The Web Application Firewall (WAF) Service provides web application firewall, bot/scraping protection, and access control for web applications. It assists teams in complying with key portions of UBC Information Security Standard M10 – Internet-Facing Systems and Services.
Features and Benefits
Feature | Benefits |
---|---|
Attack Mitigation (UBC ISS M10 § 2.2.1, 2.4.5) | The WAF inspects traffic and protects against various types of attacks, including malicious traffic, DoS, and bots. Bot protection helps identify and mitigate attacks and scraping activity before they cause damage to the site. |
Virtual Patching | WAF technology enables Cybersecurity analysts to deploy specialized configurations as virtual patches to block the exploit of zero day and other web application vulnerabilities. See the Virtual Patching section of this page for more information. |
SSL Termination (UBC ISS M7 § 2.6; UBC ISS M10 § 3.1, 3.2, 3.3) | WAF implementations include managed SSL certificates – clients of the service no longer need to maintain their own certificates for protected services. All WAF implementations are configured in compliance with Mozilla TLS Standards by default, and are kept up-to-date as those standards change. |
Load Balancing | The WAF is a high-performance load balancer, and is also capable of managing highly complex request routing logic through custom rules. However, load balancing is not a requirement for implementing the UBC WAF. It can be deployed for websites and web applications running on single hosts. |
Logging (UBC ISS M8 § 2.3, 4.2) | All web requests that transit the UBC WAF are automatically logged and retained for 365 days in the central UBC myLogs service. This ensures compliance with section 2.3 of UBC Information Security Standard M8 for web access logs. While these logs are not directly accessible to clients of the service, WAF analysts can extract them on request. For more information, see the WAF Logging tech-ref article. |
Attack Surface Reduction | The WAF service can be used to minimally and safely expose websites or web applications running on systems with public or private IP addresses to the internet. We also offer a VPNless Service to allow for sensitive applications to be safely exposed to authenticated off-campus users without requiring VPN. |
Service Availability | 24/7 |
Support Availability | Regular business hours, critical incident response available after-hours |
Requirements and Eligibility
Audience
UBC system administrators, developers, application administrators, Technical Owners, or business owners may request this service. It can be integrated into new deployments or retroactively added to existing ones.
Price
No cost
Learn More
Getting Started
Requests for WAF onboarding can be submitted through the Cybersecurity Services section of the UBC Self-Service Portal. Once your request is submitted, a Cybersecurity Analyst will contact you within 5 business days to gather information about your request before it’s added to our priority-based onboarding queue.
Onboarding requests are evaluated and addressed based on several factors: the UBC Electronic Service risk classification and UBC Electronic Information classification (both defined in UBC ISS U1), the likelihood of attack, and the availability of the requesting team.
Further Information
Resource | Login Required | Accessible From | Notes |
---|---|---|---|
WAF Logging Documentation | CWL | Anywhere | |
Environments
The WAF Service is designed as a highly-available, robust solution. Each WAF environment consists of two WAF devices deployed as an active/standby pair across two UBC data centres: all traffic is processed by the active device, and service fails over to the standby device if the active one is unavailable. Failovers are transparent to end users and applications.
Multiple WAF offerings are available to cover both production and non-production environments. We strongly recommend deploying UBC WAF for both environments to facilitate testing and validation of services protected by the UBC WAF.
Production
There are two production environments available, both offering equivalent levels of performance, functionality, and support.
- Critical: Suitable for large UBC-wide mission-critical systems. This environment is the last to receive upgrades, and incidents involving this environment are prioritized over all others.
- Standard: Suitable for departmental mission-critical systems or large UBC-wide systems that are not mission-critical. This environment receives upgrades before the Critical environment.
Non-Production
There is one non-production environment available. It receives equivalent levels of functionality and support and retains the same failover configuration as the production environments.
- DTS: Suitable for non-production systems, such as development, testing, and staging environments. This environment is the first environment to receive upgrades.
Virtual Patching
Virtual patching is not an automated function of the WAF. The WAF is a highly configurable, programmable solution capable of traffic inspection and manipulation. If you alert the WAF support team to a vulnerability in your system, we can assess mitigation options to determine if a virtual patch can be developed.
A virtual patch involves configuring the WAF with custom code that identifies and blocks traffic intended to exploit the vulnerability. This reduces risk by shrinking the time to mitigate a vulnerability to days or hours instead of weeks or months, giving system administrators and application developers valuable time to deploy long-term patches with proper testing and validation.
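To make concrete what "custom code to identify and block traffic" amounts to, here is an added illustration of a virtual patch written as a small request filter. It is not code from the UBC WAF service (whose rule language this page does not describe); the vulnerable endpoint `/api/export`, its `report` parameter, and the sample requests are all constructed for the example. Two properties matter for any real virtual patch and are shown here: the rule is scoped to the one affected endpoint and parameter so unrelated traffic is untouched, and values are normalized (percent-decoded until stable) before the allowlist is applied, so an encoded variant of the same input cannot slip past the check.

```python
"""Illustrative virtual patch: an allowlist filter scoped to one vulnerable endpoint.

Example code, not part of the UBC WAF service. The endpoint, parameter and
sample requests below are constructed for demonstration.
"""
import logging
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, unquote, urlsplit

log = logging.getLogger("virtual_patch")

# Hypothetical vulnerability (constructed): the export endpoint uses the
# `report` parameter to build a file path without validating it. The patch
# enforces a positive allowlist on that parameter until the application is fixed.
VULNERABLE_PATH = "/api/export"
VULNERABLE_PARAM = "report"
ALLOWED_VALUE = re.compile(r"[A-Za-z0-9_-]{1,64}")


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def normalize(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly until the value stops changing.

    A value such as %252e%252e is judged on its final form ("..") rather than
    on the encoded text the attacker sent; max_rounds bounds the work done.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def virtual_patch(method: str, url: str) -> Decision:
    """Return whether a request may pass. Only the vulnerable endpoint is inspected."""
    parts = urlsplit(url)
    # Normalize the path as well, so /api/%65xport is recognised as the patched endpoint.
    path = normalize(parts.path).rstrip("/")
    if path != VULNERABLE_PATH:
        return Decision(True, "out of scope")

    # parse_qs decodes one level; normalize() handles anything double-encoded.
    params = parse_qs(parts.query, keep_blank_values=True)
    values = params.get(VULNERABLE_PARAM, [])
    if not values:
        return Decision(True, "parameter absent")

    for raw in values:
        candidate = normalize(raw)
        if not ALLOWED_VALUE.fullmatch(candidate):
            # Blocked requests are logged with enough context to review the patch's hits.
            log.warning("blocked %s %s: %s=%r outside allowlist", method, path, VULNERABLE_PARAM, candidate)
            return Decision(False, f"{VULNERABLE_PARAM} rejected: {candidate!r}")
    return Decision(True, "parameter within allowlist")


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Constructed sample requests exercising the scope and normalization rules.
    samples = [
        ("GET", "/api/export?report=q3-summary"),          # allowed
        ("GET", "/api/export?report=../../config"),         # blocked
        ("GET", "/api/export?report=%252e%252e%252fconfig"),  # blocked after decoding
        ("GET", "/api/%65xport?report=.."),                 # blocked: path normalized
        ("GET", "/healthz?report=../config"),               # allowed: out of scope
    ]
    for method, url in samples:
        d = virtual_patch(method, url)
        print(f"{'ALLOW' if d.allowed else 'BLOCK':5} {method} {url}  ({d.reason})")
```

The allowlist is deliberately positive (what a valid value looks like) rather than a list of bad strings, which is why the encoded variants need no extra rules. A patch like this is a stopgap: it buys the time described above for a proper application fix, and its block log should be reviewed both to confirm it is catching the exploit traffic and to catch legitimate requests it rejects.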
Get Help
For support or more information about this service, please submit a ticket under Submit a Support Request in the Cybersecurity Services section of the UBC Self-Service Portal. Support is provided during regular business hours.