WAF Design
Crafting a Robust WAF Design
Requirements
A WAF blocks incoming traffic in one of two ways (more details here):
Blocklists, which protect against known attacks, and
Allowlists, which only admit pre-approved traffic.
A blocklist is analogous to a bouncer at a club who lets anyone in as long as they fit the dress code, whereas an allowlist is an exclusive club where only members on the invite list are allowed in.
There are benefits to either of these implementations, which is why most WAFs come as hybrid models. Due to time constraints, I will only implement a blocklist WAF for now, which will scan for the following attacks: SQLi and XSS. I will add the allowlist to the roadmap.
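The blocklist core described above, as an added example that is not the project's own code: request fields are normalised (percent-decoded and lowercased) and then checked against a small signature table for SQLi and XSS. The signature table, the `Verdict` type and the `inspect` function are assumptions for illustration, and the sample requests in `main` are constructed.

```rust
// Added example, not the project's code. Signatures and names are assumptions.
#[derive(Debug, PartialEq)]
pub enum Verdict {
    Allow,
    Block { attack: &'static str, signature: &'static str },
}

/// Blocklist signatures: (attack class, lowercase pattern to look for).
const SIGNATURES: &[(&str, &str)] = &[
    ("sqli", "union select"),
    ("sqli", "' or 1=1"),
    ("sqli", "sleep("),
    ("xss", "<script"),
    ("xss", "javascript:"),
    ("xss", "onerror="),
];

/// Percent-decode, turn '+' into space and lowercase, so trivially encoded
/// variants of a signature still match. Invalid escapes are kept verbatim.
pub fn normalize(input: &str) -> String {
    let bytes = input.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        if bytes[i] == b'%' && i + 2 < bytes.len() {
            let hex = std::str::from_utf8(&bytes[i + 1..i + 3]).ok();
            if let Some(v) = hex.and_then(|h| u8::from_str_radix(h, 16).ok()) {
                out.push(v);
                i += 3;
                continue;
            }
        }
        out.push(if bytes[i] == b'+' { b' ' } else { bytes[i] });
        i += 1;
    }
    String::from_utf8_lossy(&out).to_lowercase()
}

/// Inspect the attacker-controlled parts of a request; first hit wins.
pub fn inspect(path_and_query: &str, body: &str) -> Verdict {
    for field in [path_and_query, body] {
        let norm = normalize(field);
        for &(attack, sig) in SIGNATURES {
            if norm.contains(sig) {
                return Verdict::Block { attack, signature: sig };
            }
        }
    }
    Verdict::Allow
}
```

Each signature table entry is lowercase because matching happens on the normalised string; in a real deployment the decision and the matched signature would be logged for tuning false positives.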
Implementation
There are three ways a WAF can be implemented:
Reverse Proxy: Implement the WAF as a reverse proxy server, such as NGINX or Apache with a Rust-based module or middleware.
Library: Integrate the WAF logic directly into your web application code using a Rust library.
Standalone Binary: Develop a standalone Rust binary that acts as a WAF and sits in front of your web application server, inspecting and filtering incoming traffic.
Reverse Proxy
Works at the network level, intercepting requests before they reach the web server.
Offers a clear separation between the WAF and the web server, making it easy to switch WAF implementations or configurations.
Can be used with different web servers and technologies.
Requires configuration of web server settings and potentially additional server hardware.
Can introduce a level of complexity in routing and load balancing if multiple web servers are involved.
Limited to HTTP/HTTPS traffic.
Library Integration
Direct integration with the application code allows for fine-grained control over request processing.
Easier to access and modify the application's data structures and logic.
Can be used with non-HTTP protocols or non-standard web applications.
Complex to implement and maintain, as the WAF logic is tightly coupled with the application.
May require substantial code changes if the web application is already developed.
Difficult to change or switch WAF implementations without extensive code updates.
Standalone Binary
Provides a dedicated, isolated layer for filtering traffic before it reaches the web server.
Can be deployed without altering the existing application code or server configuration.
Suitable for protecting multiple web servers or services behind a single entry point.
Offers flexibility for scaling and load balancing.
Requires additional network configuration to route traffic through the standalone WAF.
May add latency to requests as they pass through the extra layer.
Requires separate deployment and maintenance from the application, potentially leading to operational overhead.