An Introduction to a Web Application Firewall or WAF
A web application firewall (WAF) provides web application security for online services from malicious security attacks such as SQL injection, cross-site scripting (XSS). WAF security detects and filters out threats which could degrade, compromise, or expose online applications to denial-of-service (DoS) attacks. WAF security examines HTTP traffic before it reaches the application server. They also protect against unauthorized transfer of data from the server.
In recent years, web application security has become increasingly important, especially after web application attacks ranked as the most common reason for breaches, as reported in the Verizon Data Breach Investigations Report. WAFs have become a critical component of web application security, and guard against web application vulnerabilities while providing the ability to customize the security rules for each application. As WAF is inline with traffic, some functions are conveniently implemented by a load balancer.
According to the PCI Security Standards Council, WAFs function as “a security policy enforcement point positioned between a web application and the client endpoint. This functionality can be implemented in software or hardware, running in an appliance device, or in a typical server running a common operating system. It may be a stand-alone device or integrated into other network components.”
How Web Application Firewalls Work
WAFs can be built into hardware appliances, server-side software plugins, or filter traffic as-a-service. WAF security protects web applications from malicious endpoints and are essentially opposites of proxy servers (i.e. reverse proxies), which protect devices from malicious applications.
To ensure security, WAFs intercept and examine all HTTP requests. Bogus traffic is simply blocked or tested with CAPTCHA tests designed to stump harmful bots and computer programs.
The fine print of WAF administration is based on security procedures that are built upon customized policies, which should address the top web application security flaws listed by the Open Web Application Security Project (OWASP).
Traditionally, these policies can be elaborate, requiring specialized administrators to configure the WAF in accordance to the company’s security policy. These administrators are responsible for correctly placing, configuring, administering, and monitoring WAFs to ensure maximum security.
Attacks That WAFs Prevent
WAF security can prevent many attacks, including:
- Cross-site Scripting (XSS) — Attackers inject client-side scripts into web pages viewed by other users.
- SQL injection — Malicious code is inserted or injected into an web entry field that allows attackers to compromise the application and underlying systems.
- Cookie poisoning — Modification of a cookie to gain unauthorized information about the user for purposes such as identity theft.
- Unvalidated input — Attackers tamper with HTTP request (including the url, headers and form fields) to bypass the site’s security mechanisms.
- Layer 7 DoS — An HTTP flood attack that utilizes valid requests in typical URL data retrievals.
- Web scraping — Data scraping used for extracting data from websites.
A cloud WAF – also known as a cloud-based WAF or cloud-native WAF – provides modern web application security at a much lower cost than traditional appliance-based web application firewalls while offering some distinct advantages. Cloud based WAF services offer more responsive, elastic, and customizable application security options based on predefined security policies that scale and react automatically to threats per application or tenant.
The customization and flexibility of such cloud WAF services saves administrators from time-consuming manual tuning of security software or hardware on their systems, allows for proactive rather than responsive threat detection, enables real-time app security insights and visibility, and ensures compliance (GDPR, HIPAA and PCI), all while providing centralized application security across multi-cloud, hybrid-cloud or on premise application environments.
Web Application Firewall Deployment
The WAF is a proxy to the application server. Therefore, device traffic goes directly to the WAF.
Transparent Reverse Proxy
A reverse proxy with transparent mode. As a result, the WAF separately sends filtered traffic to web applications. This allows for IP masking by hiding the address of the application server. Performance latency is a potential downside during translation.
HTTP traffic goes directly to the web application.
As a result, this makes the WAF transparent between the device and the server.
WAF Security Models
WAFs can follow either a positive security model, a negative security model, or a combination of both. A positive security model WAF (also known as “whitelist”) rejects everything not named as allowed. A negative security model (also known as “denylist”) has a list of banned items and allows everything not on that list.
Positive and negative WAF security models have their parts in different application security scenarios. For example:
Positive Security Model
When performing input validation, the positive model dictates that you specify the allowed inputs, as opposed to trying to filter out bad inputs. The benefit of using a positive security model firewall is that new attacks, not anticipated by the developer, will be prevented.
Negative Security Model
The negative model is easier to implement but you’ll never be quite sure that you’ve addressed everything. You’ll also end up with a long list of negative signatures to block that has to be maintained. The negative security model approach initially allows all traffic to come through, although as additional restrictions are implemented, security improves. This method can save time for departments that consistently make new network changes, so the network does not continue to be blocked.
WAFs follow rules or policies customized to specific vulnerabilities. Creating the rules on a traditional WAF can be complex and require expert administration. The Open Web Application Security Project (OWASP) maintains a list of the top web application security flaws for WAF policies to address.
WAF security addresses the most common pain-points for application security teams by providing visibility to traffic flows that match security rules.