What Are Web Application Firewall (WAF) Rules?


Web application firewall (WAF) rules are used to define how to inspect HTTP/HTTPS web traffic (requests) to an application, where and what parameters and conditions to look for in the request, and what action the WAF should take when a request matches those definitions. A set of security rules constitutes a security policy.

As applications constantly evolve with new services and pages alongside a constantly growing threat landscape, security policies need to be updated regularly. Updating a security policy means updating and finetuning the set of rules that comprise that security policy to answer the most relevant security threats and needs of the application.

What Are Fundamental (Pre-defined) WAF Rules

Each WAF comes with a basic set of rules out of the box. In most cases these rules are based on certain blocklists as per known signatures, bad reputation IP lists, etc.

The better the WAF, the broader and more robust, and more relevant the pre-defined ruleset would be to answer to the most current cyber security threats. Although these rules are pre-defined, WAF vendors must constantly and continuously update them to ensure their customers are protected against the very latest threats.

What Are Advanced WAF Rules

Advanced WAFs allow analysts, security experts, and other users to define advanced rules with granular customization options to improve their applications’ security and performance and reduce network load on application servers.

Here are some examples of custom rules:

  • Block access to specific sections of a website based on IP address or Headers

  • Prevent search engine bots from accessing a website

  • Redirect traffic to a maintenance page

  • Add an additional header to specific requests

  • Change the value of a header to another value

Rules are usually comprised of rule metadata, a set of conditions, and an action.

Metadata

For each rule, you can set a rule name and a rule description. The rule metadata information is used to describe the rule and is also presented as part of the security event that is generated when a rule is triggered. You can also set the rule state to be enabled or disabled.

Conditions

Conditions are used to trigger the rule by matching a condition to the content of the request. For each rule, you can set multiple conditions.

Action

An action will take place in case the requests matched the conditions described in the conditions section of the rule. The available actions are in dependent on the rule type that is selected.

Rules are usually arranged according to their action type into four major groups:

Priority

In most industry-standard WAFs HTTP/S Requests are matched against rules according to a predefined priority. For instance, Redirect RulesSecurity RulesRewrite Rules and within each group, you can set the internal priority of existing rules within that group

How to set up and manage Radware WAF rules

Radware WAF security policies are comprised of two types of rules – Pre-defined rules and Custom Rules.

Pre-defined rules

This set of rules is what makes Radware WAF a unique turn-key solution. Some of these rules are automatically generated by Radware’s advanced machine-learning algorithms and the Radware data lake, some are updated by Radware’s team of cyber experts at the backend, and some are generated by Radware’s ERT Active Attackers Feed (e.g., Radware’s global intelligence, honey pots, and deception networking, device fingerprinting, etc.)

These rules are dynamic and constantly adapt to protect against the most recent threats. Here are a few types of Radware’s predefined WAF rules:

  • OWASP Top 10

  • Known CVEs ( on top of the OWASP list)

  • Bot mitigation rules

  • RFC violations

  • Anonymous proxy blocking

  • Signature-based protection

  • SQL injection protection

  • DDoS protection

  • Jason validation protection

WAF Rules: Image 1

 

Custom rules

Radware custom WAF rules are advanced rules that contain configurations and settings for advanced application traffic control and manipulation. Here are Radware custom rules’ six main categories:

WAF Rules: Image 2

 

WAF Rules: Image 3

 

What Is A Positive and Negative Security Model

The best security coverage with minimal impact on legitimate traffic is when WAFs combine negative (defining what’s forbidden and accepting the rest) and positive security models (defining what is allowed and rejecting the rest). Combining the two models allows granular and accurate policy definitions, therefore avoiding false positives and false negatives. The negative security model protection is based on up-to-date signatures against known vulnerabilities that provide the most accurate detection and blocking technology of application vulnerability exploits. The positive security model is useful in stopping zero-day attacks. The positive security rules and mechanisms allow the definition of value types and value ranges for all client-side inputs, included encoded inputs and within structured formats such as XMLs and JSONs. The positive security profiles limit the user input to only the level required by the application to properly function, thus blocking zero-day attacks.

How To Generate and Update WAF Rules

The use of the aforementioned security models requires defining policies and rules which can sometimes be labor intensive. Building a security policy usually demands rigorous work on the part of the administrator, while still leaving a system potentially open to attack due to human errors. Advanced WAF solutions should be able to use automation to reduce the cost of ownership and avoid human errors associated with such manual processes.

What Is Auto-Policy Generation

To reduce the effort involved in creating a positive security policy and avoid the risks of human errors, A WAF should provide auto-policy generation based on machine-learning capabilities for automatic rule definition and maintenance. Auto-policy generation is often based on the ability to identify and profile legitimate application transactions and creating “allow” rules based on it.

What Is Continuous Policy Optimization

It is critical to constantly optimize security policies to maintain high-security levels and minimize false positives so that security won’t stand in the way of legit traffic. To achieve both without high operational costs and manual intervention requires an application protection solution capable of automatically reviewing log files on a regular basis and artificial intelligence

Radware’s auto policy optimization engine

 

  • Redirect Rules – used for redirecting traffic to another location when conditions are met

  • Security Rules – used for blocking or allowing traffic when conditions are met.

  • Rate limiting Rules – used for controlling traffic volumes as per set thresholds

  • Remove/Rewrite/insertRules – usually used for modifying the HTTP request and response components when conditions are met.

    • Redirect rules – used for changing headers to redirect traffic to another location when conditions are met

    • Security & Access Control rules – used for blocking or allowing traffic when conditions are met. Within this group of rules, you would find Geo blocking and security bypass rules

    • Rate limiting Rules – used for controlling traffic volumes as per set thresholds

    • Response Delivery rules – used for modifying (Remove, Rewrite, Insert) the headers of the server responses when the conditions of rules are met.

    • API protection rules – used for setting request quotas from specific API endpoints or blocking them altogether, as well as setting specific API conditions to be met such as type, header, body, path, parameters, etc.

    • Bot management rules – used for configuring which action to be taken if a malicious bot was detected, according to the type of bot that was identified

Additional Resources

Contact Radware Sales

Our experts will answer your questions, assess your needs, and help you understand which products are best for your business.

Already a Customer?

We’re ready to help, whether you need support, additional services, or answers to your questions about our products and solutions.

Locations
Get Answers Now from KnowledgeBase
Get Free Online Product Training
Engage with Radware Technical Support
Join the Radware Customer Program

Get Social

Connect with experts and join the conversation about Radware technologies.

Blog
Security Research Center
CyberPedia