Ask Sucuri: Common WAF Questions and Concerns

There is no more frustrating experience than knowing you need something, but not knowing which questions to ask.

This resonates with website owners when they are told they need to add (yet another) security solution to their tech stack – and it’s called a Website Application Firewall (WAF).

I spoke earlier this month about the difference between endpoint and cloud-based WAFs. This article will go into more depth about challenges and considerations for each.

Top 10 WAF Questions and Concerns

To help website owners connect the dots, we’ve compiled a list of the most common questions and concerns we get about WAF technologies.

1 – Will a cloud-based WAF impact the performance of my site?

Most cloud-based WAF solutions are built on an Anycast network that includes some form of Content Distribution Network (CDN). This configuration provides global reach, load balancing, failover, and extensive performance improvement features. In many instances, website owners can experience a 60% boost in performance via a cloud-based WAF. The exact gains are highly dependent on how a site is built and configured.

Endpoint WAF solutions generally don’t come with a performance hit, but it depends on how they are deployed. When an endpoint WAF runs inside the same web server environment as the site, it competes with the application for the same resources and can introduce an unintended performance hit. This is a common issue with many security solutions that run within the application itself, and it is why some hosts limit which endpoint solutions and configurations an organization can use within their environment.

2 – What is an Anycast network?

Anycast is a network topology in which the same IP address is announced from multiple nodes in different locations, so that the node nearest to the visitor responds to the request.

How it works: Assume your website has a global footprint. Your website is hosted on a server in Austin, Texas, but your readers are in Europe and Asia. Via an Anycast network, a service provider would be able to broadcast your content from a London and Tokyo point of presence (PoP), which improves the user experience as the nearest node responds to the request. In this case, readers in Asia would get the response from the Tokyo PoP, while those in Europe would get responses from the London PoP.

This reduces the total travel time required for each visitor, improving speed and performance. Though an oversimplification, via an Anycast network, a website has improved availability, resiliency, and failover capability.

3 – Do I have to install the WAF?

Cloud-based WAF solutions are configured via DNS (or BGP). In most instances, pointing the site’s A record at the WAF is all that’s required. The time to go live is dictated by the DNS Time to Live (TTL), often within 30-60 minutes. This can also be done by switching nameservers, or by using CNAME records.

Endpoint WAF solutions, regardless of where they are on the endpoint, have an installation and configuration requirement. Because they run at the endpoint, it’s recommended to work with your developer or system administrator to ensure that they are installed and configured correctly.

4 – Will my website go down during deployment?

Regardless of the type of deployment, your site should not experience any downtime.

With cloud-based solutions, DNS uses a caching mechanism defined by the TTL. When records are changed, the DNS network is updated and goes through a process known as propagation, where all the global DNS nodes are updated. This takes time to complete. During this propagation period, traffic to your site will be going to either the cloud WAF network or the origin server. Once propagation is complete, all traffic will be going to the cloud WAF network.

Downtime can occur if there are endpoint conflicts during the deployment. It can also happen with cloud solutions if your host does not restore the real visitor IP that the service provider passes along with each request, or if the host blocks the cloud network’s IP ranges.
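The two cloud-side failure modes above, a host that does not restore the real visitor IP and an origin that is reached without passing through the WAF, come down to one check at the origin: trust a forwarded address only when the connection itself arrives from a WAF edge. The following is an added example written for this article, not Sucuri code; the edge ranges and the header name are constructed placeholders, and a real deployment uses the provider's published ranges.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed placeholder ranges standing in for the cloud WAF's published
# edge IP ranges (documentation prefixes, not a real provider's list).
WAF_EDGE_RANGES = [ipaddress.ip_network(n)
                   for n in ("192.0.2.0/24", "2001:db8:1::/48")]

# Header assumed to carry the visitor chain; providers document their own.
CLIENT_IP_HEADER = "X-Forwarded-For"


def is_waf_edge(ip: str) -> bool:
    """True if ip belongs to one of the trusted WAF edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WAF_EDGE_RANGES)


def resolve_visitor(peer_ip: str, headers: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Classify a connection hitting the origin server.

    Returns (verdict, visitor_ip):
      ("bypass", None)      the TCP peer is not a WAF edge, so the request
                            skipped the firewall; refuse it and never trust
                            any forwarded header it carries
      ("waf", ip)           came through the WAF; ip is the restored visitor
      ("malformed", None)   came through the WAF but the chain is unusable
    """
    if not is_waf_edge(peer_ip):
        return ("bypass", None)
    chain = [h.strip() for h in headers.get(CLIENT_IP_HEADER, "").split(",") if h.strip()]
    # Walk the chain right to left: the right-most entries were appended by
    # edges we trust. The first address that is not one of our edges is the
    # real visitor; anything further left was supplied by the visitor and is
    # attacker-controllable, so it is ignored.
    for hop in reversed(chain):
        try:
            if not is_waf_edge(hop):
                return ("waf", hop)
        except ValueError:
            return ("malformed", None)  # garbage in the header: do not guess
    return ("malformed", None)  # empty chain or only our own edges listed
```

Logging the "bypass" verdict is worth doing on its own: a steady stream of such hits means the origin IP is known and the kernel firewall should be limiting ports 80/443 to the WAF edge ranges.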

5 – Should I run a cloud firewall or an endpoint firewall?

There are pros and cons to both. I personally consider them complementary solutions. If you’re employing a Defense in Depth approach, they work in conjunction with each other.

For instance, in my personal deployments, I leverage not only cloud-based firewall solutions, but also deploy solutions at the server and application endpoint. For example:

  • OSSEC, a Host Intrusion Detection System (HIDS), to monitor and aggregate local activity.
  • Local kernel firewalls to disable unnecessary ports and restrict access accordingly.
  • A cloud-based firewall to virtually patch and harden the environment.

6 – Are WAFs the only security solution I need?

WAFs are an important security tool, but they are not a substitute for other security tools and controls. Security is about employing a security-by-default mindset. There are a number of attack vectors where a WAF will not be effective, e.g. stolen passwords, or cross-site contamination on “soup kitchen” servers that host many sites under one account. For those with a security mindset, WAF technologies are complementary. For those that lack an appropriate security posture, WAF technologies may be problematic in giving a false sense of security.

7 – Can WAF technologies be evaded?

There is no 100% solution to security. With enough time and motivation, bad actors can compromise and evade any solution. Most evasions are traced back to security misconfigurations, currently listed as #5 on the Open Web Application Security Project (OWASP) Top 10 list of vulnerabilities.

8 – Will WAF technologies strip out good requests?

A WAF shouldn’t strip valid requests, but there may be instances where requests are miscategorized and unintentionally stripped. Service providers invest heavily and work diligently to minimize this potential. It’s good to have a working relationship with your service provider to ensure that if something is being blocked, you can work together to address the problem.

9 – Will WAF technologies adversely affect my SEO?

No. There is no impact on SEO. The only instance where this might be an issue is if the user inadvertently blocks Google IP ranges, thinking they belong to a malicious scanner. This will not happen with established WAF service providers.

For WAFs like the Sucuri Firewall, the inclusion of an SSL certificate and the improved speed from the Anycast CDN can actually improve SEO, as these are both confirmed ranking signals from Google.

10 – How does the Sucuri WAF stop an attack?

The Sucuri Firewall is a Website Application Firewall (WAF) and Intrusion Prevention System (IPS) built specifically to address the challenges websites face. It employs Virtual Patching and Hardening technology that mitigates attacks at the edge (i.e., our network) without requiring the website owner to take any further actions.

A recent example includes the WordPress REST API vulnerability in core that allowed arbitrary code injection from any user. The Sucuri Firewall was able to inspect all requests attempting to exploit the vulnerability and block them before they reached the application. The same goes for any vulnerability that might be disclosed in the future. In a matter of minutes, the technology is able to patch sites globally without the website owner having to take any action.

This is especially helpful for organizations that have stringent configuration control processes dictating how production environments can be updated, or for organizations that are unaware an issue even exists. At the core of the technology, the WAF intercepts malicious requests as they travel from your visitor’s local environment to your web server, and in a fraction of a second it decides whether the request is good or bad.
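To make the virtual patching idea concrete, here is an added example (written for this article, not Sucuri's rule engine or signatures) of how an edge inspector matches a request against patch rules before it reaches the application. The single rule is constructed for illustration: on a REST endpoint whose path already carries a numeric resource id, it requires a query parameter named "id" to be strictly numeric on write methods; it is not presented as the rule for the WordPress vulnerability mentioned above.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set
from urllib.parse import parse_qs, urlsplit

Query = Dict[str, List[str]]


@dataclass
class Request:
    method: str
    url: str  # path plus optional query string, as received at the edge


@dataclass
class VirtualPatch:
    """One edge rule: scoped to methods and a path shape, with a predicate
    that returns True when the request violates the patched constraint."""
    name: str
    path: "re.Pattern[str]"
    violates: Callable[[Request, Query], bool]
    methods: Set[str] = field(default_factory=lambda: {"POST", "PUT", "PATCH", "DELETE"})


def id_not_strictly_numeric(req: Request, query: Query) -> bool:
    # Constructed constraint: every "id" value must be digits only.
    return any(not v.isdigit() for v in query.get("id", []))


PATCHES: List[VirtualPatch] = [
    VirtualPatch(
        name="rest-posts-id-type",  # constructed rule name
        path=re.compile(r"^/wp-json/wp/v2/posts/\d+/?$"),
        violates=id_not_strictly_numeric,
    ),
]


def inspect(req: Request) -> Optional[str]:
    """Return the name of the virtual patch that blocks req, or None to let
    the request through to the origin unchanged."""
    parts = urlsplit(req.url)
    query = parse_qs(parts.query, keep_blank_values=True)
    for patch in PATCHES:
        if req.method.upper() not in patch.methods:
            continue
        if patch.path.match(parts.path) and patch.violates(req, query):
            return patch.name
    return None
```

Because the decision is made on the request shape rather than on the application's code, the same rule protects every site behind the edge the moment it is deployed, which is what lets a cloud WAF cover a disclosed vulnerability before each site owner updates.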
