An Introduction to a Web Application Firewall or WAF
A web application firewall (WAF) protects online services from malicious attacks such as SQL injection and cross-site scripting (XSS). WAFs detect and filter out threats which could degrade, compromise, or expose online applications to denial-of-service (DoS) attacks. WAFs examine HTTP traffic before it reaches the application server. They also protect against unauthorized transfer of data from the server.
In recent years, web application security has become increasingly important, especially after web application attacks ranked as the most common reason for breaches, as reported in the Verizon Data Breach Investigations Report. WAFs have become a critical component of web application security, and guard against web application vulnerabilities while providing the ability to customize the security rules for each application. Because a WAF sits inline with traffic, some of its functions are conveniently implemented by a load balancer.
According to the PCI Security Standards Council, WAFs function as “a security policy enforcement point positioned between a web application and the client endpoint. This functionality can be implemented in software or hardware, running in an appliance device, or in a typical server running a common operating system. It may be a stand-alone device or integrated into other network components.”
How Web Application Firewalls Work
WAFs can be built into hardware appliances, installed as server-side software plugins, or delivered as a service that filters traffic. WAFs protect web applications from malicious endpoints. In that sense they are essentially the opposite of proxy servers, which protect devices from malicious applications; that is, WAFs act as reverse proxies.
To ensure security, WAFs intercept and examine all HTTP requests. Bogus traffic is simply blocked or tested with CAPTCHA tests designed to stump harmful bots and computer programs.
The fine print of WAF administration is based on security procedures that are built upon customized policies, which should address the top web application security flaws listed by the Open Web Application Security Project (OWASP).
Traditionally, these policies can be elaborate, requiring specialized administrators to configure the WAF in accordance with the company’s security policy. These administrators are responsible for correctly placing, configuring, administering, and monitoring WAFs to ensure maximum security.
Attacks That WAFs Prevent
WAFs can prevent many attacks, including:
- Cross-site Scripting (XSS) — Attackers inject client-side scripts into web pages viewed by other users.
- SQL injection — Malicious code is inserted or injected into a web entry field that allows attackers to compromise the application and underlying systems.
- Cookie poisoning — Modification of a cookie to gain unauthorized information about the user for purposes such as identity theft.
- Unvalidated input — Attackers tamper with an HTTP request (including the URL, headers, and form fields) to bypass the site’s security mechanisms.
- Layer 7 DoS — An HTTP flood attack that utilizes valid requests in typical URL data retrievals.
- Web scraping — Data scraping used for extracting data from websites.
Web Application Firewall Deployment
The WAF is a proxy to the application server. Therefore, device traffic goes directly to the WAF.
Transparent Reverse Proxy
This is a reverse proxy operating in transparent mode. As a result, the WAF separately sends filtered traffic to web applications. This allows for IP masking by hiding the address of the application server. Performance latency is a potential downside during translation.
HTTP traffic goes directly to the web application.
As a result, this makes the WAF transparent between the device and the server.
WAF Security Models
WAFs can follow either a positive or a negative security model, or a combination of both. A positive security model (also known as “whitelist”) rejects everything not named as allowed. A negative security model (also known as “blacklist”) has a list of banned items and allows everything not on that list.
Positive and negative security models have their parts in different application security scenarios. For example, when performing input validation, the positive model dictates that you specify the allowed inputs, as opposed to trying to filter out bad inputs. The benefit of using a positive model is that new attacks, not anticipated by the developer, will be prevented. The negative model is easier to implement but you’ll never be quite sure that you’ve addressed everything. You’ll also end up with a long list of negative signatures to block that has to be maintained.
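The difference between the two models, as an added example that is not part of the original article: a negative-model check and a positive-model check are run over the same constructed requests. The paths, parameter names, signatures, and sample requests are all assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Negative model ("blacklist"): constructed signatures; anything else is allowed.
SIGNATURES = [re.compile(p, re.I) for p in (
    r"<script\b",             # XSS marker
    r"\bunion\s+select\b",    # SQL injection marker
)]

# Positive model ("whitelist"): constructed policy naming each allowed path,
# parameter, and value format; anything not named is rejected.
POLICY = {
    "/product": {"id": re.compile(r"[0-9]{1,9}"), "lang": re.compile(r"[a-z]{2}")},
}

def params(url):
    """Return (path, decoded query parameters) for a request target."""
    parts = urlsplit(url)
    return parts.path, parse_qsl(parts.query, keep_blank_values=True)

def negative_model(url):
    _, query = params(url)
    hit = any(sig.search(value) for _, value in query for sig in SIGNATURES)
    return "block" if hit else "allow"

def positive_model(url):
    path, query = params(url)
    rules = POLICY.get(path)
    if rules is None:
        return "block"                      # path not named in the policy
    for name, value in query:
        rule = rules.get(name)
        if rule is None or not rule.fullmatch(value):
            return "block"                  # unknown parameter or bad format
    return "allow"

# Constructed sample requests (not captured traffic).
SAMPLES = [
    "/product?id=42&lang=en",             # expected use
    "/product?id=42&lang=%3Cscript%3E",   # matches a signature
    "/product?id=42&role=admin",          # parameter the application never defined
    "/product?id=42%27--",                # malformed id, no signature for it
    "/export?table=users",                # path the policy does not name
]

def compare(samples=SAMPLES):
    return [(s, negative_model(s), positive_model(s)) for s in samples]

if __name__ == "__main__":
    for sample, neg, pos in compare():
        print(f"{sample:36} negative={neg:5} positive={pos}")
```

The three requests that only the positive model rejects are the ones no signature anticipated, which is the maintenance burden of the negative model described above.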
WAFs follow rules or policies customized to specific vulnerabilities. Creating the rules on a traditional WAF can be complex and require expert administration. The Open Web Application Security Project (OWASP) maintains a list of the top web application security flaws for WAF policies to address.
WAFs address the most common pain-points for application security teams by providing visibility to traffic flows that match security rules.