White paper written by Joel Engardio for Avi Networks
Web Application Firewall 101
An introduction to a Web Application Firewall or WAF
A Web Application Firewall (WAF) protects web applications and online services from malicious Internet traffic. WAFs detect and filter out threats that could degrade, compromise, or knock out online applications. A WAF examines HTTP traffic before it reaches the application server, and it can also inspect responses to prevent the unauthorized transfer of data from the server.
The PCI Security Standards Council defines a WAF as “a security policy enforcement point positioned between a web application and the client endpoint. This functionality can be implemented in software or hardware, running in an appliance device, or in a typical server running a common operating system. It may be a stand-alone device or integrated into other network components.”
How WAFs Work
WAFs intercept and inspect HTTP requests (and, where configured, responses) and apply a set of customized policies to weed out malicious traffic. A WAF can block bad traffic outright, or it can challenge a visitor with a CAPTCHA test that a human can pass but an automated bot or script cannot.
Traditionally, customizing WAF security rules is complex and difficult to get right without expert knowledge. Customized rules also need maintenance every time the protected application changes.
WAFs are delivered as hardware appliances, as server-side software plugins, or as a cloud service that filters traffic before it reaches the origin. A network-deployed WAF acts as a reverse proxy. Where a forward proxy sits in front of clients and mediates their outbound requests, a reverse proxy sits in front of the servers and mediates inbound requests; this is why a WAF protects web applications from malicious clients rather than protecting clients from malicious applications.
Attacks That WAFs Prevent
WAFs can block or mitigate many attacks, including:
- Cross-site Scripting (XSS) — Attackers inject client-side scripts into web pages viewed by other users.
- SQL injection — Attacker-controlled input from a web entry field is incorporated into a database query, allowing the attacker to read or modify data and compromise the application and the systems behind it.
- Cookie poisoning — Modification of a cookie to impersonate a user, escalate privileges, or gain unauthorized access to the user's information for purposes such as identity theft.
- Unvalidated input — Attackers tamper with the HTTP request (URL, headers, and form fields) to bypass the site's security mechanisms.
- Layer 7 DoS — An HTTP flood that exhausts the application with a high volume of individually valid requests, such as repeated retrievals of ordinary URLs.
- Web scraping — Automated extraction of content and data from a website by bots.
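Layer 7 DoS floods and scraping consist of individually valid requests, so signature rules alone cannot stop them; a WAF catches them by looking at request rate and behaviour per client and escalating to the CAPTCHA challenge described under How WAFs Work. The following Python sketch is an added example, not code from the original white paper or from Avi Networks: a sliding-window rate limiter that moves from allowing, to demanding a CAPTCHA, to blocking. The thresholds, the 10-second window, the client addresses and the request log are all constructed for the illustration.

```python
from collections import defaultdict, deque

# Constructed thresholds (assumptions for this example, not vendor defaults):
WINDOW_SECONDS = 10   # sliding window over which requests are counted
CHALLENGE_AT = 20     # above this many requests per window, demand a CAPTCHA
BLOCK_AT = 60         # above this many requests per window, drop the request


class RateLimiter:
    """Per-client sliding-window counter with allow -> challenge -> block escalation."""

    def __init__(self, window=WINDOW_SECONDS, challenge_at=CHALLENGE_AT, block_at=BLOCK_AT):
        self.window = window
        self.challenge_at = challenge_at
        self.block_at = block_at
        self.history = defaultdict(deque)  # client -> timestamps still inside the window
        self.solved = set()                # clients that have passed the CAPTCHA

    def mark_solved(self, client):
        """Record that the client answered the CAPTCHA; it is then treated as human."""
        self.solved.add(client)
        return self

    def decide(self, client, ts):
        """Return ALLOW, CHALLENGE or BLOCK for one request from client at time ts."""
        recent = self.history[client]
        while recent and ts - recent[0] >= self.window:
            recent.popleft()               # expire requests that fell out of the window
        recent.append(ts)
        count = len(recent)
        if count > self.block_at:
            return "BLOCK"
        if count > self.challenge_at and client not in self.solved:
            return "CHALLENGE"
        return "ALLOW"


def constructed_log():
    """Constructed request log: (timestamp_seconds, client_ip, request_target)."""
    log = []
    # A person browsing: 6 page views spread over 30 seconds.
    log += [(i * 5.0, "203.0.113.7", f"/products?id={i}") for i in range(6)]
    # A scraper walking the catalogue: 50 distinct product pages in 8 seconds.
    log += [(i * 0.16, "198.51.100.9", f"/products?id={1000 + i}") for i in range(50)]
    # An HTTP flood: 300 hits on one search URL in 3 seconds.
    log += [(i * 0.01, "192.0.2.66", "/search?q=laptop") for i in range(300)]
    log.sort(key=lambda entry: entry[0])
    return log


def run(log, limiter=None):
    """Feed the log through the limiter; return {client: {decision: count}}."""
    limiter = limiter or RateLimiter()
    summary = defaultdict(lambda: defaultdict(int))
    for ts, client, _target in log:
        summary[client][limiter.decide(client, ts)] += 1
    return {client: dict(counts) for client, counts in summary.items()}


if __name__ == "__main__":
    for client, counts in run(constructed_log()).items():
        print(client, counts)
```

The browsing client never exceeds two requests per window and is always allowed; the scraper is allowed for its first 20 requests and challenged for the remaining 30; the flood is challenged from request 21 and dropped from request 61 onward. A client that solves the CAPTCHA is exempt from further challenges but still hits the hard block limit. Rate alone is a blunt signal: many users behind one NAT address share a client key, so production WAFs combine it with other indicators such as session identity and navigation patterns before challenging.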
WAF Security Models
WAFs can follow a positive security model, a negative security model, or a combination of both. A positive security model (an allowlist) rejects everything that is not explicitly permitted, for example any parameter or value that does not match the application's expected inputs. A negative security model (a denylist) blocks known-bad patterns and allows everything that does not match them. Positive models are stricter and resist evasion better but require detailed knowledge of each application; negative models are easier to deploy but only catch what their signatures describe.
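The following Python sketch is an added example, not code from the original white paper or from Avi Networks. It ties together the inspection flow from How WAFs Work and the two models from this section: raw requests are parsed and their parameters normalized, a negative model scores them against constructed signatures, and a positive model checks them against a constructed per-endpoint schema for a hypothetical shop. The rules, weights, endpoints and sample requests are all assumptions made for the illustration. The double-encoded sample shows why normalization matters, and the unknown parameter shows what only the positive model can catch.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Negative model: signatures of known-bad input. Each hit adds its weight to an
# anomaly score; the request is blocked once the score reaches BLOCK_THRESHOLD, so a
# single weak indicator does not block on its own. Patterns and weights are constructed.
NEGATIVE_RULES = [
    ("sqli-union", re.compile(r"\bunion\b.{0,40}\bselect\b", re.I), 5),
    ("sqli-tautology", re.compile(r"['\"]\s*or\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+", re.I), 5),
    ("sqli-comment", re.compile(r"(?:--|/\*|#)\s*$"), 2),
    ("xss-tag", re.compile(r"<\s*script\b|<\s*img\b[^>]*\bonerror\b", re.I), 5),
    ("path-traversal", re.compile(r"\.\./|\.\.\\"), 5),
]
BLOCK_THRESHOLD = 5

# Positive model: what each endpoint of a hypothetical shop accepts. Anything not
# described here is rejected, including parameters the signatures know nothing about.
POSITIVE_SCHEMA = {
    ("GET", "/products"): {"id": re.compile(r"\d{1,9}"), "sort": re.compile(r"price|name")},
    ("POST", "/login"): {"user": re.compile(r"[a-z0-9_.@-]{1,64}", re.I),
                         "password": re.compile(r".{8,128}", re.S)},
}


def normalize(value, rounds=2):
    # Undo URL encoding up to `rounds` times so %2527 is matched as the quote it hides.
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_request(raw):
    # Split a raw HTTP/1.1 request into method, path, parameters (query + form body), headers.
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    params = dict(parse_qsl(url.query, keep_blank_values=True))
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params.update(parse_qsl(body, keep_blank_values=True))
    return {"method": method, "path": url.path, "params": params, "headers": headers}


def negative_check(req, decode_rounds):
    score, hits = 0, []
    for name, value in req["params"].items():
        value = normalize(value, decode_rounds)
        for rule_id, pattern, weight in NEGATIVE_RULES:
            if pattern.search(value):
                score += weight
                hits.append(f"{rule_id}:{name}")
    return score, hits


def positive_check(req, decode_rounds):
    schema = POSITIVE_SCHEMA.get((req["method"], req["path"]))
    if schema is None:
        return ["unknown-endpoint"]
    violations = []
    for name, value in req["params"].items():
        pattern = schema.get(name)
        if pattern is None:
            violations.append(f"unexpected-param:{name}")
        elif not pattern.fullmatch(normalize(value, decode_rounds)):
            violations.append(f"bad-value:{name}")
    return violations


def inspect_request(raw, model="both", decode_rounds=2):
    """Return ("ALLOW" | "BLOCK", reasons) for a raw request under the chosen model."""
    req = parse_request(raw)
    reasons = []
    if model in ("negative", "both"):
        score, hits = negative_check(req, decode_rounds)
        if score >= BLOCK_THRESHOLD:
            reasons.extend(hits)
    if model in ("positive", "both"):
        reasons.extend(positive_check(req, decode_rounds))
    return ("BLOCK" if reasons else "ALLOW"), reasons


# Constructed sample requests, not captured traffic.
SAMPLES = {
    "benign": "GET /products?id=42&sort=price HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "sqli": "GET /products?id=42%27%20OR%201%3D1-- HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    # The same payload encoded twice: %2527 -> %27 -> '
    "sqli-double-encoded": "GET /products?id=42%2527%2520OR%25201%253D1-- HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "unknown-param": "GET /products?id=42&debug=1 HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "xss-login": ("POST /login HTTP/1.1\r\nHost: shop.example\r\n"
                  "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                  "user=%3Cscript%3Ealert(1)%3C%2Fscript%3E&password=correct-horse-battery"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "negative:", inspect_request(raw, "negative"), "positive:", inspect_request(raw, "positive"))
```

Run it and compare the two models per sample. The negative model alone lets the unexpected debug parameter through and, when decoding is switched off (decode_rounds=0), lets the double-encoded injection through on an anomaly score of 2 from the trailing comment marker alone; the positive model rejects both without knowing anything about SQL injection. The price of that strictness is the schema itself, which has to be kept in step with every change to the application, which is exactly the maintenance burden the text describes.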
WAF Rules
WAFs enforce rules or policies tailored to specific vulnerabilities and attack patterns; these rules are how a WAF prevents attacks. Creating rules on a traditional WAF can be complex and requires expert administration. The Open Web Application Security Project (OWASP) maintains the OWASP Top 10, a list of the most critical web application security risks, which is commonly used as a checklist of what WAF policies should address.
Traditional Firewalls Versus Web Application Firewalls (WAFs)
A traditional network firewall controls traffic between networks and hosts based on addresses, ports, and protocols, while a WAF filters the traffic of a specific web application based on its content. Network firewalls and web application firewalls are complementary and are normally deployed together.
Traditional security controls include network firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS). They are effective at blocking illegitimate traffic at the lower layers of the Open Systems Interconnection (OSI) model, the network and transport layers. A network firewall cannot detect attacks that target flaws in web applications because it does not understand Hypertext Transfer Protocol (HTTP): it can only open or close the ports on which the web server accepts requests (typically 80 and 443), and once a port is open, any request sent over it passes through. This is why WAFs are needed to prevent attacks such as SQL injection, session hijacking, and Cross-site Scripting (XSS).
History of Firewalls and WAFs
The term firewall was coined in 1851 for a physical wall built to stop the spread of fire. In modern times, the Morris worm, released in 1988, was one of the first Internet worms and created the need for a network firewall. In the early 1990s, application-layer firewalls appeared that understood specific protocols such as FTP. This was the beginning of firewalls being able to control access to applications and services rather than just to hosts and ports. By the end of the 1990s, as online activity grew, attacks on web servers became a serious problem and the focus turned to the development of Web Application Firewalls (WAFs).
The first dedicated WAFs protected e-commerce websites against common attacks such as:
- Hidden field manipulation — Manipulation of hidden form fields to alter the data stored in or carried by those fields.
- Cookie poisoning — Modification of a cookie to impersonate a user, escalate privileges, or gain unauthorized access to the user's information for purposes such as identity theft.
- Parameter tampering — Parameters exchanged between client and server are manipulated to change application data.
- Buffer overflow — Input longer than the buffer it is written to overwrites adjacent memory, which can crash the server or allow code execution.
- Cross-site Scripting (XSS) — Attackers inject client-side scripts into web pages viewed by other users.
- SQL injection — Attacker-controlled input from a web entry field is incorporated into a database query, allowing the attacker to read or modify data and compromise the application and the systems behind it.
- Remote code execution — An attacker causes the server to execute code of the attacker's choosing, typically by getting attacker-supplied input passed to a command interpreter or evaluated as code.
- Forced browsing — Accessing resources that the application does not link to but still serves, for example directory listings.
By 2002, WAFs were in wider use and the open source ModSecurity project was released; a core set of rules for it, now maintained as the OWASP ModSecurity Core Rule Set, followed and became a widely used baseline of WAF rules. In 2003, the Open Web Application Security Project (OWASP) published the first OWASP Top 10, which gave WAF vendors and administrators a common list of risks to address. The OWASP Top 10 has been republished roughly every three or four years since and is widely used as a compliance reference.
WAF Benefits vs Weaknesses
Web Application Firewall Benefits
WAFs prevent attacks that exploit vulnerabilities in web-based applications. Such vulnerabilities are common in legacy applications and in applications with poor coding or design. A WAF compensates for these code deficiencies with custom rules or policies, a practice often called virtual patching, which protects the application until the underlying code can be fixed.
Intelligent WAFs provide real-time insight into application traffic, performance, security events, and the threat landscape. This visibility gives administrators the information they need to respond to sophisticated attacks.
When OWASP identifies the most common vulnerabilities, WAF administrators can create custom security rules to counter those attack methods. A smart WAF shows which security rules matched a particular transaction and provides a real-time view as attack patterns evolve. With this information, administrators can tune rules and the WAF can reduce false positives.
Web Application Firewall Weaknesses
WAFs sit in-line between users and applications, so any delay they add affects the end-user experience. Because inspecting requests and responses is compute-intensive, WAFs do introduce latency. How much, and whether it is noticeable to end users, depends on the WAF's performance, the complexity of its policies, and the application itself. This leaves organizations with an awkward trade-off: over-provision the WAF to minimize the impact, at higher cost, or trim security policies to reduce inspection time, at the expense of protection.
WAFs can also be complex to deploy, since effective policies have to be written for each application. They also require regular maintenance whenever applications are updated or extended.
WAF Capabilities
The most effective and efficient WAFs offer the following capabilities:
- Input protection
- HTTP validation
- Data leakage protection
- Automated attack blocking
- Policies tailored to widely used applications
- Granular security insights on traffic flows
- Point-and-click policy configurations, customizable for each application
- Central, scalable policy management
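Data leakage protection, listed above and mentioned in the introduction as inspection of what leaves the server, is the one capability in this list that operates on responses rather than requests. The following Python sketch is an added example, not code from the white paper or from Avi Networks: it inspects constructed response bodies for database error text and for card numbers, validating candidate numbers with the Luhn check so that ordinary long numbers such as order IDs are not masked, and it recomputes Content-Length whenever it rewrites the body. The signatures, the generic error body and the sample responses are assumptions for the illustration.

```python
import re

# Constructed signatures of server-side error text that leaks implementation details.
ERROR_SIGNATURES = [
    ("sql-error", re.compile(r"You have an error in your SQL syntax|ORA-\d{5}|SQLSTATE\[|Unclosed quotation mark", re.I)),
    ("stack-trace", re.compile(r"Traceback \(most recent call last\)|\bat [\w.$]+\(\w+\.java:\d+\)")),
]
# 13 to 19 digits, optionally separated by spaces or hyphens: a candidate card number.
CARD_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
GENERIC_ERROR = '{"error": "internal server error"}'


def luhn_ok(digits):
    """Luhn check-digit test; separates real card numbers from other long digit runs."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def inspect_response(headers, body, mode="mask"):
    """Inspect an outbound response before the client sees it.

    Returns (action, headers, body, findings) with action PASS, MASK or BLOCK.
    Error text that reveals the database or framework always replaces the body with
    a generic error. Card numbers are masked to their last four digits (mode="mask")
    or cause the whole response to be blocked (mode="block"). When the body changes,
    Content-Length is recomputed; skipping that leaves clients waiting for bytes
    that never arrive, or truncates the rewritten body.
    """
    findings = [rule_id for rule_id, pattern in ERROR_SIGNATURES if pattern.search(body)]

    def redact(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_ok(digits):
            return match.group(0)          # e.g. an order number: leave it as is
        findings.append("pan")
        return "*" * (len(digits) - 4) + digits[-4:]

    masked = CARD_CANDIDATE.sub(redact, body)
    if not findings:
        return "PASS", dict(headers), body, findings
    new_headers = dict(headers)
    if mode == "block" or any(f != "pan" for f in findings):
        action, new_body = "BLOCK", GENERIC_ERROR
        new_headers["Content-Type"] = "application/json"
    else:
        action, new_body = "MASK", masked
    new_headers["Content-Length"] = str(len(new_body.encode("utf-8")))
    return action, new_headers, new_body, findings


# Constructed sample responses, not captured traffic.
SAMPLE_HEADERS = {"Content-Type": "application/json", "Content-Length": "0"}
SAMPLE_RESPONSES = {
    # A 16-digit order number: fails Luhn, so it is not a card number and passes untouched.
    "clean": '{"order": 1234567890123456, "status": "shipped"}',
    # A card number in the response (Luhn-valid test number).
    "pan-leak": '{"card": "4111 1111 1111 1111", "holder": "A. Customer"}',
    # A database error page leaking the query engine.
    "sql-error": "<html>You have an error in your SQL syntax; check the manual near '' at line 1</html>",
}

if __name__ == "__main__":
    for name, body in SAMPLE_RESPONSES.items():
        action, _headers, new_body, findings = inspect_response(SAMPLE_HEADERS, body)
        print(f"{name:10} {action:6} {findings} {new_body}")
```

The clean response passes unchanged because its 16-digit order number fails the Luhn check; the card number is masked to its last four digits and Content-Length is updated to the new body; the SQL error page is replaced wholesale, since the error text itself tells an attacker which database is behind the application. Response inspection of this kind has to buffer and scan the body, which is part of the latency cost discussed under weaknesses.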