Update: WAF 2.0 has since become mature.
Wooow! Are you ready for something new? Well, we have it! The long-awaited BitNinja WAF 2.0 beta is now here!
Currently, this beta is available to everyone who has a Pro or Trial license. But wait! Before you go running to our Dashboard to switch it on, please take a few minutes to read this article, as it contains lots of super valuable information that will help familiarize you with this brand-new feature.
Why is WAF 2.0 better than other WAF solutions?
• We provide a pre-defined default ruleset for all the websites hosted on your server, to guarantee a low false positive rate.
• You have the option to change the rules or completely disable them per domain.
• You can choose between Log only mode and Active protection per server and per domain.
• You'll have the very handy Lock down feature for emergency situations.
• Completely integrated with the BitNinja ecosystem (global greylist, incident management, etc.).
• Very easy, hassle-free enabling, just like all BitNinja modules.
What is the WAF 2.0 technology stack?
Through the development of the original WAF module, we realized there were way too many features we needed to implement just to catch up with the demands. That's why we decided to change our tech stack and use industry-standard technologies. We looked at the various WAF models and opted for the model used by CloudFlare and Incapsula. WAF 2.0 is based on a very fast reverse proxy engine, the popular nginx 1.12, backed by a well-known, super reliable WAF engine (ModSecurity v3). On top of that comes the battle-tested ruleset from the Open Web Application Security Project, the OWASP CRS v3. This setup works very well, and the performance is killer. In the near future, we plan to regularly update and fine-tune the current ruleset, add additional rulesets and implement more and more rules. We monitor the false positive rates of all rules, and based on our findings we can tweak risky rules on the fly and release the fixes frequently and automatically.
Is it production ready?
We have tested the new WAF 2.0 alpha on more than 50 production web servers in the last 4 months without any major problem. During this period, we fine-tuned the rulesets, created new UI features, improved the protection (HTTPS), etc., according to the feedback and requests. We'd also like to take this opportunity to thank everyone who participated in the alpha test and helped us during the development.
Now everything is ready to release it as a beta. Bugs can happen, as it's still in beta, but our results show it's time to move forward from the alpha.
Also, we have great news for Virtuozzo users: BitNinja WAF 2.0 works 100% well in case of simulated ipset, too!
How to get started – safe implementation
Just like every other BitNinja module, WAF 2.0 is a plug and play module as well.
If you already have the old WAF module enabled on your server, you only have to enable WAF 2.0 on the Dashboard; the old WAF will be disabled automatically, without any outages.
If this is the first time you're switching the firewall on, please read the documentation site beforehand (https://doc.bitninja.io/modules/waf2.html). We also prepared a step-by-step setup guide there for extra-cautious users.
You’ll find a dedicated menu for this module on the left side of the Dashboard. Let’s see what you can do there:
Settings are made for one server at a time. At the top of the page, you can select the specific server.
In the image above, you can see the switch button on the top right side. There you can enable the module. (There’s another way to switch it on: Servers / Module view menu.)
After enabling the module you can enable the HTTPS protection, too.
If the server serves HTTPS, it is recommended to enable the HTTPS protection.
If you scroll down a little, there you’ll see all the domain patterns. Initially, there will be only the default “/” pattern. Domain patterns are similar to virtual hosts of web servers. You can think of a domain pattern as a combination of a host and path with * wildcards.
Newly added patterns will show up here, too.
At the top, you can create new patterns.
The schema is fixed, so it's important to put a / after each pattern to make it work. A * after the / means that the paths below the / are examined, too (e.g. www.yourdomain.com/contact will be protected). Also, if you'd like subdomains to be examined with this pattern, add *. at the beginning.
(It’s not RegEx, but it translates into nginx regular expressions in the background.)
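To make the pattern rules above concrete, here is an added Python illustration (not BitNinja's code and not its actual nginx translation) that compiles such patterns into anchored regular expressions under the semantics just described and picks the pattern covering a given request; the "most literal characters wins" tie-break and the catch-all reading of the default "/" pattern are assumptions.

```python
import re
from typing import List, Optional

# Assumed interpretation of the domain-pattern syntax (illustration only):
#   "<host>/<path>"  host and path separated by the mandatory "/"
#   "*."  at the start of the host also matches any subdomain
#   "*"   elsewhere matches any run of characters, so "/*" covers all sub-paths
#   "/"   alone (empty host) is the default catch-all pattern

def pattern_to_regex(pattern: str) -> re.Pattern:
    """Compile one domain pattern into an anchored regex over 'host/path'."""
    host, sep, path = pattern.partition("/")
    if not sep:
        raise ValueError(f"pattern {pattern!r} needs a '/' after the host part")
    if host == "":
        return re.compile(r"^[^/]+/.*$")                    # default "/" pattern
    if host.startswith("*."):
        host_re = r"(?:[^/]+\.)?" + re.escape(host[2:])     # apex or any subdomain
    else:
        host_re = re.escape(host)
    # literal path segments are escaped; every "*" becomes a wildcard
    path_re = ".*".join(re.escape(seg) for seg in path.split("*"))
    return re.compile(r"^" + host_re + "/" + path_re + r"$")

def matching_patterns(host: str, path: str, patterns: List[str]) -> List[str]:
    """Return every pattern that covers a request; the query string is ignored."""
    target = host.lower() + path.split("?", 1)[0]
    return [p for p in patterns if pattern_to_regex(p).match(target)]

def most_specific(host: str, path: str, patterns: List[str]) -> Optional[str]:
    """Pick one pattern: the matching one with the most literal (non-*) characters."""
    hits = matching_patterns(host, path, patterns)
    if not hits:
        return None
    return max(hits, key=lambda p: len(p.replace("*", "")))

if __name__ == "__main__":
    # constructed sample patterns, as they would be entered on the Dashboard
    configured = ["/", "*.yourdomain.com/*", "www.yourdomain.com/", "www.yourdomain.com/admin/*"]
    for host, path in [("www.yourdomain.com", "/contact?x=1"),
                       ("shop.yourdomain.com", "/cart"),
                       ("www.yourdomain.com", "/admin/users")]:
        print(host + path, "->", most_specific(host, path, configured))
```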
Let’s see what you can set in each pattern:
1. You can access the settings of each pattern by clicking the gear wheel icon.
2. If you need to disable the WAF for some reason, you can do it here.
3. Lock down option: visitors can see the website but are not able to do anything else (e.g. register, upload files, etc.). Why is it good? If the website is very vulnerable, locking it down is a smoother option than blocking all access to it until the problems are fixed.
4. Action: You can choose between two modes here. In Log only, if the module perceives a malicious request, it'll log it but won't greylist the IP. The other option is Challenge and greylist IP (the default), which will not only log the request but also greylist the IP.
5. Ruleset template: There are 3 templates by default: safe minimum, general medium ruleset, general strict ruleset. They differ in the number of enabled rules.
Of course, you can enable/disable any rules in the rulesets:
6. BitNinja Ruleset: A ruleset created by the BitNinja security team. We maintain these rules and keep adding rules for new vulnerabilities.
7. OWASP Core Ruleset: The latest version of the OWASP Core Ruleset. It contains general rules against the OWASP Top 10 vulnerabilities.
8. Triggered: Number of incidents that the given ruleset or rule generated in the last 30 days.
9. False: How many false positives the given ruleset or rule generated. Below 10, you see the actual number; above 10, the percentage of all triggered incidents.
10. Forked: Shows how many rules were changed compared to the chosen template.
11. You can enable/disable the rules here. Please use this switch rule by rule rather than enabling/disabling the whole ruleset.
After making any changes here, don’t forget to click on the Save button.
Managing and creating templates:
You can find a “Manage ruleset templates” button under the add new pattern section. Here you can modify an existing or create a new template. You can set which rules should be enabled in that template.
All saved settings get activated – with a config reload – on your server immediately without any outages.
Feedback and feature requests
We would really appreciate it if you could share your ideas for future WAF 2.0 developments. All feedback, and any specific requests you may have, is important to us, as we take it into consideration when working on our new developments. As our valued Partner, your opinion matters! You can share your experience and/or ideas via email (firstname.lastname@example.org). If there's anything you miss from the WAF 2.0 module, tell us on Wantoo. Thank you in advance for your help and cooperation. It's appreciated. 🙂