By: Richard Yew, Head of Product, Edgecast Security
My day is filled with questions from current and potential customers. One that I love answering is what makes our web application firewall (WAF) and our security rulesets so accurate. Accuracy is critical when considering the onslaught of new attack vectors and vulnerabilities occurring over the last couple of years. In fact, the Cybersecurity and Infrastructure Security Agency (CISA) recently added 66 new vulnerabilities to its Known Exploited Vulnerabilities Catalog. CISA isn’t the only one concerned about security and performance. According to a recent WAF survey, businesses want fewer false positives and false negatives, less alert fatigue, and better WAF management. For a richer understanding of how businesses are adapting their application security practices, read our WAF Benchmark Report.
So what makes Edgecast Managed WAF Rules more effective? At a high level, it has to do with the special order in which we run our WAF rules and our hybrid signature and anomaly scoring mode with the Managed WAF Rules. We perform these processes within milliseconds via our homegrown waflz engine to provide security without sacrificing performance. Let’s dive into this in greater detail.
Before we review the inner workings of our Managed WAF Rules, let’s take a look at the different layers (pun intended) of the protections in our WAF. Every layer of the WAF rule module plays an important role. The table below provides an overview of its functions.
As you can see, our WAF rules have a lot of layers, and within each layer, there could be anywhere from dozens to hundreds of rules and conditions our WAF has to run. Each rule presents a probability of introducing false positives and impacting performance. Complicating matters is the fact that the Edgecast WAF provides the unique ability to run in Dual WAF mode, where you can run two versions of the security configurations for your production traffic concurrently for access control rules, custom WAF rules and managed WAF rules. As we continue to enhance our security solutions, we will add additional protection layers. This raises the question: how do we ensure our WAF processes millions of requests accurately and efficiently amidst the chaos of all these capabilities and rules?
Besides having a powerful homegrown WAF engine (waflz) specifically designed to scale in a high-performance multi-tenant environment, the key is creating a proper order of operations to run the WAF most efficiently and effectively. To accomplish this, our WAF runs its different layers of rule modules in the following sequence:
Processing every request in sequence (as shown in Figure 1) ensures multiple layers of filtering are performed. This helps us capture the attacks our customers are looking for (i.e., denylisted IP/countries, application DDoS/HTTP flood, automated clients and specific custom request signatures) before the requests hit the Managed WAF Rules. However, this is just part of the security story.
The effectiveness of a WAF isn’t determined just by its ability to mitigate attacks (true positives) but also by its ability to prevent legitimate traffic from being blocked (false positives). Let’s review how we capture most of the application attacks while reducing false positives.
When a request reaches the Managed WAF Rules, it’s evaluated by our proprietary Edgecast Ruleset (ECRS) of more than 500 rules specifically created to mitigate a broad spectrum of application attacks. This presents an additional layer of complexity because there are so many categories of rules: the generic SQL injection (SQLi), cross-site scripting (XSS), and remote code execution (RCE) rules, and the specific WordPress, Joomla and Apache Struts rules. Careful prioritization is needed to ensure they complement each other to maximize accuracy.
As with the previously mentioned WAF rules modules, the key is the order of operations between each category of the ECRS. Within the ECRS, the request is processed by different rules categories in this order: Edgecast Proprietary Rules > Advanced Application-Specific Rules > Generic OWASP CRS Rules.
Another important feature that enhances the accuracy of the Managed WAF Rules is the customizability of the rules. Each one of the 500+ Managed WAF rules can be customized to ignore specific request parameters (i.e., request header, cookie, query and body parameters). This enables customers to quickly remove any false positives using a simple user interface or API.
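An added illustration (not Edgecast's waflz or ECRS code) of the two ideas above: rule categories evaluated from specific to generic, and a per-rule exclusion that silences one request parameter without disabling the rule. The rule IDs, patterns and the `evaluate` helper are hypothetical, and the requests are constructed.

```python
import re

# Constructed, simplified stand-ins for the three ECRS categories, in the
# evaluation order the article gives (specific first, generic last).
CATEGORY_ORDER = ["proprietary", "app_specific", "generic_crs"]

# Hypothetical rule IDs and patterns, deliberately listed out of order.
RULES = [
    {"id": "GEN-SQLI", "category": "generic_crs",
     "pattern": re.compile(r"\bunion\b.{0,40}\bselect\b", re.I)},
    {"id": "APP-WP", "category": "app_specific",
     "pattern": re.compile(r"wp-config\.php", re.I)},
    {"id": "PROP-TRAV", "category": "proprietary",
     "pattern": re.compile(r"\.\./")},
]


def evaluate(request, exclusions=None):
    """Return (rule_id, location, name) for every match, in category order.

    request:    {"header"|"cookie"|"query"|"body": {name: value}}
    exclusions: {rule_id: {(location, name), ...}} parameters a rule skips
    """
    exclusions = exclusions or {}
    ordered = sorted(RULES, key=lambda r: CATEGORY_ORDER.index(r["category"]))
    matches = []
    for rule in ordered:
        skipped = exclusions.get(rule["id"], set())
        for location, params in request.items():
            for name, value in params.items():
                if (location, name) in skipped:
                    continue  # tuned out for this rule only
                if rule["pattern"].search(value):
                    matches.append((rule["id"], location, name))
    return matches


# Constructed requests: a benign comment that trips the generic SQLi rule,
# and the same form with hostile values in other parameters.
BENIGN = {"query": {"post": "42"},
          "body": {"comment": "Join the union and select your delegate"}}
HOSTILE = {"query": {"post": "42 UNION SELECT pass FROM users"},
           "body": {"comment": "nice article", "file": "../wp-config.php"}}
TUNING = {"GEN-SQLI": {("body", "comment")}}

if __name__ == "__main__":
    print(evaluate(BENIGN))            # false positive before tuning
    print(evaluate(BENIGN, TUNING))    # cleared by the exclusion
    print(evaluate(HOSTILE, TUNING))   # other parameters still inspected
```

The exclusion is scoped to one rule and one parameter, so the generic SQLi rule still fires on the `post` query parameter after the `comment` field has been tuned out.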
You’ve now taken the journey of an HTTP request through our WAF. This journey occurs billions of times every day within every Edgecast server in all 180+ points of presence (PoPs) worldwide, as our high-performance WAF runs natively on the same stack that runs our content delivery services. At the beginning of this blog, I mentioned I get a lot of questions about our WAF. I hope you now understand what sets it apart from other solutions. We combine an intelligent order of operations with the various WAF rules modules (from ACL to rate limiting to bot and custom rules), Managed WAF Rules (from specific to generic rules), and the hybrid signature and anomaly scoring mode for security that doesn’t impede performance.
Consider this analogy: Designing and assembling WAF components and rulesets is like making a hamburger. It's not just about having the right ingredients, it's about how they are combined to make a great meal. The same ingredients put together differently can have a drastic impact on taste and the experience for the consumer.
Let’s connect to learn how Edgecast can improve the security and performance of your web applications.