Web application firewalls explained: what is WAF?
Websites, web applications, and web servers are prime cyber-attack targets. Some of the most common types of attacks on web servers include SQL injection attacks, cross-site scripting (XSS) attacks, and DDoS attacks. So how can you defend against these? There are two main approaches that can help: developing applications to make them more resistant to attacks, and protecting applications using specially designed web application firewalls.
A web application firewall (WAF) filters and blocks targeted, malicious web traffic before it reaches a web application. WAFs are designed to protect HTTP applications from common attacks such as SQL injection and cross-site scripting.
OWASP has been very active in defining techniques for writing web applications that can make them more resistant to such attacks - this great resource explores the topic in some depth. OWASP provides excellent resources to help developers who are interested in writing secure web applications.
However, not all applications are written with these guidelines in mind, so it's very important that web servers also have IPS, IDS, and standard firewalls in their network to prevent attacks. Unfortunately, those appliances will not be able to prevent XSS attacks, SQL injection, or web session hijacking if your web applications are vulnerable to those kinds of attacks. In order to adequately protect web servers and applications, therefore, you should consider adding specialized web application firewalls to your network.
Like other types of firewalls, web application firewalls can be hardware devices, software, or both. Web application firewall software is generally available as a web server plugin or an inline web server. Whether software or hardware, a web application firewall analyzes the GET and POST requests sent through HTTP and HTTPS, and applies configured firewall rules to identify and filter out malicious web traffic. In my recent "Explain How a Firewall Works" post, I identified the three main types of firewalls: stateless, stateful, and application firewalls. Web application firewalls are basically specialized application firewalls that analyze the content of packets, not just their headers.
Web application firewalls catch malicious web traffic that other security appliances might miss before it reaches the actual web server. When properly implemented, they can also help your organization comply with PCI-DSS and HIPAA regulations. In addition, a web application firewall's logging can be integrated into a SIEM solution so that security administrators can more effectively monitor your web servers' security. (There are HIPAA and PCI-DSS regulations that specifically pertain to web security; implementing a properly configured web application firewall can aid in compliance with those regulations.)
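To show what feeding WAF logs into a SIEM buys an administrator, here is an added Python example. It is not code from the original article or from any LevelBlue product; the JSON-lines log layout and the events in it are constructed for illustration and do not follow any vendor's schema. It parses the events, counts blocks per rule, and flags source addresses that trigger the WAF repeatedly inside a short window, which is the kind of correlation a SIEM rule would run on top of WAF logs.

```python
"""Summarise WAF events for SIEM-style monitoring.

Added example, not from the original article. The log format below is a
constructed JSON-lines layout, not any particular vendor's schema.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of WAF log lines (one JSON object per line).
# The last line is deliberately malformed to show that a bad line must not
# abort parsing of the rest of the log.
SAMPLE_LOG = """\
{"ts": "2024-05-01T10:00:01Z", "src_ip": "203.0.113.7", "rule": "sqli", "action": "block", "path": "/search"}
{"ts": "2024-05-01T10:00:03Z", "src_ip": "203.0.113.7", "rule": "sqli", "action": "block", "path": "/search"}
{"ts": "2024-05-01T10:00:04Z", "src_ip": "198.51.100.2", "rule": "xss", "action": "block", "path": "/comment"}
{"ts": "2024-05-01T10:00:09Z", "src_ip": "203.0.113.7", "rule": "xss", "action": "block", "path": "/login"}
{"ts": "2024-05-01T10:01:30Z", "src_ip": "192.0.2.5", "rule": "-", "action": "allow", "path": "/"}
{"ts": "2024-05-01T10:02:00Z", "src_ip": "203.0.113.7", "rule": "sqli", "action": "challenge", "path": "/search"}
not json at all
"""


def parse_events(text):
    """Parse JSON-lines WAF log; malformed lines are counted, not fatal."""
    events, bad = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
        except (ValueError, KeyError, TypeError):
            bad += 1
    return events, bad


def blocked_by_rule(events):
    """Count outright blocks per WAF rule, e.g. for a dashboard panel."""
    return Counter(ev["rule"] for ev in events if ev["action"] == "block")


def repeat_offenders(events, threshold=3, window=timedelta(minutes=1)):
    """Source IPs with >= threshold non-allow events inside any sliding window."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["action"] != "allow":
            by_ip[ev["src_ip"]].append(ev["ts"])
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Shrink the window from the left until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return sorted(flagged)


if __name__ == "__main__":
    evs, bad_lines = parse_events(SAMPLE_LOG)
    print(f"{len(evs)} events parsed, {bad_lines} malformed line(s) skipped")
    print("blocks per rule:", dict(blocked_by_rule(evs)))
    print("repeat offenders:", repeat_offenders(evs))
```

The sliding-window count is what turns individual WAF blocks into an alert worth a human's attention: a single blocked request is noise, while several from one address within a minute is a scan or an attack in progress. Challenged requests are counted alongside blocks because a CAPTCHA challenge is still evidence of suspicious traffic.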
As part of its operation, a web application firewall can respond to web traffic in several ways: it can block packets that have been identified as malicious, it can send a user a CAPTCHA challenge to prove that they're not a bot, and some firewalls can even simulate attacks to help you identify vulnerabilities.
A web application firewall can be configured according to three basic security models. One model may be more effective than the others according to the specific context of the web server and application.
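The three models are usually described as the positive model (an allowlist: only expected parameters in expected shapes pass), the negative model (a denylist: requests matching known-bad signatures are dropped), and a hybrid that applies both. The following Python example is added here and is not code from the original article or from any LevelBlue product. It inspects GET and POST parameters the way the article describes, evaluates them under each model, and returns the allow, block or CAPTCHA-challenge actions mentioned above. The deny patterns, the /search parameter schema and the bot_score input are constructed assumptions for illustration.

```python
"""Toy WAF request inspector: positive, negative and hybrid security models.

Added example, not code from the original article. Rule patterns, parameter
schemas and the request samples are constructed for illustration.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Negative model: deny requests whose parameter values match known-bad signatures.
# Patterns are deliberately minimal; a real WAF uses far larger rule sets.
DENY_PATTERNS = {
    "sqli": re.compile(r"(?i)(\bunion\b\s+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+|--\s*$|;\s*drop\b)"),
    "xss": re.compile(r"(?i)(<\s*script\b|javascript:|on\w+\s*=)"),
}

# Positive model: allow only parameters that are expected, in the expected shape.
# Hypothetical schema for a /search endpoint; any other path is unknown.
ALLOW_SCHEMA = {
    "/search": {
        "q": re.compile(r"^[\w .,-]{1,64}$"),
        "page": re.compile(r"^\d{1,3}$"),
    },
}


@dataclass
class Request:
    """Minimal HTTP request: method, URL (path + query) and form body."""
    method: str
    url: str
    body: str = ""

    def params(self):
        """Return (path, {name: [values]}) from query string and POST body."""
        parsed = urlparse(self.url)
        items = parse_qs(parsed.query, keep_blank_values=True)
        if self.method == "POST":
            for k, v in parse_qs(self.body, keep_blank_values=True).items():
                items.setdefault(k, []).extend(v)
        return parsed.path, items


def negative_check(params):
    """Return list of (rule, param) hits from the deny list."""
    hits = []
    for name, values in params.items():
        for v in values:
            for rule, pat in DENY_PATTERNS.items():
                if pat.search(v):
                    hits.append((rule, name))
    return hits


def positive_check(path, params):
    """Return list of violations against the allowlist schema for this path."""
    schema = ALLOW_SCHEMA.get(path)
    if schema is None:
        return [("unknown_path", path)]
    violations = []
    for name, values in params.items():
        pat = schema.get(name)
        if pat is None:
            violations.append(("unexpected_param", name))
            continue
        for v in values:
            if not pat.fullmatch(v):
                violations.append(("bad_format", name))
    return violations


def decide(req, model="hybrid", bot_score=0.0):
    """Return 'allow', 'block' or 'challenge' for a request under a model."""
    path, params = req.params()
    if model in ("negative", "hybrid") and negative_check(params):
        return "block"
    if model in ("positive", "hybrid") and positive_check(path, params):
        return "block"
    # Suspected automation gets a CAPTCHA challenge instead of an outright block.
    if bot_score >= 0.8:
        return "challenge"
    return "allow"


if __name__ == "__main__":
    for model in ("negative", "positive", "hybrid"):
        print(model, decide(Request("GET", "/search?q=hello&debug=1"), model=model))
```

The trade-off between the models shows up in the `debug=1` request: the negative model allows it because no signature matches, while the positive model blocks it because the parameter is not in the schema. A denylist misses attacks it has no pattern for, an allowlist breaks legitimate traffic whenever the application changes and the schema does not, and the hybrid inherits both costs along with both protections, which is why the article says the right choice depends on the server and application.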
Securing web servers requires all sorts of applications and devices, as well as following best practices in developing web applications. But a well-implemented web application firewall is a necessity. Web applications and websites are key targets for cyber attackers, and web attacks will only continue to proliferate as time goes on.
LevelBlue is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.