Search code examples
securitykubernetessql-injectionweb-application-firewallip-restrictions

Is a WAF necessary on Kubernetes?


When reading blog posts about WAFs and Kubernetes, it seems 90+ % of the posts are written by WAF-providers, while the remaining posts seem to be sceptical. So I would like to hear what your experiences are with WAFs, do they make sense, and if so can you recommend any good open-source WAFs? We are currently not allowed to used American cloud providers, as we work with "person data", and the Schrems II judgement has indicated that unencrypted "person data" is not allowed on their platforms (even if on EU servers).

To my understanding WAF help with the following:

  1. IP-whitelists/blacklists
  2. Rate Limits
  3. Scanning of HTTPS requests for SQLi and XSS
  4. Cookie Poisoning and session-jacking
  5. DDOS (requires a huge WAF cluster)

But I would also think that these problems can be handled elsewhere:

  1. IP-whitelists/blacklists can be handled by the Loadbalancer or NetworkPolicies
  2. Rate Limits can be configured in the Ingress
  3. Handling of SQLi and XSS is done by input sanitization in the application
  4. Server-side sessions bound to IPs can prevent poisoning and jacking
  5. DDOS are hard to absorb, so I have no native solution here (but they are low risk?)

Sure, I can see the advantage in centralizing security at the access gate to the network, but from what I have read WAFs are hard to maintain, they have tons af false positives and most companies mainly use them to be compliant with ISO-standards, and mainly in "monitoring mode". Shouldn't it be secure enough to use SecurityPolicies, NetworkPolicies, Ingress Rules and Loadbalancer Rules rather than a WAF?


Solution

  • A good waf does a lot more than that, and it is independent of the deployment model (kubernetes or else).

    A waf can

    • Detect and prevent application level exploits far beyond sqli and xss. Sure, you can make a secure application... but can you actually make a secure application? (A team of sometimes changing developers usually cannot.)
    • Detect and prevent vulnerabilities in underlying layers, like nginx or the OS - or maybe even kubernetes itself.
    • Provide hotfixing known vulnerabilities until they are actually fixed in the code or patched in the underlying component (like for example preventing certain values for certain parameters you know are vulnerable and so on).

    So in short, yes, a waf does make sense with k8s too, in fact it is not dependent on the deployment model. A waf is just a layer 7 firewall that understands http, and can look into traffic to find flaws and prevent exploits.

    Update:

    For example a recent vulnerability was log4shell, in log4j. In a request it was possible to run arbitrary stuff on servers due to a framework level (3rd party) vulnerability. A good, regularly updated waf would prevent that probably even before you read about the problem.

    Spring4shell was a somewhat similar vulnerability in Spring, that can also be prevented by wafs. So could Heartbleed, a vulnerability in openssl.

    There was a php vulnerability quite a while ago that involved a magic number, sent as any parameter.

    Command injection vulnerabilities in any application or component follow specific patterns, and so on.

    A waf also has more generic patterns for usual application vulnerabilities including (but not limited to) sql injection and xss. Sure, your application could be secure and not have these. But especially over time, it will for sure be vulnerable, even the best team cannot produce bug free code, and that applies to security bugs too.

    As a web application is usually only accessible through http, ALL of that is available for capture for a component that understands http. All application layer attacks (and that's a lot) will come through http and a waf at least in theory is capable of preventing them. Surely it will not always recognize everything, it's not magic, and again, you could all implement it yourself. But it would be very difficult and time consuming. The same as you would not implement an API gateway or a network firewall, you would want to use a WAF to provide a layer of protection to your application and it's underlying components.

    On the other hand, it's true that it takes some time to configure for your specific scenario and application. At first, it will probably produce false positives. Then you can decide how to manage those, you can disable entire rules, or remove certain pages or parameters from checks and so on. It does involve some work, maybe a lot for a very complex application. But when it's configured, it provides an additional layer of protection against threats you may not even have currently, but will in the future.

    WAF suggestions:

    If you are running managed kubernetes (AWS EKS, Azure AKS and the like) then probably your cloud provider's waf is the best choice due to easy setup and good integration (though I understand that might not be an option for you). I don't know of a good one apart from modsecurity if you are running your own. Naxsi would come to mind, and while I don't have experience with it, its functionality seems very limited compared to other options and what's described above.