An often-overlooked element of security is the Web Application Firewall (WAF), especially in cloud computing. In this article, I explain what a WAF does, the different kinds of WAF, and I discuss why you should deploy one or more WAFs in your architecture.
A Web Application Firewall, often referred to as a WAF, is a special kind of firewall that inspects and filters network traffic to web applications. A web application can come in many forms, but it typically is something that presents itself as an HTTP or HTTPS service that is accessed, either on private networks or the Internet, by remote clients. Some examples might include:
There are many ways that malicious actors start attacks on organizations, like:
The job of a WAF is to deal with that last attack vector, which is the one we often think of when we consider IT security. But it’s the vector that many organizations might not protect appropriately.
A Web Application Firewall sits between client devices, like an end user’s PC, and the web application that they want to use (or attack). The WAF is presented to clients in a way that is either transparent or appears to be the actual web server. When a request is made by the client, or the client sends data to the web application, the WAF will be one of the first appliances to see the packets as they enter the network.
The WAF will inspect the traffic. If the request is rated as OK, then it is relayed to the backend web servers. If the request is rated as an attack, then it is acted on in some way, depending on the type of WAF and the options provided by the manufacturer. Typically:
Online services aren’t limited just to e-commerce. E-commerce is bigger than ever and is a juicy target for bad actors. Cloud Computing has become the new norm for many organizations, opening up new opportunities.
Organizations can integrate through the use of cloud-native applications that offer APIs that are presented on the Internet. An event in one organization can be relayed to others through webhooks sent to an HTTPS listener that is shared on the Internet by another organization.
TLS-encrypted (what is often called “SSL”) access to the APIs of cloud-native applications is more agile than sending messages across the VPNs or leased lines of 20 years ago – developers in different organizations can react to the needs of their respective employers and create mutually profitable partnerships without waiting months for a private network connection to be created.
Cloud migration is opening up new ways to share internal services with employees too. Once upon a time, all services needed to be accessed from an office with a wired connection or via a VPN client. Privacy can be achieved through the use of a TLS-encrypted connection to a web application over the Internet. Any web application can be securely and privately shared with employees no matter where they are: head office, a remote branch office, on the road, or working from home.
The need to backhaul client connections to the head office and route them to the server is gone. Performance can be improved, through lower latency, and complexity can be removed by simply allowing clients to connect to modern HTTPS services over the Internet.
The Internet was designed to be resilient. If one route dies, another route can be found – that’s not always strictly true but that’s the theory behind the military origin of the Internet. HTTP or HTTPS handles latency over the Internet better than legacy client/server protocols, making web applications a perfect fit for modern design.
You can understand why the use of web applications has exploded when you consider the benefits of their use. The increased use of web applications requires that we consider suitable protection for this growing attack vector.
The heart of network security is usually a firewall appliance or firewall. The firewall is perfect for dealing with filtering and dealing with general network traffic but it is a generalist that inspects traffic lower in the stack, focusing mostly (but not exclusively) on transport protocols such as TCP, UDP, and ICMP.
The Web Application Firewall is designed to handle one thing: traffic destined for web applications. The WAF understands requests at the application layer (HTTP or HTTPS). The WAF is designed to defend against the misuse of HTTP/HTTPS.
Many networks will include a WAF and a firewall. An example of this scenario might be where:
The specialized role of the Web Application Firewall requires it to provide several essential features.
The primary purpose of the Web Application Firewall is to protect web services from online attacks. Other attacks on the network will come via different vectors that should be protected against using methods such as a network firewall, anti-malware, identity protection, processes, education/awareness, and more.
A malicious actor tries to use the features of HTTP/HTTPS protocol and the web application against the intended victim. These kinds of attacks might include:
An essential task of any firewall is to enable monitoring and logging. The Web Application Firewall, whether it is physical or virtual, on-premises or cloud-based, has some finite throughput capacity. Monitoring the WAF is essential to manage performance.
For example, a WAF might need to have more capacity during a period of abnormally high traffic, such as Black Friday. Without monitoring, one will not understand the demand for resources before the event and be unable to plan capacity availability. During the event, monitoring will ensure that planning was correct or that additional capacity must be provided to avoid loss of service availability, reputation damage, or profitability.
Logs provide a history of requests that pass through the Web Application Firewall and the ability to inspect traffic. This kind of data is essential in troubleshooting. One of the things to consider with a WAF is that it can create “false positives”, incorrectly blocking traffic that the WAF thought was malicious. Logs can assist with determining why the traffic was blocked and allow for remediations to be made either in the WAF or the web application to prevent repeat mistakes.
The WAF is the first (and maybe the only) entry point to the network for many applications. This entry point can be a tripwire for other security systems. Data from these logs can a part of incident detection and unified incident investigations when combined with data from other security systems through the use of a Security Information and Event Management (SIEM) system.
Network traffic analysis uses several tools to inspect live and previous traffic using machine learning and behavioral analysis. Threats can be detected live on the network using an intelligent system that is not based on a set of rigid one-size-fits-all rules.
Application profiling is a feature that learns the typical usage of an application. For example, a data entry field might typically contain a certain type of text. An attacker tries to find vulnerabilities by doing the unexpected, such as placing a complex set of characters into a data field to launch a Bash shell on a Linux machine. Application profiling will understand that this attempt is unusual and block it from ever reaching the web server.
The performance of a web application, particularly one used directly by humans, can have a direct impact on the further use of that site by the client. If an e-commerce site is slow, the customer will go elsewhere. The use of a Content Delivery Network (CDN) places much of the content of a web application in a series of globally dispersed caches that are closer to the client. When a client opens a site with lots of images, then the images are loaded from the local cache instead of being downloaded from a distant web server.
Performance can also impact the service provider. If a media-rich site is receiving a lot of traffic, there can be a need to deploy more web servers. The media can instead be cached in a CDN, allowing the service provider to run fewer web servers and reduce infrastructure costs.
Four kinds of Web Application Firewall might be used.
A Web Application Firewall acts as a security barrier between the client and the webserver to protect against attacks such as SQL Injection or Cross Site Scripting by inspecting the application layer and blocking suspected malicious traffic.
WAAP extends the concept of a Web Application Firewall by building in additional features such as:
Protections are placed in the application instead of at the network edge. One advantage of this method is that the protection systems can monitor the code of the web application. A second advantage is that the protections know the code of the web application and reduce the risk of false positives. However, the protections are at the heart of the web application and not at the network edge and require developers that are skilled in application security.
This is a form of inspection at the network layer that analyses the patterns of traffic passing through the appliance. Much like anti-malware, a frequently updated database describes malicious patterns and these are used to prevent attacks as they happen. IPS is typically a feature of the (network) firewall that brings additional value to the application layer inspection provided by the WAF/WAAP.
A WAF is deployed at the “network edge” but the method of that deployment can vary.
The network-based WAF is deployed on the same network (or collection of networks) as the web application(s) that it protects. The WAF might be in the network core (or hub) or the same subnet/virtual network as the web application.
The WAF is an appliance of some kind with a finite set of instances. Each instance has a finite capacity for CPU, memory and throughput, that affects the scalability of the web application. Capacity can be expanded or reduced based on the demand of the web application.
An advantage of the network-based WAF is that it is at the actual entry point to the network; there is no way to avoid it as an attacker.
A cloud-based WAF is an offering that is provided by a third-party service provider. The DNS names for the web application redirect clients to the cloud-based WAF. The cloud-based WAF will relay permitted traffic to the web application that is hosted elsewhere.
The big advantage of a cloud-Based WAF is that the protection is outside of your network. As a SaaS solution, it means that there is less maintenance for the web application operator to handle. Often, the cloud-based WAF is combined with a CDN, combining security and performance enhancements.
Unlike the other options, the host-based WAF is placed on the web server(s) offering the potential of RASP functionality. By being integrated with the web application, the WAF can truly understand the application. This can mean that protections are uniquely tuned to the profile of the web application and that false positives should be reduced.
There are many players in the WAF market. This section will briefly describe some options.
The Azure WAF is a platform-as-a-service offering from Microsoft for customers of Azure. The Azure WAF falls into the category of WAAP, offering bot mitigation and application layer DDoS protection (with an additional Standard or per-IP protection plan) in addition to a collection of protections from a set of static OWASP rules.
The Azure WAF can be deployed as a network appliance by adding an additional paid-for add-on to the Azure Application Gateway. It can alternatively be deployed with Azure Front Door, which moves the network edge to one of over 170 edge data centers around the world to accelerate application performance by reducing latency and offering CDN functionality.
The Azure WAF can be managed through the Azure Portal and using infrastructure-as-code. It is deeply integrated into Azure Monitor for monitoring/alerting and, therefore, into Microsoft Sentinel (SIEM).
AWS Web Application Firewall is a WAF offering provided by Amazon Web Services (AWS). Users can define custom inspection rules for the attributes of incoming requests, including headers, body content, and URI parameters.
The AWS WAF can be deployed in combination with Amazon CloudFront, Application Load Balancer, and API Gateway. This makes it easy to deploy and able to provide WAF protections across distributed architectures.
AWS CloudWatch provides monitoring of real-time activity and security events.
A WAF can be a complex appliance to manage. A set of pre-built rules attempt to protect the web application, but many application-layer protections have difficulties in discerning between correct and malicious usage. For example, a webhook sent to a listener is easily confused with a SQL injection attack by a rule that expects the number of special characters in a request to be low.
The Fortra Managed WAF is a solution where Fortra deploys, configures, and manages your WAF. The advantage is that developers can focus on coding and security operators can concentrate on dealing with incidents. The complex tasks of configuring a WAF to protect the organization, without shutting down services, are handled by teams of experts.
Built-in defenses include OWASP Top 10, URL tampering, web scraping, buffer overflow attacks, Zero-Day web application threats, and DoS attacks. Behavioral analytics is also used in addition to rules-based protection.
Cloudflare is a well-known service provider in the market for accelerating application performance through a large network of globally dispersed data centers. WAF functionality is provided by a rules-based engine that is boosted by a threat intelligence system using data from millions of websites.
DDoS protection is provided and unmetered – using a third-party cloud for DDoS protection isolates the attacker from your network(s). Some form of bot mitigation is provided depending on the plan that you subscribe to.
Open source solutions will be a primary choice for certain segments that favor free software and open inspection of source code. Some WAF solutions are available as open-source solutions. Some of the options include:
If an organization is going to run web applications with an online presence, then it must use a WAF to protect those and other assets. There are many WAF options on the market so one must know what essential features to look for.
Rules are used by a WAF to measure the risk of requests to web applications. A rule may be written for an ideal world, but not all rules are suitable and can lead to false positives, which result in failed requests.
Customization should be possible to override the rule. However, overrides should be granular when necessary – i.e. associated with a web application or a specific URI or even a part of a request for a URI.
Modern applications are designed to be elastic, taking advantage of cloud scalability and pay-as-you-go consumption models. As demand for a web application grows/shrinks, the WAF must also be able to grow/shrink.
But scalability must also be present at a global level – enabling a web application to be secured closer to the client and allow for a faster user experience.
It should be possible to have a choice of where to deploy the WAF:
Ideally, there should be a similar set of features and operating experience across the different deployment scenarios.
Fortra’s Alert Logic delivers a competitively priced, versatile, enterprise-level, and cloud-ready WAF that comes with a team of experts to eliminate the complexity for you. Managed services experts handle installation and deployment through to configuration, ensuring that the WAF is ready to block threats against your critical web applications.
Features of the WAF-as-a-service include:
Businesses need to distinguish the good traffic from the bad in real-time, and accurately. Fortra’s Alert Logic lets you focus on service development and delivery while Fortra manages your WAF security.