A Web Application Firewall (WAF) is a form of firewall that controls the input, output and/or access from, to or by an application or service. It works by monitoring, and where necessary blocking, the input, output or system service calls that do not meet the firewall's configured policy. It can control a specific application or service, unlike a network firewall which, without additional software, cannot control network traffic on a per-application basis.
Web sites are becoming increasingly important for companies and organizations. Crucial information and business processes are handled by web sites, so their reliability, usability and overall quality are central concerns. Web security is therefore on the management agenda of most public and private organizations, since these concerns are closely tied to IT security.
Significance of Web Application Firewall / WAF
Web applications are, at their core, software programs accessible from the Internet, and they play a major part in the overall security of a web site. Even when network firewalls are installed, off-the-shelf software is patched and communication is protected with strong encryption, there remain many ways to attack the logic of the custom-made application code itself. Web applications often access critical data sources and internal systems and are therefore a prime target for the more serious attacks.
A Web Application Firewall is a tool used to protect web applications from attacks. A WAF is deployed in front of a web application (or a web server) and intercepts the traffic between clients and the application in order to:
- Prevent unwanted user input from reaching the application.
- Prevent unwanted content from being leaked by the application.
- Monitor the application's traffic flow.
- Log transaction data.
The WAF intercepts and monitors all incoming and outgoing application-layer traffic (OSI layer 7).
How does a Web Application Firewall / WAF work?
A WAF can be an appliance (a hardware device deployed in front of your web server) or a server plugin installed on the web server itself.
A WAF operates using two main models:
- A blacklist or negative model, which denies what is known to be bad:
For basic protection, similar to an IPS but with a greater level of application intelligence, a WAF can use generic signatures to prevent well-known attacks and specific signatures for attacks that exploit a particular web application's vulnerabilities. A simple example: deny a certain malicious HTTP GET request and permit everything else.
- A whitelist or positive model, which permits only what is known to be good:
For advanced protection, another type of logic is used in addition to the signatures: rules that define what is explicitly allowed. A simple example: allow only HTTP GET requests for a specific URL and deny everything else.
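To make the two models concrete, the following is an added example (not code from the original page or from any WAF product) of a minimal policy engine in Python. It runs generic signatures over the path and every parameter (the negative model), and in "positive" mode additionally enforces an allowlist of paths, methods and per-parameter patterns (the positive model), denying everything not explicitly permitted. Every decision is appended to a transaction log, which is the monitoring and logging role described above. The signatures, the `/search` and `/login` allowlist entries and all sample requests are constructed for illustration; a real rule set is far larger.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse


@dataclass
class Request:
    """An HTTP request as the WAF sees it (constructed sample data, not captured traffic)."""
    method: str
    url: str              # path plus optional query string
    body: str = ""        # urlencoded form body for POST

    @property
    def path(self) -> str:
        return urlparse(self.url).path

    @property
    def params(self) -> Dict[str, List[str]]:
        """Query-string and form parameters merged into one mapping."""
        merged = parse_qs(urlparse(self.url).query, keep_blank_values=True)
        if self.method == "POST" and self.body:
            for key, values in parse_qs(self.body, keep_blank_values=True).items():
                merged.setdefault(key, []).extend(values)
        return merged


@dataclass
class Decision:
    action: str                 # "allow" or "deny"
    rule_id: Optional[str]      # rule that decided; None for the default action
    reason: str


# Negative model: generic signatures for well-known attack patterns (illustrative only).
SIGNATURES = [
    ("SIG-001", re.compile(r"(?i)union\s+select|'\s*or\s+'?\d+'?\s*=\s*'?\d+"), "SQL injection pattern"),
    ("SIG-002", re.compile(r"(?i)<\s*script\b|javascript\s*:"), "cross-site scripting pattern"),
    ("SIG-003", re.compile(r"\.\./|%2e%2e%2f", re.IGNORECASE), "path traversal pattern"),
]

# Positive model: what is explicitly allowed, per path, for a hypothetical application
# with a search page and a login form. Anything not listed here is denied in positive mode.
ALLOWLIST = {
    "/search": {"methods": {"GET"},
                "params": {"q": re.compile(r"^[\w\s\-]{1,64}$")}},
    "/login": {"methods": {"POST"},
               "params": {"user": re.compile(r"^[\w.@\-]{1,64}$"),
                          "pass": re.compile(r"^.{8,128}$")}},
}


class MiniWAF:
    """Signatures always run; the allowlist is enforced only in 'positive' mode."""

    def __init__(self, mode: str = "negative") -> None:
        if mode not in ("negative", "positive"):
            raise ValueError("mode must be 'negative' or 'positive'")
        self.mode = mode
        self.log: List[dict] = []    # transaction log, one entry per decision

    def inspect(self, req: Request) -> Decision:
        decision = self._negative_checks(req)
        if decision is None and self.mode == "positive":
            decision = self._positive_checks(req)
        if decision is None:
            decision = Decision("allow", None, "no rule matched")
        self.log.append({"method": req.method, "path": req.path,
                         "action": decision.action, "rule": decision.rule_id})
        return decision

    def _negative_checks(self, req: Request) -> Optional[Decision]:
        # The path and every decoded parameter value are checked against each signature.
        candidates = [req.path] + [v for values in req.params.values() for v in values]
        for rule_id, pattern, reason in SIGNATURES:
            for value in candidates:
                if pattern.search(value):
                    return Decision("deny", rule_id, reason)
        return None

    def _positive_checks(self, req: Request) -> Optional[Decision]:
        spec = ALLOWLIST.get(req.path)
        if spec is None:
            return Decision("deny", "POS-PATH", f"path {req.path} is not allowlisted")
        if req.method not in spec["methods"]:
            return Decision("deny", "POS-METHOD", f"{req.method} is not allowed on {req.path}")
        for name, values in req.params.items():
            allowed = spec["params"].get(name)
            if allowed is None:
                return Decision("deny", "POS-PARAM", f"unexpected parameter {name}")
            if not all(allowed.match(v) for v in values):
                return Decision("deny", "POS-VALUE", f"parameter {name} fails its pattern")
        return None


if __name__ == "__main__":
    waf = MiniWAF("positive")
    for r in (Request("GET", "/search?q=running%20shoes"),
              Request("GET", "/search?q=%27%20OR%201%3D1"),
              Request("POST", "/search", "q=shoes")):
        d = waf.inspect(r)
        print(r.method, r.url, "->", d.action, d.rule_id or "", d.reason)
```

The ordering matters: signatures run first in both modes, so a request that is both well-formed for the allowlist and carries a known-bad pattern is still denied by the negative model. Note also that a signature scoped to one path and parameter, as in the `/login` entry, is the mechanism behind virtual patching: a known weakness in the application can be shielded by a WAF rule without changing the application code.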
Benefits of Using Web Application Firewall / WAF
- Preventing technical application attacks (e.g. XSS, SQL injection).
- Preventing data leakage.
- Compliance with PCI DSS 6.6.
- Business logic attacks: preventing abuse of an application's functionality through flaws in its business logic.
- Virtual patching: fixing security vulnerabilities in your web applications without touching the application code.
- Web application hardening: reducing the attack surface.
- Monitoring your web application and detecting when attacks occur.