How do you monitor and filter malicious traffic with WAFs?

Your business requirements will further define your security needs and eluminate the best deployment model. The kinds of clients and data your WAF deals with should dictate your architecture. For highly sensitive enterprise clients you may be restricted to an on-premise model. For WAF's not dealing with PII or sensitive functions, cloud solutions can offer quickest, most reliable options. It is best to fully understand your business requirements before choosing your model.

A hybrid model should be used in almost every scenario. Malicious traffic takes many forms, a layered defense in depth approach will always block more malicious traffic. Web applications that only use an on-premise solution are vulnerable to DDOS attacks. Cloud providers specialize in web application firewalls -- investing in a cloud-based bastion firewall will prevent costly downtime. This does not prevent the need for an on-premise solution, different web applications will face different threat actors. Implementing an on-premise layer allows for tailoring your defenses to specific threat actors. Multiple providers and bastion layers should be used for high risk web applications. Use a cloud based solution if you can only choose one.

With platform’s like Heroku, they have one touch add-ons for this setup. Except for DNS parking and pointing, rest all are one-click-to-go steps there.

Two sets of rules should be used for each firewall layer, a whitelist and a blacklist. Whitelisting a traffic parameter will block all traffic that does not fit the defined parameter ruleset. Blacklisting a traffic parameter will block all traffic with that ruleset. Web application endpoints and HTTP methods should be whitelisted when possible. Whitelisting yourdomain/home/* will block access to yourdomain/uploads/ Blacklisting yourdomain/uploads/ will also block traffic to /uploads/ but not prevent access to /admin/, /internal/... etc. Specific traffic parameters indicating malicious activity should be blacklisted.

Alert for WAF needs to be configured by filtering out the know scanners to avoiding misleading alarming on the system. Better to have a custom header on those known scanners to filter down the know source and unknown source as well.