A web application firewall is a network security solution for commercial use that protects servers from potential cyber attacks that can exploit a web application’s vulnerabilities.
By the definition of the PCI SSC (Security Standards Council), a web application firewall is “a security policy enforcement point positioned between a web application and the client endpoint.”
A WAF is a type of reverse proxy firewall that monitors, filters, and/or blocks HTTPS network traffic between the web and your web app based on a set of rules. It specifically examines web traffic through HTTPS and SSL protocols and can help with load balancing.
Web application firewalls are designed to protect the servers of your web applications from all kinds of attacks like web shells, phishing, malicious payloads, and ransomware while also preventing unauthorized data from leaving the web app.
How a Web Application Firewall Works
To secure your web application from malicious traffic, the web application firewall inspects HTTP/S traffic to and from your web service applications via a reverse proxy firewall.
If a standard proxy server functions only as an intermediary to protect a user’s private network, a reverse proxy — in this case, the modus operandi of WAF — does the same for a web app.
By inspecting HTTP requests through user-defined policies, a WAF filters data packets and is solely focused on protecting against web-based application attackers.
A good example is the CAPTCHA test, which is a part of WAF that can filter out and block bots or other malicious programs while allowing access for humans.
Web application firewalls are usually deployed as a software, hardware, or as a waf-as-a-service package with tailor-made policies that fit your website’s needs.
Analyzing HTTP and Rulesets
As we mentioned, a WAF protects web-based applications in a way that it analyzes HTTP (Hypertext Transfer Protocol) requests.
By applying a set of rules, it can differentiate which parts of an HTTP conversation are malign and which parts are benign.
Mainly, an HTTP conversation consists of GET and POST request methods:
- GET is the most common way requests are handled on the web. GET includes all required data and values in the URL, and the length of the values is limited to 255 characters. GET requests are cacheable and are used to retrieve data from the server.
- In comparison, the POST method is usually used for writing data, uploading, or submitting forms. This request method works via HTTP by requesting a web server to accept and store the data in the request message.
What are WAF Rules?
WAF rules are a list of policies and characteristics in a web traffic’s data stream, which a certain firewall needs to comply with. Simply put, it’s a listed manual for the WAF to respond with given instructions.
A set of rules can execute validation procedures, find malicious activities, and decide what to do when an exploit is detected.
Depending on the ruleset, it can include all kinds of actions like granting/denying access, responding to specific traffic in various ways, etc.
Constructing a ruleset can be very difficult, but WAF experts can resort to a wide variety of resources and implement solutions. One such resource is the OWASP (Open Web Application Security Project), which has a regularly-updated list of web application security flaws.
While many WAF packages are regularly updated for new vulnerabilities, there are also advances in automation, AI, and machine learning which might make it easier to assess threat landscapes in the future.
The Importance of WAF Rules
Ultimately, the true potential of a WAF generally lies in the ruleset that reacts to user responses.
A good set of rules includes an up-to-date security strategy that can block familiar attack strategies. But, an even better one can greatly reduce false positives. These rules are usually tailor-made by cybersecurity experts.
For example, if a company fails to scan and detect potentially malicious/faulty codes and external plug-ins, they can be subjected to security oversights called “zero-day threats.”
Left unchecked, a zero-day vulnerability may grant cyber criminals unseen access to your web server; something a WAF cannot cover unless you construct a flexible ruleset that can apply to user responses for your server.
There are three ways a WAF approaches inspecting and filtering content in the HTTP requests:
- When whitelisting (or allowlists/positive security model), a WAF denies all requests by default, allowing only trusted, pre-approved requests, and ensures the client is using a safe IP address. Simply put, think of a club bouncer that checks if your name is on the list.
- On the flip side, via blacklisting (or blocklists/negative security model), the WAF defaults to allowing packets through, but with preset signatures or a ruleset that can block potentially dangerous web traffic and malicious packets. This bouncer rejects club-goers that violate the dress code.
- Hybrid security essentially combines the two, and a good WAF almost always employs a system of both blacklisting and whitelisting.
Each of these security models has its advantages and disadvantages in analyzing HTTP interactions. Regardless of which one you choose, all of them are effective in preventing malicious traffic before it can reach your server.
Types of Firewalls
There are multiple ways to categorize firewalls. But, according to how they filter data packets and their use cases, we can differentiate between six types of firewalls:
1. Packet Filtering
These firewalls inspect the technical characteristics of every data packet that enters and exits a network. It filters out incompatible data packets that don’t meet with certain rulesets and patterns or if they match blacklisted parameters.
2. SPIs (Stateful Packet Inspection)
Dynamic packet filtering, also called SPIs, are firewalls that function on a network layer. In contrast to regular packet filters, it records every packet individually to prevent attacks that may be dispersed between multiple packets.
3. Proxy Server Firewalls
Also called web application firewalls or application-level gateway, proxy server firewalls operate at an application layer instead of a network layer. WAFs switch the protected server’s IP address with their designated address, as traffic is directed through the WAF before it reaches the server.
4. Circuit-Level Gateway
Control network traffic by providing UDP (User Datagram Protocol) network security, relaying TCP (Transmission Control Protocol), and monitoring TCP handshaking between trusted servers and untrusted hosts to establish whether or not a requested session is valid. In contrast to application gateways, circuit-level gateways operate at a session-level layer of the OSI model, which is between the application-level layer and the transport-level layer.
5. Next-Generation Firewall
Next-generation firewalls, or NGFWs, combine techniques and may use features like anti-viruses, anti-malware, and URL filtering. NGFWs add more context to network security and are placed at the gateway between the internet and your network. They track and record network activity that goes out to the internet (web sites, email accounts, and SaaS) instead of just inspecting packets.
Data packet filtering, stateful inspection, or other NGFW (Next-Generation Firewalls) cannot protect the system from web-based attacks. This is what sets WAFs apart from the rest of the firewall types.
6. IPS (Intrusion Prevention Systems)
Besides WAFs and next-generation firewalls (NGFWs), there are other types of network protection categories that enhance cyber defense systems like intrusion prevention systems.
An IPS or intrusion prevention system is a more broadly focused security solution. It’s an upgraded security form of an Intrusion Detection System (IDS) that only detects suspicious activities.
Based on the policies and database signatures, the signatures and policies are regularly updated as new vulnerabilities pop up.
IPS typically operates and protects network and session Layers 3 and 4, but some IPS may offer limited protection at the application layer (Layer 7).
IPS serves to protect traffic across a wide spectrum of protocols like DNS (Domain Name System), FTP (File Transfer Protocol), RDP (Remote Desktop Protocol), SSH (Secure Shell), SMTP (Simple Mail Transfer Protocol), and TELNET, among others.
Open Systems Interconnection (OSI) Models
WAFs operate with a reverse proxy configuration; regular firewalls are integrated into a computer network interface. But, there are also other ways to differentiate between them.
The main difference between WAFs and network firewalls is how their security levels function via the Open Systems Interconnection (OSI) models.
The OSI Model can be seen as a universal language for computer networking. It provides a standard for diverse computer systems to communicate with each other via regular protocols.
OSI Model Layers 3 and 4
Network and endpoint firewalls operate at OSI model Layers 3 and 4 (Network Layer logic), which protect data transfer and network traffic.
Without a network firewall, a computer with a public IP address (internet protocol) can be accessed outside the network from potential cybercriminals.
Network firewalls prevent attacks and secure local-area networks by dividing a secured zone from a potentially dangerous zone and managing the HTTP communications between them.
Traditional firewalls cannot detect attacks unique to the security flaws in web applications because they do not understand Hypertext Transfer Protocol (HTTP) which occurs at Application layer 7.
OSI Model Layer 7
Reverse proxy firewalls like WAFs commonly protect against attacks and examine traffic characteristics at an Application Layer 7, defined as OSI model Layer 7.
This application level, according to the OSI, is typical for application-based firewalls and encompasses protection against attacks that target web application protocols like HTTP and HTTPS, which are used to connect web browsers and web servers.
How to Deploy a Web Application Firewall
A WAF can be deployed via software or hardware or integrated via a server on a specific operating system into other network components.
While their operating modes may be different, WAFs can be deployed in three different ways.
WAF Deployment Models
Today, WAFs come in a plethora of packages and consumption models that offer the same services in a different method of deployment.
They can be as a stand-alone hardware device, software-based, or integrated via server as a cloud-hosted service.
- Hardware-Based (Appliance-Based) WAFs, sometimes called network-based firewalls, are self-contained appliances that act as a secure gateway between devices inside a network and devices outside. Ideal for big companies that seek to protect multiple devices, they don’t consume much processing power of other resources of the host devices.
In contrast to host-based firewalls, they’re installed as on-premises devices and run with reduced latency but are difficult to set up, configure, and maintain.
- Software-based (host-based) WAFs are firewalls with cost-efficient pricing that run on servers and can be customized and fully integrated into a company’s application code. They require specific libraries on your application server, they need to be set up on each device separately, and they consume more server resources (CPU and RAM) to function properly. In order to function properly, host-based WAFs require more resources and the expertise of developers and DevOps (Software Development and IT Operations).
- Cloud-based, cloud-native, or cloud-hosted firewalls are known as firewalls as-a-service that can be MSSP-ed or managed by security service providers. That makes them a great choice for larger organizations looking for tight security as well as smaller companies with insufficient expertise in WAFs.
In contrast to other types, a cloud-based firewall service is able to track internal network workloads and third-party on-demand environments. Cloud-based firewalls operate with an enhanced threat intelligence and offer real-time monitoring during an attack.
What Does WAF Protect Against?
A WAF can protect your business’ server and its content from web-based cybersecurity threats.
They have an advantage over traditional firewalls because they offer better monitoring of sensitive application data on an HTTP application layer.
List of the most critical web application security risks. Source: Owasp.org
File inclusion, improper system configuration, patching issues, cloud vulnerabilities, sensitive data exposure… These are all potential vulnerabilities that can target applications. But, having the OWASP list in mind, the most common attacks and vulnerabilities include:
Enumeration Attacks, or Broken Access Control, occur when hackers try to check via brute force if a web server database holds certain data like passwords.
A well-planned and calculated attack could reveal DNS details and usernames and can even check if the network has poor setting configurations that could be vulnerable to other threats.
The login page and the password reset page are the most targeted parts.
SQL (Structured Query Language)
Structured query language attacks, or SQL injection attacks, allow cybercriminals to execute harmful SQL statements and queries via user authentication.
Web apps with an SQL database are vulnerable to this attack. Attackers can steal, modify, and tamper with content from an SQL database via bypassing web page authentication.
The SQL injection attack is on the OWASP Top 10 list of the biggest threats to web applications for 2017.
However, if the SQL injection vulnerability is in open-source code, sWAFs can provide temporary protection against newer vulnerabilities.
XSS (Cross-Site Scripting)
Cross-site scripting, or XSS, is when attackers inject and execute scripts via HTML code to another user’s web browser input field.
This is done via bypassing the same-origin policy that can segregate different websites, which allows the attacker to pose as an authenticated user.
A direct denial-of-service, or a DDoS attack, attempts to overload a network by flooding its traffic with unnecessary requests, effectively wearing out the target’s resources and rendering the network unavailable.
Distributed denial-of-service, or DDoS attacks, overwhelm a network by flooding it with traffic until it is unable to serve its users. The requests come from multiple sources at the same time, which makes it very difficult for the system to execute a timely cybersecurity response.
Both network firewalls and WAFs can handle this attack type but approach it from different layers.
Application Layer-Attacks (Layer 7 DoS Attacks)
One of the most common and dangerous threats is the Layer 7 DDoS attack, which targets the top of the OSI model where there’s high traffic in packets.
The Layer 7 DDoS attack sends a flood of traffic to the server layer, where web pages are generated and delivered in response to HTTP requests. Basically, it overwhelms a web server by recursive application activity.
By acting as a reverse proxy and filtering requests to identify a DDoS threat, a WAF can help with Layer 7 DDoS attack mitigation and protect the server from malicious traffic.
Why You Should Use a WAF
With cyberattacks advancing and becoming increasingly more complex, businesses and organizations must find new ways to be on par with the latest threats and protect themselves and their precious data from malicious attacks.
Back-end databases used by corporations and businesses hold sensitive data that can be easily accessed by hackers via faults in your web applications.
A WAF solution can be a crucial component of an organization’s network security strategy by preventing data leakage. Much like antivirus software, a WAF needs to be revised, maintained, and updated with the latest cybersecurity enhancements.
Financial institutions and other e-commerce companies that use transactions via web applications and APIs (application programming interfaces) can greatly benefit from WAFs. A WAF may help them with meeting PCI DSS (Payment Card Industry Data Security Standards), CHD (cardholder data) protection, and other policies and compliances.
Though web app firewalls can be costly and complex for certain organizations, it’s crucial to understand how they work, how they differ from other firewalls, and how they can be implemented if you want to maximize their safeguarding potential.