A web application firewall (or WAF) filters, monitors, and blocks HTTP traffic to and from a web application. By inspecting HTTP traffic, it can prevent attacks stemming from web application security flaws. It can be used to detect SQL injection, Cross-Site Scripting (XSS), Remote File Inclusion, Security Misconfigurations, and much more.
GitLab provides a WAF out of the box after Ingress is deployed. All you need to do is deploy your application along with a service and Ingress resource.
The ModSecurity module runs with the OWASP Core Rule Set (CRS) by default. The OWASP CRS will detect and log a wide range of common attacks.
The Web Application Firewall requires:
To enable the WAF, you need:
Configured Kubernetes objects
To use the WAF on an application, you need to deploy the following Kubernetes resources:
If you are using GitLab.com, see the quick start guide for how to use the WAF with GitLab.com and a Kubernetes cluster on Google Kubernetes Engine (GKE).
If you are using a self-managed instance of GitLab, you need to configure the Google OAuth2 OmniAuth Provider before you can configure a cluster on GKE. Once this is set up, you can follow the steps on the quick start guide to get started.
A network firewall or packet filter looks at traffic at the Network (L3) and Transport (L4) layers of the OSI Model, and denies packets from entry based on a set of rules regarding the network in general.
A Web Application Firewall operates at the Application (L7) layer of the OSI Model and can examine all the packets traveling to and from a specific application. A WAF can set more advanced rules around threat detection.
ModSecurity is enabled with the OWASP Core Rule Set (CRS) by default. The OWASP CRS logs attempts to the following attacks:
- SQL Injection
- Cross-Site Scripting
- Local File Inclusion
- Remote File Inclusion
- Code Injection
- Session Fixation
- Scanner Detection
- Metadata/Error Leakages
It is good to have a basic knowledge of the following:
More information on the direction of the WAF can be found in Product Vision - Defend