Introduction
First of all, let me answer one of the obvious questions: why open source? Simple enough. We could take F5 or Imperva, and there are solutions from Fortinet, Check Point and Palo Alto, to name a few. Sure we could, but not everyone has access to such technologies, and for this reason we are going to take a look at open source.
I'm deliberately avoiding questions around the risks of such a deployment in mission-critical networks, so take this article as education. Nothing else.
So, what is a WAF?
In the first place, a WAF is a firewall whose functionality differs from that of a typical Next-Gen Firewall. Web application firewalls, as you could have already guessed, are built to protect web applications that are potentially vulnerable to external attacks.
Known vendor solutions come with broader functionality than open source and include the following:
- Initial traffic analysis, making it easier to come up with the filtering policy
- OWASP filtering (protection against XSS and SQL injection, HTTP header analysis, zero-day protection and so on)
- Bot protection
- Some vendors also provide NGFW features: sandbox, IPS, malware protection etc. Standard NGFW features.
- There are also WAFs with SLB (server load balancing) capabilities
What of those can we get from open source? Many. Would we have to reinvent the wheel in the process? Sure thing :)
- Analysis, reports? Hand-made only. We should (more like must) forward the logs to a SIEM system for exactly this reason.
- OWASP? Yes, again. No GUI though, hardcore mode only.
- Application detection? Yes, hypothetically, although one would have to write their own signatures for this.
- Bot protection? To a degree.
Anyway, for educational purposes we'll take a look at open source.