The Difference Between Positive vs. Negative WAF?

on December 14, 2016

The recent resurgence of Positive security has been a refreshing change to a security landscape dominated by anti-virus scanners, IDS/IPS, and anti-spam engines. The resurgence is most noticeable in the field of Web Application Security, where Web Application Firewalls (WAFs) have been adopting a Positive Security model to combat the fast-paced and ever-changing threats they face. However, even with the rise of Positive Model Security within Web Application Security, there are still divergent views on the best security method.

A Positive Model WAF allows access only to specific characters or via specific rules. Each rule added grants greater access; conversely, having no rules in place blocks everything by default. This model has the benefit of severely limiting the vectors an attacker can exploit, simply because everything that is not expressly allowed is automatically blocked. The issue with this approach is that it tends to require a high level of care and input from the company implementing it to ensure that legitimate customers are not being blocked by overaggressive rules. This kind of false blocking can usually be eliminated after a few rounds of “whitelisting” (creating rules for legitimate actions) when the service is first implemented.

A Negative Model WAF works on the premise that most attackers use exploits that have already been uncovered. Because the WAF blocks these exploits and receives patches or updates for new vulnerabilities as they occur, the client has to do very little to remain secure besides ensuring that their WAF is up to date. This model also alleviates stress over legitimate users being blocked, as it is designed to prevent only known illegitimate actions from occurring. The issue with this model is that it depends on the team maintaining the WAF to stay up to date on exploits as they come out, and it allows attackers much greater freedom to find new vectors, since anything that is not expressly blocked is open for them to try. Given that new exploits are discovered every day, you could become a victim because a new exploit has not yet reached your WAF administrator and therefore no rule is in place to protect you. The negative model, also referred to as a “signature-based” WAF, must be constantly updated. In 2014 Symantec stated that, after 2 weeks, the majority of anti-virus software vendors had yet to update their software for zero-day exploits. In other words, a zero-day attack should be renamed a 14-day attack. That’s scary!
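The two models described above, run side by side over the same requests. This is an added example, not DOSarrest code: the signature set, the per-parameter rules for a hypothetical search endpoint, and the sample requests are all constructed for illustration.

```python
import re

# Negative model: allow by default, block only known-bad signatures (constructed sample set).
SIGNATURES = [re.compile(p, re.I) for p in (r"<script\b", r"\bunion\s+select\b", r"\.\./")]

# Positive model: block by default. Hypothetical per-parameter rules for a search
# endpoint; a parameter with no rule, or a value outside its rule, is blocked.
ALLOW_RULES = {
    "q": re.compile(r"[A-Za-z0-9 ]{1,64}"),
    "page": re.compile(r"[0-9]{1,4}"),
}

def negative_waf(params):
    """Return True (allow) unless some value matches a signature."""
    return not any(sig.search(v) for v in params.values() for sig in SIGNATURES)

def positive_waf(params, rules=ALLOW_RULES):
    """Return True (allow) only if every parameter fully matches its rule."""
    return all(k in rules and rules[k].fullmatch(v) for k, v in params.items())

def whitelist(rules, name, pattern):
    """One 'whitelisting' round: return a copy of the rules with one rule added or widened."""
    updated = dict(rules)
    updated[name] = re.compile(pattern)
    return updated

# Constructed requests. "{{UNSEEN-PATTERN}}" is a placeholder for any input
# that no signature has been written for yet.
REQUESTS = [
    ("normal search", {"q": "ddos protection", "page": "2"}),
    ("known signature", {"q": "<script>alert(1)</script>", "page": "1"}),
    ("no signature yet", {"q": "{{UNSEEN-PATTERN}}", "page": "1"}),
    ("legit, not yet whitelisted", {"q": "O'Brien & Sons", "page": "1"}),
]

def evaluate(rules=ALLOW_RULES):
    """Return {label: (negative_allows, positive_allows)} for the sample requests."""
    return {label: (negative_waf(p), positive_waf(p, rules)) for label, p in REQUESTS}

if __name__ == "__main__":
    for title, rules in (("initial rules", ALLOW_RULES),
                         ("after whitelisting", whitelist(ALLOW_RULES, "q", r"[A-Za-z0-9 '&]{1,64}"))):
        print(title)
        for label, (neg, pos) in evaluate(rules).items():
            print(f"  {label:28} negative={'allow' if neg else 'block'}  positive={'allow' if pos else 'block'}")
```

The unsigned input passes the negative model in both runs, while the positive model blocks it and stops blocking the legitimate customer only once a rule is widened for them.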

In Summary

Positive Model:

  • You decide what is valid; everything else is blocked
  • Pros: Much better protection compared to the Negative Model
  • Cons: Requires “whitelisting” in order to not block legitimate visitors

Negative Model:

  • You decide what is not valid and allow everything else
  • Pros: Easier to implement in most cases
  • Cons: You are vulnerable to any vectors (zero-day attacks) that don’t have signatures in your WAF

At DOSarrest we employ a Cloud-based Positive WAF model. Most of the other Cloud-based WAF providers are using a negative model, whereby they have to manage tens of thousands of signatures.

Ben Mina-Coull
Quality Assurance
DOSarrest Internet Security

Source: https://www.dosarrest.com/ddos-blog/the-difference-between-positive-vs-negative-waf
