This section discusses some commonly asked questions regarding WAF.
What are the traditional WAF challenges addressed by the NSX Advanced Load Balancer?
The following are the solutions that WAF provides to secure customer applications.
Security: Combine different verification methods to provide a comprehensive security layer (Signatures, Positive Rules, Client Reputation, Machine Learning, Outlier analysis and others).
Automation: WAF solution that can be driven by any of the current automation frameworks (Ansible, Terraform, etc.) and can be integrated into an SDLC (Secure Development Life Cycle).
Observability: WAF solution that provides deep insights into the traffic, application behavior and clients.
Ease of use & Simplicity: WAF solution gathers data, learns from the data and auto-tunes the policy or helps the admin to adjust the policy quickly.
Scalability: WAF solution that caters to small and large applications in a similar manner.
Performance: WAF solution that uses resources as efficiently as possible and provides measurements to validate it.
What are the features provided as part of WAF?
The WAF features are as follows.
OWASP Top 10 Protection.
Input Validation – XSS, SQLi, etc.
Positive Security Model through Application Learning.
Scripting for application logic flaws - Using Data Scripts.
API Protection for JSON, XML.
Simplified Policy Definition.
Real-time Insights.
Elasticity and Automation.
Other security features provided by the NSX Advanced Load Balancer are:
Application Rate Limiting.
DDoS Protection.
L3/L4 ACLs.
L7 Rules/Policies and so on.
For comprehensive information on all WAF features, see WAF Features.
Does the NSX Advanced Load Balancer provide WAF as a service?
As of today, the WAF (or LB) is not offered as a cloud service and is deployed in the customer environment. However, a WAF-as-a-service offering is planned for the future. The WAF (or LB) is similar to a physical WAF in terms of on-prem deployment, but offers better operations, scale, performance, and visibility. The NSX Advanced Load Balancer also offers Controller-as-a-Service, which includes WAF as part of the LB offering.
What is the sizing recommendation for WAF?
The recommendation for running WAF and other Application Security features on the NSX Advanced Load Balancer platform is 2 vCPUs and at least 4 GB of RAM. If more performance is required to protect the virtual services, additional Service Cores might be required. For a detailed analysis of your application requirements, please reach out to your VMware specialist, who will happily assist.
Do we need separate license for WAF?
Since the WAF solution is part of the larger LB/ADC offering, a separate license for WAF is not required. However, make sure the Service Engine sizing is adjusted based on the WAF requirements.
What is Positive Security Model?
Positive Security Model, also called Application-specific policy, describes the application behavior and provides input validation by setting an accepted range (and length) of characters for each input. If an input does not match its specification, a policy violation is reported.
Example: product_id=[0-9]{0..63}.
For more information on Positive Security, see Positive Security and Learning.
What do Signatures do?
Signatures perform input and output validation by analyzing all incoming and outgoing traffic. Signatures contain detection for the OWASP Top 10 attack vectors, among many other uses.
What is an Allowlist?
See WAF Allowlist.
What is Application Learning?
Application Learning is the method of collecting statistical information about an application's normal usage in order to generate a Positive Security Model. For more information, see Application Learning for WAF.
What is WAF processing flow?
The WAF processing flow is as follows:
For an incoming request, the Allowlist policies are checked first. If any condition matches, the request is allowlisted, that is, WAF processing is turned off for that request.
If none of the conditions match, the Positive Security engine checks if the request is in line with the learned data.
If a request is marked illegitimate by the Positive Security engine, it is flagged or blocked immediately.
If Positive Security marks the request as legitimate, the request is sent to the Signature engine which checks it against the Signatures, in order to identify any attacks.
If WAF finds an attack vector, the action taken depends on the mode of the WAF Policy:
If the WAF Policy is in Enforcement mode, it blocks the request.
If the WAF Policy is in Detection mode, it flags the request but does not block it.
For a detailed view of WAF Architecture, see Architecture.
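The following is an added example, not code from the NSX Advanced Load Balancer or its documentation, that walks a few constructed requests through the processing flow described above: allowlist first, then the Positive Security Model (the per-parameter specification from the product_id=[0-9]{0..63} example), then signatures, with the final verdict depending on whether the policy is in Enforcement or Detection mode. The request model, the allowlist entries, the learned specifications and the two signature patterns are all assumptions made for the example; the mode value WAF_MODE_DETECTION_ONLY is the product's Detection mode value as far as the editor knows, but only WAF_MODE_ENFORCEMENT appears on this page.

```python
import re
from dataclasses import dataclass


@dataclass
class Request:
    """Minimal request model for the example (constructed, not the product's data model)."""
    client_ip: str
    path: str
    args: dict  # parameter name -> value, as parsed from the query string or body


# Step 1: Allowlist. Each entry matches on client IP and/or path; None means "any".
# A match switches WAF processing off for that request. Entries are constructed.
ALLOWLIST = [
    {"client_ip": "10.0.0.5", "path": None},   # internal monitoring host, any path
    {"client_ip": None, "path": "/health"},    # health-check endpoint, any client
]


def allowlist_match(req):
    for entry in ALLOWLIST:
        ip_ok = entry["client_ip"] is None or entry["client_ip"] == req.client_ip
        path_ok = entry["path"] is None or entry["path"] == req.path
        if ip_ok and path_ok:
            return True
    return False


# Step 2: Positive Security Model. A learned per-parameter specification: accepted
# character range plus maximum length, like product_id=[0-9]{0..63} on the page.
# Only parameters the model has learned are checked; the rest pass on to step 3.
POSITIVE_MODEL = {
    "product_id": re.compile(r"[0-9]{0,63}"),
    "sort": re.compile(r"asc|desc"),
}


def positive_violations(req):
    """Return the names of parameters whose values do not match the learned spec."""
    return [name for name, value in req.args.items()
            if name in POSITIVE_MODEL and not POSITIVE_MODEL[name].fullmatch(value)]


# Step 3: Signatures. Two simplified negative-security patterns standing in for
# CRS rules (constructed for the example, not the product's signatures).
SIGNATURES = {
    "sqli_tautology": re.compile(r"""(?i)['"]\s*(or|and)\s+\d+\s*=\s*\d+"""),
    "xss_script_tag": re.compile(r"(?i)<\s*script\b"),
}


def signature_hits(req):
    """Return (signature, parameter) pairs for every signature matching a value."""
    return [(sig, name) for name, value in req.args.items()
            for sig, pattern in SIGNATURES.items() if pattern.search(value)]


def waf_decision(req, waf_mode="WAF_MODE_ENFORCEMENT"):
    """Run the processing flow and return (verdict, reason).

    Verdicts: ALLOWLISTED, PASSED, BLOCKED (Enforcement mode), FLAGGED (Detection mode).
    """
    # Enforcement mode blocks; Detection mode only flags the request.
    hit_verdict = "BLOCKED" if waf_mode == "WAF_MODE_ENFORCEMENT" else "FLAGGED"

    if allowlist_match(req):
        return "ALLOWLISTED", "allowlist match, WAF processing skipped"

    violations = positive_violations(req)
    if violations:  # marked illegitimate by the Positive Security engine
        return hit_verdict, "positive security violation in " + ", ".join(violations)

    hits = signature_hits(req)
    if hits:  # attack vector identified by the Signature engine
        return hit_verdict, "signature match: " + ", ".join(f"{s} in {p}" for s, p in hits)

    return "PASSED", "no violation, request forwarded to the application"


if __name__ == "__main__":
    # Constructed sample traffic covering each branch of the flow.
    samples = [
        (Request("10.0.0.5", "/product", {"product_id": "abc"}), "WAF_MODE_ENFORCEMENT"),
        (Request("203.0.113.7", "/product", {"product_id": "12345"}), "WAF_MODE_ENFORCEMENT"),
        (Request("203.0.113.7", "/product", {"product_id": "12a"}), "WAF_MODE_ENFORCEMENT"),
        (Request("203.0.113.7", "/product", {"product_id": "12a"}), "WAF_MODE_DETECTION_ONLY"),
        (Request("203.0.113.7", "/search", {"q": "<script>"}), "WAF_MODE_ENFORCEMENT"),
    ]
    for req, mode in samples:
        print(mode, req.path, req.args, "->", waf_decision(req, mode))
```

Note that the positive security check runs before the signatures and short-circuits on a violation, exactly as the flow above describes: a request that fails its learned specification never reaches the Signature engine. That ordering is why a tight Positive Security Model reduces both signature processing cost and the false positives that generic signatures would otherwise produce on valid-but-unusual input.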
How does the system behave when creating WAF policy using CLI and API?
While creating the WAF Policy using the CLI and the API, the following two fields are deprecated:
crs_groups
application_signatures.rules
The above mentioned groups and rules are now taken directly from the referenced wafcrs and the respective wafapplicationsignatureprovider object.
The following new fields are available instead of the deprecated fields.
crs_overrides
application_signatures.rule_overrides
These fields are used to perform configuration changes, like setting the mode attribute or adding the exclude_list settings for a rule or group.
The following snippet shows the overrides in a WAF policy.
{
    "name": "Example Policy 1",
    "waf_mode": "WAF_MODE_ENFORCEMENT",
    "waf_profile_ref": "/api/wafprofile?name=System-WAF-Profile",
    "waf_crs_ref": "/api/wafcrs?name=CRS-2020-3",
    "crs_overrides": [
        {
            "name": "CRS_903.9002_Wordpress_Exclusion_Rules",
            "enable": true
        },
        {
            "name": "CRS_920_Protocol_Validation",
            "rule_overrides": [
                { "rule_id": "920310", "enable": false },
                { "rule_id": "920311", "enable": false }
            ]
        },
        {
            "name": "CRS_930_Application_Attack_LFI",
            "rule_overrides": [
                {
                    "rule_id": "930120",
                    "exclude_list": [
                        {
                            "match_element": "ARGS:path",
                            "match_element_criteria": { "match_case": "INSENSITIVE" }
                        }
                    ]
                }
            ]
        }
    ]
}
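As an added example (not code from the product or its documentation), the script below shows what the override model means in practice: the policy no longer carries the rule set, so the effective rules are obtained by taking the referenced wafcrs object and applying crs_overrides on top of it. The policy JSON is the snippet above; the WAFCRS stand-in, its default enable values, the rule ID "903-placeholder-rule" (the page gives no rule IDs for that group) and the merge semantics (an override changes only the fields it carries; a rule is active only if both its group and the rule itself are enabled) are assumptions for the example. It also includes a check for the deprecated crs_groups and application_signatures.rules fields, so a policy written against the old API is caught before it is submitted.

```python
import copy
import json

# The override-based WAF policy from the page.
POLICY = json.loads("""
{
  "name": "Example Policy 1",
  "waf_mode": "WAF_MODE_ENFORCEMENT",
  "waf_profile_ref": "/api/wafprofile?name=System-WAF-Profile",
  "waf_crs_ref": "/api/wafcrs?name=CRS-2020-3",
  "crs_overrides": [
    {"name": "CRS_903.9002_Wordpress_Exclusion_Rules", "enable": true},
    {"name": "CRS_920_Protocol_Validation",
     "rule_overrides": [{"rule_id": "920310", "enable": false},
                        {"rule_id": "920311", "enable": false}]},
    {"name": "CRS_930_Application_Attack_LFI",
     "rule_overrides": [{"rule_id": "930120",
                         "exclude_list": [{"match_element": "ARGS:path",
                                           "match_element_criteria": {"match_case": "INSENSITIVE"}}]}]}
  ]
}
""")

# Constructed stand-in for the referenced wafcrs object (/api/wafcrs?name=CRS-2020-3).
# Group names and rule IDs come from the page's snippet; the layout, the default
# enable values and "903-placeholder-rule" are assumptions for this example.
WAFCRS = {
    "name": "CRS-2020-3",
    "groups": [
        {"name": "CRS_903.9002_Wordpress_Exclusion_Rules", "enable": False,
         "rules": [{"rule_id": "903-placeholder-rule", "enable": True}]},
        {"name": "CRS_920_Protocol_Validation", "enable": True,
         "rules": [{"rule_id": "920310", "enable": True},
                   {"rule_id": "920311", "enable": True}]},
        {"name": "CRS_930_Application_Attack_LFI", "enable": True,
         "rules": [{"rule_id": "930120", "enable": True}]},
    ],
}


def deprecated_fields(policy):
    """Return the deprecated field paths present in a policy (empty list if none)."""
    found = []
    if "crs_groups" in policy:
        found.append("crs_groups")
    if "rules" in policy.get("application_signatures", {}):
        found.append("application_signatures.rules")
    return found


def effective_rules(wafcrs, policy):
    """Apply the policy's crs_overrides to a copy of the referenced wafcrs.

    Returns rule_id -> {"group", "enable", "exclude_list"}. Assumed semantics: an
    override only changes the fields it carries, exclude_list entries are appended,
    and a rule is enabled only if its group and the rule itself are both enabled.
    Unknown group or rule names raise KeyError rather than being silently ignored.
    """
    groups = {g["name"]: copy.deepcopy(g) for g in wafcrs["groups"]}
    for g_ovr in policy.get("crs_overrides", []):
        group = groups.get(g_ovr["name"])
        if group is None:
            raise KeyError(f"override refers to unknown group {g_ovr['name']!r}")
        if "enable" in g_ovr:
            group["enable"] = g_ovr["enable"]
        rules = {r["rule_id"]: r for r in group["rules"]}
        for r_ovr in g_ovr.get("rule_overrides", []):
            rule = rules.get(r_ovr["rule_id"])
            if rule is None:
                raise KeyError(f"override refers to unknown rule {r_ovr['rule_id']!r}")
            if "enable" in r_ovr:
                rule["enable"] = r_ovr["enable"]
            if "exclude_list" in r_ovr:
                rule.setdefault("exclude_list", []).extend(r_ovr["exclude_list"])

    effective = {}
    for group in groups.values():
        for rule in group["rules"]:
            effective[rule["rule_id"]] = {
                "group": group["name"],
                "enable": group["enable"] and rule["enable"],
                "exclude_list": rule.get("exclude_list", []),
            }
    return effective


if __name__ == "__main__":
    print("deprecated fields:", deprecated_fields(POLICY))
    for rule_id, info in effective_rules(WAFCRS, POLICY).items():
        state = "on " if info["enable"] else "off"
        print(f"{state} {rule_id:24} {info['group']}  excludes={info['exclude_list']}")
```

Two details are worth keeping in mind when reading the output. Disabling rule 920310 and 920311 leaves the rest of CRS_920_Protocol_Validation active, which is the narrow change the override form is meant for; and the exclude_list on 930120 does not disable the rule, it only keeps the rule from inspecting the ARGS:path element, which is the rule-level counterpart of the Exceptions described later on this page.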
What is a false positive?
A false positive is a legitimate request that is flagged as an attack.
What are the Paranoia Modes available in WAF? What are the considerations for choosing the mode?
The available paranoia modes are:
1- Low (Default and recommended mode).
2- Medium.
3- High.
4- Extreme.
The following are the two aspects that must be considered while setting the paranoia mode.
Risk level of an application.
Resources available for policy tuning.
For more information on paranoia mode, see OWASP CRS Paranoia Mode.
What is a false negative?
An attack that is not detected is called a false negative.
What is Exception for false positive mitigation?
An Exception adds a matching condition of <IP, URL, parameter> in front of a Signature Rule or a Rule Group. For more information on Exceptions, see Exceptions.
What is a CVE?
CVE or Common Vulnerabilities and Exposures is a list of publicly disclosed computer security flaws. When a CVE is mentioned, it refers to a security flaw that has been assigned a CVE ID number.