WAFEC

Managing Director at Conferencias FIST
Feb. 17, 2013



  1. WAFEC, or how to choose WAF technology
     Rafael San Miguel Carrasco

  2. Why I am here
     Honestly, I got no better plan for Friday afternoon
     I like to play with WAF technology
     WAFEC 1.0 has been recently published
     I actually belong to the WAFEC Working Group
     Let's talk about WAFEC!

  3. What will we talk about?
     Introduction and concepts
     Why WAF devices are not so fun?
     How to make them be fun
     WAFEC sections
     WAFEC and common sense together

  4. So, what is a WAF device?
     WAF devices protect web applications from specific vulnerabilities that IDS/IPS/FW technology can't beat
     WAF devices address the most attack-prone subsystem within a technology infrastructure: the webserver
     WAF devices are complex devices with sophisticated features: actually, they have to be as complex as web applications
     Attack classes surrounding the slide: Cross-site scripting, SQL Injection, LDAP Injection, XPath Injection, Parameter tampering, Cookie poisoning, HTTP Request Smuggling, HTTP Response Splitting, Cross-site Request Forgery, Cross-site Tracing, Stealth Commanding, Buffer overflows, ...

  5. Some background about WAF
     Negative Security Model
       Concept: the WAF knows what traffic is an attack, and allows any other traffic to go through
       Advantages: no need for customization; protection out-of-the-box; simple, straightforward
       Disadvantages: highly dependent on updates; not very accurate
     Positive Security Model
       Concept: the WAF learns what traffic profile is legitimate, and blocks anything else
       Advantages: accurate detection; unknown attacks; not dependent on updates
       Disadvantages: need for learning process; more prone to false positives

  6. Some background about WAF: How are unknown attacks identified with PSM?
     http://<site>/get/default.ida?<240chars>%9090<…>%u00=a
     Illegal entry point into the site to the .ida file (/get)
     Illegal parameter tampering of the .ida file
     Buffer overflow attempt on the parameter (240 characters)
     Illegal characters within parameter (%)
     Nimda was blocked by several WAF devices without a custom signature

  7. Some background about WAF: How is the learning process in PSM?
     Learning phase (traffic observed by the WAF in front of the webserver):
       http://a.com/showarticle?id=278
       http://a.com/showarticle?id=345
       http://a.com/showarticle?id=12
     Learned profile: id parameter in showarticle is a number
     Enforcement phase:
       http://a.com/showarticle?id=1’%20OR%201=1--
     This looks to be an attack!
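The profile-then-enforce behaviour of slides 6 and 7, as an added example in Python (not code from the WAFEC document or from any WAF product): it learns entry points and parameter shapes from the three constructed legitimate requests of slide 7 and then counts the ways a new request departs from that profile. The character whitelist, the 128-character ceiling for unknown paths and the "twice the learned length" slack are assumptions of this toy; the Nimda-shaped URL is constructed after the pattern on slide 6, and the query is deliberately split without percent-decoding so that the "%" characters stay visible to the checks.

```python
"""Toy positive-security-model (PSM) learner: profile legitimate traffic,
then count how a new request departs from the profile.

Added example, not code from the WAFEC document or any WAF product.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Characters accepted in a raw (undecoded) parameter name or value. Assumed
# whitelist for this example; a real profile would learn it per parameter.
SAFE_TOKEN = re.compile(r"^[A-Za-z0-9_.-]*$")
# Ceiling on one raw name or value for paths nothing has been learned about
# (assumed value for this example).
MAX_TOKEN_LEN = 128


@dataclass
class ParamProfile:
    """What the learner has seen for one parameter of one entry point."""
    numeric: bool = True   # stays True only while every sample is all digits
    max_len: int = 0

    def observe(self, value: str) -> None:
        if not value.isdigit():
            self.numeric = False
        self.max_len = max(self.max_len, len(value))


def split_query(query: str) -> list[tuple[str, str]]:
    """Split a raw query into (name, value) pairs WITHOUT percent-decoding,
    so that '%' and friends remain visible to the character check."""
    return [pair.partition("=")[::2] for pair in query.split("&") if pair]


class PositiveModel:
    def __init__(self) -> None:
        # path -> {parameter name -> ParamProfile}
        self.paths: dict[str, dict[str, ParamProfile]] = {}

    def learn(self, url: str) -> None:
        """Learning phase: record the entry point and profile each parameter."""
        parts = urlsplit(url)
        params = self.paths.setdefault(parts.path, {})
        for name, value in split_query(parts.query):
            params.setdefault(name, ParamProfile()).observe(value)

    def violations(self, url: str) -> list[str]:
        """Enforcement phase: list every way the request departs from the profile."""
        parts = urlsplit(url)
        found: list[str] = []
        params = self.paths.get(parts.path)
        if params is None:
            found.append(f"illegal entry point: {parts.path}")
        for name, value in split_query(parts.query):
            profile = params.get(name) if params is not None else None
            if params is not None and profile is None:
                found.append(f"unknown parameter {name!r} for {parts.path}")
            if profile is not None and profile.numeric and not value.isdigit():
                found.append(f"parameter {name!r} is expected to be a number")
            # Twice the learned maximum gives legitimate growth some slack.
            limit = 2 * profile.max_len if profile is not None else MAX_TOKEN_LEN
            longest = max(len(name), len(value))
            if longest > limit:
                found.append(f"oversized parameter ({longest} chars, limit {limit})")
            if not (SAFE_TOKEN.match(name) and SAFE_TOKEN.match(value)):
                found.append(f"illegal characters in parameter {name[:12]!r}")
        return found


def demo() -> dict[str, list[str]]:
    """Train on the constructed legitimate requests of slide 7, then score one
    legitimate request and the two attack requests of slides 6 and 7."""
    model = PositiveModel()
    for url in ("http://a.com/showarticle?id=278",
                "http://a.com/showarticle?id=345",
                "http://a.com/showarticle?id=12"):
        model.learn(url)
    # Constructed after the shape on slide 6: unknown .ida entry point, a
    # 240-character parameter and percent escapes.
    nimda_like = "http://a.com/get/default.ida?" + "X" * 240 + "%9090%u00=a"
    return {
        "legit": model.violations("http://a.com/showarticle?id=1234"),
        "sqli": model.violations("http://a.com/showarticle?id=1'%20OR%201=1--"),
        "nimda": model.violations(nimda_like),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result or ['no violations']}")
```

Run it and the legitimate request passes with no violations, the injection attempt trips three checks (not a number, oversized, illegal characters) and the Nimda-shaped request trips three as well, starting with the unknown entry point. The slack factor is where the slide 5 trade-off lives: a tighter limit catches more, a looser one produces fewer of the false positives that slide 12 warns about.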

  8. So, what is WAFEC?
     WAFEC is an ongoing project and stands for Web Application Firewall Evaluation Criteria
     WAFEC is promoted by WASC, which in turn stands for Web Application Security Consortium
     WAFEC is a document describing WAF capabilities, as a structured checklist of features
     WAFEC allows technicians to evaluate WAF devices and decide which one best fits in their environment

  9. So, what is not WAFEC?
     WAFEC is not a specification of minimum requirements that a WAF device must comply with
     WAFEC is not a tutorial or compendium about WAF technology or web security
     WAFEC is not for managers, but for reasonably skilled technicians

  10. Why do we think WAFEC is necessary?
     There is not much knowledge about this emerging market
     Marketing and sales forces are creating confusion
     WAF devices and manufacturers are proliferating

  11. Why WAF devices are not so fun?
     If not properly configured, they can trigger false positives and stop business
     If not properly administered and integrated, they won't adapt to application changes
     If not properly deployed, they can slow down your transactions and make business staff unhappy
     The solution: do it properly!
       … and make sure the product you choose does support the features you need
       … and do it using WAFEC!

  12. How to make them be fun: About false positives and other nightmares
     Take your time to refine policies
     Define detection rules that will alert you of suspicious events without the risk of stopping business
     Teach the WAF device in the development phase; that will let you define more accurate policies in the production environment

  13. How to make them be fun: About application changes
     Web applications change very quickly, which means that the WAF behaviour has to change as well
     Let the WAF device learn from developers in order to enable policy adjustment in the production environment
     Define granular policies so that the WAF can rebuild policies for updated sections or areas with no impact on those that haven't changed

  14. How to make them be fun: About application changes
     (four-step diagram on the slide; not reproduced in this transcript)

  15. How to make them be fun: About performance, latency and SLA
     Use SSL accelerators
     Define simpler policies for areas or sections subject to SLAs
     Use webcache integrated features
     Compress HTML content between the WAF and the browser

  16. WAFEC sections: Deployment and architecture
     Modes of operation: bridge, router, proxy or plugin
       … there is no rule of thumb: it depends on your network!
     SSL operation: active, passive or not required (case of plugins)
     Technology delivery: appliance or software-only
     Support for non-HTTP traffic
       Clear trend: the integration of WAF/IPS capabilities in one device

  17. WAFEC sections: HTML and HTTP support
     A rather long and boring checklist of features related to support for protocol and extensions
       … but this can drive the decision as well!
     Includes length restrictions for every HTTP component
       … I have never seen them in place because they can't be accurately defined
     Response filtering or Intellectual Property Firewalling
       … this will let you add an extra layer of security if everything else fails

  18. WAFEC sections: Response filtering
     Imagine that every security mechanism implemented in the WAF device fails!
     We have the following datafile that can be remotely retrieved by means of an OsCommerce vulnerability:
     (datafile contents shown on the slide; not reproduced in this transcript)

  19. WAFEC sections: Response filtering
     ModSecurity's response filtering capabilities can be configured this way to prevent the previous datafile from being effectively retrieved:
     (ModSecurity configuration shown on the slide; not reproduced in this transcript)
     Which results in forbidden access to the malicious URL
       … with no previous knowledge about the OsCommerce vulnerability!
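The idea of slides 17 to 19, as an added example in Python rather than the ModSecurity configuration shown on the slide (which this transcript does not carry): inspect the body of every response on its way out and refuse to deliver it when it contains something that should never leave the site, regardless of which vulnerability produced it. The datafile signature, the sample leaked body and the "normal" body are constructed for this example; the card numbers are the widely published Visa and Mastercard test numbers, not real accounts.

```python
"""Toy outbound (response) filter: inspect the response body and withhold it
when it carries a known datafile signature or Luhn-valid card numbers.

Added example, not the ModSecurity configuration from the WAFEC slides.
"""
import re

# Constructed signature of a datafile that must never be served; placeholder
# for the OsCommerce datafile of slide 18, whose contents are not on this page.
DATAFILE_MARKER = re.compile(r"^#\s*oscommerce-customers-export",
                             re.IGNORECASE | re.MULTILINE)
# Candidate payment card numbers: 13 to 19 digits, optionally separated by
# spaces or dashes.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation, which weeds out most random digit runs."""
    total = 0
    for position, char in enumerate(reversed(digits)):
        d = int(char)
        if position % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(body: str) -> list[str]:
    """Return the Luhn-valid card numbers found in a response body, digits only."""
    found = []
    for match in CARD_CANDIDATE.finditer(body):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def filter_response(status: int, body: str) -> tuple[int, str]:
    """Decide whether a (status, body) pair may be delivered to the client.
    Returns the original pair, or a 403 with a short explanation."""
    reasons = []
    if DATAFILE_MARKER.search(body):
        reasons.append("datafile signature")
    cards = find_card_numbers(body)
    if cards:
        reasons.append(f"{len(cards)} card number(s)")
    if reasons:
        return 403, "Forbidden: response withheld by outbound filter (" + "; ".join(reasons) + ")"
    return status, body


# Constructed sample of what a leaked datafile might look like. The card
# numbers are the standard Visa/Mastercard test numbers, not real accounts.
LEAKED_BODY = """# oscommerce-customers-export v1
id,email,card
1,alice@example.com,4111 1111 1111 1111
2,bob@example.com,5500-0000-0000-0004
"""
NORMAL_BODY = "<html><body>Article 278: nothing to see here.</body></html>"


if __name__ == "__main__":
    for body in (NORMAL_BODY, LEAKED_BODY):
        status, delivered = filter_response(200, body)
        print(status, delivered[:60].replace("\n", " "))
```

The normal article page passes through untouched and the leaked file comes back as a 403, with no knowledge of the request that produced it, which is the point of the slide. Two practical caveats: a real deployment must actually buffer the response body before rules can see it (in ModSecurity that is what SecResponseBodyAccess controls), and Luhn alone accepts roughly one random digit run in ten, so card-number rules need exclusions for things like order or tracking numbers, which is where the false-positive handling of slides 26 and 29 comes in.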

  20. WAFEC sections: Detection techniques
     Two main groups: positive model and negative model
       … my best bet is to properly combine both
     Negative model: what parameters are important? Update frequency, number of products included, customized selection of signatures
     Positive model: what parameters are important? Basically, effectiveness; if it works, nobody cares about what the core technology is

  21. WAFEC sections: Protection techniques
     Brute force attacks mitigation and automated clients detection
       … helpful for websites that track users' activity
     Strict request flow enforcement
       … nice in theory but difficult to effectively implement if the application changes often
     Cryptographic URL and parameter protection
       … this feature really annoys malicious users

  22. WAFEC sections: Logging
     It enumerates support for typical event log and notification mechanisms, found in most widely-accepted technologies
       … e-mail, syslog, SNMP traps, OPSEC, etc.
     Criteria for log selection and retention
       … interesting when legal or regulatory requirements have to be satisfied
     Mechanisms to handle sensitive data
       … manual or automatic configuration to rewrite sensitive data that would be included in logs

  23. WAFEC sections: Reporting
     Report formats, scheduled reports, customized reports, flexible reports
       … definitely, reports make management happy!
     But, what else can reports be used for?
       Trend analysis
       Risk prioritization
       Attackers' behaviour

  24. WAFEC sections: Some leftovers: Performance and XML
     Support for Web Services, WSDL and XML inspection
       … this can also drive the final decision if Web Services need to be protected as well
     Maximum number of simultaneous connections, sessions, SSL resumptions, requests, etc.
       … this greatly depends on the underlying technology, mainly ASIC (faster) or Linux (slower)
     Performance under load

  25. WAFEC sections: Management is a key element of WAF devices
     This is mainly because policies become complex and have to quickly evolve in order to adapt to application changes
     We have thought of the following sections:
       POLICY MANAGEMENT
       PROFILE LEARNING
       CONFIGURATION MANAGEMENT
       LOGS AND MONITORING
       LEFTOVERS
     Any suggestions about features that you would miss?

  26. WAFEC sections: Simplicity to manually accept false positives
       … think of it: how would you refine policies otherwise?
     (screenshot on the slide: "This is a false positive. Tick to remove it.")

  27. WAFEC sections: Ability to define different policies for different applications
       … why could this be helpful?
     (diagram: user groups reaching the webserver through the WAF, each with its own policy level)
       Senior Management: HIGH LEVEL
       Webmail users: MID LEVEL
       System administrators: HIGH LEVEL
       Potential customers: LOW LEVEL

  28. WAFEC sections
     Support for trusted hosts
       … this feature enables ethical hackers to work with no impact on the Incident Management team
     Automated signature download and deployment
       … otherwise, the protection can arrive too late
     Policy rollback mechanism
       … otherwise, the WAF device might stop business
     Ability to create custom signatures or events
       … this way I can address custom vulnerabilities that exist in my particular environment

  29. WAFEC sections
     Ability to combine detection and prevention
       … guess what this can be interesting for?
     Ability to manage several devices from one central location
       … otherwise, management can't be centralized and policy adjustment becomes a nightmare!
     Simplicity to relax default policies

  30. Let me ask you some questions
     How long does it take to apply critical security updates from the moment they appear?
     Is there server-side validation for every form?
     Who audits code coming from third parties?
     Who applies security updates to functional/application software, and when?
     Is there correlation between the logs and the successive upgrades of the application?
     Is the logging policy followed throughout the code?
     Are the code portions used for partial development tests removed when moving to production?
     Are security tests/attacks performed against each evolution of the software?
     What is the critical code path that accesses backend data?

  31. Want to know more?
     More info: www.rafaelsanmiguel.com, www.webappsec.org/wafec
     Contact info: rafael.sanmiguel@dvc.es
     Interesting info: www.empleoenseguridad.com

  32. Creative Commons Attribution-NoDerivs 2.0
     You are free:
       • to copy, distribute, display, and perform this work
       • to make commercial use of this work
     Under the following conditions:
       Attribution. You must give the original author credit.
       No Derivative Works. You may not alter, transform, or build upon this work.
     For any reuse or distribution, you must make clear to others the license terms of this work. Any of these conditions can be waived if you get permission from the author. Your fair use and other rights are in no way affected by the above.
     This work is licensed under the Creative Commons Attribution-NoDerivs License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nd/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.