Cloudflare Blog·March 4, 2026

Cloudflare's Always-On WAF: Decoupling Detection from Mitigation for Enhanced Security

This article introduces Cloudflare's new 'Always-on' Web Application Firewall (WAF) framework, which decouples attack detection from mitigation. This architectural shift provides continuous visibility into potential threats without immediately blocking traffic, allowing security teams to fine-tune rules based on rich analytics and historical data. It addresses the traditional WAF trade-off between visibility (log mode) and protection (block mode) by running all detections constantly in the background, offering a more data-driven and flexible approach to web application security.

Read original on Cloudflare Blog

The Traditional WAF Dilemma

Traditional Web Application Firewalls (WAFs) often present a significant operational challenge: the "log versus block" trade-off. When new applications are deployed or rules are updated, security teams typically start in a logging-only mode. This cautious approach is necessary to identify and mitigate false positives that could disrupt legitimate user traffic. However, it leaves applications vulnerable during the tuning phase. Cloudflare's new approach aims to eliminate this dilemma by allowing continuous detection without immediate blocking, providing both visibility and protection simultaneously.

Architectural Shift: Decoupling Detection and Mitigation

The core innovation in Cloudflare's Always-on WAF framework is the separation of detection from mitigation. All attack signatures are executed on every request as soon as traffic is proxied, irrespective of whether a blocking rule is in place. The results are immediately available in Security Analytics. This architectural separation allows for:

  • Continuous Visibility: Gain complete insight into every signature match without sacrificing real-time protection.
  • Data-Driven Policy Creation: Build precise mitigation policies based on accumulated historical traffic data, significantly reducing false positives.
  • Reduced Onboarding Friction: Simplify the process of deploying new security protections by understanding rule impact before enforcing blocks.

Impact on Latency

Running every signature on every request does not by itself add latency. If no blocking rule references a detection, that detection can execute *after* the request has already been forwarded to the origin server, so the client sees no delay. Once a rule is activated, the detection it depends on moves in-line ahead of the origin request, which may add latency depending on the traffic profile.

Beyond Request-Only Analysis: Full-Transaction Detection

Cloudflare is further enhancing detection capabilities with Full-Transaction Detection. This analyzes the entire HTTP transaction (request and response) rather than just the incoming request. This broader context dramatically reduces false positives and uncovers more subtle threats, such as reflective SQL injection or data exfiltration patterns that are only evident in the response. This represents an evolution in stateful threat detection, moving beyond stateless signature matching.

Leveraging Analytics for Security Posture Management

Security Analytics is central to this new framework, providing a comprehensive view of how signatures interact with web traffic. Key use cases include:

  • Onboarding: Understand initial attack patterns and deploy security rules with confidence.
  • Identifying False Positives: Analyze rule matches over time to detect legitimate traffic triggers and create scoped exceptions.
  • "What-if" Scenarios: Test the impact of new rules against historical traffic to empirically determine production performance before deployment.

Customers can then create granular security rules based on aggregated confidence scores, attack categories (e.g., SQLi, XSS, CVEs), or specific signature Ref IDs, allowing for highly customized and adaptive security policies.
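The two-stage split described under "Decoupling Detection and Mitigation" and the "what-if" replay over historical matches from this section, as an added toy model that is not Cloudflare's code. The Ref IDs, scores, substring "signatures" and the sample request history are all constructed for illustration; the policy keys (min_score, categories, ref_ids) are hypothetical names standing in for the aggregated confidence score, attack category and signature Ref ID criteria the text mentions.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Signature:
    ref_id: str                   # hypothetical Ref ID
    category: str                 # attack category, e.g. SQLi or XSS
    score: int                    # confidence contributed on a match
    match: Callable[[str], bool]  # crude stand-in for a real detection

# Constructed signatures: substring checks, not Cloudflare's real rules.
SIGNATURES = [
    Signature("SQLI-001", "SQLi", 60, lambda q: "' or 1=1" in q.lower()),
    Signature("SQLI-002", "SQLi", 40, lambda q: "union select" in q.lower()),
    Signature("XSS-001", "XSS", 70, lambda q: "<script" in q.lower()),
]

def detect(query: str) -> list[Signature]:
    """Stage 1: every signature runs on every request and the matches are
    recorded. Nothing is blocked here; this is what feeds the analytics."""
    return [s for s in SIGNATURES if s.match(query)]

def decide(matches: list[Signature], policy: dict) -> str:
    """Stage 2: a mitigation policy evaluated over recorded matches.
    Optional policy keys: min_score, categories, ref_ids."""
    score = sum(s.score for s in matches)  # aggregated confidence score
    if score >= policy.get("min_score", float("inf")):
        return "block"
    if any(s.category in policy.get("categories", ()) for s in matches):
        return "block"
    if any(s.ref_id in policy.get("ref_ids", ()) for s in matches):
        return "block"
    return "allow"

def what_if(history: list[tuple[str, bool]], policy: dict) -> dict:
    """Replay a candidate policy over logged traffic before enforcing it.
    history items are (query, is_legitimate); the label is constructed."""
    blocked = {q for q, _ in history if decide(detect(q), policy) == "block"}
    false_pos = [q for q, legit in history if legit and q in blocked]
    return {"blocked": len(blocked), "false_positives": len(false_pos)}

# Constructed history: the second query is a forum user searching for an
# SQL phrase, i.e. legitimate traffic that a broad SQLi rule would block.
HISTORY = [
    ("id=1' or 1=1--", False),
    ("q=how to write union select in sql", True),
    ("name=<script>alert(1)</script>", False),
    ("page=2", True),
]
```

Comparing what_if(HISTORY, {"categories": {"SQLi"}}) with what_if(HISTORY, {"min_score": 50}) shows the category-wide rule blocking the legitimate search (one false positive) while the score threshold blocks the same two attacks with none, which is the kind of comparison the analytics are meant to support before a rule is enforced.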

Tags: WAF, Security Architecture, Decoupling, Observability, Threat Detection, False Positives, Edge Computing
