Layers of Defense: WAF-Mirroring with YOTTAA
YOTTAA is implementing WAF-mirroring to provide continuous, high-quality protection for our customers’ sites. WAF-mirroring will allow us to create and refine WAF rulesets without having to put the WAF into learn mode or implement untested rules.
Web Application Firewalls (WAFs) protect eCommerce sites against malicious web traffic attempting to compromise them. WAFs work by applying rulesets built from signatures of known attacks. At YOTTAA, we deploy OWASP’s Core Rule Set and then manually customize it for each site’s content. Failure to analyze and customize WAF rulesets can lead to false positives (legitimate traffic gets blocked) and false negatives (malicious traffic is permitted through to your site’s origin server).
Administrators must analyze and customize WAF rulesets when they initially deploy the ruleset, when origin server content changes significantly, and whenever the Core Rule Set (CRS) is upgraded.
Previously, we only had two options when updating a ruleset: put the WAF into learn mode as we refined the rules (no longer blocking suspicious traffic), or add untested rules while the WAF was in block mode and watch for any side effects. WAF-mirroring helps us avoid either of these less-than-ideal scenarios.
YOTTAA’s WAF-Mirroring allows each customer site to retain its WAF protection using existing, proven rules while testing new rules to verify their accuracy. The active front-end WAF blocks suspicious requests using the proven rules while the Mirror WAF examines the same traffic using the new rules. The Mirror WAF generates a report of suspicious requests without blocking traffic. Traffic evaluation from both the front-end and Mirror WAFs is fed to YOTTAA Analytics, where it is compared and behavioral differences are noted.
This traffic evaluation assists users in assessing the effectiveness of Core Rule Set rule modifications and custom rules used to extend the Core Rule Set. Using WAF Mirroring, users can continue to make further Rule Set modifications and extensions until the changes are proven effective.
WAF-Mirroring will also allow testing of new releases of the OWASP Core Rule Set. OWASP periodically releases updated rulesets that provide enhanced attack detection. Most recently, OWASP released v3.3.2, which included important updates such as new bot and crawler detection rules and the ability to detect attempts to bypass UNIX remote code execution rules. WAF-Mirroring allows customers currently provisioned with older OWASP Core Rule Set releases to test the attack-detection performance of a new OWASP Core Rule Set without disabling WAF blocking and without the risk of unanticipated side effects. Once the comparison between front-end WAF and Mirror WAF performance has validated the new OWASP Core Rule Set, users can deploy the new enhanced rules for active blocking.
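The comparison of front-end and Mirror WAF verdicts described above, whether the candidate rules are custom extensions or a new CRS release, comes down to classifying where the two rulesets disagree. This added example is not YOTTAA’s code; it assumes a constructed per-request verdict log (one line per request: id, path, pass/block, rule ids) and illustrative rule ids, and sorts disagreements into candidate false positives, candidate false negatives, and changed rule attribution.

```python
# Compare verdicts from the active (blocking) WAF and the mirror (log-only) WAF.
# Constructed log format: <request_id> <path> <pass|block> <rule ids or '-'>
from collections import namedtuple

Verdict = namedtuple("Verdict", "path blocked rules")

def parse_log(text):
    """Parse the constructed verdict log into {request_id: Verdict}."""
    out = {}
    for line in text.strip().splitlines():
        req_id, path, verdict, rules = line.split()
        rule_ids = frozenset() if rules == "-" else frozenset(rules.split(","))
        out[req_id] = Verdict(path, verdict == "block", rule_ids)
    return out

def compare(active, mirror):
    """Classify each request both WAFs saw.

    new_blocks:   passed by proven rules, flagged by candidate rules
                  (review as possible false positives before deploying)
    regressions:  blocked by proven rules, passed by candidate rules
                  (possible false negatives; candidate set lost coverage)
    rule_changes: blocked by both, but by a different set of rule ids
    """
    report = {"new_blocks": [], "regressions": [], "rule_changes": [], "agree": 0}
    for req_id in sorted(active.keys() & mirror.keys()):
        a, m = active[req_id], mirror[req_id]
        if not a.blocked and m.blocked:
            report["new_blocks"].append((req_id, a.path, sorted(m.rules)))
        elif a.blocked and not m.blocked:
            report["regressions"].append((req_id, a.path, sorted(a.rules)))
        elif a.blocked and a.rules != m.rules:
            report["rule_changes"].append((req_id, a.path, sorted(a.rules), sorted(m.rules)))
        else:
            report["agree"] += 1
    return report

# Constructed sample verdicts; rule ids are illustrative only.
ACTIVE_LOG = """
r1 /cart/add pass -
r2 /search?q=shoes pass -
r3 /search?q=%27%20OR%201%3D1 block 942100
r4 /admin/login block 949110
"""
MIRROR_LOG = """
r1 /cart/add pass -
r2 /search?q=shoes block 913100
r3 /search?q=%27%20OR%201%3D1 block 942100,942190
r4 /admin/login pass -
"""
```

In the sample, r2 is a new block on ordinary search traffic (investigate before promoting the candidate rules) and r4 is a request the proven rules blocked but the candidate set let through.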
YOTTAA’s WAF-mirroring capability is integrated into the YOTTAA portal for easy configuration and reporting. Through the portal, administrators can enable WAF-Mirroring and specify which Core Rule Set and custom rules to deploy to the active and mirror WAFs. The YOTTAA portal will generate easy-to-read and comprehensive reports comparing ruleset behavior. Then, site administrators can deploy the new proven ruleset without any pause in site protection.