An Introduction to a Web Application Firewall or WAF
A Web Application Firewall (WAF) protects online services from malicious Internet traffic. WAFs detect and filter out threats that could degrade, compromise, or knock out online applications. WAFs examine HTTP traffic before it reaches the application server. They also protect against unauthorized transfer of data out of the server.
The PCI Security Standards Council defines a WAF as “a security policy enforcement point positioned between a web application and the client endpoint. This functionality can be implemented in software or hardware, running in an appliance device, or in a typical server running a common operating system. It may be a stand-alone device or integrated into other network components.”
WAFs protect web applications from common vulnerabilities while providing the ability to customize the security rules for each application.
How Web Application Firewalls Work
WAFs intercept and inspect all HTTP requests using a set of customized policies to weed out bogus traffic. WAFs block bad traffic outright or can challenge a visitor with a CAPTCHA test that humans can pass but a malicious bot or computer program cannot.
Traditionally, the customization of WAF security rules is complex and can be difficult to achieve without expert knowledge. Customized WAFs also require maintenance as each application is modified.
WAFs come in the form of hardware appliances, server-side software plugins, or cloud services that filter traffic as-a-service. A WAF can be thought of as a reverse proxy, i.e. the opposite of a forward proxy server: a forward proxy protects client devices from malicious applications, while a WAF protects web applications from malicious clients.
Attacks That WAFs Prevent
WAFs can prevent many attacks, including:
- Cross-site Scripting (XSS) — Attackers inject client-side scripts into web pages viewed by other users.
- SQL injection — Malicious code is inserted or injected into a web entry field, allowing attackers to compromise the application and underlying systems.
- Cookie poisoning — Modification of a cookie to gain unauthorized information about the user for purposes such as identity theft.
- Unvalidated input — Attackers tamper with HTTP requests (including the URL, headers and form fields) to bypass the site’s security mechanisms.
- Layer 7 DoS — An HTTP flood that uses valid-looking requests for ordinary URLs to exhaust the application’s resources.
- Web scraping — Automated extraction of data from websites.
Web Application Firewall Deployment
Reverse proxy – The WAF acts as a proxy in front of the application server, so client traffic goes to the WAF first.
Transparent reverse proxy – A reverse proxy in transparent mode. The WAF forwards filtered traffic on to the web application while hiding the application server’s address (IP masking). Added latency during address translation is a potential downside.
Transparent bridge – HTTP traffic goes directly to the web application, with the WAF sitting transparently between the client device and the server.
WAF Security Models
WAFs can follow either a positive or a negative security model, or a combination of both. A positive security model rejects everything not explicitly named as allowed. A negative security model has a list of banned items and allows everything not on that list.
WAFs prevent attacks by applying rules or policies tailored to specific vulnerabilities. Creating the rules on a traditional WAF can be complex and requires expert administration. The Open Web Application Security Project (OWASP) maintains a list of the top web application security flaws for WAF policies to address.
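As an added illustration of the two security models (example code, not part of the original article or any WAF product), the following Python sketch applies a negative (deny-list) rule set and a positive (allow-list) policy to the same constructed HTTP requests. The host name shop.example, the two endpoints, the rule signatures and the sample requests are all assumptions made up for this example; it is a teaching model of request inspection, not a production WAF.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qsl


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as a WAF would see it (constructed)."""
    method: str
    url: str
    headers: dict
    body: str = ""


# Negative security model: a deny-list of known-bad signatures.
# Anything that matches is blocked; everything else is allowed through.
NEGATIVE_RULES = [
    ("sqli-tautology", re.compile(r"(?i)'\s*or\s+['\d]+\s*=\s*['\d]+")),
    ("sqli-union", re.compile(r"(?i)\bunion\b\s+(?:all\s+)?\bselect\b")),
    ("xss-script-tag", re.compile(r"(?i)<\s*script\b")),
    ("xss-event-handler", re.compile(r"(?i)\bon\w+\s*=")),
]

# Positive security model: a description of what the application expects.
# (method, path) -> {parameter name: allowed value pattern}; anything not
# listed here is rejected. Hypothetical endpoints of a fictional shop.example.
POSITIVE_POLICY = {
    ("GET", "/search"): {"q": re.compile(r"[\w \-]{1,64}")},
    ("POST", "/login"): {
        "user": re.compile(r"[a-z0-9_]{3,32}"),
        "pw": re.compile(r".{8,128}"),
    },
}
ALLOWED_HOSTS = {"shop.example"}  # constructed value


def _inspection_surface(req):
    """Decode the path and the query/body parameters the rules will inspect.
    parse_qsl percent-decodes values, so an encoded payload is inspected in
    the same form the application would receive it."""
    parts = urlsplit(req.url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    if req.body:
        params += parse_qsl(req.body, keep_blank_values=True)
    return parts.path, params


def negative_check(req):
    """Deny-list check. Returns (allowed, rule_id); blocks only on a signature hit."""
    path, params = _inspection_surface(req)
    fields = [path] + [value for _, value in params] + list(req.headers.values())
    for rule_id, pattern in NEGATIVE_RULES:
        if any(pattern.search(field) for field in fields):
            return False, rule_id
    return True, None


def positive_check(req):
    """Allow-list check. Returns (allowed, reason); blocks anything not described."""
    if req.headers.get("Host") not in ALLOWED_HOSTS:
        return False, "host-not-allowed"
    path, params = _inspection_surface(req)
    policy = POSITIVE_POLICY.get((req.method, path))
    if policy is None:
        return False, "endpoint-not-allowed"
    for name, value in params:
        pattern = policy.get(name)
        if pattern is None:
            return False, f"unexpected-parameter:{name}"
        if not pattern.fullmatch(value):
            return False, f"parameter-format:{name}"
    return True, None


# Constructed sample traffic: a benign search, a textbook injection sent
# percent-encoded, a request to an endpoint the application does not expose,
# and a legitimate search that a strict allow-list rejects (a false positive).
HOST = {"Host": "shop.example"}
SAMPLE_REQUESTS = {
    "benign search": Request("GET", "http://shop.example/search?q=red+shoes", HOST),
    "encoded injection": Request("GET", "http://shop.example/search?q=%27+OR+1%3D1--", HOST),
    "undocumented endpoint": Request("GET", "http://shop.example/admin/export?format=csv", HOST),
    "apostrophe in search": Request("GET", "http://shop.example/search?q=Tom%27s+shoes", HOST),
}


def evaluate_all(requests=SAMPLE_REQUESTS):
    """Run both models over each request; returns {label: (negative, positive)}."""
    return {label: (negative_check(req), positive_check(req)) for label, req in requests.items()}


if __name__ == "__main__":
    for label, (neg, pos) in evaluate_all().items():
        print(f"{label:24} negative={neg}  positive={pos}")
```

Running it shows the trade-off described above: the deny-list lets the undocumented /admin/export request through because no signature matches, while the allow-list blocks it; conversely the allow-list rejects the harmless "Tom's shoes" search, which is exactly the kind of policy that has to be revisited every time the application changes.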
WAFs address the most common pain-points for application security teams by providing visibility to traffic flows that security rules.