Conditions

Specify what elements of the incoming HTTP/HTTPS request you want the WAF to monitor; some examples of the conditions WAF can operate on:

• cookies exploitable by cross-site scripting
• sizes of various parts of requests, such as the header, HTTP method, query string, query parameter, URI, body
• database queries vulnerably to potential SQL injection attacks
• string and regex matching from the requests themselves

Additionally such conditions may also be combined with traditional firewall policies based on source/destination IP addresses, network interface controllers, etc.

Rules & ACLs

• WAF rules allow one or more conditions such as the examples shown above to be compiled to lists, where they are AND'd to form the complete WAF rules.
• Access control lists (ACLs) can then specify which rules to apply to which application, service, host, etc. that comprise your actual web application
• Rule actions are typically: allow, block, drop, limit, forward, log, count, etc.

Databases

Many WAFs also come with or can readily access extensive lists of known risk vectors, providing useful features such as:

• real-time blacklist lookups
• compromised credential warnings
• malware & botnet detections
• IP reputation

Security Modes

• Negative security: looks for known bad, malicious requests; effective at blocking a large number of automated attacks, however not the best approach for identifying new attack vectors. And too many negative rules may negatively impact performance.
• Positive security: only requests that are known to be valid are accepted,with everything else rejected by default. Works best with applications that are heavily used but rarely updated
• Virtual patching: provide buffer time to fix your application's vulnerabilities by patching "from the outside", i.e. without touching the application source code (and even without any access to it). Equally effective and applicable to securities found in your application's dependencies. Thereby securing your system until a proper upstream or application patch is produced.
• Extrusion detection: monitor outbound data and identify and block information disclosure issues such as leaking detailed error messages orSocial Security Numbers or Credit Card Numbers

The WAF security model and policies leverage a combination technological approaches and paradigms, such as signatures, validations, behavioral monitoring, databases, various modes, conditions, rules, ACLs and much more to achieve its solid protective effect, providing massive security enhancements in a modest increase in technological complexity.

Shared Hosting

One of the most popular hosting types due to its low cost and ease of managing services (through the hosting provider). However, due to the lack of dedicated resources, bad performance, lack of automation and integration with developer tools, a shared hosting platform is usually not recommended.

Self-Managed/Self-Hosted

This type is usually deployed as either a virtual private server (VPS) or as part of a dedicated hosting plan. Due to its benefits of offering unrestrictive usage with more resources, platform upgrades and root access, a VPS is usually preferred by those who have specific platform requirements that cannot be served through shared hosting.
Dedicated hosting allows users exclusive use of servers with their own choice of hardware, platforms, and resource allocations. As a result, a user has absolute control to optimize the server based on his requirements to make it highly-scalable, highly-available, and on-demand.
Both deployment options provide greater flexibility than shared hosting plans, but at the cost of a lot more maintenance efforts and zero out of the box conveniences.

Hosted WAF as a service

Another option is to use dedicated WAF-specific hosting services.
This essentially sets up your WAF as a reverse proxy, except instead of acting as a load-balancer for example, it’s set-up to perform firewall duties. For mature businesses whose needs are relatively static, this could be a feasible option.
But for most businesses competing in the increasingly dynamic technological spaces nowadays, being able to easily adapt and quickly pivot as business objectives and product specifications evolve is an important ability.
Not to mention the increased costs that typically involve both charges per request and huge monthly premiums.

Developer Friendly

It is important to check if your hosting provider supports high-availability and zero-downtime deployments, as well as regular software and security policy updates for your WAF.

Ease of integration and deployment

You should check how convenient the hosting provider makes integrating, deploying and maintaining their WAF service as the security gateway to your web application stack.

Scalability

Prefer to go with a hosting provider who provides seamless auto-scaling options and load-balancing during times of high-resource utilization and consumption spike.

Advanced Platform Features

As an added advantage, look for other key aspects which might be critical for your WAF-guarded web application. More importantly, ensure that you opt for the right platform configurations, including:

• Resources monitoring
• Logging and console access for easier debugging
• Other platform features (flexible CPU cores, SSD, DDoS, CDN, Automated Backups, etc.)
• Costs (many cloud WAF hosting platforms can be quite expensive)

Host your WAF applications on the edge

Deploy a WAF for your web apps to multiple global regions at the same time.
Increase the performance and lower your global latency. This can be performed as easily as spinning up any Docker container that you’d normally use for your core application. Many prebuilt images of industrial grade WAFs such as ModSecurity are readily available from Docker Hub.
Besides the great ease of deployment conferred by hosting WAFs on the edge using Docker containers, this also has the advantage of being comparably much more affordable and economical to users such as yourself. In short, when set-up correctly, this option really does offer the best of all worlds.

With appfleet, developers can deploy a WAF such as ModSecurity globally to multiple regions at the same time with a simple to use UI. This not only results in better security for your web applications, but also ensures superior performance and high-uptime.

appfleet’s WAF hosting features also include:

• Intuitive and simple to use web UI instead of config files and command line tools
• Unique Global Multi-Region deployments
• High-Availability, High-Performance, and Low Latency
• Logs and console for easier debugging in production
• Ease of deployment and low costs made possible by Docker
• Integrated metrics and monitoring
• Affordable pay-as-you-go plans