We released a new set of managed rules, Protocol Enforcement by WafCharm.

Table of Contents

  1. Introduction
  2. What is AWS Managed Rules?
  3. What is Protocol Enforcement by WafCharm?
  4. How to use Protocol Enforcement by WafCharm effectively
  5. Conclusion

1. Introduction

We released a new third-party managed rule set for AWS WAF called Protocol Enforcement by WafCharm! If you are using AWS WAF v2, you can easily set it up and implement it from the management console to enhance web security. In this blog post, we will explain this rule set and how to use it effectively.

2. What is AWS Managed Rules?

Firstly, please see the blog posts below for information about the managed rules.

As explained in the posts above, managed rules are a set of rules written, curated, and managed by AWS or AWS Marketplace Sellers that can be easily deployed on AWS WAF. Cyber Security Cloud also released three managed rules.

Each rule set is provided for use cases such as addressing vulnerabilities represented by the OWASP Top 10 and vulnerabilities specific to API Gateway/Serverless environments. A new rule set called "Protocol Enforcement by WafCharm" has been added to this lineup.

3. What is Protocol Enforcement by WafCharm?

As the name suggests, the HTTP requests that a WAF inspects are written in a format defined by the Hypertext Transfer Protocol. A request is composed of elements such as the “method,” indicating the action you want the server to perform; the “path,” indicating the target resource on the server; and “headers,” carrying various additional information.

Example of an HTTP request

GET /jp/blog HTTP/1.1   # Method: GET, Path: /jp/blog
Host: www.wafcharm.com  # Host header
User-Agent: foobar      # User-Agent header
...

Programs, such as web browsers and commands, are responsible for assembling and sending this information to the server. There is a certain framework, but within that framework, the data sent to the server is up to the program (or its users). Therefore, malicious programs and attackers attempt to embed various crafted data in HTTP requests to exploit vulnerabilities in an application.

Existing rule sets, such as the “HighSecurity OWASP Set” we published in the past, protect your web service by inspecting this crafted data, identifying requests that are (explicit) attacks, and blocking them. While this approach is appropriate and important, it is very difficult to fully address cyber attacks, which become more sophisticated and complex every day, while balancing the risk of false positives. Additionally, where older web application frameworks are used, unexpected attacks could occur because HTTP specifications and their usage differ from what they were at the time of development.

The new managed rule set “Protocol Enforcement by WafCharm” takes a different approach from the above to address this issue broadly and universally. The approach, as suggested by the name of the rule set, involves "enforcing protocols," meaning detecting and blocking requests that violate protocols (or similar issues). Below are some of the examples.

  • A non-numeric string is specified in the Content-Length header, where a numeric value should be specified.
  • A request containing content does not have a Content-Type header.

Violations of such protocols and formats do not directly imply a cyber attack exploiting a vulnerability, but because they do not conform to common practice, such requests are likely to come from malicious programs or bots. Broadly blocking requests that are unlikely to come from typical browsers or applications, before explicitly facing a cyber attack, demonstrates to attackers that robust security measures are in place and also helps defend against attack vectors that older application frameworks may not cover.

4. How to use Protocol Enforcement by WafCharm effectively

Because this rule set takes a completely different approach from previous rule sets as mentioned above, you can enhance the defensive performance by using this rule set with existing rule sets such as the HighSecurity OWASP Set, the API Gateway/Serverless, or our other product WafCharm.

The concept of the rule set is to eliminate suspicious requests as much as possible at an early stage, so we recommend applying this rule set before the existing rule sets or WafCharm’s rules.

Furthermore, even though the rule set’s concept is to conform to the protocols, specific circumstances and unexpected events could occur depending on the characteristics of your websites and services. Therefore, please follow the same process as any other WAF operations and implement the rule set with rule action Count first to confirm that the legitimate requests are allowed as expected, and then change the rule action to Block.
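The two violations listed in section 3 and the Count-then-Block rollout described above, as an added example. This is not the rule set's own logic, which this post does not publish; the function names, labels, and sample requests are constructed for illustration.

```python
from typing import List, Tuple

def parse_request(raw: bytes) -> Tuple[str, str, List[Tuple[str, str]], bytes]:
    """Split a raw HTTP/1.1 request into method, path, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line")
        headers.append((name.strip().lower(), value.strip()))
    return parts[0], parts[1], headers, body

def is_number(value: str) -> bool:
    # Content-Length is 1*DIGIT; isdigit() alone would accept non-ASCII digits.
    return value.isascii() and value.isdigit()

def protocol_violations(raw: bytes) -> List[str]:
    """Return labels (hypothetical names) for the two violations in section 3."""
    _method, _path, headers, body = parse_request(raw)
    found = []
    lengths = [v for n, v in headers if n == "content-length"]
    if any(not is_number(v) for v in lengths):
        found.append("non-numeric-content-length")
    has_content = bool(body) or any(is_number(v) and int(v) > 0 for v in lengths)
    if has_content and not any(n == "content-type" for n, _ in headers):
        found.append("content-without-content-type")
    return found

def decide(raw: bytes, action: str = "count") -> Tuple[str, List[str]]:
    """'count' only records the matches; 'block' rejects a violating request."""
    found = protocol_violations(raw)
    return ("block" if found and action == "block" else "allow"), found

# Constructed sample requests (not captured traffic).
BROWSER = b"GET /jp/blog HTTP/1.1\r\nHost: www.wafcharm.com\r\nUser-Agent: foobar\r\n\r\n"
BAD_LENGTH = (b"POST /form HTTP/1.1\r\nHost: example.com\r\n"
              b"Content-Type: text/plain\r\nContent-Length: abc\r\n\r\nhi")
NO_TYPE = b"POST /form HTTP/1.1\r\nHost: example.com\r\nContent-Length: 2\r\n\r\nhi"

if __name__ == "__main__":
    for sample in (BROWSER, BAD_LENGTH, NO_TYPE):
        print(decide(sample, "count"), decide(sample, "block"))
```

Running every request through `decide` in `count` mode first shows which legitimate clients would match before the action is switched to `block`.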

5. Conclusion

We have explained the concepts and procedures of our new managed rule, Protocol Enforcement by WafCharm. Please consider using the rule set with another existing rule set, such as HighSecurity OWASP Set or API Gateway/Serverless.

Please also consider our product WafCharm if you have challenges implementing rules and customizations in WAF on your own. Not only can you apply powerful rules with easy operations, but we also provide comprehensive support for your web security operations from various perspectives with features such as WAF log alert, analysis, and technical support.