Considering WAFs and how they can improve your security

By Aaron Wiseman
By Aaron Wiseman
Considering WAFs and how they can improve your security

What is a WAF?

A Web Application Firewall (WAF) is a security appliance for inspecting, logging and blocking unwanted traffic before it reaches a web-server. This is an evolution of the traditional network firewall in that it implements the ability to intercept HTTPS traffic so it can inspect and filter the requests being made to a web application. 

What are WAFs used for?

As a firewall, WAFs provide all the same type of protections that a regular firewall provides, plus some additional ability to apply rulesets for specific HTTP request headers and payload contents.

Here are the common purposes that WAFs are used for:

  • Log requests to the application
  • Protect from Denial of Service (DOS) attacks by implementing rate limiting
  • Implement standard organisational security header settings like HSTS, Content-Security-Policy and X-Content-Type-Options
  • Ensure HTTPS termination implements the latest ciphers and security standards
  • Scan request for generic and generalised exploit payloads, for example OWASP ModSecurity List
  • Block traffic from certain geographic locations
  • Allow IT teams to block 0-day exploits before applications are patched

What about Cloudflare?

Many schools have been adopting Cloudflare as a WAF, but it needs to be recognised that Cloudflare goes well beyond a WAF and provides additional functionality that you wouldn’t find in a traditional firewall or reverse-proxy product.

In addition to the WAF capabilities, Cloudflare also offers:

  • Content Optimisation (Rocket Loader)
  • Content Distribution Network (CDN)
  • Distributed Denial of Service attack (DDOS) protection
  • Bot Detection
    and much more.

These additional features are generally focused around performance for static websites and don’t provide any additional security. DDOS protection can be important in certain situations, but our support team would work with you and your upstream providers in the rare event of a DDOS attack. In terms of content optimisation, Schoolbox already implements best practices around content optimisation. We have found that Rocket Loader can cause JavaScript to break on Schoolbox due to the way it changes the page load order.

Can I use a WAF in front of Schoolbox?

Our standard recommendation is that you do not need a WAF product in front of Schoolbox. This is because Schoolbox is actively monitoring, updating and ensuring the highest possible security practices are being implemented by the product. The best practice with security is to implement it as close to the application itself. This allows the security practices to be application aware and specific to the needs and requirements of the application itself.

We recognise this requires a degree of trust in our ability to deliver a secure application. To help understand how we deliver this security we invite you to review our security measures, monitor traffic and conduct your own penetration tests. Specific to the features of the WAF this table should help identify where the Schoolbox application already provides existing security measures.

Schoolbox
Standard Firewall
WAF
Notes
Logging requests to the application.
Schoolbox can provide logs to a remote server on request.
Protect from DOS attack by implementing rate limiting.
This requires quite fine control to avoid blocking regular user traffic.
Implement standard organisational security header settings like HSTS, Content-Security-Policy and X-Content-Type-Options.
Ensure HTTPS termination implements the latest ciphers, protocols and security standards.
We have found many WAFs do not implement the latest standards. The HTTPS standards provided by a WAF should be compared against our standards.
Scan request for generic and generalised exploit payloads.
Schoolbox implements in application protections against all standard OWASP attacks. As these rulesets are generic and not specific, they should be set to alert, rather than block to ensure valid requests are not impacted.
Block traffic from certain geographical locations.
Schoolbox utilises many 3rd party providers that integrate via APIs from around the world. Careful consideration should be given to ensure legitimate traffic is not blocked. Please review our subprocessor list for further details.
Allow IT teams to block 0-day exploits before applications are patched.
Schoolbox is committed to fixing and deploying security patches within 48 hours of reports.

But our security consultant, best practice guide or security sales person, says we must have a WAF to be secure

No single device will make an organisation secure. It requires all parties to accept responsibility for security and implement best practices across the board. Good security is implemented when all stakeholders work together and hold each other to account.

A WAF system is an important part of the security toolkit, but they generally do not provide security out of the box. If you must have a WAF in order to meet compliance requirements it is important to carefully consider what value you wish to extract from the device in the context of what Schoolbox already offers. We believe they are best utilised as a passive device that keeps an eye on what is happening but does not actively impact the service unreasonably.

If you must install, we would recommend the following best practices:

  • Initially setup WAF rulesets in ‘monitor’ mode
  • Alert rather than block traffic so that you can review for false positives and avoid breaking the application unexpectedly
  • Turn off automatically forwarding port 80 to 443 (Schoolbox will do this for you, but there are some reasons we still need port 80 traffic)
  • Do not block traffic from North America and Europe.
  • Ensure your WAF supports the latest security cyphers (TLS 1.2+), automated certificate rotations and HTTPv3
  • Ensure your WAF supports WebSocket connections
  • Disable additional features for content optimisation like ‘Rocket Loader’ and bot detection

We have installed our WAF and now Schoolbox is broken

Unfortunately this is an all too common outcome following the implementation of a WAF in front of Schoolbox. Here are some of the common symptoms that get reported to our support team but are caused by WAF appliances:

Symptom
Cause
Our notifications panel sits waiting to connect.
The WAF does not support WebSockets.
A page isn’t loading with no explanation.
The WAF is blocking certain page requests.
We attempt to save a record, but it just disappears.
The WAF is blocking certain page requests.
The page loads but we are unable to interact with anything.
The WAF is blocking Javascript or there is a content accelerator changing the way Javascript is being loaded.
Our SSL certificate has expired.
Port 80 has been blocked, or port 80 is being forwarded to 443.
We are unable to log into Help with SSO.
The WAF is blocking certain page requests related to oAuth or there is bot detection filtering.
Turnitin reports take a long time to appear.
The WAF is filtering traffic from other countries.
We are trying to use an LTI tool but it just doesn't work as expected.
The WAF is filtering traffic from other countries or is blocking requests related to oAuth.
We had a security audit completed but Schoolbox didn’t meet the minimum requirements.
The WAF does not support the latest HTTPS standards.

The impacts on the Schoolbox service following the implementation of a WAF can be varied and subtle. They are often difficult to detect and very hard to diagnose. Our support team is unable to support issues that are caused due to a WAF as they are not trained in WAF configuration. Once our support team has identified the issue is specific to your network environment, the responsibility for resolving the issue will rest with the school and the WAF vendor.

Conclusion

Schoolbox believes WAFs are an important security tool. In scenarios where applications are not adopting best practices, they are a great way to ensure that the organisation is protected. They also provide an excellent method for gaining oversight of traffic and monitoring for emerging threats.

However when WAFs are actively blocking traffic or degrading the service they can quickly become a huge burden on all involved. Negative impacts include increased service failure, increased support costs, and additional network complexity and surface area.

Our recommendation stands that Schoolbox will always do its best to uphold the highest security standards and not require a WAF to be installed in order to ensure your data is protected and safe. However if you wish to enable a WAF do so with our best practices in mind and the acknowledgement that you will need to support any connectivity issues related to Schoolbox.

Additional Reading: