How to build a reliable WAF (Web Application Firewall)
This article covers: (1) which components make up a WAF implementation and how these components interact to provide the WAF's defense functions; (2) how to maintain WAF rules (policies), including where rules are obtained, how they are tested, and how their performance is evaluated once online; (3) how WAF product improvement is supported and which information libraries that requires.
I. WAF implementation
A WAF parses HTTP requests (protocol parsing module), checks them against rules (rule module), performs different defense actions (action module), and records the defense process (log module). Regardless of whether the WAF is delivered as hardware, software, cloud service, or core module, we will focus on the implementation of yy waf. The WAF consists of five modules (configuration module, protocol parsing module, rule module, action module, and error handling module).
1. Configuration Module
Sets the WAF detection granularity and enables detection as needed.
2. Protocol parsing module (important)
The output of protocol parsing is the object that the next module's rule detection operates on, so the granularity of parsing directly determines the WAF's defense effect. In the cloud WAF model, where the WAF module lives inside the web server, parsing generally relies on the web server's own parsing capability.
3. Rule module (important)
This is the core of the WAF, and I will divide it into three sub-modules.
(1) Rule Configuration Module
Configure the IP blacklist and whitelist, URL blacklist and whitelist, and select a suitable rule package.
(2) Rule parsing module
Its main function is to parse the rule files. It is best to use a uniform rule description language, which makes it easy to let third parties supply custom rules. ModSecurity does this very well.
A rule consists of four parts: variable, operator, transformation function, and action.
(3) rule detection module
The previous step gave us the variables, operators, transformations, and actions; this module combines them according to the rule logic (the "arithmetic" of matching) to decide whether a request matches a rule.
4. Action module (Focus)
The rule detection module has classified each request as benign or malicious. Next comes the question of what to do with a verdict, and the answer is not just interception.
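The rule parsing, rule detection, and action modules described above, as an added example in Python (not code from the article or from ModSecurity): it parses SecRule-style lines into the four parts (variable, operator, transformation function, action), applies the transformations before the operator, and lets a "deny" verdict win over "log". The rule lines, request dictionaries, and the "badbot" string are constructed for illustration.

```python
import re
import urllib.parse

# Transformation functions: applied to each value before the operator runs.
TRANSFORMS = {"lowercase": str.lower, "urlDecode": urllib.parse.unquote}
RULE_RE = re.compile(r'SecRule\s+(\S+)\s+"@(\w+)\s+(.*?)"\s+"([^"]*)"')

def parse_rule(line):
    """Rule parsing module: one SecRule-style line -> dict with the four parts."""
    m = RULE_RE.match(line.strip())
    if not m: raise ValueError(f"unparseable rule: {line!r}")
    variable, operator, pattern, actions = m.groups()
    opts = [a.strip() for a in actions.split(",")]
    return {
        "id": next(o[3:] for o in opts if o.startswith("id:")),
        "variable": variable,    # "ARGS" or "REQUEST_HEADERS:User-Agent"
        "operator": operator,    # "rx" (regex search) or "contains"
        "pattern": pattern,
        "transforms": [o[2:] for o in opts if o.startswith("t:")],
        "action": "deny" if "deny" in opts else "log",
    }

def resolve(request, variable):
    # Select the values a variable names from the parsed request (collection[:key]).
    coll, _, key = variable.partition(":")
    values = request.get(coll, {})
    if key:
        return [values[key]] if key in values else []
    return list(values.values())

def matches(rule, request):
    """Rule detection module: run the transforms, then the operator, per value."""
    for value in resolve(request, rule["variable"]):
        for t in rule["transforms"]:
            value = TRANSFORMS[t](value)
        if rule["operator"] == "rx" and re.search(rule["pattern"], value):
            return True
        if rule["operator"] == "contains" and rule["pattern"] in value:
            return True
    return False

def inspect(rules, request):
    """Action module: 'deny' wins over 'log'; no hit at all means 'pass'."""
    hits = [r for r in rules if matches(r, request)]
    verdict = "deny" if any(r["action"] == "deny" for r in hits) else "log" if hits else "pass"
    return verdict, [r["id"] for r in hits]

RULES = [parse_rule(l) for l in (  # constructed sample rules, not from the article
    r'SecRule ARGS "@rx union\s+select" "id:1001,t:urlDecode,t:lowercase,deny"',
    r'SecRule REQUEST_HEADERS:User-Agent "@contains badbot" "id:1002,t:lowercase,log"',
)]
```

Without the t:urlDecode and t:lowercase transformations the first rule would miss a percent-encoded, upper-case variant of the same parameter value, which is why transformations are a separate part of the rule rather than an afterthought.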
5. Log Module (important)
Log processing is very important and currently a hot area. It is rich in content and can be developed independently of the WAF into a separate security product (e.g. a log service) that supports the WAF through interfaces. For a cloud WAF with a huge data volume, a separate big data team will support the architecture, including data storage (e.g. HDFS, Kafka, Hadoop/Spark, Storm, and Elasticsearch).
6. Error Handling Module
Handles the exceptions raised when any of the above modules fails at runtime.
II. WAF rule (policy) maintenance
(Illustrated in the original article with a diagram that is not reproduced here.)
III. WAF support information library
(Illustrated in the original article with a diagram that is not reproduced here.)
Almost every security team builds the support libraries above on its own, duplicating the same work, and the resources are not shared. One reason is that they are kept internal; the other is that without a unified description language the resources cannot be integrated. Alas, such is life for security practitioners.