Web Application Firewall (WAF) Update
We are introducing enhancements to the Web Application Firewall (WAF) that provide improved protection, visibility, and reporting for your applications. We are migrating to rules based on the Open Web Application Security Project® (OWASP) Core Rule Set (CRS) as the primary set of rules-based protection.
Benefits to you
OWASP CRS is a set of generic attack detection rules designed to protect web applications from a wide range of attacks, including the OWASP Top Ten. The CRS provides protection against many common attack categories, including SQL Injection, Cross-Site Scripting, and Local File Inclusion. The OWASP CRS provides significantly better baseline protection for your applications.
OWASP CRS natively provides deeper insight into attacks within application traffic. The WAF and GSLB features can also use reputation data that is updated daily, to validate where the traffic hitting your application is coming from and to block traffic from known bad actors.
The WAF feature from Kemp is being enhanced to support the anomaly scoring and paranoia levels available with the CRS, making tuning easier and reducing false positives.
Additionally, real-time per Virtual Service logging of events and of the rules triggered is available while performing false-positive analysis, making WAF operation more transparent to our customers.
The LoadMaster user interface for WAF is being significantly modified to allow easy selection of countries to block, and this is reflected in enhanced statistics.
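To make the anomaly-scoring and paranoia-level mechanism referred to above concrete, here is an added illustration (not Kemp's code and not the CRS rule set itself) of how CRS-style scoring turns a set of matched rules into a block decision. Each matched rule contributes points according to its severity, only rules at or below the configured paranoia level are evaluated, and the request is blocked when the summed score reaches the inbound threshold. The severity scores (CRITICAL 5, ERROR 4, WARNING 3, NOTICE 2), default paranoia level 1 and default threshold 5 follow the CRS 3.x defaults; the rules and requests below are constructed for the example and are not real CRS rules. The per-rule match log in the returned verdict is the kind of detail per-service event logging exposes during false-positive analysis.

```python
"""Illustration of OWASP CRS-style anomaly scoring and paranoia levels.

Added example, not Kemp's or the CRS project's code. The rules and the
request strings are constructed for this illustration; the severity
scores, default paranoia level 1 and default inbound threshold of 5
follow the CRS 3.x defaults.
"""
import re
from dataclasses import dataclass, field

# CRS default anomaly score per rule severity.
SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}


@dataclass(frozen=True)
class Rule:
    rule_id: str         # constructed id, not a real CRS rule id
    pattern: str         # regex applied to the request line
    severity: str
    paranoia_level: int  # rule is active only when PL >= this value
    msg: str


# Constructed rules for the example. Higher paranoia levels add stricter,
# more false-positive-prone checks, as in the real CRS.
RULES = [
    Rule("EX-1", r"(?i)\bunion\b.+\bselect\b", "CRITICAL", 1, "SQLi: UNION SELECT"),
    Rule("EX-2", r"(?i)<script\b", "CRITICAL", 1, "XSS: script tag"),
    Rule("EX-3", r"\.\./", "CRITICAL", 1, "LFI: path traversal"),
    Rule("EX-4", r"(?i)\bselect\b", "WARNING", 2, "bare SQL keyword (PL2 check)"),
    Rule("EX-5", r"[';]", "NOTICE", 3, "SQL meta-characters (PL3 check)"),
]


@dataclass
class Verdict:
    score: int
    blocked: bool
    # per-rule event log: (rule_id, msg, points) for every rule that matched
    matched: list = field(default_factory=list)


def evaluate(request: str, paranoia_level: int = 1, threshold: int = 5) -> Verdict:
    """Sum the scores of matching rules active at the given PL; block at threshold."""
    verdict = Verdict(score=0, blocked=False)
    for rule in RULES:
        if rule.paranoia_level > paranoia_level:
            continue  # rule not active at this paranoia level
        if re.search(rule.pattern, request):
            points = SEVERITY_SCORE[rule.severity]
            verdict.score += points
            verdict.matched.append((rule.rule_id, rule.msg, points))
    verdict.blocked = verdict.score >= threshold
    return verdict


if __name__ == "__main__":
    # Constructed sample requests: one attack, one benign search query.
    attack = "/search?q=1' UNION SELECT password FROM users"
    benign = "/search?q=select a good book"
    for pl in (1, 2, 3):
        for name, req in (("attack", attack), ("benign", benign)):
            v = evaluate(req, paranoia_level=pl)
            print(f"PL{pl} {name:6s} score={v.score:2d} blocked={v.blocked} "
                  f"rules={[m[0] for m in v.matched]}")
    # Lowering the threshold at PL2 turns the benign query into a false positive.
    print("PL2, threshold 3, benign blocked:",
          evaluate(benign, paranoia_level=2, threshold=3).blocked)
```

Running the block shows the attack blocked at every paranoia level, while the benign query first accumulates points at PL2 (the bare `select` keyword) and is blocked only if the threshold is lowered to 3. Tuning therefore means picking the paranoia level and threshold together, using the per-rule match log to see which rule contributed the points on legitimate traffic.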
The following table outlines the feature comparison and benefits of the enhanced WAF:
| | Legacy WAF | Enhanced WAF |
|---|---|---|
| Custom Rules Support | Yes | Yes |
| Daily Reputation Data Updates | Yes | Yes |
| Egress response processing | Yes | Yes |
| Audit Mode | Yes | Yes |
| GSLB Service Integration | Yes | Yes |
| OWASP Top 10 Mitigation | Yes | Yes |
| App-Specific Rules + Signature Updates[1] | Yes | No |
| Integrated CRS Rulesets | No | Yes |
| Auto-Updated CRS Signature Updates | No | Yes |
| False Positive Analysis | No | Yes |
| Granular per-Service event logging | No | Yes |
| Anomaly Scoring Threshold Tuning | No | Yes |
| Paranoia Level Tuning | No | Yes |
| Source Location-Level filtering | No | Yes |
| In-UI Statistic Visualization | No | Yes |
Table 1: WAF Matrix comparison
Our Recommendation
We recommend upgrading your LoadMaster to use the latest WAF feature in the 7.2.54.1 Generally Available release, available from 08th June 2021. This will not affect your currently configured WAF implementation and provides access to all new functionality to enable migration planning.
Legacy WAF rules are being retired on 29th June 2021 and no further updates will be available. The LoadMaster user interface will reflect this with the title ‘WAF Options (Legacy)’ on v7.2.54.1 release.
Other Information
Details of this change will be published globally on 27th April 2021 on the Kemp Announcements Page.
If you would like assistance in updating your firmware, please contact our Customer Support Team and click ‘Submit A Request’.
[1] Kemp’s legacy WAF included limited-coverage application-specific rules (e.g., for Joomla, cPanel, Drupal), with selective daily updates to subsets of signatures and rule definitions as new threats arose. This portion of our rule and signature library has been retired and replaced with a ruleset based on the ModSecurity Core Rule Set, to provide wider coverage of common yet complex application-layer attacks. The many signatures compiled from open source industry standards, together with out-of-the-box pre-configuration by Kemp, allow combinations of distinct traffic patterns to be evaluated without manual signature configuration. Alignment with the models used by the Azure Web Application Firewall, AWS WAF, and Google Cloud Armor enables the unification of policies in hybrid cloud environments and simplifies cloud migration scenarios.