Does your company use web applications? Then a Web Application Firewall (WAF) is an essential tool for protecting your business. After all, the volume and complexity of cyberattacks against this kind of application have never been higher, and with all the sensitive data that may be stored in them, security is essential.
The network firewall you already use plays a vital role in your defense, but it decides on addresses, ports, protocols and connection state and never looks inside an HTTP request, so it is blind to attacks against the application layer. You need a tool designed to inspect that layer, like a WAF.
What is a Web Application Firewall?
A WAF is a firewall that protects web applications by inspecting and filtering HTTP and HTTPS traffic. It applies a set of rules to every request in real time so that attacks such as Cross-Site Scripting, SQL injection and application-layer (HTTP) floods are identified and mitigated before they reach your application.
Unlike a traditional firewall, which operates at the network and transport layers and allows or denies packets based on source and destination addresses, ports, protocol and, in a stateful firewall, the state of the connection, a WAF works on the content of the HTTP request itself: method, URL, headers, query string, cookies and body.
Therefore, the WAF does not replace a network firewall but complements it. For each request, the WAF evaluates in real time whether it matches known attack patterns, whether it deviates from the profile of legitimate traffic configured by the administrator, or both, and classifies it accordingly.
How Does a Web Application Firewall Work?
A WAF is deployed between the web application and the Internet, usually as a reverse proxy that terminates TLS so it can read the request. When a request crosses the network and transport layers (3 and 4) and reaches the application layer (7), the WAF, following its set of rules, filters the traffic and blocks requests that represent potential threats.
Imagine your application as a concert or a sporting event. To be admitted, participants must first go through access control, where they identify themselves, show their tickets, go through a metal detector, etc.
However, there’s a sector reserved for guests, and they must meet some criteria to gain access, otherwise their entry will be denied. Concerning web applications, when a user doesn’t meet the requirements that qualify them as legitimate, their request is blocked.
What Are the Implementation and Security Models for Existing WAFs?
A network-based web application firewall is usually a hardware appliance installed locally. Being on site gives it the lowest latency; however, it requires buying, maintaining and housing a physical device. A host-based WAF runs as software on the web server itself (for example as a web-server module or a local reverse proxy), which avoids the appliance but consumes the server's own resources and must be maintained with it.
A cloud-based WAF is delivered by service providers as a Security-as-a-Service (SECaaS) solution: the provider is responsible for managing all the resources, so the customer is only concerned with configuring and using it.
Many of the world's major web applications are already stored and executed in a cloud infrastructure, which leads cloud computing providers to offer WAF solutions in the SECaaS model, whose management can be done by a third party or by the customer.
Security models define how the web application firewall protects an application, whether in a positive, negative, or hybrid way.
Positive Security Model (Permission List)
The positive security model is characterized by the use of permission lists (allowlists). The WAF accepts only traffic that matches a pre-approved description of legitimate use: the permitted HTTP methods, URL paths, parameter names, value formats and lengths for each endpoint and, where it makes sense, a list of trusted IP addresses. Anything not explicitly allowed is denied, which gives strong protection against attacks nobody has seen yet, but it requires a carefully maintained profile of the application; an incomplete profile produces false positives.
Negative Security Model (Blocklists)
The negative security model is based on blocklists: the WAF lets traffic through by default and blocks requests that match known-bad patterns, such as attack signatures for SQL injection or XSS, and clients coming from IP addresses or ranges with a bad reputation. It is easy to deploy and produces few false positives, but it only stops what it already has a signature for.
Hybrid Security Model
The hybrid security model combines allowlists and blocklists and is the approach used by most WAF providers. You may also find solutions that support “grey lists,” which hold a client temporarily (for example, by serving it a challenge or rate-limiting it) after suspicious behaviour. Access is restored only once the traffic is confirmed to be legitimate and trustworthy.
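To make the rule-based filtering described under “How Does a Web Application Firewall Work?” and the three security models concrete, here is an added example (written for this page, not code from Azion or any WAF product) of a miniature request filter. The routes, parameter schemas and signatures are assumptions invented for the example, and the sample requests are constructed. The positive check allows only what the per-route allowlist describes, the negative check blocks only what a signature recognizes, and the hybrid class runs both and keeps a grey list that holds a recently blocked client for a few clean requests before trusting it again.

```python
import re
from dataclasses import dataclass


@dataclass
class Request:
    """Minimal view of an HTTP request; parameter values are already URL-decoded."""
    method: str
    path: str
    params: dict
    client_ip: str


# Positive model: for each (hypothetical) route, the only parameters a legitimate
# request may carry, the pattern each value must fully match, and its maximum length.
ALLOWLIST = {
    ("GET", "/search"): {"q": (r"[\w\s\-]+", 64), "page": (r"\d{1,3}", 3)},
    ("POST", "/login"): {"user": (r"[a-z0-9_.]+", 32), "password": (r".+", 128)},
}

# Negative model: signatures of known-bad input. Deliberately small; a real
# ruleset has hundreds of these and normalizes (decodes) input before matching.
SIGNATURES = [
    ("sqli", re.compile(r"(?i)\bunion\b.+\bselect\b|\bor\b\s+\d+\s*=\s*\d+|--(\s|$)")),
    ("xss", re.compile(r"(?i)<script\b|javascript:|\bon\w+\s*=")),
    ("traversal", re.compile(r"\.\./")),
]


def positive_check(req):
    """Allow only what the allowlist describes; everything else is blocked."""
    schema = ALLOWLIST.get((req.method, req.path))
    if schema is None:
        return ("block", "positive: route not in allowlist")
    for name, value in req.params.items():
        if name not in schema:
            return ("block", f"positive: unexpected parameter {name!r}")
        pattern, max_len = schema[name]
        if len(value) > max_len:
            return ("block", f"positive: {name!r} longer than {max_len}")
        if not re.fullmatch(pattern, value):
            return ("block", f"positive: {name!r} does not match allowed pattern")
    return ("allow", "positive: request matches allowlist")


def negative_check(req):
    """Block only what a signature recognizes; everything else is allowed."""
    for value in req.params.values():
        for label, signature in SIGNATURES:
            if signature.search(value):
                return ("block", f"negative: {label} signature matched")
    return ("allow", "negative: no signature matched")


class HybridWaf:
    """Hybrid model: positive check first, then negative check, plus a grey list
    that holds a client for `grey_ttl` further clean requests after any block."""

    def __init__(self, grey_ttl=2):
        self.grey_ttl = grey_ttl
        self.grey = {}  # client_ip -> clean requests still to be held

    def evaluate(self, req):
        for check in (positive_check, negative_check):
            decision, reason = check(req)
            if decision == "block":
                self.grey[req.client_ip] = self.grey_ttl
                return ("block", reason)
        held = self.grey.get(req.client_ip, 0)
        if held:
            # A clean request from a recently blocked client is not trusted yet:
            # answer with a challenge (CAPTCHA, JS check) instead of serving it.
            if held == 1:
                del self.grey[req.client_ip]
            else:
                self.grey[req.client_ip] = held - 1
            return ("challenge", "grey: client was blocked recently")
        return ("allow", "hybrid: passed positive and negative checks")


if __name__ == "__main__":
    waf = HybridWaf()
    for req in (  # constructed sample requests
        Request("GET", "/search", {"q": "blue shoes", "page": "2"}, "203.0.113.5"),
        Request("POST", "/login", {"user": "alice", "password": "x' OR 1=1 --"}, "203.0.113.9"),
        Request("GET", "/search", {"q": "shoes"}, "203.0.113.9"),
    ):
        print(req.method, req.path, waf.evaluate(req))
```

The login request shows why the two models are combined: its password field is free text, so the positive check cannot say anything useful about it and allows the request, while the SQL injection signature in the negative check catches it; a search with the same payload is rejected by the positive check alone because a quote and an equals sign are outside the allowed character set for `q`.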
What Kinds of Attacks Can a WAF Prevent?
OWASP Top 10
The OWASP (Open Web Application Security Project) initiative maintains a document popularly known as the “OWASP Top 10”, which “represents a broad consensus about the most critical security risks to web applications” and is “globally recognized by developers as the first step towards more secure coding”.
The OWASP list covers the attack vectors that account for the largest share of web security incidents, like SQL injection, Cross-Site Scripting (XSS) and XML External Entities (XXE). Therefore, a WAF's ability to mitigate the risks and threats in the OWASP Top 10 should be considered a baseline requirement.
Bot Attacks
Bot attacks are characterized by automation: they are programs written to carry out a diverse set of malicious activities, like credential stuffing leading to account takeover (ATO), API abuse, scraping and DDoS. Nowadays, sophisticated bots emulate human behaviour (real browsers, mouse movement, human-like timing) so well that it can be hard to tell whether an attack is happening at all.
Is your website protected against bad bots? We have a free report that can help you find the answer.
Zero-Day Attacks
Zero-day attacks exploit a vulnerability for which no fix is available yet, often before the vendor even knows about it. Log4Shell (CVE-2021-44228) illustrates the effect of a zero-day and its worldwide repercussions. After all, the longer a vulnerability stays unfixed, the greater the risk of suffering a potentially catastrophic attack.
Vulnerabilities don't pop into existence when they are discovered. Existing but still unknown vulnerabilities in your application, including the operating system it runs on and its third-party components, represent a risk that can turn into a zero-day attack.
Not every kind of WAF is capable of protecting your application in those situations. Since the vulnerability itself has no “signature” yet, a purely signature-based WAF will not stop the first wave of exploitation; only rules that describe what a legitimate request looks like, or that score anomalous input, have a chance of blocking an exploit nobody has written a signature for.
DDoS Attacks
As mentioned above, application-layer DDoS attacks are usually driven by bots, and telling legitimate requests apart from malicious ones is hard because each request looks valid on its own. The attacker's goal is to exhaust the web server's resources, either through sheer request volume (an HTTP flood) or by hammering endpoints that are expensive for the server to handle, such as search or login, until the service becomes unavailable.
Seven Questions to Ask Before Choosing a WAF Solution
1. What Are Its Capabilities and Functionalities?
Ask the vendor if the solution is capable of minimizing false positives, accurately distinguishing between humans and bots, blocking zero-day attacks and other complex threats, and how it does all that. Weigh it all when analyzing the options on the market.
2. Does It Have Automation Capabilities?
Automating as many security tasks as possible helps your team to be more productive and active in operations with a higher degree of criticality and complexity.
For the IT team as a whole, it is worth integrating the WAF rules into the CI/CD workflow, so that rules are versioned, tested and deployed alongside the application; this speeds up secure software delivery and strengthens the DevSecOps culture between teams.
3. Is It Compatible with Legacy Systems?
You must be sure you won’t have problems integrating the WAF with your legacy systems and infrastructure. Consider WAF solutions compatible with your existing computing model, systems, and infrastructure so they can meet your current and future needs.
4. Does It Offer Observability Features?
The WAF should be able to stream its logs and events to the analytics platforms your team already uses, such as a SIEM or a big-data/data-lake platform, so that the team can extract insights that improve its intelligence about threats. This enables data-driven threat hunting, automated incident response and more meaningful security audits.
5. Which Method Is Used for Threat Detection?
Another point of concern is the method used to detect threats. A signature-based WAF can only block what it already has a signature for, so it struggles with zero-day threats and with new encodings of known attacks. Scoring-based (anomaly) detection does not depend on a prior signature: it accumulates evidence from many weaker indicators, such as traffic anomalies and suspicious behaviour from your users, and blocks when the total crosses a threshold, which lets it flag attack vectors it has never seen before. It is not immune to error, though: the threshold and weights must be tuned to your application to keep false positives down.
6. Does It Simplify Compliance?
Custom rule sets are essential for organizations that must meet compliance requirements. That's why it's crucial to check whether the solution meets your business needs and whether the supplier itself complies with internationally recognized security standards such as PCI DSS and SOC 2.
7. Does It Block “WAF Bypass” Attacks?
In December 2022, the Claroty Team82 research group presented a generic technique for bypassing the WAFs of several popular vendors: adding JSON syntax to SQL injection payloads, which the WAFs' SQL parsers did not recognize as SQL and therefore let through to the database. According to Noam Moshe, a member of the research team, attackers could use it to reach the back-end database and then chain further vulnerabilities and exploits to extract information.
The lesson is that a WAF whose detection relies only on matching known syntax fails against a bypass in the same way it fails against a zero-day: anything its rules do not describe goes through. Ask the vendor how the solution handles syntax and encodings its signatures were not written for, and whether it was affected by this research.
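The difference between signature matching and anomaly scoring (question 5), and the way a single unexpected syntax defeats the former (question 7), can be shown with an added example; this is illustrative code written for this page, not Azion's algorithm or any vendor's ruleset. The rules, their weights and the threshold are assumptions chosen for the example, loosely in the spirit of anomaly-scoring rulesets, and the sample inputs are constructed query-string values. The third sample replaces the `=` of a classic tautology with a JSON operator, the kind of syntax a narrow SQL injection signature does not expect; it does not claim to be a working query against any particular database.

```python
import re
from urllib.parse import unquote_plus


def rx(pattern):
    """Wrap a regex into a predicate over normalized text."""
    compiled = re.compile(pattern)
    return lambda text: compiled.search(text) is not None


# (name, predicate, weight). Weights and rules are assumptions for this example.
RULES = [
    ("sql_union_select", rx(r"\bunion\b.{0,40}\bselect\b"), 5),
    ("sql_tautology", rx(r"\bor\b\s+(\d+|'[^']*')\s*=\s*(\d+|'[^']*')"), 5),
    ("sql_comment", rx(r"--|/\*"), 2),
    ("sql_keyword", rx(r"\b(select|from|where|sleep|benchmark)\b"), 2),
    ("odd_single_quotes", lambda t: t.count("'") % 2 == 1, 2),
    ("json_sql_operator", rx(r"->>|@>|<@|\?\|"), 2),
    ("leftover_pct_encoding", rx(r"%[0-9a-f]{2}"), 2),  # still encoded after one decode
]
THRESHOLD = 5
HIGH_CONFIDENCE = {"sql_union_select", "sql_tautology"}  # the "signatures"


def normalize(raw):
    """One round of URL decoding, whitespace collapsing and lowercasing."""
    text = unquote_plus(raw)
    return re.sub(r"\s+", " ", text).strip().lower()


def signature_only(raw, normalized=True):
    """Signature model: block only when a high-confidence pattern matches."""
    text = normalize(raw) if normalized else raw
    return any(pred(text) for name, pred, _ in RULES if name in HIGH_CONFIDENCE)


def anomaly_score(raw):
    """Scoring model: every matching rule adds its weight. Returns (score, rule names)."""
    text = normalize(raw)
    hits = [(name, weight) for name, pred, weight in RULES if pred(text)]
    return sum(weight for _, weight in hits), [name for name, _ in hits]


def scoring_blocks(raw):
    return anomaly_score(raw)[0] >= THRESHOLD


# Constructed sample query-string values
SAMPLES = {
    "benign": "blue+shoes",
    "classic_sqli": "%27%20OR%201%3D1%20--",
    "json_syntax_sqli": "' or '{\"a\":1}' @> '{\"a\":1}' --",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        score, hits = anomaly_score(raw)
        print(f"{label:17} signature={signature_only(raw)!s:5} "
              f"score={score:2} block={scoring_blocks(raw)!s:5} hits={hits}")
```

Two things fall out of the run. Without normalization the percent-encoded classic payload matches no signature at all, so decoding before matching is the first thing to verify in any WAF. With normalization, the signature model catches the classic payload but not the JSON-operator variant, whereas the scoring model still blocks it: no single rule recognizes it, but the comment marker, the unbalanced quote and the JSON operator together cross the threshold. The same accumulation is what gives a scoring WAF a chance against an exploit nobody has written a signature for, and the same mechanism is what needs tuning so that benign requests with one odd quote do not get blocked.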
Why Use Azion’s WAF?
With Azion’s Web Application Firewall, you get scoring algorithms for more precise mitigation of sophisticated threats, plus advanced features for:
- Data streaming that integrates with the main analytics platforms.
- Incident response automation.
- Integration into CI/CD pipelines to accelerate software validation.
- Custom rules that simplify compliance with PCI DSS and other security standards.
- Fast integration and setup (in about 30 minutes).
You can also complement the protection offered by Azion’s Web Application Firewall with other modules of our Edge Firewall—including DDoS Protection—and with third-party solutions available in the Azion Marketplace. Get a closer look at these benefits by subscribing to a free trial or checking our documentation.