network background popup

The Difference Between Positive VS Negative WAF ?

Dec 14th 2016

The resurgence in Positive security of late has been a refreshing change to the security landscape dominated by anti-virus scanners, IDS/IPS, and antispam engines. The resurgence is most noticeable in the field of Web Application Security where Web Application Firewalls have been adopting a Positive Security model to combat the fast paced and ever changing threats they face. However even with the rise of Positive Model Security within the field of Web Application Security there are still divergent views on the best security method.

Positive Model WAF looks to allow access to specific characters or via specific rules. This means that each rule added provides greater access and conversely having no rules in place will block everything by default. This model has the benefit of severely limiting the vectors an attacker can exploit simply because everything that is not expressly allowed is automatically blocked. The issue with this approach is that it tends to require a high level of care and input from the company implementing it to ensure that legitimate customers are not being blocked by overaggressive rules. This type of confusion can usually be eliminated after a few rounds of "whitelisting" (creating rules for legitimate actions) when the service is first implemented.

Negative Model WAF works on the premise that most attackers are using exploits that have already been uncovered. By blocking these exploits and by creating patches or updates for new vulnerabilities that occur, the client will have to do very little besides ensuring that their WAF is up to date to remain secure. This model also alleviates stress over legitimate users being blocked as it is designed to prevent only known illegitimate actions from occurring. The issue with this model is that it depends on the team maintaining the WAF to stay up to date on exploits as they come out and allows attackers much greater freedom to find new vectors as anything that is not being expressly blocked is open for them to try. Given that there are new exploits discovered every day, you could become a victim as this new exploit has not reached your WAF administrator yet and therefore there is no rule in place to protect you. The negative model also referred to as a "Signature based" WAF, must be constantly updated. In 2014 Symantec stated, after 2 weeks that the majority of anti virus software vendors had yet to update their software for zero day exploits. In other words a zero day attack should be renamed to 14 day attack, that's scary !

In Summary

Positive model:

  • You decide what is valid, everything else is blocked
  • Pros: Much Better protection compared to Negative Model
  • Cons: Requires "Whitelisting" in order to not block legitimate visitors

Negative Model:

  • You decide what is not valid and allow everything else
  • Pros: Easier to implement in most cases
  • Cons: You are vulnerable to any vectors(zero day attacks) that don't have signatures in your WAF.

**At DOSarrest we employ a Cloud based Positive WAF model. Most of the other Cloud based WAF providers are using a negative model, whereby they have to manage 10's of thousands of signatures.

Ben Mina-Coull
Quality Assurance
DOSarrest Internet Security

Added By : Ben Mina Coull

DDoS Article Categories