
Using Web Application Firewalls in Ambassador Edge Stack

Ambassador Edge Stack comes fully equipped with a Web Application Firewall solution (commonly referred to as a WAF) that is easy to set up and can be configured to help protect your web applications by preventing and mitigating many common attacks. To accomplish this, the Coraza Web Application Firewall library checks each incoming request against a user-defined configuration file containing rules and settings for the firewall, and the result of that check determines whether the request is allowed or denied.


Ambassador Edge Stack also provides other request-processing features, such as Filters and Rate Limiting. When Filters, Ratelimits, and WebApplicationFirewalls are all used at the same time, the order of operations is as follows and is not currently configurable.

  1. WebApplicationFirewalls are always executed first
  2. Filters are executed next (so long as any configured WebApplicationFirewalls did not already reject the request)
  3. Lastly Ratelimits are executed (so long as any configured WebApplicationFirewalls and Filters did not already reject the request)

Quickstart

See the WebApplicationFirewall API reference and WebApplicationFirewallPolicy API reference pages for an overview of all the supported fields of the following custom resources.

  1. First, start by creating your firewall configuration. The example will download the firewall rules published by Ambassador Labs, but you are free to write your own or use the published rules as a reference.

  2. Next create a WebApplicationFirewallPolicy to control which requests the firewall should run on. The example will run the firewall on all requests, but you can customize the policy to only run for specific requests.

  3. Finally, send a request that will be blocked by the Web Application Firewall.
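The two custom resources that steps 1 and 2 describe, written out as an added example (this is not the page's own manifest and not Ambassador Labs' published one). The field names follow the WebApplicationFirewall and WebApplicationFirewallPolicy API references as I understand them, so check them against those references for your Edge Stack version; the rule file URLs are placeholders, to be replaced with the URLs of the Ambassador Labs rules or your own files.

```yaml
# Added example, not from the original page. Resource names, namespace and
# rule-file URLs are assumptions/placeholders.
apiVersion: gateway.getambassador.io/v1alpha1
kind: WebApplicationFirewall
metadata:
  name: example-waf
  namespace: default
spec:
  firewallRules:
    # Each entry is one Seclang file. Files are loaded in the order listed,
    # so a setup file that defines variables must come before the rules that
    # use them.
    - sourceType: http
      http:
        url: https://RULES-HOST-PLACEHOLDER/setup-PLACEHOLDER.conf
    - sourceType: http
      http:
        url: https://RULES-HOST-PLACEHOLDER/rules-PLACEHOLDER.conf
---
apiVersion: gateway.getambassador.io/v1alpha1
kind: WebApplicationFirewallPolicy
metadata:
  name: example-waf-policy
  namespace: default
spec:
  rules:
    # host "*" and path "*" run the firewall on every request, as in the
    # quickstart. Narrowing them (for example to one host) lets you onboard
    # services one at a time and watch the logs before widening the policy.
    - host: "*"
      path: "*"
      wafRef:
        name: example-waf
        namespace: default
```

Apply both manifests with `kubectl apply -f`, then, for step 3, send a request that one of the loaded rules matches and confirm the response is the firewall's deny status rather than the upstream's; also send a known-good request first so you can tell a working policy apart from one that denies everything.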

Congratulations, you've successfully set up a Web Application Firewall to secure all requests coming into Ambassador Edge Stack.

Rules for Web Application Firewalls

Since the Coraza Web Application Firewall library powers Ambassador Edge Stack's Web Application Firewall implementation, the firewall rules configuration uses Coraza's Seclang syntax, which is compatible with the OWASP Core Rule Set.

Ambassador Labs publishes and maintains a list of rules to be used with the Web Application Firewall that should be a good solution for most users; Coraza also provides its own ruleset based on the OWASP Core Rule Set. The Ambassador Labs rules also satisfy the PCI 6.6 compliance requirement.

Ambassador Labs rules differ from the OWASP Core ruleset in the following areas:

  • WAF engine is enabled by default.
  • A more comprehensive set of rules is enabled, including rules related to compliance with PCI DSS 6.5 and 12.1 requirements.

See Configuring Ambassador Edge Stack's Web Application Firewall rules for more information about installing Ambassador Labs rules.

For specific information about rule configuration, please refer to Coraza's Seclang documentation.
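To make the Seclang syntax concrete, here is a small rules file of the kind you would load alongside (or instead of) the published ruleset. This is an added example, not a file from the page or from Ambassador Labs; the rule ids, paths and the logging layout are assumptions chosen for illustration, and every directive used here is standard Seclang as implemented by Coraza.

```apache
# Added example, not part of the original page or of any published ruleset.
# Rule ids 100001 and 100002 are assumptions; choose ids that do not collide
# with the ruleset you load next to this file.

# Turn the engine on. "DetectionOnly" evaluates rules and logs matches
# without blocking, which is the usual first setting when onboarding a
# service; switch to "On" once the logs show no false positives.
SecRuleEngine On

# Inspect request bodies, but cap them at 1 MiB and reject anything larger
# rather than letting an oversized body through uninspected.
SecRequestBodyAccess On
SecRequestBodyLimit 1048576
SecRequestBodyLimitAction Reject

# Only GET and POST are expected under /api/. The two SecRule lines form a
# chain: the deny action on the first rule fires only when both match.
SecRule REQUEST_URI "@beginsWith /api/" \
    "id:100001,phase:1,deny,status:405,log,\
    msg:'Unexpected method under /api/',chain"
    SecRule REQUEST_METHOD "!@within GET POST"

# Let the health-check path skip the remaining rules so probes are cheap.
SecRule REQUEST_URI "@streq /healthz" \
    "id:100002,phase:1,pass,nolog,ctl:ruleEngine=Off"

# Write an audit record for every 4xx/5xx outcome to stdout, so container
# logs pick it up (the same approach the published ruleset takes).
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:4|5)\d\d"
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Serial
SecAuditLog /dev/stdout
```

Directive order matters: engine and body-limit settings apply to rules parsed after them, so keep them at the top, and keep the audit-log directives in the same file as the rules whose matches you want recorded.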

Observability

To make Ambassador Edge Stack's Web Application Firewall easier to operate, and to enable automated workflows and alerts, there are three main ways to observe Web Application Firewall behavior.

Logging

Ambassador Edge Stack logs information about requests approved and denied by any WebApplicationFirewalls, along with the reason a request was denied. Where the logs are sent and how much information is logged are controlled by the logging directives in the Coraza rules configuration. Ambassador Labs' default ruleset sends the WAF logs to stdout so they show up in the container logs.

Metrics

Ambassador Edge Stack also outputs metrics about the Web Application Firewall, including the number of requests approved and denied, and performance information.

| Metric | Type | Description |
| --- | --- | --- |
| waf_created_wafs | Gauge | Number of created web application firewalls |
| waf_managed_wafs_total | Counter | Number of managed web application firewalls |
| waf_added_latency_ms | Histogram | Added latency in milliseconds |
| waf_total_denied_requests_total | Counter (with labels) | Number of requests denied by any web application firewall |
| waf_total_denied_responses_total | Counter (with labels) | Number of responses denied by any web application firewall |
| waf_denied_breakdown_total | Counter (with labels) | Breakdown of requests/responses denied and the web application firewall that denied them |
| waf_total_allowed_requests_total | Counter (with labels) | Number of requests allowed by any web application firewall |
| waf_total_allowed_responses_total | Counter (with labels) | Number of responses allowed by any web application firewall |
| waf_allowed_breakdown_total | Counter (with labels) | Breakdown of requests/responses allowed and the web application firewall that allowed them |
| waf_errors | Counter (with labels) | Tracker for any errors encountered by web application firewalls and the reason for the error |
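The metrics above are what an automated alert would be built on. The following PrometheusRule is an added example (not from the page or from the Ambassador Labs dashboard) that turns three of them into alerts. It assumes the Prometheus Operator is installed, that the metrics are scraped under exactly the names in the table (add whatever prefix your scrape configuration applies), that the histogram's buckets are exposed with the usual `_bucket` suffix, and that the thresholds are starting points to tune against your own traffic.

```yaml
# Added example, not part of the original page. Namespace, alert names and
# thresholds are assumptions.
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: edge-stack-waf-alerts
  namespace: monitoring
spec:
  groups:
    - name: edge-stack-waf
      rules:
        # Any firewall error means some requests were not evaluated the way
        # the rules intend, so treat even one as worth a page.
        - alert: WafErrors
          expr: sum(increase(waf_errors[10m])) > 0
          labels:
            severity: critical
          annotations:
            summary: "Edge Stack WAF reported errors in the last 10 minutes"
        # A sustained rise in the share of denied requests is either an
        # attack wave or a rule change that now blocks legitimate traffic;
        # both need a human to look at the WAF logs.
        - alert: WafDenyRatioHigh
          expr: |
            sum(rate(waf_total_denied_requests_total[5m]))
              /
            (sum(rate(waf_total_denied_requests_total[5m]))
              + sum(rate(waf_total_allowed_requests_total[5m]))) > 0.05
          for: 10m
          labels:
            severity: warning
          annotations:
            summary: "More than 5% of requests denied by the WAF for 10 minutes"
        # p99 of the latency the firewall adds; a rising value usually means
        # the ruleset has grown too expensive for the request volume.
        - alert: WafAddedLatencyHigh
          expr: >
            histogram_quantile(0.99,
              sum(rate(waf_added_latency_ms_bucket[5m])) by (le)) > 50
          for: 15m
          labels:
            severity: warning
          annotations:
            summary: "WAF p99 added latency above 50 ms for 15 minutes"
```

The deny-ratio expression divides by allowed plus denied rather than by a separate total metric, so it stays correct if either counter is absent for a short window; the `waf_denied_breakdown_total` metric can be added as a second, per-firewall variant once you know its label names from your scraped data.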

Grafana Dashboard

Ambassador Edge Stack provides a Grafana dashboard that can be imported into Grafana. The dashboard has pre-built panels that help visualize the metrics collected about Web Application Firewall activity. For more information about setting up Prometheus and Grafana to gather and visualize metrics from Ambassador Edge Stack, please refer to the Prometheus and Grafana documentation.