What Makes a WAF Advanced?

As the threat landscape evolves, so must our security controls and countermeasures. The most advanced perimeter threats for data loss or exfiltration occur at the application layer, rendering most next-gen firewalls (NGFW) and intrusion prevention systems (IPS) much less effective. This effect is compounded by the fact that most communications are moving to encrypted data channels not well-supported by NGFW or IPS, particularly at scale. Web application firewalls (WAF) are specifically designed to analyze each HTTP request at the application layer, with full decryption for SSL/TLS.

In recent years, most WAF technologies have remained largely unchanged, as passive filter-based detection systems, much like the related NGFW and IPS technologies. WAF systems apply protocol compliance (ensuring a well-formed request) and signature comparisons (ensuring no known malicious content) to filter and block potential attacks. Additional features have been added to enable session- and user-awareness to fight hijacking and brute force attacks, and IP reputation feeds are applied to attempt to filter out known-bad sources such as botnets, anonymizers, and other threats. These are still largely passive technologies at the data center perimeter, with very limited capacity for interrogating the client.

 There are a few things we know about the current threat landscape:

• Most threats are automated in nature. Attackers automate scans for vulnerabilities. They automate resource hoarding such as purchases of tickets or sneakers for grey-market resale. Distributed denial-of-service (DDoS) attacks are fully-automated to enable the kind of 1Tbps+ attack traffic volume that has become commonplace. Automation is difficult to detect because it is often designed to mimic good traffic and go undetected. Technologies like CAPTCHA have been used to detect such automation, but these verification methods prove ineffective over time and impact the experience of legitimate users.
   
• Credential stuffing is a specific kind of automated attack which leverages the billions of known username and password combinations from prior breaches. Use of stolen credentials was the most prevalent type of application attack of 2017, according to recent threat reports. These attacks prey upon password re-use common for the average citizen of the Internet. Credential stuffing is particularly difficult to detect because these requests not only look normal, they are often “low and slow” by design to avoid detection as a brute force attack.
   
• Malware is pervasive and is used to exploit weaknesses in browsers and the users operating those browsers. Malware has many delivery methods, from email attachments to malicious links on social media and in ads. These compromised machines are used to attack other websites for DDoS, data theft, and resource hoarding. Limited detection and mitigation methods are available unless the client machine is managed by an experienced IT infosec team.
   
• DDoS attacks are not just volumetric in nature. Many attacks are designed to cause resource exhaustion somewhere in the application stack, the application servers, middleware, or back-end database. Detecting these conditions can be difficult since the traffic conforms to most standard input validation checks.

Simply put, these attacks bypass virtually all traditional WAF detection mechanisms since they often do not appear malformed in any way. IP address reputation feeds are of limited effectiveness due to the almost inexhaustible supply of easily compromised targets, including cable modems, IoT devices, public cloud server instances, and more. Source address information changes too rapidly for even a crowd-sourced feed to be very effective in combatting the level of automation typical of these attack vectors. A more advanced web application firewall is clearly needed to fight these threats.

The good news is that Advanced WAF technology is already available and has been for some time. F5 pioneered technology for CAPTCHA-free detection of bots attempting to scrape price data from online retailers nearly a decade ago, when Web Scraping protection was introduced in 2009. F5 has progressively advanced that technology and expanded it into what is now known as Proactive Bot Defense, introduced in 2015. Proactive Bot Defense (PBD) enables interrogation of the requesting client to verify that a human user with a legitimate browser is present. This is a far more effective solution than relying on blocking known botnets by IP address.

With the new F5 Advanced WAF offering, F5 is expanding on their market-leading WAF technology to include capabilities necessary to combat the evolving threats seen in the application security landscape. Advanced WAF includes:

• Proactive Bot Defense. By utilizing cutting edge fingerprinting and challenge/response techniques in conjunction with other behavioral analysis, PBD enables session-level detection and blocking of automated threats.
   
• Layer 7 Behavioral DoS detection and defense. The Advanced WAF is able to dynamically profile traffic and create signatures of anomalous traffic patterns, stopping layer 7 DoS attacks before they impact your application.
   
• DataSafe credential protection. DataSafe dynamically encrypts page content to prevent man-in-the-browser attacks usually caused by malware. DataSafe also dynamically encrypts credentials as they are entered to protect the user at the browser.
   
• Anti-Bot Mobile SDK integration. The techniques used by Proactive Bot Defense work to identify legitimate browsers. For mobile apps, a browser is not present. The Anti-Bot Mobile SDK enables organizations to fight bots with advanced techniques even on mobile API endpoints.

The F5 Advanced WAF is a dedicated security platform to deliver the most advanced application security capabilities available on the market today. F5 is committed to providing cutting edge application security solutions to mitigate even the most sophisticated attacks. Look forward to more advancements on the Advanced WAF platform in the future.