Last updated: Oct 17 2016
Web Application Firewall
This topic describes the concept of Web Application Firewall (WAF), specifically related to solutions built within Episerver Digital Experience Cloud Service.
How it works
A WAF sits in front of web applications to filter out malicious traffic at the application layer, see Open Systems Interconnection (OSI) Model. In DXC Service, WAF is always enabled, constantly monitoring the website traffic.
The WAF examines HTTP requests to your website, looking at both GET and POST requests, and applying rules to filter out illegitimate traffic from legitimate website visitors. Illegitimate traffic is challenged, and blocked or stopped.
How does WAF protect my website?
A WAF automatically protects from the following types of attacks:
- SQL injection, comment spam
- Cross-site scripting (XSS)
- Distributed denial of service (DDoS) attacks
A WAF uses rulesets to block common attacks, like cross-site scripting (XSS) and SQL injections. Episerver can update these rulesets at any time to keep the WAF up-to-date with evolving trends in attacks. Because the DXC Service handles significant attack traffic, Episerver identifies new attack styles and adds new WAF rules to protect customers against these potential vulnerabilities.
The WAF engine runs the OWASP ModSecurity Core Ruleset by default, making sure you are protected against the OWASP Top 10 common vulnerabilities.
WAF and DXC Service
- Automatic protection from diverse threats, with strong default rulesets, providing Application layer protection that is fully integrated with DDoS mitigation.
- Fast processing times with instant global updates.
- Cost-effectively fulfill of PCI compliance by utilizing WAF to meet requirement 6.6.
- No hardware, software, or tuning required, as it it is part of DXC Service.
Fast and responsive performance
No need to sacrifice speed for security. In the event of a new attack, the DXC Service makes sure you are protected quickly:
- New rules typically take effect globally in under 30 seconds.
- Less than 1 millisecond latency for web visitors is common.
Compliance for PCI DSS requirement 6.6
Cost-effectively fulfill PCI compliance using Digital Experience Cloud WAF to meet Requirement 6.6. If you are a merchant who handles consumer credit card information, the following options meet the PCI DSS 2.0 and 3.0 Requirement 6.6:
- Deploy a WAF in front of your website (WAF is included with DXC Service).
- Conduct application vulnerability security reviews of all of your in-scope web applications.
The following table shows the DXC Service default ruleset for WAF, which is optimized for Episerver applications and based on best practices. Custom rulesets cannot be defined at this time.
|OWASP Bad Robots||Detects bad web robots that are not from search engines but perform malicious searching and spidering of web sites.|
|OWASP Generic Attacks||Detects generic attacks against web-based applications without specific knowledge of the application. Detects things such as attempting to access an LDAP directory, inject shell commands, and attacks against PHP.|
|OWASP HTTP Policy||Enforces policies around the HTTP protocol, such as methods that are supported and headers that are allowed.|
|OWASP Protocol Anomalies||Detects unusual use of the HTTP protocol that may indicate an attack, but that also may be legitimate.|
|OWASP Protocol Violations||Detects violations of the HTTP protocol that often indicate an attacker attempting to penetrate a site.|
|OWASP Request Limits||Detects excessively large numbers of HTTP headers, HTTP arguments or files.|
|OWASP Slr Et Lfi Attacks||Detects LFI attacks.|
|OWASP Slr Et RFI Attacks||Detects RFI attacks.|
|OWASP Slr Et SQLi Attacks||Detects SQLi attacks.|
|OWASP Slr Et XSS Attacks||Detects XSS attacks.|
|OWASP Trojans||Detects command web trojans.|
|OWASP SQL Injection Attacks||Detects attacks against SQL servers that attempt to inject SQL statements through the web to leak information or take control of a SQL server.|
|OWASP XSS Attacks||Detects cross-site scripting (XSS) attacks that may result in unwanted HTML being inserted into web pages.|
|OWASP Uri SQL Injection Attacks||Detects attacks against SQL servers that attempt to inject SQL statements through the web to leak information or take control of a SQL server via URIs.|
|OWASP Uri XSS Attacks||
Detects cross-site scripting (XSS) attacks that may result in unwanted HTML being inserted into web pages via URIs.