EXPERIENCES SO FAR
● GE: Industrial R&D security (Aviation, Power and Water, Renewable Energy, Appliances, Transportation)
● Royal Bank of Scotland: Securing the banking platform, mostly the mortgage division of Coutts
● AT&T: Securing the Media division (HBO, Warner Media)
● Microsoft: Securing the Ad Platform
● Outside org: Reviewer for ISC2, contributor to open source (Virtual Patch / IaC), trainer

Subject Matter Expert on: AppSec | Data Protection | Secure Architecture | Container Security | API Security

What do I do in spare time: XBOX | BLOG | Stories and Movies
CONTENTS 101
01. What is what: Firewall - definition, nomenclature and history; WAF; difference between Firewall and WAF
02. How a WAF works: pattern identifiers, default mechanism, template rules, advanced rules, IP reputation
03. Architecture & placements: look and feel of the rules, signals and GUI
04. Demo, anything I left out that I should have covered, and Q&A
01. What is What
Firewall, nomenclature & history; WAF; difference between Firewall and WAF
What is a Firewall
The name firewall comes from its similarity in purpose to the physical firewalls designed to contain fires and keep them from spreading.
● Firewalls established a barrier between a network that was internal to a company and considered trusted, and an external network that was considered untrusted.
● In a simple sense, a firewall controls what traffic should be allowed into your system and what should be blocked, based on defined rules & patterns.
A firewall is a network security device, delivered as software, a hardware appliance or a SaaS offering, that monitors and filters incoming and outgoing network traffic based on an organization's previously established security policies.
— Common definition
Firewall Evolution
How the firewall was enhanced through the generations

First Generation
● Stateless
● Packet filters based on IP and ports (L3 or L4)
● iptables, OS firewall, basic switches; usage: ACLs
● Limitation: IP spoofing, valid return traffic vs imposter

Second Generation
● Stateful, bidirectional
● Connection / session based; IP and ports (L3 or L4)
● Advanced switches; usage: ACLs, DMZ
● Limitation: good traffic vs bad traffic

2.5 Generation
● Targeted / specialized firewalls
● IPS, UTM, URL filtering
● Up to L5-L7, scaling and performance
● Limitation: signature oriented, no dynamism
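The first-generation limitation above ("valid return traffic vs imposter") is easiest to see by running the same packet trace through a stateless ACL and a stateful filter. The following is an added illustration written for this page, not code from the slides or from any firewall product; the IP addresses, the port-80-only policy and the packet trace are constructed.

```python
"""Added illustration (not from the slides): a first-generation stateless
packet filter beside a second-generation stateful one, fed the same
constructed trace, to show why the stateless one cannot tell genuine return
traffic from an imposter that simply sets its source port to 80."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str   # "in" or "out", relative to the protected network
    syn: bool = False  # True for the first packet of a TCP connection


INSIDE_HOST = "10.0.0.5"  # constructed: a client on the trusted side


def stateless_filter(pkt: Packet) -> str:
    """First generation: decide per packet from IP and port fields only.
    To let inside clients browse, it must admit every inbound packet whose
    source port is 80, which an imposter can spoof at will."""
    if pkt.direction == "out" and pkt.dst_port == 80:
        return "allow"
    if pkt.direction == "in" and pkt.src_port == 80:
        return "allow"  # genuine reply and imposter look identical here
    return "deny"


class StatefulFilter:
    """Second generation: remembers connections opened from the inside and
    admits an inbound packet only when it matches an existing session."""

    def __init__(self) -> None:
        # (inside_ip, inside_port, remote_ip, remote_port)
        self.sessions = set()

    def filter(self, pkt: Packet) -> str:
        if pkt.direction == "out" and pkt.dst_port == 80:
            if pkt.syn:
                self.sessions.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "allow"
        if pkt.direction == "in":
            key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
            return "allow" if key in self.sessions else "deny"
        return "deny"


def run_trace(trace):
    """Return (stateless_decisions, stateful_decisions) for a packet list."""
    stateful = StatefulFilter()
    return ([stateless_filter(p) for p in trace], [stateful.filter(p) for p in trace])


# Constructed trace: one real web session, then an imposter spoofing source port 80
TRACE = [
    Packet(INSIDE_HOST, 40001, "203.0.113.10", 80, "out", syn=True),  # client opens connection
    Packet("203.0.113.10", 80, INSIDE_HOST, 40001, "in"),              # genuine reply
    Packet("198.51.100.7", 80, INSIDE_HOST, 22, "in"),                 # imposter probing SSH "from port 80"
    Packet("198.51.100.7", 80, INSIDE_HOST, 40001, "in"),              # imposter reusing the session's ports, wrong peer
]

if __name__ == "__main__":
    for p, a, b in zip(TRACE, *run_trace(TRACE)):
        print(f"{p.direction:>3} {p.src_ip}:{p.src_port} -> {p.dst_ip}:{p.dst_port}"
              f"  stateless={a} stateful={b}")
```

The stateless filter allows all four packets; the stateful one admits only the genuine reply, because the two imposter packets match no session opened from the inside.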
Firewall Evolution (cont.)

Third Generation
● Stateful, scalable
● Identifies HTTP conversations & application-specific attacks (L7)
● Host-based application firewalls, WAF
● Performance, QoS, non-disruptive

Next-Gen
● Stateful, hybrid, RBAC, user groups
● Deep packet inspection, advanced threat protection (L7)
● Vendor-issued NGFW: Juniper, Cisco, Checkmarx etc.
Web Application Firewall
A web application firewall (WAF) protects web applications (hosted on any platform) from a variety of application-layer attacks such as cross-site scripting (XSS), SQL injection etc. (OWASP Top 10) and beyond.
Port / OSI reference model
Layer 1 Physical
Layer 2 Data Link
Layer 3 Network
Layer 4 Transport
Layer 5 Session
Layer 6 Presentation
Layer 7 Application

NETWORK FIREWALL: operates at Layers 3-4 (Network, Transport)
WEB APP FIREWALL: operates at Layer 7 (Application)
Action Matrix
Based on actions / what the WAF performs:
● Traffic pattern: Audit / Monitor, Block, Allow (supersedes)
● Defined set: Whitelist (supersedes), Blacklist
● Handle / gauge: True positives, False positives, True negatives, False negatives
● RBAC: Read-only (most), App based (app owners), Admin (Ops), Super User / God mode (improvements)
PREVENTIVE & TECHNICAL CONTROL
Basic model: description, example
● Happened nth time: if a malicious event happens n times within a defined period from a particular IP/user. Example: XSS / injection attack / failed-login pattern detected 50 times in a minute: block.
● Reputation: the WAF's global analysis engine. Example: IPs and DCs get flagged as bad actors for 24 hrs globally.
● Templated rules: support zero-days and virtual patching. Example: when there is no patch released or you are not able to patch.
● Complex and advanced rules: complex rules, combinations of rules. Example: Whitelist ~ Blacklisted, Allowed ~ Blocked and track ~ discover.
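The "happened nth time" and "reputation" models above are small enough to run end to end. The following is an added example written for this page, not code from the slides or from any WAF vendor: a sliding-window threshold per client IP (50 malicious events in 60 seconds, as in the slide's example) feeding a 24-hour reputation list. The detection signatures, thresholds, IP addresses and request events are all constructed.

```python
"""Added example (not from the slides): the "happened nth time" and
"reputation" models run over constructed request events. A malicious event
seen n times from one IP inside the window triggers a block, and the IP is
then flagged for 24 hours. Signatures, thresholds and events are constructed."""
import re
from collections import defaultdict, deque
from typing import Optional

# Constructed signatures; a real WAF ships far richer pattern sets (e.g. OWASP CRS)
SIGNATURES = {
    "xss": re.compile(r"<script|onerror=|javascript:", re.I),
    "sqli": re.compile(r"('|%27)\s*(or|and)\s+\d+\s*=\s*\d+|union\s+select", re.I),
}


def classify(event: dict) -> Optional[str]:
    """Map one request event to a malicious-event class, or None if clean."""
    if event.get("status") == 401 and event["path"].endswith("/login"):
        return "failed_login"
    for name, rx in SIGNATURES.items():
        if rx.search(event["path"]) or rx.search(event.get("body", "")):
            return name
    return None


class ThresholdRule:
    """'Happened nth time': block a key (here the client IP) once `threshold`
    malicious events fall inside a sliding window of `window` seconds."""

    def __init__(self, threshold: int = 50, window: int = 60) -> None:
        self.threshold, self.window = threshold, window
        self.events = defaultdict(deque)  # key -> timestamps of malicious events

    def observe(self, key: str, ts: float) -> bool:
        q = self.events[key]
        q.append(ts)
        while q and ts - q[0] > self.window:  # forget events outside the window
            q.popleft()
        return len(q) >= self.threshold


class ReputationList:
    """'Reputation': a flagged IP stays blocked for `ttl` seconds (24 h default)."""

    def __init__(self, ttl: int = 24 * 3600) -> None:
        self.ttl, self.flagged = ttl, {}

    def flag(self, ip: str, ts: float) -> None:
        self.flagged[ip] = ts + self.ttl

    def is_bad(self, ip: str, ts: float) -> bool:
        return ip in self.flagged and ts < self.flagged[ip]


def decide(events: list, rule: Optional[ThresholdRule] = None,
           reputation: Optional[ReputationList] = None) -> list:
    """Return one action per event: 'allow', 'block' or 'block:reputation'."""
    rule = rule or ThresholdRule()
    reputation = reputation or ReputationList()
    out = []
    for ev in events:
        ip, ts = ev["ip"], ev["ts"]
        if reputation.is_bad(ip, ts):                   # already a known bad actor
            out.append("block:reputation")
        elif classify(ev) and rule.observe(ip, ts):     # nth malicious event in window
            reputation.flag(ip, ts)
            out.append("block")
        else:
            out.append("allow")
    return out


# Constructed sample: 50 failed logins from one IP inside a minute, a later
# benign request from the same IP, and a slow attacker who stays under the limit.
EVENTS = (
    [{"ip": "198.51.100.9", "ts": t, "path": "/api/login", "status": 401} for t in range(50)]
    + [{"ip": "198.51.100.9", "ts": 3600, "path": "/index.html", "status": 200}]
    + [{"ip": "203.0.113.4", "ts": 3 * t, "path": "/search?q=<script>", "status": 200} for t in range(49)]
)

if __name__ == "__main__":
    for ev, action in zip(EVENTS, decide(EVENTS)):
        print(ev["ip"], ev["ts"], action)
```

The 50th failed login inside the minute is blocked, the same IP's benign request an hour later is blocked on reputation alone, and the slow XSS probe (one request every 3 seconds) never has 50 events inside any 60-second window, so it is only logged, which is exactly the gap that the reputation and templated-rule models are meant to cover.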
HOW TO RULE 101
Start from the basics:
● OWASP / PortSwigger XSS cheat sheet.
● Analyzing your app environment and traffic pattern.
● Any zero-day.
● How an IaC rule looks.
# Rule 1: mark traffic for the domains in the named list as whitelisted
scope          = "global"
group_operator = "all"
expiration     = ""
conditions {
  type     = "single"
  field    = "domains"
  operator = "inList"
  value    = "instances-scw-cloud" }
actions {
  type    = "Whitelist"
  marking = "scw-cloud" }

# Rule 2: block requests whose method is none of the expected ones.
# group_operator = "all" ANDs the conditions, so a request is blocked only
# when its method differs from every value listed below.
scope          = "global"
group_operator = "all"
expiration     = ""
conditions {
  type     = "single"
  field    = "method"
  operator = "doesNotEqual"
  value    = "DELETE" }
conditions {
  type     = "single"
  field    = "method"
  operator = "doesNotEqual"
  value    = "PATCH" }
conditions {
  type     = "single"
  field    = "method"
  operator = "doesNotEqual"
  value    = "GET" }
conditions {
  type     = "single"
  field    = "method"
  operator = "doesNotEqual"
  value    = "POST" }
conditions {
  type     = "single"
  field    = "method"
  operator = "doesNotEqual"
  value    = "OPTIONS" }
conditions {
  type     = "single"
  field    = "method"
  operator = "doesNotEqual"
  value    = "HEAD" }
conditions {
  type     = "single"
  field    = "method"
  operator = "doesNotEqual"
  value    = "PUT" }
actions {
  type    = "block"
  marking = "wrong-http-method" }
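To make the semantics of such a rule concrete, and to tie it to the action matrix (Whitelist supersedes block), here is an added example written for this page: a toy evaluator for rules of the shape shown above, not the slides' code and not any vendor's rule engine. It assumes that `group_operator = "all"` ANDs the conditions and `"any"` ORs them, that `inList` checks membership in a named list, and that a `Whitelist` action wins over `block`; the named list contents, request fields and requests are constructed.

```python
"""Added example (not from the slides, and not any vendor's engine): a small
evaluator for rules shaped like the IaC snippet above, with conditions of
field / operator / value, a group_operator of "all" or "any", and one action.
It also applies the precedence from the action matrix: a Whitelist match
supersedes a block. Named lists, request fields and requests are constructed."""

# Constructed named list, referenced by the "inList" operator as the page's rule does
LISTS = {"instances-scw-cloud": {"instances.scw.example", "api.scw.example"}}

# Operators used on the page, plus a plain "equals" (constructed) for completeness
OPERATORS = {
    "equals":       lambda actual, value: actual == value,
    "doesNotEqual": lambda actual, value: actual != value,
    "inList":       lambda actual, value: actual in LISTS.get(value, set()),
}


def condition_matches(cond: dict, request: dict) -> bool:
    return OPERATORS[cond["operator"]](request.get(cond["field"]), cond["value"])


def rule_matches(rule: dict, request: dict) -> bool:
    """group_operator "all" ANDs the conditions, "any" ORs them."""
    results = [condition_matches(c, request) for c in rule["conditions"]]
    return all(results) if rule["group_operator"] == "all" else any(results)


def evaluate(rules: list, request: dict) -> str:
    """Final action for one request: Whitelist supersedes block, block supersedes allow."""
    actions = {r["action"]["type"] for r in rules if rule_matches(r, request)}
    if "Whitelist" in actions:
        return "Whitelist"
    if "block" in actions:
        return "block"
    return "allow"


METHODS = ["DELETE", "PATCH", "GET", "POST", "OPTIONS", "HEAD", "PUT"]


def method_rule(group_operator: str) -> dict:
    """The page's 'wrong-http-method' rule: one doesNotEqual condition per method."""
    return {
        "group_operator": group_operator,
        "conditions": [{"type": "single", "field": "method",
                        "operator": "doesNotEqual", "value": m} for m in METHODS],
        "action": {"type": "block", "marking": "wrong-http-method"},
    }


WHITELIST_RULE = {
    "group_operator": "all",
    "conditions": [{"type": "single", "field": "domains",
                    "operator": "inList", "value": "instances-scw-cloud"}],
    "action": {"type": "Whitelist", "marking": "scw-cloud"},
}

# Constructed requests
GET_REQ = {"method": "GET", "domains": "shop.example"}
TRACE_REQ = {"method": "TRACE", "domains": "shop.example"}
TRACE_ON_LISTED_DOMAIN = {"method": "TRACE", "domains": "api.scw.example"}

if __name__ == "__main__":
    print("all, GET  :", evaluate([method_rule("all")], GET_REQ))    # allow
    print("all, TRACE:", evaluate([method_rule("all")], TRACE_REQ))  # block
    print("any, GET  :", evaluate([method_rule("any")], GET_REQ))    # block: OR-ing doesNotEqual blocks everything
    print("whitelist :", evaluate([WHITELIST_RULE, method_rule("all")], TRACE_ON_LISTED_DOMAIN))  # Whitelist
```

The third case is the one to test before deploying a rule like this: with `doesNotEqual` conditions joined by OR, every request satisfies at least one condition (GET is not DELETE), so the rule blocks all traffic; joined by AND it blocks only methods outside the expected set. The fourth case shows the action-matrix precedence, where a whitelisted domain is not blocked even for an unexpected method.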
WAF Strategic Placement
Where you should place it
1 Reverse proxy
2 Sidecar
3 On the frontend
4 SaaS model
5 Customized requirement (Istio, Envoy, serverless, agent only)
6 PaaS model