What is a Web Application Firewall?

An Introduction to a Web Application Firewall or WAF

A Web Application Firewall (WAF) protects online services from malicious Internet traffic. A WAF detects and filters out requests that could degrade, compromise, or knock out web applications. It examines HTTP traffic before it reaches the application server, and it can also inspect the responses to block unauthorized transfer of data out of the server.

The PCI Security Standards Council defines a WAF as “a security policy enforcement point positioned between a web application and the client endpoint. This functionality can be implemented in software or hardware, running in an appliance device, or in a typical server running a common operating system. It may be a stand-alone device or integrated into other network components.”

WAFs protect web applications from common vulnerabilities while providing the ability to customize the security rules for each application.

How Web Application Firewalls Work

A WAF intercepts and inspects every HTTP request and applies a set of policies tailored to the application to weed out hostile traffic. Traditionally, customizing WAF rules is complex and hard to get right without expert knowledge, and a customized rule set has to be maintained every time the application changes, or it starts blocking legitimate requests or missing new attack paths.

WAFs come as hardware appliances, server-side software plugins, or traffic filtering delivered as a service. A WAF is a kind of reverse proxy: where a forward proxy sits in front of clients and shields their devices from malicious content, a reverse proxy sits in front of servers and shields web applications from malicious clients.

Attacks That WAFs Prevent

WAFs can prevent many attacks, including:

  • Cross-site Scripting (XSS) — Attackers inject client-side scripts into web pages viewed by other users.
  • SQL injection — Attacker-controlled input is inserted into a database query through a web entry field, allowing attackers to compromise the application and the underlying systems.
  • Cookie poisoning — Modification of a cookie to impersonate another user or to gain privileges or information the user was never granted, for purposes such as identity theft.
  • Unvalidated input — Attackers tamper with the HTTP request (including the URL, headers and form fields) to bypass the site's security mechanisms.
  • Layer 7 DoS — An HTTP flood that exhausts the application with a high volume of individually valid requests, such as repeated retrievals of expensive URLs.
  • Web scraping — Automated extraction of data from websites, typically by bots that replay legitimate requests at scale.

Web Application Firewall Deployment

Reverse proxy – The WAF acts as a proxy in front of the application server: clients connect to the WAF, which inspects each request and forwards only the acceptable ones to the application.

Transparent reverse proxy – A reverse proxy running in transparent mode. The WAF still inspects and forwards filtered traffic to the web application, but it preserves the client's source address instead of substituting its own, while the address of the application server stays hidden from the client. The extra address translation is a potential source of latency.

Transparent bridge – The WAF is inserted as a layer-2 bridge, so HTTP traffic is addressed directly to the web application and passes through the WAF without any change to IP addresses. This makes the WAF invisible to both the client device and the server.

WAF Security Models

WAFs can follow a positive security model, a negative security model, or a combination of both. A positive model rejects everything that is not explicitly allowed, so it needs a profile of each application's legitimate requests (its URLs, methods, parameters and value formats), but it blocks attacks it has never seen. A negative model keeps a list of known-bad patterns and allows everything not on that list; it is easier to deploy but catches only the attacks its signatures describe, and it must normalize requests (decode URL encoding, for example) before matching, or encoded variants slip through.
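The following added example (not Avi Vantage code or any product's rule set) puts the two models next to each other on the attack types listed earlier. A negative model runs signature rules over each decoded parameter; a positive model checks every request against a per-route profile and rejects unknown routes and undeclared parameters. The `Request` class, the route profiles, the signatures and the six sample requests are all constructed for the demo. Two of the samples show what each model misses on its own: a double-encoded SQL injection is invisible to a negative model that decodes only once, while parameter tampering (an extra `role=admin` field) and forced browsing to `/admin/export` pass a negative model entirely because no signature fires.

```python
"""Minimal WAF request inspector: positive and negative security models.

Added example for illustration only (not any product's code). The requests,
route profiles and signatures below are constructed for the demo.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, unquote, urlsplit


@dataclass
class Request:
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    body: str = ""


@dataclass
class Decision:
    allowed: bool
    reason: str


# Negative model: signatures for payloads that should never appear in a parameter.
NEGATIVE_RULES = [
    ("sqli-tautology", re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+")),
    ("sqli-union", re.compile(r"\bunion\b\s+(all\s+)?select\b")),
    ("xss-script", re.compile(r"<\s*script\b|javascript\s*:|\bon\w+\s*=")),
    ("path-traversal", re.compile(r"\.\./|\.\.\\")),
]

# Positive model: per-route profile of the parameters a legitimate request may carry.
POSITIVE_PROFILES = {
    ("GET", "/search"): {"q": re.compile(r"[\w .-]{1,100}")},
    ("POST", "/login"): {
        "user": re.compile(r"[a-z0-9_.@-]{1,64}"),
        "password": re.compile(r".{8,128}"),
    },
}


def normalize(value: str, deep_decode: bool = True) -> str:
    """Canonicalise a value before signature matching.

    With deep_decode the value is percent-decoded until it stops changing, so a
    double-encoded quote (%2527 -> %27 -> ') cannot slip past the SQLi rules.
    """
    if deep_decode:
        prev = None
        while prev != value:
            prev, value = value, unquote(value)
    return value.lower()


def extract_params(req: Request):
    """Return (path, params) with query and form fields decoded exactly once."""
    parts = urlsplit(req.url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    ctype = req.headers.get("Content-Type", "")
    if req.method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        params.update(parse_qsl(req.body, keep_blank_values=True))
    return parts.path, params


def inspect(req: Request, mode: str = "both", deep_decode: bool = True) -> Decision:
    """Return the WAF decision for one request under the chosen security model."""
    path, params = extract_params(req)

    if mode in ("positive", "both"):
        profile = POSITIVE_PROFILES.get((req.method, path))
        if profile is None:  # unknown route: the positive model blocks forced browsing
            return Decision(False, f"positive: no profile for {req.method} {path}")
        for name, value in params.items():
            pattern = profile.get(name)
            if pattern is None:  # parameter tampering: a field the application never declared
                return Decision(False, f"positive: unexpected parameter {name!r}")
            if not pattern.fullmatch(value):
                return Decision(False, f"positive: {name!r} outside allowed pattern")

    if mode in ("negative", "both"):
        for name, value in params.items():
            text = normalize(value, deep_decode)
            for rule_id, pattern in NEGATIVE_RULES:
                if pattern.search(text):
                    return Decision(False, f"negative: {rule_id} in {name!r}")

    return Decision(True, "allowed")


# Constructed sample traffic (not captured from any real system).
FORM = {"Content-Type": "application/x-www-form-urlencoded"}
SAMPLES = {
    "benign_search": Request("GET", "/search?q=web+application+firewall"),
    "sqli_search": Request("GET", "/search?q=%27+or+1%3D1+--"),
    "double_encoded_sqli": Request("GET", "/search?q=%2527+or+1%3D1"),
    "benign_login": Request("POST", "/login", FORM, "user=alice&password=correct-horse-battery"),
    "tampered_login": Request("POST", "/login", FORM, "user=alice&password=correct-horse-battery&role=admin"),
    "forced_browse": Request("GET", "/admin/export?format=csv"),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        for mode in ("negative", "positive"):
            d = inspect(req, mode)
            print(f"{name:20} {mode:8} {'ALLOW' if d.allowed else 'BLOCK':5} {d.reason}")
```

Running the block prints the verdict of each model for every sample. The positive profile is deliberately loose on `password` (any 8 to 128 characters), which is exactly where the negative signatures add value in combined mode; conversely, every request that the negative model lets through here is a request the positive model stops only because someone took the time to write the route profile, which is the maintenance cost the text above describes.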

WAF Rules

WAFs enforce rules, or policies, written against specific classes of vulnerability; the rules are what actually stop an attack. Writing the rules for a traditional WAF can be complex and requires expert administration. The Open Web Application Security Project (OWASP) maintains a list of the most critical web application security risks, which WAF policies are commonly written to address.

WAFs address one of the most common pain points for application security teams by providing visibility into the traffic flows that the security rules act on.

Traditional Firewalls Versus Web Application Firewalls

A traditional network firewall controls the flow of traffic between networks and hosts, while a WAF filters the traffic destined for a specific web application. Network firewalls and web application firewalls are complementary and work together.

Traditional security controls include network firewalls, intrusion detection systems (IDS) and intrusion prevention systems (IPS). They are effective at blocking illegitimate traffic at the lower layers (L3-L4) of the Open Systems Interconnection (OSI) model. Traditional firewalls cannot detect attacks that target flaws in web applications because they do not understand the Hypertext Transfer Protocol (HTTP), which operates at layer 7 of the OSI model. All they can do with web traffic is open or close the port on which the HTTP server sends and receives pages, so an attack carried inside an otherwise well-formed request on that port passes straight through. This is why WAFs are important for preventing attacks such as SQL injection, session hijacking and Cross-site Scripting (XSS).

History of Firewalls and WAFs

Technically, the term firewall was coined in 1851 for a physical wall built to stop the spread of fire. In modern times, the Morris worm, unleashed in 1988, was one of the first Internet worms, and it created the need for a network firewall. In the early 1990s, a network-based firewall was developed that could specifically protect FTP traffic; this was the beginning of firewalls that control access to applications or services. By the end of the 1990s, with the increase in online activity, the hacking of web servers became a problem, and attention turned to the development of Web Application Firewalls (WAFs). By 2002, WAFs were in wider use, and the open source ModSecurity project was started; its core set of WAF security rules later became the OWASP Core Rule Set.

In 2003, the Open Web Application Security Project (OWASP) began to further expand and standardize what WAFs should cover. Roughly every three or four years OWASP publishes a new OWASP Top 10 list of web application security risks, which compliance programs and WAF policies are expected to address.

The first dedicated WAFs protected e-commerce websites against common attacks such as:

  • Hidden field manipulation — Manipulation of hidden form fields to alter the data the application stores in those fields.
  • Cookie poisoning — Modification of a cookie to impersonate another user or to gain privileges the user was never granted.
  • Parameter tampering — Parameters exchanged between client and server are manipulated to change application data.
  • Buffer overflow — A bug that overwrites adjacent memory locations while writing data to a buffer.
  • Cross-site Scripting (XSS) — Attackers inject client-side scripts into web pages viewed by other users.
  • SQL injection — Attacker-controlled input is inserted into a database query through a web entry field, allowing attackers to compromise the application and the underlying systems.
  • Remote code execution — Exploiting a flaw so that the attacker's own code runs on the server, regardless of where the attacker is located.
  • Forced browsing — Accessing resources that the application does not link to but still serves, such as directory listings.

Web Application Firewall Benefits vs Weaknesses

Web Application Firewall Benefits

WAFs prevent attacks that try to take advantage of the vulnerabilities in web-based applications. The vulnerabilities are common in legacy applications or applications with poor coding or designs. WAFs handle the code deficiencies with custom rules or policies.

Top web application firewalls are often called intelligent WAFs and provide real-time insight into application traffic, performance, security and the threat landscape. This visibility gives administrators the flexibility to respond to sophisticated attacks.

When the Open Web Application Security Project (OWASP) identifies the most common vulnerabilities, WAFs let administrators create custom security rules that cover that list of attack methods. An intelligent WAF analyzes which security rules matched a particular transaction and provides a real-time view as attack patterns evolve. With that information administrators can tune the rules and reduce false positives.

Web Application Firewall Weaknesses

WAFs sit in-line between users and applications, so any delay they add shows up in the end-user experience. Because inspecting requests and responses is compute-intensive, WAFs do add latency. How much, and whether it is tolerable, depends on the WAF's performance, the complexity of the policy and the application being protected. This leaves organizations with a trade-off: over-provision the WAF to minimize the impact, at a higher cost, or trim the security policy to cut inspection time, at the expense of protection.

WAFs can also be complex to deploy given the need to establish efficient policies. They also require regular maintenance when applications have additions or updates.

Intelligent web application firewall with point-and-click simplicity and webscale performance

Traditional web application security solutions do not provide the visibility and security insights that administrators need to build an effective application security posture. Enterprises need real-time visibility into application traffic, user experience, security and threat landscape, and application performance to identify and protect against the most sophisticated attacks. Appliance-based web application firewall (WAF) solutions do not take advantage of their privileged position in the path of application traffic and are black boxes when it comes to delivering application visibility.


WAF Capabilities

The most effective and efficient WAFs offer the following capabilities:

  • Central, scalable policy management
  • HTTP validation
  • Granular security insights on traffic flows
  • Input protection
  • Automated attack blocking
  • Data leakage protection
  • Policies tailored to widely used applications
  • Point-and-click policy configurations, customizable for each application

Are you interested in learning more about the Avi Vantage Platform?

Complete your digital transformation with our next-gen application delivery platform. Experience 5x faster application rollouts, visibility with actionable analytics, and up to 70% cost savings compared to F5 Networks and Citrix NetScaler.

