Date:
17 May 2023
Author:
Salsa Digital Security Team

Defense in depth and the edge layer

In today's highly connected digital world, web application security has become a top priority for organisations and developers alike. As Drupal-based applications continue to grow in popularity and complexity, ensuring the protection of sensitive data and application resources is essential. One crucial layer of defense in the Drupal security architecture is the edge layer, which can be secured via a Web Application Firewall (WAF).

WAFs are powerful tools designed to protect web applications from common threats and vulnerabilities. Unlike traditional network firewalls, which focus on blocking unauthorised access to network resources, WAFs specifically target web application layer attacks. By inspecting incoming and outgoing traffic at the application layer, WAFs can detect and block a wide range of malicious requests and data manipulation attempts.

Within the Drupal security layers, WAFs play a vital role in preventing common web application attacks such as SQL injection, Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF). Positioned between the client and the Drupal web application, a WAF serves as a first line of defense, filtering out potentially malicious requests before they reach the application itself.

This whitepaper aims to provide a comprehensive understanding of the security risks and challenges associated with web application protection in the Drupal security architecture. It also presents the top 10 best practices and recommendations for configuring and managing WAFs for Drupal applications. By implementing these best practices, organisations can significantly enhance the security posture of their Drupal applications.

The information presented in this whitepaper is intended for web application developers, DevOps engineers and system administrators responsible for managing Drupal applications. IT security professionals interested in enhancing Drupal application security using WAFs will also find the content valuable. Additionally, business decision-makers looking to improve the overall security posture of their Drupal applications can benefit from the insights and recommendations provided in this whitepaper.

Security risks and challenges

There are 6 main security risks and challenges at the edge layer:

  1. Common injection attacks
  2. WAF misconfigurations
  3. Predictable resource location attacks
  4. Application layer Distributed Denial of Service
  5. Clickjacking attacks

1. Common injection attacks

Drupal applications, like any other web applications, are susceptible to a variety of attacks. These attacks can lead to unauthorised access, data breaches and even the site or server being compromised. Some common web application attacks include SQL injection, Cross-Site Scripting (XSS) or Cross-Site Request Forgery (CSRF).

2. WAF misconfigurations

One of the primary challenges in implementing a WAF is the proper configuration of its security policies. Incorrectly configured policies can result in false positives (where legitimate requests are blocked) or false negatives (where malicious requests are allowed through). Ensuring that the WAF is correctly configured to provide the appropriate level of protection without affecting the application's functionality is a significant challenge.

3. Predictable resource location attacks

Predictable resource location is an attack technique used to uncover hidden website content and functionality. By using brute force techniques, an attacker may locate file and directory names not intended for public viewing. This may then disclose sensitive information from the website such as database information, passwords and internal file paths to other sensitive areas.

4. Application layer Distributed Denial of Service

Application layer Distributed Denial of Service (DDoS) attacks are used by hackers to attack web servers and applications. They work by directing large numbers of HTTP requests at a web page to overload the target servers. Rate-based detection engines are not successful at detecting these types of attacks, as their traffic volume may stay under detection thresholds.

5. Clickjacking attacks

Clickjacking attacks occur on the client side and aim to trick application users into clicking on something different from what they perceive. It is a malicious technique used by an attacker to direct traffic to a specific site or to make a user like or accept a rogue application. More malicious purposes might be to collect sensitive information saved in the browser, such as passwords, or to install malicious content.

Top 10 best practices and recommendations

Below we’ve put together our top 10 best practices/recommendations for securing the edge layer using a WAF.

  1. Regularly update and maintain WAF rulesets
  2. Monitor and analyse WAF logs
  3. Implement positive and negative security models
  4. Balance security and performance
  5. Integrate WAF into the development lifecycle
  6. Implement virtual patching
  7. Enable bot protection
  8. Protect against DDoS attacks
  9. Conduct regular security audits and assessments
  10. Invest in WAF training and education

1. Regularly update and maintain WAF rulesets

Updating and maintaining WAF rulesets is essential for ensuring that the WAF remains effective in protecting against known vulnerabilities and emerging threats.

Security benefits: By regularly updating rulesets, you ensure that your WAF can respond to the latest attack vectors.

Actionable steps:

Note: If you’re using a cloud WAF service, the WAF provider should be updating the WAF regularly with the latest rulesets and handling new threats as they become known. Monitor the provider’s changelogs or newsletters for updates to the WAF and any actions you should take. You should monitor your logs even more closely after a WAF service update to ensure a smooth transition. If you’re managing your own WAF, consider step 2 below. In both cases, steps 1, 3 and 4 are relevant.

  1. Monitor security news sources and vulnerability databases for the latest threats and vulnerabilities relevant to your application and infrastructure.
  2. Update your WAF rulesets to address newly discovered vulnerabilities and emerging attack techniques.
  3. Regularly review and test your WAF configurations to ensure their effectiveness.
  4. Schedule periodic security assessments to validate the WAF's effectiveness and identify areas for improvement.

2. Monitor and analyse WAF logs

Web Application Firewall logs are your window into the inner workings of your WAF and show what traffic is blocked and allowed.

Security benefits: Monitoring and analysing WAF logs is crucial for detecting potential security incidents, understanding attack patterns and optimising WAF policies.

Actionable steps:

  1. Configure your WAF to log all relevant information, including blocked and allowed requests, alert messages and any additional metadata.
  2. Set up log analysis tools or Security Information and Event Management (SIEM) solutions to help identify trends, anomalies and potential threats.
  3. Regularly review logs for signs of emerging threats, attack patterns and potential policy adjustments.
  4. Implement alerts for specific events or conditions that may indicate a security incident.
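As an added example (our code, not the whitepaper's or any WAF vendor's), the script below performs the kind of log review that steps 2 and 4 describe: it parses a constructed batch of WAF log lines, summarises what was blocked and by which rule, and raises an alert when a single client accumulates three blocks within one minute. The JSON-lines format, the field names (ts, client_ip, action, rule_id) and the rule identifiers are assumptions; map them onto whatever your WAF or SIEM actually ingests.

```python
"""Analyse a batch of WAF log lines: count blocked and allowed requests,
surface the noisiest rules and client IPs, and raise an alert when one
client trips several blocks inside a short window.

Added example, not code from the page or any WAF product. The JSON-lines
format and field names (ts, client_ip, action, rule_id, ...) are assumed.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; rule ids are illustrative, not a real ruleset's.
SAMPLE_LOG = """\
{"ts": "2023-05-17T10:00:01Z", "client_ip": "203.0.113.10", "method": "GET", "path": "/user/login", "action": "allow", "rule_id": null}
{"ts": "2023-05-17T10:00:02Z", "client_ip": "198.51.100.7", "method": "GET", "path": "/node/1?id=1%27%20OR%201%3D1", "action": "block", "rule_id": "sqli-001"}
{"ts": "2023-05-17T10:00:03Z", "client_ip": "198.51.100.7", "method": "GET", "path": "/node/2?id=1%27--", "action": "block", "rule_id": "sqli-001"}
{"ts": "2023-05-17T10:00:04Z", "client_ip": "198.51.100.7", "method": "POST", "path": "/user/login", "action": "block", "rule_id": "xss-001"}
{"ts": "2023-05-17T10:00:05Z", "client_ip": "203.0.113.10", "method": "POST", "path": "/contact", "action": "allow", "rule_id": null}
{"ts": "2023-05-17T10:00:06Z", "client_ip": "203.0.113.10", "method": "POST", "path": "/contact", "action": "block", "rule_id": "ctype-001"}
{"ts": "2023-05-17T10:05:30Z", "client_ip": "198.51.100.7", "method": "GET", "path": "/admin/config", "action": "block", "rule_id": "scanner-001"}
"""


def parse_log(text):
    """Parse JSON lines into dicts, converting the timestamp to a datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def summarise(events, top_n=3):
    """Totals plus the rules and client IPs responsible for most blocks."""
    actions = Counter(e["action"] for e in events)
    blocked = [e for e in events if e["action"] == "block"]
    return {
        "total": len(events),
        "blocked": actions["block"],
        "allowed": actions["allow"],
        "top_rules": Counter(e["rule_id"] for e in blocked).most_common(top_n),
        "top_ips": Counter(e["client_ip"] for e in blocked).most_common(top_n),
    }


def find_alerts(events, threshold=3, window=timedelta(minutes=1)):
    """One alert per client IP that reached `threshold` blocks inside any
    sliding `window`; the alert records the first time it happened."""
    by_ip = defaultdict(list)
    for e in events:
        if e["action"] == "block":
            by_ip[e["client_ip"]].append(e["ts"])
    alerts = []
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"client_ip": ip, "blocks": end - start + 1,
                               "window_start": stamps[start]})
                break
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(summarise(evs))
    print(find_alerts(evs))
```

The alert logic is deliberately per-client rather than global: a burst of blocks spread over many clients is noise from scanners, while three blocks from one client in a minute is worth a ticket. Tune the threshold and window against your own baseline before wiring it to a pager.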

3. Implement positive and negative security models

WAFs use a combination of positive security models and negative security models to block malicious traffic while allowing legitimate traffic to pass.

Security benefits: Positive security models define what’s explicitly allowed, while negative security models define what’s explicitly blocked.

Actionable steps:

Note: If you’re using a cloud WAF service, the WAF provider should provide documentation on what WAF settings you can adjust. Ideally, test WAF configuration changes on a development environment first and then in “report mode” before using the settings on your production site.

  1. Determine the appropriate balance between positive and negative security models for your application.
  2. Implement an allow list of allowed HTTP methods, headers and content types to ensure that only valid requests are processed.
  3. Create a block list of known malicious payloads, patterns and behaviours to block known attack vectors.
  4. Regularly review and update the positive and negative security models based on application changes and emerging threats.

4. Balance security and performance

Balancing security and performance is crucial when implementing a WAF.

Security benefits: Overly restrictive policies can lead to a negative user experience, while overly permissive policies may allow malicious traffic to pass through.

Actionable steps:

  1. Test and measure the impact of your WAF configurations on application performance and latency.
  2. Optimise WAF settings to minimise performance impacts while maintaining adequate security levels.
  3. Monitor WAF performance metrics and adjust configurations as needed to maintain a balance between security and performance.
  4. Consider implementing caching, content delivery networks (CDNs) or other optimisation techniques to improve performance.

5. Integrate WAF into the development lifecycle

Software development lifecycles (SDLCs) should be grounded in a security-first approach that incorporates all layers of security including the WAF.

Security benefits: Integrating a WAF into the development lifecycle ensures that security considerations are included throughout the application's design, development and deployment.

Actionable steps:

  1. Include WAF configuration and testing as part of your application's development process.
  2. Conduct regular security testing and vulnerability assessments during development to identify and address potential issues before deployment.
  3. Continuously update and refine WAF policies based on application changes and new threats.
  4. Train developers on WAF configurations and best practices to ensure consistent security measures are applied across the organisation.

6. Implement virtual patching

Virtual patching is the practice of implementing WAF rules to mitigate known vulnerabilities in the application until a permanent fix can be deployed.

Security benefits: Virtual patching provides an additional layer of protection while a more comprehensive solution is developed.

Actionable steps:

  1. Identify known vulnerabilities in your application or infrastructure that may require virtual patching.
  2. Develop WAF rules to mitigate these vulnerabilities by blocking known attack patterns or limiting access to affected resources.
  3. Test and implement the virtual patching rules in your WAF to ensure they effectively mitigate the identified vulnerabilities without impacting legitimate traffic.
  4. Monitor and update the virtual patches as needed, and plan for a permanent fix in the application or infrastructure.
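The following added example (our code, not the whitepaper's or any WAF product's) illustrates both the positive and negative security models from recommendation 3 and the virtual patching from recommendation 6 in one small policy engine: allow lists for methods, headers and content types, regular-expression block-list rules for known attack patterns, a rule scoped to a single path standing in for a virtual patch, and a "report" mode that records matches without blocking, as the note under recommendation 3 suggests for staging a change. The request fields, rule names, patterns, the /contact path and the hypothetical flaw the virtual patch covers are all assumptions chosen for illustration.

```python
"""A miniature WAF policy engine: positive model (allow lists), negative
model (block-list patterns), a path-scoped rule standing in for a virtual
patch, and a report mode that records matches without blocking.

Added example, not code from the page or any WAF product. Request fields,
rule names, patterns and the hypothetical flaw covered by the virtual
patch are assumptions chosen for illustration.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import unquote_plus


@dataclass
class Request:
    method: str
    path: str
    query: str = ""
    headers: dict = field(default_factory=dict)
    body: str = ""


@dataclass
class Rule:
    name: str
    pattern: re.Pattern
    paths: tuple = ()   # empty tuple: applies everywhere; otherwise only to these paths


# Positive model: only what is explicitly listed is accepted.
# In practice these lists are derived from observed legitimate traffic.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "application/json"}
ALLOWED_HEADERS = {"host", "user-agent", "accept", "accept-language", "accept-encoding",
                   "content-type", "content-length", "cookie", "referer", "origin"}

# Negative model: known attack patterns, applied to every request.
# The last rule is scoped to /contact only and plays the role of a virtual
# patch for a hypothetical, not-yet-fixed template-injection flaw there.
RULES = [
    Rule("sqli-tautology", re.compile(r"(?i)(\bunion\s+select\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+)")),
    Rule("xss-script-tag", re.compile(r"(?i)<\s*script\b")),
    Rule("path-traversal", re.compile(r"\.\./")),
    Rule("vpatch-hypothetical-001", re.compile(r"\{\{.*?\}\}"), paths=("/contact",)),
]


def decode(value):
    """Decode percent-encoding twice so a rule sees what the application will
    see even when a payload was encoded twice to survive a single decode."""
    return unquote_plus(unquote_plus(value))


def evaluate(req, mode="block"):
    """Return (allowed, findings). In 'report' mode findings are collected
    but the request is always allowed, which is how a policy change is
    staged before it is enforced."""
    findings = []

    # Positive checks
    if req.method not in ALLOWED_METHODS:
        findings.append(f"positive:method {req.method}")
    lower_headers = {k.lower(): v for k, v in req.headers.items()}
    for name in lower_headers:
        if name not in ALLOWED_HEADERS:
            findings.append(f"positive:header {name}")
    if req.method == "POST":
        ctype = lower_headers.get("content-type", "").split(";")[0].strip().lower()
        if ctype not in ALLOWED_CONTENT_TYPES:
            findings.append(f"positive:content-type {ctype or '<missing>'}")

    # Negative checks and virtual patches, run over the decoded request surface
    surface = " ".join(decode(part) for part in (req.path, req.query, req.body))
    for rule in RULES:
        if rule.paths and req.path not in rule.paths:
            continue
        if rule.pattern.search(surface):
            findings.append(f"negative:{rule.name}")

    allowed = not findings or mode == "report"
    return allowed, findings


if __name__ == "__main__":
    probe = Request("GET", "/node/1", query="id=1%27+OR+1%3D1", headers={"Host": "example.test"})
    print(evaluate(probe))            # (False, ['negative:sqli-tautology'])
    print(evaluate(probe, "report"))  # (True, ['negative:sqli-tautology'])
```

Two design points worth noting. Scoping the virtual patch to the affected path keeps its false-positive blast radius small, which is what makes it safe to ship quickly while the application fix is developed. And running a new rule in report mode first gives you the findings list from real traffic before any legitimate request is turned away, which is exactly the false-positive check step 3 of recommendation 6 asks for.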

7. Enable bot protection

Automated bots can pose a significant security risk, as they can be used for attacks such as DDoS, scraping or brute-force login attempts.

Security benefits: Enabling bot protection helps identify and block malicious bots before they can cause damage.

Actionable steps:

  1. Configure your WAF to detect and block known malicious bots by analysing user-agent strings, request patterns and other indicators.
  2. Implement rate limiting to prevent automated attacks from overwhelming your application.
  3. Consider using CAPTCHA or other challenge-response mechanisms to differentiate between humans and bots.
  4. Monitor bot activity and adjust WAF rules to stay ahead of evolving bot threats.

8. Protect against DDoS attacks

DDoS attacks can overwhelm an application's resources, causing outages or degraded performance.

Security benefits: WAFs can help protect against application-layer DDoS attacks by filtering malicious requests and enforcing rate limits.

Actionable steps:

  1. Configure your WAF to identify and block known DDoS attack patterns.
  2. Implement rate limiting to prevent attackers from overwhelming your application with a high volume of requests.
  3. Monitor for DDoS attack indicators and adjust WAF rules and thresholds to stay ahead of evolving threats.
  4. Consider using cloud-based WAFs, Content Delivery Networks (CDNs) or other DDoS mitigation solutions to distribute and absorb attack traffic.
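Rate limiting is step 2 of both recommendation 7 and recommendation 8. The added example below (our code, not the whitepaper's or any vendor's) is a per-client sliding-window limiter with a tighter budget on the login path than on the rest of the site, driven by a constructed request timeline in which one client hammers the login form while another browses normally. The limits, paths, client addresses and timestamps are assumptions.

```python
"""Per-client sliding-window rate limiting with a tighter budget on the
login path, as a WAF might apply against brute-force logins and
application-layer floods.

Added example, not code from the page or any WAF product. The limits,
paths and the constructed request timeline are assumptions.
"""
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` admitted requests per key in any `window` seconds."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)   # key -> timestamps of admitted requests

    def check(self, key, now):
        """Return True and record the request if it fits the budget, else False.
        Rejected requests are not recorded, so a client that backs off is
        admitted again once its earlier hits age out of the window."""
        q = self._hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class RateLimitPolicy:
    """Route-aware policy: the first matching path prefix wins, otherwise the default."""

    def __init__(self, rules, default):
        self._rules = [(prefix, SlidingWindowLimiter(limit, window))
                       for prefix, limit, window in rules]
        self._default = SlidingWindowLimiter(*default)

    def allow(self, client_ip, path, now):
        for prefix, limiter in self._rules:
            if path.startswith(prefix):
                return limiter.check((client_ip, prefix), now)
        return self._default.check((client_ip, "*"), now)


def replay(policy, timeline):
    """Run a list of (timestamp, client_ip, path) through the policy in time
    order; return the number of admitted and rejected requests."""
    admitted = rejected = 0
    for ts, ip, path in sorted(timeline):
        if policy.allow(ip, path, ts):
            admitted += 1
        else:
            rejected += 1
    return admitted, rejected


# Constructed timeline: 20 login attempts in 20 seconds from one client,
# four ordinary page views from another.
TIMELINE = [(t, "198.51.100.7", "/user/login") for t in range(0, 20)] + \
           [(t * 5, "203.0.113.10", "/node/1") for t in range(0, 4)]


def make_policy():
    # 5 login attempts per minute per client; 100 requests per minute elsewhere.
    return RateLimitPolicy([("/user/login", 5, 60)], default=(100, 60))


if __name__ == "__main__":
    print(replay(make_policy(), TIMELINE))   # (9, 15)
```

Keying the budget on (client, route) rather than on the client alone is what lets the login form carry a strict limit without throttling ordinary browsing from the same address. Note the caveat from the risks section: a flood that deliberately stays under these thresholds will not be caught by the limiter, which is why it runs alongside pattern-based rules and bot detection rather than in place of them.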

9. Conduct regular security audits and assessments

Just like functional testing and content audits, security audits and testing should be part of your team’s regular development process.

Security benefits: Regular security audits and assessments are essential for ensuring the effectiveness of your WAF and identifying areas for improvement.

Actionable steps:

  1. Schedule periodic security assessments to evaluate the effectiveness of your WAF and its configuration.
  2. Use vulnerability scanners and penetration testing tools to identify potential weaknesses and attack vectors.
  3. Review and adjust WAF rules based on the findings of the security assessments.
  4. Address any identified vulnerabilities or gaps in your WAF's protection.

10. Invest in WAF training and education

Web application security is multilayered and complex. Your team must understand security concepts, configuration and tools well enough to do their jobs effectively, including using a WAF.

Security benefits: A well-trained team is crucial for effective WAF management. Investing in training and education ensures that your team is up-to-date on the latest threats, best practices and WAF capabilities.

Actionable steps:

  1. Provide WAF training for your security, infrastructure and development teams to ensure they understand the features and capabilities of your WAF solution.
  2. Encourage team members to attend security conferences, workshops and online courses to stay current with industry security trends and best practices.
  3. Implement a knowledge-sharing culture within your organisation to share experiences and lessons learned.
  4. Evaluate and update training programs regularly to keep pace with evolving threats and WAF technologies.

Benefits and outcomes

Implementing the top 10 best practices and recommendations for web application security can lead to several benefits and positive outcomes for your organisation. These include:

  1. Enhanced security posture
  2. Compliance with regulatory requirements
  3. Reduced risk of data breaches
  4. Improved website performance
  5. Cost savings and ROI
  6. Streamlined incident response
  7. Continuous improvement

1. Enhanced security posture

By adopting the best practices outlined in this whitepaper, your organisation will strengthen its security posture and better protect its web applications from attacks.

2. Compliance with regulatory requirements

Many industry regulations, such as IRAP (Australia), PCI Data Security Standards (global), GDPR (Europe) and HIPAA (US), mandate the use of a WAF to protect sensitive data. Implementing these best practices can help your organisation achieve and maintain compliance.

3. Reduced risk of data breaches

A well-configured and managed WAF can prevent data breaches by identifying and blocking malicious traffic, thereby reducing the risk of unauthorised access to sensitive information.

4. Improved website performance

By mitigating application-layer attacks and minimising malicious traffic, a WAF can improve the overall performance of your web application, leading to a better user experience for legitimate users.

5. Cost savings and return on investment (ROI)

Investing in WAF security can yield significant cost savings in the long run. Preventing security incidents can save your organisation from the financial and reputational damage that often follows a data breach.

6. Streamlined incident response

With a well-configured WAF, your security team will be better equipped to respond to threats and incidents quickly and efficiently. This can lead to faster resolution and less downtime for your web application.

7. Continuous improvement

Regularly monitoring, assessing, and updating your WAF configuration will ensure that your organisation's security posture continuously improves as new threats emerge and best practices evolve.

Conclusion

In this whitepaper, we have explored the importance of Web Application Firewall (WAF) security as a critical component of a comprehensive cybersecurity strategy. We have highlighted the various security risks and challenges associated with WAFs and provided 10 best practices and recommendations to help your organisation protect its web applications effectively.

It's essential to recognise that no single security solution can provide complete protection against all threats. Therefore, implementing a robust WAF should be part of a multi-layered defense strategy that incorporates various security controls and processes.

Cyber threats and the threat landscape are continually evolving. To maintain an effective security posture, organisations must regularly assess and update their WAF configurations and stay informed about the latest security best practices.

A proactive approach to WAF security can help your organisation prevent data breaches, maintain compliance with industry regulations, and improve website performance. It’s crucial to invest the necessary resources and expertise into securing your web applications and implementing the best practices outlined in this whitepaper.

By following the guidance provided here, your organisation will be better equipped to protect its web applications from threats and minimise the risk of data breaches and other security incidents.

National Institute of Standards and Technology (NIST) Cybersecurity Framework and the edge protection layer

NIST is a US-based agency that provides critical measurement solutions to promote equitable standards such as the NIST Cybersecurity Framework (NIST CSF). NIST CSF is recognised globally as one of the leading standards for organisational cybersecurity management.

The NIST CSF can be applied to the edge protection layer to enhance the security of an organisation's edge infrastructure and protect against cyber threats targeting web-based resources. Here are some of the NIST CSF activities that apply to this layer:

Identify:

  1. Asset inventory: Identify all web-facing assets, including web servers, applications, content delivery systems, and associated data.

  2. Risk assessment: Assess the cybersecurity risks associated with these web-facing assets, considering vulnerabilities, threats and potential impacts.

Protect:

  1. Access controls: Implement robust access controls, including authentication and authorisation mechanisms, to restrict access to web resources.

  2. Web Application Firewalls (WAF): Deploy a WAF to filter and monitor incoming web traffic for malicious requests and attacks.

  3. Content delivery security: Ensure secure content delivery by using HTTPS and content security policies to mitigate risks like data leakage or content injection attacks.

  4. Patch management: Keep web servers, applications and other components up to date with security patches to address known vulnerabilities.

  5. Security headers: Use security headers (e.g. Content Security Policy, HTTP Strict Transport Security) to enhance web security and protect against common attacks.
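To make the "Content delivery security" and "Security headers" activities concrete, here is an added example (our code, not the whitepaper's or NIST's) that audits a response's security headers the way a periodic edge check might: HSTS with an adequate max-age, a Content Security Policy that does not permit inline scripts, a framing restriction against the clickjacking attacks described in the risks section, and nosniff. The minimum max-age, the finding labels and the two constructed header sets are assumptions.

```python
"""Audit an HTTP response's security headers: HSTS strength, CSP script
policy, framing restrictions (clickjacking) and X-Content-Type-Options.

Added example, not code from the page or from NIST. The thresholds and
finding labels are assumptions chosen for illustration.
"""


def _parse_directives(value):
    """'max-age=300; includeSubDomains' -> {'max-age': '300', 'includesubdomains': ''}"""
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            out[name.strip().lower()] = val.strip()
    return out


def _parse_csp(value):
    """\"default-src 'self'; script-src 'self'\" -> {'default-src': [\"'self'\"], ...}"""
    out = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return out


def check_security_headers(headers, min_hsts_age=31536000):
    """Return a list of findings (empty means the baseline is met).
    Header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # HTTPS enforcement: HSTS present, long-lived and covering subdomains
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("hsts:missing")
    else:
        d = _parse_directives(hsts)
        try:
            max_age = int(d.get("max-age", "0"))
        except ValueError:
            max_age = 0
        if max_age < min_hsts_age:
            findings.append(f"hsts:max-age {max_age} below {min_hsts_age}")
        if "includesubdomains" not in d:
            findings.append("hsts:includeSubDomains not set")

    # Content Security Policy: script sources should not allow inline or any origin
    csp = h.get("content-security-policy")
    frames_restricted = False
    if csp is None:
        findings.append("csp:missing")
    else:
        p = _parse_csp(csp)
        script = p.get("script-src", p.get("default-src", []))   # script-src falls back to default-src
        if "'unsafe-inline'" in script:
            findings.append("csp:script-src allows 'unsafe-inline'")
        if "*" in script:
            findings.append("csp:script-src allows any origin")
        if "frame-ancestors" in p:
            frames_restricted = True

    # Clickjacking: either CSP frame-ancestors or a legacy X-Frame-Options value
    if h.get("x-frame-options", "").upper() in ("DENY", "SAMEORIGIN"):
        frames_restricted = True
    if not frames_restricted:
        findings.append("framing:no frame-ancestors or X-Frame-Options (clickjacking)")

    # MIME sniffing
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("nosniff:missing")
    return findings


# Constructed header sets: one weak, one meeting the baseline.
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
}
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    print(check_security_headers(WEAK_HEADERS))       # five findings
    print(check_security_headers(HARDENED_HEADERS))   # []
```

Running this against each public endpoint as part of the recurring security assessment (recommendation 9) catches the common regression where a new deployment or edge configuration change quietly drops a header. Treat the CSP check as a floor, not a full policy review: a policy that passes here can still be too permissive for a particular application.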

Detect:

  1. Web traffic monitoring: Implement web traffic monitoring and logging to detect suspicious or malicious activity, such as SQL injection attempts or brute force attacks.

  2. Anomaly detection: Use anomaly detection mechanisms to identify unusual patterns in web traffic that may indicate an attack.

  3. Incident detection: Establish incident detection processes to respond promptly to web-based security incidents.

Respond:

  1. Incident response plan: Develop an incident response plan specific to web-based security incidents.

  2. Web server hardening: Take action to address vulnerabilities or security incidents on edge systems, including isolating compromised systems and applying security patches.

Recover:

  1. Backup and recovery: Maintain regular backups of web resources to ensure data and configuration recovery in the event of an incident.

  2. Business continuity: Develop and test business continuity plans that address web services to minimise downtime and ensure availability.


Resources and further reading

The following resources and references offer additional insights, best practices and technical guidance for securing web application firewalls and enhancing your organisation's overall cybersecurity posture.

Industry standards and guidelines

  1. OWASP Top Ten Project
  2. OWASP ModSecurity Core Rule Set
  3. PCI DSS
  4. NIST Special Publication 800-44: Guidelines on Securing Public Web Servers

Blogs and online resources

  1. Imperva blog
  2. Cloudflare blog
  3. AWS WAF documentation
  4. Microsoft Azure WAF documentation

Books and publications

  1. Web Application Security: A Beginner's Guide by Bryan Sullivan and Vincent Liu
  2. The Tangled Web: A Guide to Securing Modern Web Applications by Michal Zalewski
  3. Web Application Firewalls: A Practical Approach by John Stauffacher

By leveraging the resources provided here, you’ll gain a more in-depth understanding of WAF security and the steps necessary to protect your web applications effectively. Continued learning and staying current with security best practices are essential components of maintaining a strong security posture in the ever-evolving world of cybersecurity.