Web application firewall (WAF)

How does it work

A WAF analyzes Hypertext Transfer Protocol (HTTP) requests and applies a set of rules that define what parts of that conversation are benign and what parts are malicious. The main parts of HTTP conversations that a WAF analyzes are GET and POST requests. GET requests are used to retrieve data from the server, and POST requests are used to send data to a server to change its state.

A WAF can take two approaches to analyzing and filtering the content contained in these HTTP requests or a hybrid combination of the two:

• Whitelisting: A whitelisting approach means that the WAF will deny all requests by default and allow only requests that are known to be trusted. It provides a list of what IP addresses are known to be safe. Whitelisting is less resource-intensive than blacklisting. The downside of a whitelisting approach is that it may unintentionally block benign traffic. While it casts a wide net and can be efficient, it may also be imprecise.
• Blacklisting: A blacklisting approach defaults to letting packets through and uses preset signatures to block malicious web traffic and protect vulnerabilities of websites or web applications. It is a list of rules that indicate malicious packets. Blacklisting is more appropriate for public websites and web applications since they receive a lot of traffic from unfamiliar IP addresses that aren't known to be either malicious or benign. The downside of a blacklisting approach is that it is more resource-intensive; it requires more information to filter packets based on specific characteristics, as opposed to defaulting to trusted IP addresses.
• Hybrid security: A hybrid security model uses elements of both blacklisting and whitelisting.

Regardless of the security model a WAF uses, it ultimately works to analyze HTTP interactions and reduce or, ideally, eliminate malicious traffic before it reaches a server for processing.

Types of web application firewalls

Network-based WAFs are usually hardware-based and can reduce latency because they are installed locally on premises via a dedicated appliance, as close to the application as possible. Most major network-based WAF vendors enable replication of rules and settings across multiple appliances, thereby making large-scale deployment, configuration and management possible. The biggest drawback for this type of WAF product is cost -- there is an upfront capital expenditure, as well as ongoing operational costs for maintenance.

Host-based WAFs may be fully integrated into the application code itself. The benefits of a host-based WAF implementation include lower cost and increased customization options. Host-based WAFs can be a challenge to manage because they require application libraries and depend upon local server resources to run effectively. Therefore, more staff resources, including that of developers, system analysts and DevOps/DevSecOps, may be required.

Cloud-hosted WAFs offer a low-cost solution for organizations that want a turnkey product that requires minimal resources for implementation and management. Cloud WAFs are easy to deploy, are available on a subscription basis and often require only a simple domain name system (DNS) or proxy change to redirect application traffic. Although it can be challenging to place responsibility for filtering an organization's web application traffic with a third-party provider, the strategy enables applications to be protected across a broad spectrum of hosting locations and use similar policies to protect against application layer attacks. Additionally, these third parties have the latest threat intelligence and can help identify and block the latest application security threats.

Advantages

A WAF has an advantage over traditional firewalls because it offers greater visibility into sensitive application data that is communicated using the HTTP application layer. It can prevent application layer attacks that normally bypass traditional network firewalls, including the following:

• Cross-site scripting (XSS) attacks enable attackers to inject and execute malicious scripts in another user's browser.
• Structured Query Language (SQL) injection attacks can affect any application that uses an SQL database and enables attackers to access and potentially change sensitive data.
• Web session hacking enables attackers to hijack a session ID and masquerade as an authorized user. A session ID is normally stored within a cookie or Uniform Resource Locator (URL).
• Distributed denial-of-service (DDoS) attacks overwhelm a network by flooding it with traffic until it is unable to serve its users. Both network firewalls and WAFs can handle this attack type but approach it from different layers.

Another advantage of a WAF is that it can defend web-based applications without necessarily having access to the source code of the application. While a host-based WAF may be integrated into application code, a cloud-hosted WAF is capable of defending the application without having access. In addition, a cloud WAF is easy to deploy and manage and provides quick virtual patching solutions that enable users to rapidly customize their settings to adapt to newly detected threats.

Importance

A WAF is important to the growing number of enterprises that provide products over the internet -- including online bankers, social media platform providers and mobile application developers -- because it helps prevent data leakage. A lot of sensitive data, such as credit card data and customer records, is stored in back-end databases that are accessible through web applications. Attackers frequently target these applications to gain access to the associated data.

Banks, for instance, might use a WAF to help them meet the Payment Card Industry Data Security Standard (PCI DSS), which is a set of policies to ensure that cardholder data (CHD) is protected. Installing a firewall is one of the 12 requirements of PCI DSS compliance. This compliance applies to any enterprise that handles CHD. Since many newer companies employ mobile applications and the growing internet of things (IoT), an increasing number of transactions take place at the application layer using the web. For this reason, a WAF is an important part of a modern business's security model.

While a WAF is important, it is most effective in conjunction with other security components, including IPSes, IDSes and classic or next-generation firewalls (NGFWs). A comprehensive enterprise security model would ideally position a WAF alongside other firewall types, such as NGFWs, and security components, such as IPSes and IDSes, which are often included in NGFWs.

Commercial vs. open source WAFs

There are both commercial and open source WAF options. Popular commercial vendors include F5, Barracuda and Cloudflare. Popular open source vendors include ModSecurity, Naxsi and WebKnight.

WAF vs. firewall

Firewall is a broad term for firmware that defends a computer network by filtering incoming data packets. Within that broad definition, there are several categories that are differentiated by what kind of protection they provide and how they provide it. Some of those designations include packet filtering, stateful inspection, proxy and NGFW.

A WAF is another category of firewall, differentiated by how specifically it filters data packets. The WAF is unique because it focuses on solely web-based attackers at the application layer, whereas other types -- such as packet filtering and stateful inspection -- may not be able to defend against these attacks. A WAF is most like a proxy firewall but with a specific focus on Layer 7 application logic.