Positive Security rules define allowed application behaviour. These rules can be created by the Learning Engine, scanner import or manually. A Positive Security rule will match when the request (or parts of the request) matches the behaviour defined in the rules. This is in contrast to Signatures, which describe attack patterns and will match when an attack pattern is found.
Both Positive Security and Signatures allow similar concepts for rules.
- Enable / Disable
- Mode (Detection / Enforcement) by rule
- Paranoia levels of rules
Reasons for Using the Positive Security Model
- As Positive Security is defining application behaviour it can reduce the attack surface by only allowing known good traffic.
- A Positive Security can result in better performance.
Instead of checking a value against a long list of known attacks, the validation is against a single expression.
Configure Positive Security Group
To create a Positive Security group,
- From the Avi UI, navigate to Templates > WAF > WAF Policy and click on Create.
Edit an existing WAF Policy.
- Enter the required details under the Settings tab.
- Click on the Positive Security tab.
- Click on Add Group to create the New Positive Security Group.
In the New Positive Security Group screen, enter the details as shown below:
Field Description Additional Information Name Enter a relevant name for the policy. Description Enter a description to identify the group Learning Group Select this option to enable the group for learning Hit Action Select either Allow parameter or No operation from the drop down. The selected action gets implemented if a rule in this group matches a match type. Miss Action Select either Block or No Operation from the drop down. The selected action gets implemented if a rule in this group does not match a match type. Location Click on Add Location to create a new location Rules are created in locations. Locations are derived from URLs.
- Click on Save.
Creating a Location
- Enter a unique Name to identify the location.
- Enter the Description.
- Select a Match Type, for example, Path.
- In the field Criteria, select the criterion to use for matching the HTTP request in the URI.
- Enter the String Value.
- Select Match Case to enable case sensitivity.
- To add another match type, select one from the Add Match Type drop down list.
- Click on Add Rule to create a new rule.
The New Location screen is as below:
- Click on Save.
Creating an Argument Rule
- Click on the Rule Enabled toggle button to enable/disable the rule. The rule is enabled by default.
- Enter a unique Rule ID.
- Enter the rule Name.
- Enter a Description for the rule.
- Select a mode:
- Use Policy Mode: When Detection or Enforcement can not be applied, the policy mode is used. For the policy mode to take effect, the WAF policy should allow delegation.
- Detection: WAF rules will be processed but HTTP transactions will not be intercepted. Any rule configured to intercept HTTP transactions will be bypassed.
- Enforcement Mode: WAF rules are processed and HTTP transactions intercepted, as per the rules configured.
- Select a WAF Ruleset paranoia mode. The rules will be determine based on the Filter Rule Paranoia Level selected. The Paranoia mode set for a WAF Policy defines its rigidity.
- Define the Match Elements as shown below:
i) Enter the Value Max Length to define the maximum length of the match value.
ii) Enter a Match Value Pattern to identify the expression which describes the expected value.
iii) Enable Arguments Case Sensitive, if required. This will ensure the match value has the same case as specified in the match value pattern.
- Click on Add Match Element and define the match elements as shown below:
i) In the field Name, select the variable specification.
ii) Enter a Sub Element.
iii) Click on Excluded, if required.
The New Argument Rule screen is as below:
- Click on Save.
Selecting a Paranoia Mode
- 1- Low
- 2- Medium
- 3- High
- 4- Extreme
Two aspects that should be considered while setting the paranoia mode are:
- Risk level of an application.
- Resources available for policy tuning.
The following table maps paranoia modes to different risks levels and resource availability.
|High application risk level||High paranoia mode|
|Low application risk level||Low paranoia mode|
|Resources available for tuning||Higher paranoia mode|
|Limited resources available for tuning||Lower paranoia mode|
For more information on paranoia mode, refer to OWASP CRS Paranoia Mode.