Sunday, July 31, 2022

The Role of a Web Application Firewall (WAF) in Security


“A web application firewall (WAF) is a specific form of application firewall that filters, monitors, and blocks HTTP traffic to and from a web service.” -Wikipedia


According to the PCI DSS Information Supplement for requirement 6.6, a WAF is defined as “a security policy enforcement point positioned between a web application and the client endpoint.”



A WAF is an application-layer firewall commonly used to protect web applications. It sits in front of the application and inspects the HTTP(S) traffic arriving from the internet, detecting and blocking malicious requests in real time. For the web environment of a user or a company it forms the outermost application-layer line of defence.



Types of WAFs


WAF functionality can be implemented in software or hardware, running in an appliance device, or in a typical server running a common operating system. It may be a stand-alone device or integrated into other network components.


Hardware WAF

This type of WAF ships as a hardware appliance deployed in the local network, alongside the web servers it protects. The appliance has its own dedicated computing resources and suits sites that handle heavy traffic.


Software WAF

A software WAF is normally installed in a virtual machine that the owner sets up and maintains. It is much cheaper and more flexible than a hardware WAF, but its throughput can be lower.


SaaS WAF

This type is operated by a cloud service provider, so there is no maintenance overhead for the customer: optimising, patching and managing the WAF are done by the provider. Ease of use and lower cost are its advantages. Note that traffic reaches the provider before it reaches the origin server (typically by pointing DNS at the provider), so the provider terminates TLS and sees the plaintext traffic, and the origin should accept connections only from the provider's address ranges; otherwise an attacker who learns the origin address simply bypasses the WAF by connecting to it directly.




Core Capabilities of WAF

These are must-have features that most WAFs support; commercial products offer many more advanced features on top.


Reverse proxy for intercepting the incoming traffic

This is the most crucial feature, which every WAF must support. Every incoming request to the server is first intercepted by the WAF, which works exactly like a reverse proxy: it terminates the client connection (including TLS, since otherwise the HTTPS payload cannot be inspected), examines the request and, if the request passes, forwards it to the backend.


Rule based logic, Parsing and signatures

Rules or policies specify what the WAF needs to look out for: specific patterns (signatures) in the parsed fields of an incoming request, such as the path, query parameters, headers or body. Each rule also carries the action to take on a match, typically block, log only, or rate-limit. Parsing and decoding the request before matching matters, because a signature applied to the raw byte stream misses anything the application will decode later.


Protection against OWASP top 10 security flaws 

At a minimum, a WAF must detect the attack classes in the OWASP Top 10. The OWASP Top 10 is a standard awareness document for developers and web application security; it represents a broad consensus about the most critical security risks to web applications. Note that the list names risk categories, not attack signatures: injection and cross-site scripting can be recognised in HTTP traffic, but categories such as insecure design, security misconfiguration or logging failures are not visible to a WAF at all.


[Picture courtesy:OWASP]

Configurable for covering new attacks

The WAF should be customisable for new types of attack: users should be able to add or adapt rules through simple configuration, so that coverage can be modified on demand without waiting for a vendor release.


Blocklists and Allowlists

The WAF supports both a negative security model (a blocklist: deny requests that match known-bad patterns and allow everything else) and a positive security model (an allowlist: permit only the endpoints, parameters and value formats that have been explicitly defined and deny everything else). The positive model also catches attacks nobody has written a signature for, but it has to be kept in step with the application.


Logs for data analysis

Logs help users debug rules and analyse the traffic stream, for example to find false positives before switching a rule from detect-only to blocking.
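The four capabilities above (reverse-proxy interception, rule-based signatures, positive and negative models, and logging) fit together in a small inspection pipeline. The following Python is an added example written for this page, not code from any WAF product: the rule ids, the regexes, the allowlist for /login and the sample requests are all assumed or constructed for illustration.

```python
import json
import re
import time
from urllib.parse import parse_qsl, unquote, urlsplit

# Negative security model: signatures for known-bad patterns in decoded fields.
# Rule ids and regexes are illustrative (assumed), not from any real ruleset.
SIGNATURES = [
    ("sqli-union", re.compile(r"\bunion\b.{0,20}\bselect\b", re.I)),
    ("sqli-tautology", re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+", re.I)),
    ("xss-script-tag", re.compile(r"<\s*script\b", re.I)),
    ("path-traversal", re.compile(r"\.\.[/\\]")),
]

# Positive security model: for covered paths only these parameters with these
# shapes are accepted; anything else is denied without needing a signature.
ALLOWLIST = {
    "/login": {
        "user": re.compile(r"^[a-z0-9_.@-]{1,64}$", re.I),
        "password": re.compile(r"^.{1,128}$", re.S),
    },
}


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, decoded path, decoded params and headers."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    params = dict(parse_qsl(url.query, keep_blank_values=True))  # percent- and plus-decoded
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params.update(parse_qsl(body.decode("latin-1"), keep_blank_values=True))
    return {"method": method, "path": unquote(url.path), "params": params, "headers": headers}


def inspect(req):
    """Return ("block", rule_id) or ("allow", None) for a parsed request."""
    allowed = ALLOWLIST.get(req["path"])
    if allowed is not None:                      # positive model first
        for name, value in req["params"].items():
            shape = allowed.get(name)
            if shape is None or not shape.match(value):
                return "block", "allowlist:%s:%s" % (req["path"], name)
    fields = [req["path"], *req["params"].values(),
              req["headers"].get("user-agent", ""), req["headers"].get("referer", "")]
    for rule_id, pattern in SIGNATURES:          # then negative model over decoded fields
        for field in fields:
            if pattern.search(field):
                return "block", rule_id
    return "allow", None


def log_record(req, decision, rule_id, client_ip):
    """One JSON line per request for later analysis; parameter values (passwords!) are never logged."""
    return json.dumps({
        "ts": round(time.time(), 3),
        "client": client_ip,
        "method": req["method"],
        "path": req["path"],
        "params": sorted(req["params"]),
        "decision": decision,
        "rule": rule_id,
    }, sort_keys=True)


def handle(raw, client_ip="203.0.113.5"):
    """What the reverse-proxy hook does per request: parse, decide, log, return the decision."""
    req = parse_request(raw)
    decision, rule_id = inspect(req)
    print(log_record(req, decision, rule_id, client_ip))
    return decision, rule_id


# Constructed sample traffic (not captured from any real system).
FORM = b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
SAMPLES = {
    "clean": b"GET /search?q=blue+shoes HTTP/1.1\r\nHost: shop.example\r\nUser-Agent: curl/8.0\r\n\r\n",
    "sqli_query": b"GET /search?q=1%27%20UNION%20SELECT%20password%20FROM%20users HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "traversal": b"GET /static/..%2F..%2Fetc%2Fpasswd HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "login_ok": b"POST /login HTTP/1.1\r\nHost: shop.example\r\n" + FORM + b"user=alice&password=hunter2",
    "login_extra_param": b"POST /login HTTP/1.1\r\nHost: shop.example\r\n" + FORM + b"user=alice&password=x&debug=1",
    "login_sqli": b"POST /login HTTP/1.1\r\nHost: shop.example\r\n" + FORM + b"user=alice&password=%27+or+%271%27%3D%271",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", handle(raw))
```

The allowlist rejects the unexpected `debug` parameter on /login without any signature, while the tautology in the password field passes the allowlist (any string up to 128 characters is a valid password) and is caught by the negative model; the log line records parameter names and the triggered rule but never the values.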




Advanced Features

There are many advanced features being offered by commercial WAFs to add value to their offerings. 


DDOS protection 

Protection against denial-of-service attacks at the HTTP layer, such as request floods and slow-request attacks. Volumetric attacks that saturate the network link are absorbed upstream, by the network or by a cloud provider's capacity, not by the WAF's rule engine.


UI Console

An intuitive dashboard for viewing statistics and other reports. It can also be used for quick data analysis.


Threat intelligence

Feeds of known-malicious sources (IP reputation, botnets) combined with machine-learning-based detection of suspicious activity. The aim is to recognise the latest attack strategies from their patterns rather than relying on static signatures alone.


Failover protection

Because a WAF sits in the request path, it can become a bottleneck and a single point of failure for the whole ecosystem; this feature ensures high availability by detecting a crash and bringing up a new WAF instance. What happens in between is a policy decision that must be made explicitly: fail open keeps the site up but unprotected, fail closed keeps it protected but down.


High HTTP throughput

Fast assessment of a wide variety of risks, using distributed WAF instances, helps maintain good throughput.


Sensitive data protection 

This feature alerts on (or masks) responses that contain sensitive data such as payment card numbers; in other words, the WAF inspects outbound traffic as well as inbound.


Plugin to existing web servers

Certain web servers allow extensions that let users extend their capabilities. A WAF delivered as a server plugin (ModSecurity as an Apache or Nginx module is the classic example) keeps configuration uniform and easy.


Brute force attack prevention 

Brute-force protection defends against automated tools that make successive attempts (at passwords, tokens or session identifiers) to gain access. It is usually implemented as rate limiting per client and per target account, with a temporary block once a threshold is exceeded.
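As an added example (not from the original page or any product), the limiter below keys login attempts both by client address and by target account, so that one address trying many accounts (password spraying) and many addresses trying one account are both throttled; the limits and the sample timestamps are assumed.

```python
import time
from collections import defaultdict, deque


class AttemptLimiter:
    """Sliding-window limiter: after `limit` attempts within `window` seconds for a key,
    reject that key for `block_for` seconds. The defaults are illustrative, not a recommendation."""

    def __init__(self, limit=5, window=60.0, block_for=300.0):
        self.limit = limit
        self.window = window
        self.block_for = block_for
        self.attempts = defaultdict(deque)   # key -> timestamps of recent attempts
        self.blocked_until = {}              # key -> time at which the block expires

    def check(self, key, now=None):
        """Record one attempt for `key` and return True if it may proceed, False if throttled."""
        now = time.time() if now is None else now
        until = self.blocked_until.get(key)
        if until is not None:
            if now < until:
                return False
            del self.blocked_until[key]      # block expired, start counting afresh
        recent = self.attempts[key]
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()                 # drop attempts older than the window
        if len(recent) > self.limit:
            self.blocked_until[key] = now + self.block_for
            recent.clear()
            return False
        return True


def login_allowed(limiter, client_ip, username, now=None):
    """Both keys are always counted, so a rejected attempt still consumes budget on the other key.
    client_ip must be the real client address: behind another proxy, take it only from a
    trusted X-Forwarded-For header, otherwise the attacker chooses their own key."""
    ok_ip = limiter.check("ip:" + client_ip, now)
    ok_user = limiter.check("user:" + username.lower(), now)
    return ok_ip and ok_user


def simulate(timestamps, client_ip="198.51.100.7", username="alice", limiter=None):
    """Replay login attempts at the given (constructed) timestamps; return the decisions."""
    limiter = limiter or AttemptLimiter()
    return [login_allowed(limiter, client_ip, username, now=t) for t in timestamps]


if __name__ == "__main__":
    print(simulate([0, 1, 2, 3, 4, 5, 6, 305]))
```

With the defaults, six attempts inside a minute trip the block, the seventh is rejected without being counted, and the block lifts after five minutes; attempts spread twenty seconds apart never exceed five per window and are all allowed.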


Attack analysis

Helping users analyse attacks, for example by correlating blocked requests by source, target and triggered rule, adds high value to WAF offerings.


Continuous upgrades

WAFs must be upgraded continuously to tackle new attack types. Every year thousands of new attacks are detected; more than 3000 new vulnerabilities were discovered in 2021 alone.



Is a WAF a Silver Bullet?

A WAF can only detect attacks at the HTTP layer, not at other layers. At the network layer, for example, separate network firewalls and IPS (intrusion prevention systems) are needed.


In spite of the numerous features, enablers and detection techniques, there are various tools and techniques used to bypass WAFs today. Some of the known approaches attackers use are browser emulation (to defeat bot checks), obfuscation, alternative encodings, and modification of payload characters. Because WAF rules and policies are mostly regular expressions, attackers find inventive ways to reshape a payload so that the backend still interprets it while the regex no longer matches: double URL-encoding, inline comments as separators, unusual whitespace or case, or a difference between how the WAF and the application parse the same request. Automated tools speed up this search and help locate the weak spots in a given rule set. The practical counter is to canonicalise every field (decode, strip comments, normalise whitespace and case) before matching, exactly as the application will, and to accept that a rule set catches known payload shapes, not the vulnerability behind them.
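The following added example (not part of the original article) shows three of the evasions named above against a single regex signature, and the normalisation a WAF must apply before matching to defeat them. The signature, the payload values and the helper names are constructed for illustration; each value is what a query-string parameter looks like on the wire.

```python
import re
from urllib.parse import unquote, unquote_plus

# The kind of signature the text refers to: one regular expression over a request field.
UNION_SELECT = re.compile(r"union\s+select", re.I)


def naive_blocks(raw_value):
    """A WAF that percent-decodes exactly once and then matches: this is what gets bypassed."""
    return bool(UNION_SELECT.search(unquote(raw_value)))


def normalize(raw_value, max_rounds=3):
    """Canonicalise a query-string value the way the backend will see it, before matching."""
    v = raw_value
    for _ in range(max_rounds):                       # undo nested encodings (%2520 -> %20 -> ' ')
        decoded = unquote_plus(v)                     # '+' means space in query strings and form bodies
        if decoded == v:
            break
        v = decoded
    v = re.sub(r"/\*.*?\*/", " ", v, flags=re.S)      # SQL inline comments act as separators
    v = re.sub(r"[\s\x00-\x1f]+", " ", v)             # collapse any whitespace/control run to one space
    return v.lower()


def hardened_blocks(raw_value):
    """Same signature, applied to the canonical form instead of the raw value."""
    return bool(UNION_SELECT.search(normalize(raw_value)))


# Constructed wire-level values of a query parameter (not real captured traffic).
PAYLOADS = {
    "plain":          "1%20UNION%20SELECT%20password%20FROM%20users",
    "plus-separator": "1+UNION+SELECT+password+FROM+users",   # app decodes '+' as space, naive WAF does not
    "double-encoded": "1%2520UNION%2520SELECT%2520password",  # only reaches the DB if the app decodes twice
    "inline-comment": "1%20UNION/**/SELECT%20password",       # MySQL treats /**/ as whitespace
    "benign":         "blue+shoes+union+jack",
    "false-positive": "reunion+select+committee",             # harmless, but the regex has no word boundary
}


def compare():
    """Return {name: (naive_decision, hardened_decision)} over the constructed payloads."""
    return {name: (naive_blocks(v), hardened_blocks(v)) for name, v in PAYLOADS.items()}


if __name__ == "__main__":
    for name, (naive, hardened) in compare().items():
        print("%-15s naive=%-5s hardened=%s" % (name, naive, hardened))
```

Normalisation closes the three evasions, but the last entry shows the cost: once the WAF sees the same text the backend sees, a loose signature also blocks an innocent search for "reunion select committee". Tightening the regex, keeping a detect-only phase to find such false positives, and fixing the injection flaw in the application with parameterised queries are all part of the answer; the signature alone never is.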



Conclusion

A WAF is not a silver bullet, and attackers continuously find new ways to get past its protection. One cannot relax just by introducing a WAF into the infrastructure. The protection process never ends, because attackers find new ways to break in every day. It requires continuous effort to stay up to date on the latest security vulnerabilities and to upgrade the system accordingly, and above all to fix the vulnerabilities in the application itself, since the WAF only filters the traffic that reaches them.