How can we help?

The latest application delivery knowledge and expertise at your fingertips.

Web Application Firewall (WAF) Update

We are introducing these enhancements on the Web Application Firewall (WAF) that will provide improved protection, visibility, and reporting for your applications. We are migrating to rules based on the Open Web Application Security Project® (OWASP) Core Rule Set (CRS) as the primary set of rules-based protection.

Benefits to you

OWASP CRS is a set of generic attack detection rules designed to protect web applications from a wide range of attacks, including OWASP Top Ten. The CRS provides protection against many common attack categories, including SQL Injection, Cross Site Scripting, Local File Inclusion, etc. The OWASP CRS provides significantly better baseline protection for your applications.

OWASP CRS natively provides deeper insights into application traffic attacks. The WAF and GSLB features can also leverage updated reputation data daily, to validate where the traffic hitting your application is coming from and blocking those from known bad actors.

The WAF feature from Kemp is being enhanced to support utilizing the anomaly scoring and paranoia modes available with the CRS to better enable tuning and reducing any false positives.

Additionally, real-time per Virtual Service logging of events and rules triggered whilst performing false-positive analysis is available to make the WAF operation more transparent to our customers.

The LoadMaster user interface, for WAF, is being significantly modified to allow easy selection of countries to block and this will be reflected in enhanced statistics.

The following table outlines the feature comparison and benefits of the enhanced WAF:

 

Legacy WAF

Enhanced WAF

Custom Rules Support

Yes

Yes

Daily Reputation Data Updates

Yes

Yes

Egress response processing

Yes

Yes

Audit Mode

Yes

Yes

GSLB Service Integration

Yes

Yes

OWASP Top 10 Mitigation

Yes

Yes

App-Specific Rules + Signature Updates[1]

Yes

No

Integrated CRS Rulesets

No

Yes

Auto-Updated CRS Signature Updates

No

Yes

False Positive Analysis

No

Yes

Granular per-Service event logging

No

Yes

Anomaly Scoring Threshold Tuning

No

Yes

Paranoia Level Tuning

No

Yes

Source Location-Level filtering

No

Yes

In-UI Statistic Visualization

No

Yes

Table 1: WAF Matrix comparison

 

Our Recommendation

We recommend upgrading your LoadMaster to use the latest WAF feature in 7.2.54.1 Generally Available release from the 08th June 2021. This will not affect your currently configured WAF implementation and provides access to all new functionality to enable migration planning.

Legacy WAF rules are being retired on 29th June 2021 and no further updates will be available. The LoadMaster user interface will reflect this with the title ‘WAF Options (Legacy)’ on v7.2.54.1 release.

Other Information

Details of this change will be published globally on 27th April 2021 on the Kemp Announcements Page.

If you would like assistance in updating your firmware, please access our Customer Support Team and click ‘Submit A Request’.

 

[1] Kemp’s legacy WAF included limited coverage application-specific rules with selective daily updates (e.g., Joomla, CPanel, Drupal) signatures and rules definitions sub-sets as new threats arose. This portion of our rule and signature library has been retired and replaced with a ruleset based on the ModSecurity Core ruleset to provide a wider range of coverage for common yet complex application-layer attacks. The many signatures compiled based on open source industry standards along with out-of-the-box pre-configuration by Kemp allows for the evaluation of combinations of distinct traffic patterns without the requirement for manual signature configuration. Alignment with the models leveraged by the Azure Web Application Firewall, AWS WAF, and Google Cloud Armor system enables the unification of policies in hybrid cloud environments and simplifies cloud migration scenarios.


Comments