Web Application Firewall
What is WAF?
A web application firewall, or WAF, is a security measure that applies rule sets to help protect a web application from attack. The WAF monitors, filters, and blocks unwanted HTTP traffic going to and from the web application. Commonly, a WAF is used to protect against attacks such as cross-site scripting and SQL injection, but it can also be used to protect against illegal resource access, session hijacking, and similar threats.
How does it work?
A WAF will examine both the GET and POST requests to and from your origin server. Based on the rules that are configured, the firewall distinguishes between legitimate and illegitimate traffic. A web application firewall is also able to detect unusual behavioural patterns. For example, if an attack causes the web application to send back much larger responses than expected, a WAF can detect that abnormality and notify someone that there is an issue.
Another, more widespread example of WAF use is its ability to distinguish between spam and legitimate comments on a blog by monitoring for particular keywords. Matching comments are flagged as spam and discarded before they reach the comment section of your website.
As these examples show, a WAF is simply an intermediary between the web application and the client. It can be thought of as a guard for your web application that helps to monitor traffic and block threats.
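To make the behaviour described above concrete, here is an added example (not code from the original article or from any WAF vendor) of the inspection step a WAF performs: it parses a raw HTTP request, checks every decoded parameter against a small set of signature rules, applies the blog-comment keyword rule, and flags a response whose size is far above the learned baseline. The rules, keywords and sample requests are all constructed for illustration and are far smaller than a real rule set.

```python
"""Minimal rule-based WAF inspection (constructed example): parse a raw HTTP
request, match it against signature rules, and flag anomalous response sizes."""
import re
import statistics
from urllib.parse import parse_qs, unquote

# Constructed signature rules (illustrative only, not a production rule set).
# Each rule is applied to every decoded parameter value in the request.
SIGNATURE_RULES = [
    ("sqli_tautology", re.compile(r"(?i)'\s*or\s+['\d]+\s*=\s*['\d]+")),
    ("sqli_comment", re.compile(r"--\s*$|/\*.*\*/")),
    ("xss_script_tag", re.compile(r"(?i)<\s*script\b")),
    ("xss_event_handler", re.compile(r"(?i)\bon(load|error|click|mouseover)\s*=")),
]

# Constructed keyword list for the blog-comment spam rule from the article.
SPAM_KEYWORDS = ("buy now", "free pills", "casino bonus")


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into method, path, headers and parameters.

    Query-string parameters and form-encoded POST body parameters are merged,
    because a WAF must inspect both (the article's GET and POST cases)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    path, _, query = target.partition("?")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    params = dict(parse_qs(query, keep_blank_values=True))
    ctype = headers.get("content-type", "")
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        for k, v in parse_qs(body.decode("latin-1"), keep_blank_values=True).items():
            params.setdefault(k, []).extend(v)
    return {"method": method, "path": path, "headers": headers, "params": params}


def inspect_request(req: dict) -> list:
    """Return the names of every rule the request triggers (empty list = allow)."""
    hits = []
    for name, values in req["params"].items():
        for value in values:
            decoded = unquote(value)  # second decode catches double-encoded values
            for rule_name, pattern in SIGNATURE_RULES:
                if pattern.search(decoded):
                    hits.append(f"{rule_name}:{name}")
    comment = " ".join(req["params"].get("comment", [])).lower()
    if any(kw in comment for kw in SPAM_KEYWORDS):
        hits.append("spam_comment")
    return hits


def response_is_anomalous(baseline_sizes: list, size: int, factor: float = 3.0) -> bool:
    """Flag a response body that is much larger than the median of past sizes.

    With fewer than five observations there is no baseline, so nothing is flagged."""
    if len(baseline_sizes) < 5:
        return False
    return size > factor * statistics.median(baseline_sizes)


if __name__ == "__main__":
    # Constructed sample traffic.
    probe = b"GET /search?q=%27+OR+1%3D1 HTTP/1.1\r\nHost: shop.example.test\r\n\r\n"
    spam = (b"POST /comment HTTP/1.1\r\nHost: blog.example.test\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
            b"author=bob&comment=Buy+now+for+a+casino+bonus")
    for raw in (probe, spam):
        print(parse_request(raw)["path"], "->", inspect_request(parse_request(raw)) or "allow")
    print("anomalous:", response_is_anomalous([1200, 1350, 1100, 1280, 1220], 48000))
```

A real WAF does the same three things at far greater scale: normalise the request so encodings cannot hide a payload, evaluate rules per parameter rather than on the raw string, and keep per-endpoint response baselines so that an unexpectedly large reply is noticed and reported.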
How does a WAF differ from an IPS?
An IPS, or intrusion prevention system, is similar to a WAF in that it monitors network traffic for abnormalities. It can log, alert, and react when it finds a potential threat in packet data. The main difference between a WAF and an IPS is that a web application firewall can analyze Layer 7 web application logic, whereas an IPS cannot.
According to InfoSec aXioms, in order to distinguish a WAF from other security solutions, it should have the following capabilities:
- Deep understanding of HTTP: Having the ability to dissect the various parts of the HTTP protocol (parameters, headers, etc) is required for a WAF to effectively perform its tasks.
- Ability to whitelist: In the case that an attack cannot be detected using signatures, having the ability to whitelist allows the WAF to let traffic through that it knows to be valid.
- Session protection: A WAF should work hand-in-hand with the application's session management and protect from session-based attacks.
- Application layer rules: A WAF should also be capable of being signature based in order to apply application layer rules. These rules should be generic and able to detect variants of attacks.
- Allow exceptions: It should be possible to apply exceptions to specific parts of the application, so that false positives can be handled without opening security gaps.
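The capabilities listed above fit together as one evaluation order, shown here in an added example that is not part of the article or of any product: session protection first (the session identifier is bound to the client address it was issued to), then a positive allowlist of which parameters each path may carry and what shape their values must have, then generic signature rules, with an exception table that disables a named rule for one path and parameter only. The allowlist, signatures, exception, session table and addresses are all constructed for illustration.

```python
"""Allowlist, session binding and narrow exceptions as one WAF decision
(constructed example; all tables below are illustrative)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed positive model: per path, the permitted parameters and the shape
# each value must fully match. Anything not listed is rejected.
ALLOWLIST = {
    "/login": {"user": re.compile(r"[a-z0-9_.]{1,32}"), "pw": re.compile(r".{8,128}")},
    "/post": {"id": re.compile(r"\d{1,10}")},
    "/editor/save": {"id": re.compile(r"\d{1,10}"), "html": re.compile(r"[\s\S]{0,20000}")},
}

# Constructed generic application-layer signatures (searched, not full-matched).
SIGNATURES = {
    "xss_tag": re.compile(r"(?i)<\s*(script|iframe|img)\b"),
    "path_traversal": re.compile(r"\.\./"),
}

# Constructed exception: the rich-text editor legitimately submits HTML in one
# field, so xss_tag is disabled for that single (path, parameter) pair instead
# of being switched off globally, which would open a gap on every other page.
EXCEPTIONS = {("/editor/save", "html"): {"xss_tag"}}

# Constructed session table: session id -> client address it was issued to.
SESSION_TABLE = {"sess-abc123": "203.0.113.10"}


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def evaluate(path: str, params: dict, client_ip: str,
             session_id: Optional[str] = None) -> Decision:
    """Apply session protection, allowlist and signatures; return the verdict."""
    reasons = []

    # 1. Session protection: a known session presented from a different
    #    address than it was issued to is treated as a hijack attempt.
    if session_id is not None:
        bound_ip = SESSION_TABLE.get(session_id)
        if bound_ip is None:
            reasons.append("unknown_session")
        elif bound_ip != client_ip:
            reasons.append("session_ip_mismatch")

    # 2. Positive model: unknown paths, unexpected parameters and badly
    #    shaped values are rejected even if no signature matches.
    schema = ALLOWLIST.get(path)
    if schema is None:
        reasons.append("path_not_allowlisted")
    else:
        for name, value in params.items():
            pattern = schema.get(name)
            if pattern is None:
                reasons.append(f"unexpected_param:{name}")
            elif not pattern.fullmatch(value):
                reasons.append(f"bad_shape:{name}")

    # 3. Generic signatures, minus any exception scoped to this path+parameter.
    for name, value in params.items():
        disabled = EXCEPTIONS.get((path, name), set())
        for sig_name, pattern in SIGNATURES.items():
            if sig_name not in disabled and pattern.search(value):
                reasons.append(f"{sig_name}:{name}")

    return Decision(allowed=not reasons, reasons=reasons)


if __name__ == "__main__":
    print(evaluate("/login", {"user": "alice", "pw": "hunter2hunter2"}, "203.0.113.10"))
    print(evaluate("/editor/save", {"id": "7", "html": "<img src=a.png>"},
                   "203.0.113.10", "sess-abc123"))
    print(evaluate("/post", {"id": "7", "html": "<img src=a.png>"}, "203.0.113.10"))
    print(evaluate("/post", {"id": "7"}, "198.51.100.5", "sess-abc123"))
```

The point of the exception table is its key: because the exception is scoped to a path and a parameter name, the same `<img>` markup that is accepted in the editor's `html` field is still rejected everywhere else, both by the allowlist (the parameter is not expected there) and by the signature.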
Distributed vs cloud-based web application firewall
There are two distinct forms of web application firewalls, distributed and cloud-based.
A distributed web application firewall (dWAF) is completely software-based and designed as separate components that can be placed in various areas of a network. This reduces the load on any single appliance, as the work is spread across the network. This type of WAF is desirable for larger virtualized infrastructure cloud models.
The better-known cloud-based WAF differs from a dWAF in that it does not require any software to be installed and is platform-agnostic. Most cloud-based WAF providers require a DNS change on your end so that website traffic is directed through the WAF for inspection. This approach is ideal for small to medium-sized websites and cloud-based web applications.
A few examples of companies that provide cloud-based web application firewall services include:
As discussed in previous articles, web attacks such as DDoS and the others mentioned in this article are quite prevalent today. Using a web application firewall can greatly reduce the number of attacks that breach your web application, while also giving you peace of mind that your application is more secure.