Web Application Firewall

What is a Web Application Firewall?

A Web Application Firewall (WAF) protects web applications from threats like SQL injection, cross-site scripting, parameter or URL tampering, and session hijacking. It does this by monitoring HTTP traffic (at Layer 7) before it reaches the web application and only allowing through valid requests as determined by a set of rules. A WAF is aware of the context of requests and responses to the application, whereas an IPS monitors the packet flow, inspects protocols, and searches for known attacks at the packet level.
Web Application Firewall in a Network

Why do I need a Web Application Firewall?

Many threats to web applications exploit the fact that they are considered as valid traffic. A WAF can detect unknown attacks by watching for unusual or non-standard traffic (typically defined in a security policy). WAF’s should be used together with other protection products such as IPS and URL filtering.

Web Application Firewalls help to address some of the security issues that could otherwise jeopardise PCI Compliance for web sites that handle financial transactions. More generally, they help protect a web site from infections that could lead to search engine black listing, or attacks that could lead to information leakage.

What can a WAF do that an ordinary firewall cannot do?

The WAF is able to follow the data flow, for example validating user input per a specific web form.
The IPS on the other hand, does not really understand that the web form should be submitted using POST and that only numbers are supposed to be considered valid user input; or the IPS cannot proactively mitigate Cross-site Request Forgery vulnerabilities.

What kind of web application attacks are there?

The following tactics are often used to attack web applications:

  • SQL Injection
  • Cross Site Scripting
  • Session Hijacking
  • https://evergreenoak.se/wp-admin/edit.php?post_type=page

  • Parameter or URL Tampering
  • Remote Command Execution
  • Path Traversal

What can I do to protect my web applications from attacks?

  • Fix code
  • Virtual Patching
  • Web Application Hardening
  • Web Server Hardening
  • HTTP Protocol Validation

How does a WAF protect web applications?

A WAF monitors traffic intended for the application, analyses it, and passes on approved / correct requests.

What factors should I consider when selecting a WAF?

  • Very low % of false positives
  • Vulnerability / attack protection
  • How easy is it to setup and configure
  • Out-of-the-box effectiveness
  • Ease of ongoing administration and fine tuning
  • Session protection
  • Software versus hardware
  • Reverse-proxy architecture
  • How does it fit into my overall security scheme?
  • Support for scalability and fail-over (high availability)

What are the advantages of a WAF that acts as a Reverse-Proxy?

  • It creates a protocol break
  • Provides infrastructure masking
  • Able to support pooling mode and Multi-DMZ
  • Provides termination for SSL tunnels
  • Able to provide caching and compression

Further Reading