http-redirects, or connection
resets.
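The following is an added example, not A10 code: a Referer check for requests that carry web form data, and the configurable deny action applied when the check fails. The protected host name, the set of methods treated as form submissions, the handling of a missing Referer and the redirect target are assumptions made for the example.

```python
"""Added example, not A10 code: Referer check and configurable deny action."""
from urllib.parse import urlsplit

PROTECTED_HOSTS = {"shop.example.com"}            # constructed
FORM_METHODS = {"POST", "PUT", "PATCH", "DELETE"}  # assumption: methods carrying form data


def referer_ok(headers, protected_hosts=PROTECTED_HOSTS):
    """True when the Referer host is one of ours. The parsed host name is
    compared, not a string prefix, so a look-alike host does not pass."""
    ref = headers.get("Referer")
    if not ref:
        return False   # assumption: a form submission without Referer counts as external
    host = urlsplit(ref).hostname
    return host is not None and host.lower() in protected_hosts


def deny_response(action, redirect_to="/denied"):
    """Build the response for the configured deny action."""
    if action == "deny-message":
        return 403, {"Content-Type": "text/plain"}, "Request Denied"
    if action == "redirect":
        return 302, {"Location": redirect_to}, ""
    if action == "reset":
        return "reset", {}, ""   # caller closes the TCP connection instead of answering
    raise ValueError(f"unknown deny action {action!r}")


def apply_referer_check(method, headers, deny_action="deny-message"):
    """None means pass the request through; otherwise the deny response."""
    if method.upper() not in FORM_METHODS or referer_ok(headers):
        return None
    return deny_response(deny_action)
```

Comparing the parsed host matters: a Referer of `https://shop.example.com.evil.test/` or `https://evil.test/?u=https://shop.example.com/` contains the protected name as a substring but resolves to a different host and is rejected.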



Mitigation – Security Checks: Request Protection (4 of 4)
▪ URI Blacklists
▪ Specifies exclusion criteria for incoming requests
▪ If the URI of an inbound request matches a rule in the URI Black List, the request is blocked
▪ URI Whitelists
▪ Connection requests are accepted only if the request matches a criterion in the URI White List
▪ URL Options
▪ Multiple Decode options
▪ Configurable Comment, Self-reference, and Spaces
▪ URI Black List takes priority over a URI White List:
▪ Even if a URI matches acceptance criteria within the URI White List, a connection is blocked automatically if it meets a rule in the separate URI Black List.
▪ Custom (cloned) Black/White list definition files are required if additional URI patterns are needed.
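The following is an added example, not A10 code: URI black/white list evaluation with the decode, comment, self-reference and space options from this slide, and the rule that a black-list hit wins over a white-list match. The rule patterns are constructed, the real definition files are A10's own, and the interpretation of "Comment" as stripping C-style `/* */` sequences is an assumption.

```python
"""Added example, not A10 code: URI black/white list check with URL
normalisation options; the black list is evaluated first and wins."""
import re
from urllib.parse import unquote

URI_BLACKLIST = [r"^/admin/", r"\.\./", r"/etc/passwd"]                     # constructed
URI_WHITELIST = [r"^/$", r"^/products/[0-9]+$", r"^/static/[a-z0-9_./-]+$"]  # constructed


def normalize(uri, decode_passes=2, strip_comments=True,
              collapse_self_ref=True, collapse_spaces=True):
    """Canonicalise the path part before matching so encoded or padded
    variants of the same path hit the same rules."""
    path = uri.split("?", 1)[0]
    for _ in range(decode_passes):             # multiple decode passes
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    if strip_comments:                         # assumption: C-style /* */ comments
        path = re.sub(r"/\*.*?\*/", "", path)
    if collapse_self_ref:                      # "/a/./b" -> "/a/b"
        path = re.sub(r"(?<=/)(\./)+", "", path)
    if collapse_spaces:
        path = re.sub(r"\s+", " ", path)
    return path


def check_uri(uri, blacklist=URI_BLACKLIST, whitelist=URI_WHITELIST):
    """Returns 'block' or 'allow'. A black-list hit blocks even when the
    white list would also match."""
    path = normalize(uri)
    if any(re.search(p, path) for p in blacklist):
        return "block"
    if any(re.search(p, path) for p in whitelist):
        return "allow"
    return "block"    # white-list mode: anything unlisted is rejected
```

The double-decode pass is what makes `/static/%252e%252e/etc/passwd` hit the `\.\./` rule: after one decode it is still `%2e%2e`, after two it is `../`. The same path would also satisfy the `/static/` white-list pattern, which is exactly the case the slide's priority rule is about.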
Mitigation – Security Checks: Response Protection (1 of 2)
▪ CCN Mask
▪ Examines strings of outbound replies from Web server for numerical character
patterns
▪ Replaces patterns that resemble credit card numbers with “x”
▪ SSN Mask
▪ Examines strings of outbound replies from Web server for numerical character
patterns
▪ Patterns resembling US social security numbers are replaced with “x” (last four digits
remain intact)
▪ Filter Response Headers
▪ Removes Web server identifying headers in outbound responses (Server, X-Powered-By, X-AspNet-Version, and more)
▪ Hide Response Codes
▪ Cloaks 4xx and 5xx response codes for outbound responses from the web server
▪ References allowed_resp_codes WAF policy file for a list of acceptable HTTP
response codes
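The following is an added example, not A10 code: the response-side protections on this slide, credit card and SSN masking, identifying-header removal and cloaking of error status codes, applied to a constructed response. The allowed-status set stands in for the `allowed_resp_codes` policy file, the generic page used for cloaked codes is an assumption, and the Luhn filter on card numbers is an added refinement the slide does not mention (it cuts false positives on order numbers and similar digit runs).

```python
"""Added example, not A10 code: CCN/SSN masking, header filtering and
response-code cloaking for outbound responses."""
import re

CCN_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,15}\d(?![\d-])")   # 13-16 digits
SSN_RE = re.compile(r"(?<!\d)\d{3}[- ]\d{2}[- ]\d{4}(?!\d)")
IDENTIFYING_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}
ALLOWED_RESP_CODES = {200, 301, 302, 304, 404}   # constructed stand-in for allowed_resp_codes
CLOAKED = (403, "Request Denied")                # assumption: generic page for cloaked codes


def luhn_ok(digits):
    """Luhn checksum; added refinement so only plausible card numbers are masked."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_ccn(text, require_luhn=True):
    def repl(m):
        s = m.group(0)
        if require_luhn and not luhn_ok(re.sub(r"[ -]", "", s)):
            return s
        return re.sub(r"\d", "x", s)           # every digit becomes "x"
    return CCN_RE.sub(repl, text)


def mask_ssn(text):
    # the last four digits remain intact, as on the slide
    return SSN_RE.sub(lambda m: re.sub(r"\d", "x", m.group(0)[:-4]) + m.group(0)[-4:], text)


def filter_response_headers(headers):
    return {k: v for k, v in headers.items() if k.lower() not in IDENTIFYING_HEADERS}


def hide_response_code(status, body):
    """4xx/5xx codes not in the allowed list are replaced by a generic page."""
    if status >= 400 and status not in ALLOWED_RESP_CODES:
        return CLOAKED
    return status, body


def protect_response(status, headers, body):
    status, body = hide_response_code(status, body)
    return status, filter_response_headers(headers), mask_ssn(mask_ccn(body))
```

Note that cloaking applies to the status code and body together: a 500 that leaks a stack trace is rewritten as a whole, while a 404 on the allowed list passes through so that normal client behaviour is preserved.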
Mitigation – Security Checks: Response Protection (2 of 2)
▪ PCRE Mask
▪ Masks fields matching fixed-length PCRE (Perl Compatible Regular Expressions) patterns
▪ Replaces masked characters with “X” (default) or an admin-chosen character
▪ Because PCRE mask patterns must match fixed-length strings, wildcard quantifiers that can match excessively long strings (* and +) are not supported. The syntax check fails if it detects an asterisk (*) or plus symbol (+).
▪ For expressions matching a literal “*” or “+” character, insert the “\” character before the matched symbol
▪ Cookie Encryption
▪ Protects against cookie tampering
▪ Uses a secret passphrase to encrypt and decrypt cookies transferred between the web server and client
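The following is an added example, not A10 code: the PCRE mask syntax check that rejects the unbounded quantifiers `*` and `+` unless they are escaped, and the masking itself, which replaces every matched character with `X` or an admin-chosen character. Python's `re` module is used as a stand-in for a PCRE engine, and the sample pattern and body are constructed.

```python
"""Added example, not A10 code: PCRE mask syntax check and masking."""
import re


class PcreMaskError(ValueError):
    pass


def validate_mask_pattern(pattern):
    """Reject '*' and '+' outside an escape; escaped '\\*' and '\\+' match
    the literal characters and are allowed."""
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            i += 2            # skip the escaped character, whatever it is
            continue
        if ch in "*+":
            raise PcreMaskError(f"unbounded quantifier '{ch}' at offset {i}")
        i += 1
    try:
        re.compile(pattern)
    except re.error as exc:
        raise PcreMaskError(f"invalid expression: {exc}") from exc
    return True


def pcre_mask(body, pattern, mask_char="X"):
    """Replace each character of every match with mask_char, so the masked
    field keeps its original length."""
    validate_mask_pattern(pattern)
    return re.sub(pattern, lambda m: mask_char * len(m.group(0)), body)
```

The check only rejects what the slide names. An open-ended bounded quantifier such as `{6,}` is also unbounded in length and would be rejected by a stricter validator; that is a choice to make when adapting the example.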

