Edge Stack Web Application Firewall Quickstart

Dave Sudia
Published in Ambassador Labs
Sep 20, 2023

One-Stop API Gateway solution with built-in PCI 6.6 compliant WAF.

Edge Stack WAF — One-stop built-in security

In today’s landscape of growing security and compliance concerns, finding the right solution to open up your application to the world can be time-consuming and involve sourcing bits of the solution from multiple vendors. Ambassador Labs is here to help: the Ambassador Edge Stack API Gateway now has its own WAF functionality built in. No longer do you need to pair a potentially expensive third-party WAF offering with your API gateway to meet your company’s compliance needs.

We make it simple to open your application to the world while keeping a strong security posture. By applying two convenient CRDs to your running AES installation, you can quickly enable the Ambassador Labs WAF. We even provide you with a packaged set of rules that offers OWASP Top 10 protection and PCI 6.6 compliance to help you get started. These rules can be further customized to meet your needs, or you can bring in your own rule set written in Coraza’s SecLang.

Ambassador Edge Stack provides a one-stop solution to open access to your application with strong auth controls and integrations, rate limiting, and now WAF protection. To see just how easy it is to get started, let’s go through setting up a new cluster and protecting it with the WAF.

Installing Ambassador Edge Stack into your cluster

The best way to quickly get started with installing AES is to follow our QuickStart guide. This will get you up and running with a basic installation of Edge Stack complete with a service that you can use to test the cluster.

Assign a hostname to your listener

Use whichever method your DNS provider offers to add a DNS entry for your listener. For a simple test on a *nix system, you can instead add the IP address held in $LB_ENDPOINT from Step 1 of the QuickStart to your hosts file (/etc/hosts):

...
<IP ADDRESS> waf-blog.localdomain

Enabling the WAF

Now that we have AES up and running, let’s get to the good part: enabling the WAF to process your incoming traffic.

Creating a new WebApplicationFirewall Resource

The first step is to create a WebApplicationFirewall resource. This resource configures a firewall instance with a set of rules and runtime options, such as whether request denials should be logged. Rules can be stored at HTTP endpoints or in ConfigMaps. Our starting resource will use a ruleset created by Ambassador Labs and retrieved from HTTP endpoints. This starter rule set configures the WAF to use all of the OWASP Core Rule Set, which protects your system from the OWASP Top 10 vulnerabilities, and has been enhanced by us to also provide PCI 6.6 compliance.

kubectl apply -f -<<EOF
---
apiVersion: gateway.getambassador.io/v1alpha1
kind: WebApplicationFirewall
metadata:
  name: "example-waf"
  namespace: "default"
spec:
  firewallRules:
    # Rules can be loaded from HTTP endpoints or ConfigMaps; the starter set is fetched over HTTP
    - sourceType: "http"
      http:
        url: "https://app.getambassador.io/download/waf/v1-20230825/aes-waf.conf"
    - sourceType: "http"
      http:
        url: "https://app.getambassador.io/download/waf/v1-20230825/crs-setup.conf"
    - sourceType: "http"
      http:
        url: "https://app.getambassador.io/download/waf/v1-20230825/waf-rules.conf"
EOF

Creating a new WebApplicationFirewallPolicy Resource

Next, the WebApplicationFirewallPolicy resource tells Edge Stack which requests should be protected by which WebApplicationFirewall resource. A Policy can reference multiple Firewalls, so you can consolidate all your matching criteria and WAFs into a single Policy. For this example, however, we are creating a Policy that references our single example Firewall and applies it to all incoming requests (the default when no more specific matching criteria are provided).

kubectl apply -f -<<EOF
---
apiVersion: gateway.getambassador.io/v1alpha1
kind: WebApplicationFirewallPolicy
metadata:
  name: "example-waf-policy"
  namespace: "default"
spec:
  rules:
    # No matching criteria are given, so this rule applies the WAF to all incoming requests
    - wafRef:
        name: "example-waf"
        namespace: "default"
EOF

Making sure everything is ready

Confirm that both resources were created (waf and wafp are the short names of the two CRDs):

kubectl get waf && kubectl get wafp

Sending some requests

Send a good request

curl -Lki https://<HOSTNAME>/backend/

Here, we should see a valid response:

HTTP/1.1 200 OK
content-type: application/json
date: Fri, 08 Sep 2023 17:22:18 GMT
content-length: 223
x-envoy-upstream-service-time: 0
server: envoy

{
  "server": "thunderous-banana-mgune5tc",
  "quote": "The light at the end of the tunnel is interdependent on the relatedness of motivation, subcultures, and management.",
  "time": "2023-09-08T17:22:18.22809918Z"
}

Send a bad request

On this request we set the User-Agent to Arachni, a penetration testing tool. If someone is using Arachni on your system, they are looking for vulnerabilities and you want to fend them off!

curl -Lki -H 'User-Agent: Arachni/0.2.1' https://<HOSTNAME>/backend/

Here we should see the request being blocked by the WAF:

HTTP/1.1 403 Forbidden
date: Fri, 08 Sep 2023 17:22:56 GMT
server: envoy
content-length: 0

Congratulations, you now have a cluster up and running that is protected by a WAF, all handled by Ambassador Edge Stack!
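To turn the two checks above into a repeatable post-deploy test, here is an added example (not part of the original post) that reports whether the WAF is actually enforcing. It assumes the QuickStart's /backend/ test route and the hostname you configured, and keeps curl's -k flag only because the lab uses a self-signed certificate.

```shell
#!/bin/sh
# WAF enforcement smoke test. Added example, not from the Ambassador Labs post.
# Replays the post's two checks against a host: a benign GET (expect 200) and one
# sending the Arachni User-Agent that the bundled CRS rules block (expect 403),
# then says whether the WAF is enforcing on that route.

# status_for URL [extra curl args...] -> prints only the final HTTP status code.
# -k mirrors the post's curl flags (self-signed lab certificate); drop it in production.
status_for() {
  url=$1; shift
  curl -skL -o /dev/null -w '%{http_code}' "$@" "$url"
}

# verdict BENIGN_STATUS SCANNER_STATUS -> enforcing | not-enforcing | broken
# "broken": the benign request itself failed (000 means no connection), so nothing
#           about the WAF is proven yet.
# "not-enforcing": the scanner request got through, so the WAF or its Policy is not
#           being applied to this route.
verdict() {
  benign=$1; scanner=$2
  if [ "$benign" != "200" ]; then
    echo broken
  elif [ "$scanner" != "403" ]; then
    echo not-enforcing
  else
    echo enforcing
  fi
}

# run_probes HOSTNAME -> prints "benign=<code> scanner=<code> verdict=<word>"
run_probes() {
  base="https://$1/backend/"
  b=$(status_for "$base")
  s=$(status_for "$base" -H 'User-Agent: Arachni/0.2.1')
  echo "benign=$b scanner=$s verdict=$(verdict "$b" "$s")"
}

# Usage: sh waf-smoke.sh waf-blog.localdomain   (no argument: only define the functions)
if [ -n "${1:-}" ]; then
  run_probes "$1"
fi
```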

Next Steps

For a deeper dive into the mechanics of the WAF, and best practices that we followed at Ambassador Labs on our way to SOC2 certification using our own WAF, you can view our recent webinar on-demand.

For more information on the options for the Ambassador Edge Stack WAF, please check out our WAF user guide.
