Fortanix generally doesn't recommend configuring a WAF in front of Self-Defending KMS. The Self-Defending KMS architecture ensures that sensitive information is always encrypted in transit (using TLS) and on the server side while stored and in use (using Fortanix Runtime Encryption® technology). The vast majority of WAF features require terminating and decrypting the TLS traffic in transit, which would potentially expose key material and sensitive plaintext to the WAF. Instead of relying on heuristic rules such as those normally implemented by WAFs, Fortanix prefers to eliminate exploitation points in the architecture itself. For example, Fortanix mitigates the following common web application issues as follows:
- SQL injection (database queries): The Self-Defending KMS backend only uses parameterized queries, so untrusted input is bound as data and never spliced into query text.
- Command injection: The Self-Defending KMS backend environment can't execute processes, so there is no shell or subprocess for an injected command to reach.
- Cross-site scripting (XSS): The Self-Defending KMS backend generally doesn't render HTML pages, so there is no server-rendered markup for injected script to land in.
- HTTP processing: The Self-Defending KMS backend relies on Rust's memory safety and type safety to parse and interpret untrusted input, which rules out the classes of memory-corruption bugs (buffer overflows, use-after-free) that parsers written in C are prone to.
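To make the SQL-injection point above concrete, the following is an added example (not Fortanix code and not the Self-Defending KMS backend) using Python's standard `sqlite3` module. It places a query built by string formatting beside its parameterized equivalent and runs both against a constructed two-row table with a classic `' OR '1'='1` payload; the table, rows and function names are illustrative assumptions.

```python
import sqlite3

# Constructed sample rows (not real data): key name and its owner.
SEED_KEYS = [
    ("key-alice", "alice"),
    ("key-bob", "bob"),
]

# A payload that closes the string literal and appends an always-true clause.
INJECTION = "nobody' OR '1'='1"


def make_db():
    """Build an in-memory table holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE keys (name TEXT NOT NULL, owner TEXT NOT NULL)")
    conn.executemany("INSERT INTO keys VALUES (?, ?)", SEED_KEYS)
    conn.commit()
    return conn


def lookup_keys_unsafe(conn, owner):
    """Vulnerable: the untrusted owner string becomes part of the SQL text,
    so quotes and operators in it are parsed as SQL."""
    sql = f"SELECT name FROM keys WHERE owner = '{owner}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_keys_parameterized(conn, owner):
    """Hardened: the owner is bound as a parameter. The SQL text is fixed,
    and the driver passes the value to the engine as data, never as syntax."""
    sql = "SELECT name FROM keys WHERE owner = ?"
    return [row[0] for row in conn.execute(sql, (owner,))]


def demo():
    """Run both lookups with the injection payload and return their results."""
    conn = make_db()
    leaked = lookup_keys_unsafe(conn, INJECTION)          # every row
    filtered = lookup_keys_parameterized(conn, INJECTION)  # no row
    return leaked, filtered


if __name__ == "__main__":
    leaked, filtered = demo()
    print("string-formatted query returned:", leaked)
    print("parameterized query returned:   ", filtered)
```

With the payload, the formatted query becomes `SELECT name FROM keys WHERE owner = 'nobody' OR '1'='1'` and returns every key in the table, while the parameterized query looks for an owner literally named `nobody' OR '1'='1` and returns nothing. This is why a backend that only ever issues parameterized queries removes the injection point rather than trying to recognise attack strings, which is the job a WAF would otherwise attempt heuristically.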
Firewalls or other network security tools that operate only at Layer 4 and below (for example, packet filters that act on IP addresses and TCP ports without inspecting the TLS payload) may be configured for use with Self-Defending KMS, since they do not need to decrypt the traffic.