I said in my last article that one of the key factors when it comes to judging the effectiveness of a WAF is accuracy. There is a pair of metrics that, measured objectively, give an unmistakable view of the quality and accuracy of a WAF solution: false negatives and false positives.
To better understand this concept, we have to dive a bit deeper into the mechanics of WAF operation. The essence of a WAF is to inspect the traffic sent towards a web site or application infrastructure. This function, although ideally supported and managed by a group of human experts, has to be done automatically, according to a set of predefined patterns and techniques that make it possible to categorize and label traffic as 'good' or 'bad'. This capacity for automation is key. Every HTTP request, before reaching the web server, is scanned by the WAF and compared against some models to determine the likelihood that the traffic belongs to a legitimate transaction or is part of an attack. These models are based on rules and, depending on the strategy chosen to define and create the rules (which is inherent to every WAF), they will provide a more or less accurate result.
It is fundamental to understand that, by definition, there is no 100% infallible protection, other than literally blocking every single request.
Arguably, this firewall configuration is the one that fully protects against every attack. The flip side is that you don't receive ANY kind of traffic, though.
One of the basic strategies of attackers is disguising themselves among legitimate users, mimicking their behavior so that they are difficult to detect. Therefore, every WAF will introduce a small (ideally zero) percentage of mistakes:
• False positives: Requests that have been labeled as malicious by the WAF but were actually legitimate.
• False negatives: Malicious requests that have not been detected by the WAF and consequently are not filtered.
The key factor is to find an adequate balance between false positives and false negatives, given that in practice it is impossible to reduce both to 0%. Since a WAF must be configurable in terms of tolerance, the company (or the service provider that manages the WAF) has to trade off false positives against false negatives:
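To make the trade-off concrete, here is an added example (not code from this article or any particular WAF product): a toy anomaly-scoring WAF in Python whose rules, weights, blocking thresholds and labelled sample requests are all constructed for illustration. It scores each request against crude rules, blocks anything at or above a tolerance threshold, and reports the false-positive and false-negative rates at three thresholds, showing how tightening tolerance lowers false negatives at the cost of more false positives.

```python
"""Toy anomaly-scoring WAF: false positives / false negatives per threshold.

Added illustration; rules, weights, thresholds and traffic are constructed.
"""
import re
from collections import Counter

# Each rule adds its weight to the request's anomaly score when it matches.
# Deliberately crude: a real rule set is far larger and more precise.
RULES = [
    (re.compile(r"<script", re.I), 5),                         # script tag
    (re.compile(r"(\bor\b|\bunion\b).*(=|select)", re.I), 4),  # SQL-looking
    (re.compile(r"\.\./"), 3),                                 # path traversal
    (re.compile(r"'"), 1),                                     # lone quote, weak
    (re.compile(r"--"), 1),                                    # dash-dash, weak
]

# Constructed labelled traffic: (request line, is_attack). The legitimate
# requests containing quotes, dashes or the word "or" are where false
# positives come from; the weak-signal attack is where false negatives do.
SAMPLE_TRAFFIC = [
    ("GET /search?q=o'reilly", False),
    ("GET /post?title=well--done", False),
    ("GET /docs?page=intro", False),
    ("GET /search?q=black+or+white&size=m", False),
    ("GET /search?q=1'+or+'1'='1", True),
    ("GET /view?file=../../app.conf", True),
    ("GET /comment?text=<script>alert(1)</script>", True),
    ("GET /item?id=5'--", True),
]


def anomaly_score(request: str) -> int:
    """Sum the weights of every rule that matches the request."""
    return sum(weight for pattern, weight in RULES if pattern.search(request))


def evaluate(threshold: int, traffic=SAMPLE_TRAFFIC) -> dict:
    """Block requests scoring >= threshold; return FP/FN counts and rates."""
    counts = Counter()
    for request, is_attack in traffic:
        blocked = anomaly_score(request) >= threshold
        if blocked and not is_attack:
            counts["fp"] += 1          # legitimate request wrongly blocked
        elif not blocked and is_attack:
            counts["fn"] += 1          # attack that slipped through
    legit = sum(1 for _, attack in traffic if not attack)
    attacks = len(traffic) - legit
    return {"threshold": threshold, "fp": counts["fp"], "fn": counts["fn"],
            "fp_rate": counts["fp"] / legit, "fn_rate": counts["fn"] / attacks}


if __name__ == "__main__":
    for t in (1, 3, 5):   # strict -> lenient tolerance
        print(evaluate(t))
```

With this sample set, threshold 1 blocks every attack but also three of the four legitimate requests, threshold 5 lets no legitimate request through the filter wrongly but misses half the attacks, and threshold 3 sits in between; the right setting depends on which kind of mistake costs more for the site being protected.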
In my next article, I will talk about the right strategy for balancing false positives and false negatives. However, if the suspense is killing you, I recommend reading this white paper to unveil the secret.