Edgecast Web Application Firewall Administration Guide

Disclaimer

Care was taken in the creation of this guide. However, Edgecast cannot accept any responsibility for errors or omissions. There are no warranties, expressed or implied, including the warranty of merchantability or fitness for a particular purpose, accompanying this product.

Trademark Information

EDGECAST is a registered trademark of Verizon Digital Media Services Inc.

About This Guide

Transact - Web Application Firewall Administration Guide
Version 2.60.300
8/30/2021
©2021 Verizon Media. All rights reserved.

Table of Contents

Web Application Firewall (WAF)
    Introduction
Configuration
    Overview
    Profiles
        Threat Detection (Legitimate Traffic)
        Production Traffic
        Profile Configuration
        Profile Management
    Instances
        Handling Detected Threats
        Instance Management
        Activating/Deactivating an Instance
    Best Practices
        Setup
Threat Analysis (Dashboard)
    Overview
    Usage
        Chart View
        Event Log View
        Filters
User Experience
    Overview
Appendix A
    Country Codes (ISO 3166)
Appendix B
    Matched On Variables

Web Application Firewall (WAF)

Introduction

Many web sites, web applications, and web servers receive and process requests from outside a company's protected internal network. As a result, they are vulnerable to a variety of malicious attacks including SQL injections, cross-site scripting, and application layer distributed denial of service (DDoS). This exposure poses a threat to your infrastructure and the confidentiality, integrity, and availability of the data delivered by those resources over the Internet. These types of attacks can result in unauthorized access to content, the loss of personally identifiable information (PII), and the dissemination of private/copyrighted information.

The Web Application Firewall (WAF) service provides a layer of security between many of these security threats and your external web infrastructure. Our WAF increases security by monitoring, detecting, and preventing application layer attacks. It inspects inbound HTTP/HTTPS traffic against reactive and proactive security policies and blocks malicious activity in-band and on a real-time basis.
There are various layers to the protection provided to an origin server via Web Application Firewall, such as:

• Inherent protection from DDoS attacks. Our worldwide presence establishes an imposing and extensive barrier between an origin server and malicious traffic, regardless of whether it consists of a high-volume HTTP GET flood attack or a slow DDoS attack.
• Protection from application layer attacks. Enable a comprehensive set of threat detection measures for the purpose of identifying malicious traffic. These measures define the types of application layer attacks that will be detected, such as:
    o Protocol validation
    o Malicious client identification
    o Generic attack signatures
    o Known vulnerabilities signatures
    o Trojan/backdoor access
    o Denial of Service
• Filtering out unwanted traffic by screening for a custom delivery profile. Traffic that doesn’t meet the requirements defined in this HTTP delivery profile may be blocked before it even reaches our core network.
• Establishing traffic restrictions to block malicious traffic. Use a whitelist, blacklist, or accesslist to restrict traffic by ASN, country, IP address, referrer, URL, user agent, HTTP method, media type, and/or file extension.

The following diagram illustrates how traffic is screened before it can ever reach our core network. The distributed nature of our worldwide network provides an additional layer of protection to origin servers.

[Figure: Securing an Origin Server via WAF]

Configuration

Overview

The configuration of Web Application Firewall consists of three sequential steps. Once all three steps have been performed, near-real-time threat monitoring may be performed through the dashboard.

A brief overview for each WAF setup step is illustrated below.
[Figure: Configuring Web Application Firewall]

Additional information on each WAF configuration step is provided below.

Step 1: Create Profile
Define a security policy for inbound HTTP/HTTPS traffic that defines:
• Whitelists, blacklists, and/or accesslists for ASNs, countries, IP addresses, referrers, URLs, user agents, HTTP methods, media types, and file extensions.
• A threshold for threat detection and the types of threat detection policies that will be enacted.

Step 2: Create Instance
Select the profiles that may be applied to site traffic and the manner in which detected threats may be handled. An instance defines:
• A profile that may be applied to production traffic.
• How potential threats are handled.
• A profile that may be used to audit production traffic.

Step 3: Activate Instance
Define both of the following items through HTTP Rules Engine:
• The type of requests that should be secured by Web Application Firewall.
• The instance that identifies the profile(s) that may be used to secure/audit site traffic.

Tip: Different types of requests may require varying levels of protection. Create a profile and an instance for each type of request that requires a unique level of protection.

Profiles

A profile defines the set of security restrictions that will be applied to inbound HTTP/HTTPS traffic.

Threat Detection (Legitimate Traffic)

A profile defines the criteria for determining whether traffic is legitimate or malicious. WAF leverages this security configuration and performs a sequential check for each criterion. An overview of this security check is provided below.

1. Does the request meet a whitelist criterion? If so, it is considered legitimate and no further checks will be performed.
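Because a whitelist match ends the check sequence before any other criterion is evaluated, each whitelist entry is worth reviewing for how easily unrelated traffic could satisfy it. The following audit is an added example, not part of the Edgecast guide or product. The dictionary layout, its key names, and the prefix thresholds are assumptions made for illustration.

```python
import ipaddress

# Headers written by the client itself, so any sender can present a listed value.
CLIENT_SUPPLIED = {"referrer", "user_agent"}
# Criteria that match very large client populations.
BROAD = {"country", "asn"}
# Assumption: ranges wider than these prefixes deserve a manual review.
MIN_PREFIX = {4: 24, 6: 64}


def audit_whitelist(whitelist):
    """Return (dimension, value, reason) for each whitelist entry worth reviewing."""
    findings = []
    for dimension, values in whitelist.items():
        for value in values:
            if dimension in CLIENT_SUPPLIED:
                findings.append((dimension, value, "client-supplied header"))
            elif dimension in BROAD:
                findings.append((dimension, value, "matches many unrelated clients"))
            elif dimension == "ip":
                try:
                    net = ipaddress.ip_network(value, strict=False)
                except ValueError:
                    findings.append((dimension, value, "not a valid IP or CIDR"))
                    continue
                limit = MIN_PREFIX[net.version]
                if net.prefixlen < limit:
                    findings.append((dimension, value, f"wider than /{limit}"))
    return findings


# Constructed sample; the key names are hypothetical, not Edgecast's schema.
SAMPLE_WHITELIST = {
    "ip": ["203.0.113.10", "198.51.100.0/22", "2001:db8::/32", "10.0.0.300"],
    "country": ["US"],
    "user_agent": ["InternalHealthCheck/1.0"],
    "url": ["/status"],
}

if __name__ == "__main__":
    for dimension, value, reason in audit_whitelist(SAMPLE_WHITELIST):
        print(f"{dimension:<11}{value:<26}{reason}")
```

Entries that produce no finding, such as the single host address and the URL, are not assessed further by this sketch.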