Commonly abbreviated as WAF, a web application firewall is used to filter, block, or monitor inbound and outbound web application HTTP traffic. Compared to intrusion detection systems (IDS/IPS), WAFs have a strong focus on the application traffic and have the ability to provide deep data flow analysis. When IDS/IPS serve as gatekeepers of all network traffic, WAF is only looking for attacks that come from applications, monitoring mostly the HTTP/HTTPS protocol. WAFs inspect the traffic as it comes and goes, preventing common attacks that arise from application code vulnerabilities (cross-site scripting (XSS), SQL injection, etc.).
For better understanding WAF, one thing you need to know is the nature of the modern network attacks. Most of the successful ones were performed when attackers managed to find a vulnerability in the code and use it to make malware look like a part of application traffic. As the web applications grow in complexity, the need for systems that can decode and analyze HTTP/HTTPS traffic specifically using the wide specter of parameters and behavioral patterns grow. WAF is meant to recognize “healthy” application traffic, pay attention to the weakest points and even help to perform web application security tests, find vulnerabilities in code and patch them on the firewall level. Since WAF precisely monitors the application traffic, it also serves as a tool for load balancing and keep-alive optimization.
Another strong benefit of using WAF is having protection against zero-day exploits: newborn malware which is not detected by any known behavior analysis. It is the most dangerous and popular type of threat that traditional security measures are not equipped to mitigate or prevent.
How do web application firewalls work?
Web application firewalls are designed to be placed on the application layer, acting as a two-way gatekeeper, and analyzes the HTTP/HTTPS traffic going in and leaving the application; the WAF will then take action whenever it detects malicious traffic. A benefit of WAFs is that they function independently from the application, but can constantly adjust to application behavior changes. That way introducing a new feature in the application will not result in thousands of false positive detections that would have been caused by a new application of data flows.
A WAF can be placed on a dedicated physical server and although it is often thought of as a stand-alone application, it can also be integrated with other networking components. WAF can be set to different levels of scrutiny, usually on a scale from low to high, and this allows the WAF to provide better levels of security and mitigation for the web application depending on your needs. There is also regulatory standards for WAFs, such as the Payment Card Industry Data Security Standard (PCI DSS) or the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Analyzing requests and applying filter rules
WAFs use rules and policies to analyze any traffic or requests that contact the web application, make a determination if the traffic is “healthy,” and then either approve or deny the malicious traffic flow. Rules and policies are essentially guidelines created to help the WAF make an educated decision; these rules and policies function at a higher level than typical firewall rules and exceptions.
WAFs use layers of filters when analyzing traffic, often checking for 0-day attacks automatically, client-side attacks, bot attacks (e.g. DDoS attacks), hidden virus files, and web application vulnerabilities. Most advanced WAFs can decode and analyze HTTPS traffic, XML, JSON, and other popular data transfer formats. It helps them to stop evasion techniques that are meant to go around the firewall, like HPP (HTTP Parameter Pollution), Verb Tampering and other ones.
Types of web application firewalls
Network-based web application firewall
Network-based web application firewalls (NWAF) are traditionally hardware based and provide latency reduction benefits due to the local installation; this means the NWAF is installed close to the application server and is easy to access. Additionally, NWAFs provide rule and setting replication in many instances, which means that deployment across medium or large-scale organizations is feasible; cost is usually the most significant drawback.
Host-based web application firewall
Host-based web application firewalls (HWAF) exist as modules for a web-server. It is a significantly cheaper solution compared to hardware-based WAFs, which are meant for small web-applications. Most of the software WAFs are made to be easily integrated with popular web servers. However, since host-based WAF will drain your application server resources, that can result in performance problems. Also keep in mind that some types of web server attacks can go around WAF and disable its functions “from inside” – for example, when a malicious file was injected on the server directly through unsecured file transfer channels.
Cloud-based web application firewall
Cloud-based web application firewalls provide similar benefits as other software-based WAF solutions, such as the low cost and the lack of on-premises resources that you must manage. Cloud-based solutions are an excellent choice when you don’t want to limit yourself with performance capabilities or are aiming to avoid a system that requires maintenance. Cloud service providers can offer unlimited hardware pool with competent setup and support. But at some point, the service fees might grow pretty steep or you will reach the point when you need a powerful custom solution based on your physical appliance.
Blacklist WAF vs. whitelist WAF vs. hybrid WAF
WAFs can operate under different models, including blacklist (negative security), whitelist (positive security), and hybrid security models.
The blacklist model works by protecting the web application from known attacks or specific signatures; this prevents attacks that exploit these known issues or vulnerabilities. The drawback to this model is that all previous types of blacklists became outdated the moment it was created because of the high percentage of zero-day attacks.
The whitelist model uses signatures as well but also employs logical decision making and permits traffic that meets specific criteria; this means that requests may be allowed from specific URLs and blocked from all others. The weak point of this model is the additional maintenance that is needed every time you introduce a new application feature. You will probably need to tune the WAF core rules to mark the new application behavior as “healthy” and expand a whitelist.
The hybrid model, as the name implies, utilizes both the blacklist and whitelist models.
Web application firewall vs. network firewall
Choosing between a network firewall and a web application firewall can seem confusing, but there are clear differences between the two. It is important to understand how each type of firewall impacts security and usability in different ways.
Network firewall applications are used to control all the access to local network resources, acting as a gatekeeper between the local network and the Internet. Network firewalls have rules in place that are used to determine which web traffic is allowed. Similar to the WAF, these security solutions can come in hardware or software form.
As discussed above, web application firewalls are designed to monitor the traffic going into or coming out of a web app; the illegitimate traffic is inspected individually and then filtered based on whether that traffic is considered harmful or not. With the variable nature of WAFs and the different configurations that can be employed, they are often popular with organizations that provide internet-based services.
Web application firewall vs. intrusion prevention system (IPS)
Web application firewalls and intrusion prevention systems both serve important purposes of digital security; each serves different purposes when it comes to protecting digital assets.
IPS solutions are not designed to have an understanding of the underlying application, which means it is not designed to look for anything that is classified as an attack against the web application; the attack must trigger specific parameters to trigger a response. The WAF, on the other hand, is designed to detect and prevent different attack styles against a web application, but they do not just purely review all the traffic that occurs like an IPS.
Any organization that already has an IPS should consider implementing a WAF to complement the security solution.
Web application firewall benefits and concluding thoughts
Web application firewalls provide an intelligent response, based on web security settings, to potential threats that can impact your network. WAFs are designed to help protect your network from potential threats that have yet to be identified, which means that implementing this solution can protect your organization from 0-day threats, security vulnerabilities, SQL injections, cross-site scripting attacks, and other types of threats.
Well-developed WAFs also engage in mitigation actions when bot attacks or excessive traffic events occur. WAF will keep “clean” application traffic while simultaneously defending all the malicious data flows.
Maximize innovation with PT AF
The Positive Technologies application firewall (PT AF) maximizes innovation for your security needs, providing protection that dramatically exceeds standard WAFs. The PT AF utilizes machine learning to proactively protect web applications from a variety of attacks, both expected and unexpected. Through continuous updates based on security research and logical analysis of attack attempts, the PT AF responds to and mitigates 0-day attacks, DDoS attempts, XSS attacks, and other vulnerabilities and weaknesses that may exist. Additionally, the PT AF uses the automated creation of virtual patches to address identified vulnerabilities without user intervention; this allows the PT AF to respond to threats quickly and efficiently without human interaction or intervention. PT AF is designed with over 15 years of in-depth security research. The culmination of this research provides top of the line security response, and it is constantly updated by Positive Technologies to make sure that new threats are integrated to give the firewall more countermeasures and threat detection standards.