This piece was originally published on Fortra’s AlertLogic.com Blog.
A Comprehensive Guide to Understanding WAFs: How it Works, Types, and Security Models
Web applications drive digital transformation, remote work, employee productivity, and consumer interactions. The ability to connect to critical applications over the internet gives workforce members a way to work synchronously and asynchronously, while also making products or services easily available to consumers.
A web app usually consists of multiple, connected components, generally categorized within presentation, application, and storage tiers. Web apps tend to serve critical business functions, requiring the app is always secure and available for use.
To maximize access, web apps are internet facing, making them obvious targets for threat actors who seek to exploit access points to a company’s data, networks, and systems. A web application firewall (WAF) protects applications from attacks that exploit the application layer, supporting other security technologies as part of a defense in depth strategy.
What is a WAF?
A web application firewall is a filter for web traffic that applies rules for HTTP/HTTPS communications to filter, monitor, and block malicious traffic. A WAF monitors all the traffic entering and leaving a web application. Think of it as a shield or a set of thick gates that are raised up or down, depending on the traffic it deems safe. This is important because the internet is made up of data packets — clustered information sent between nodes in a network. These packets can hide malicious activity, usually exploits creating backdoor access via a webshell, posing as harmless data. A firewall assesses them, one at a time, against pre-configured security rules. When it approves them, they’re let in, and when it doesn’t, the packets are dropped. This ensures the integrity of the web application by preventing malicious requests from reaching the application, keeping it protected, even if it was susceptible to the blocked exploit. This level of scrutiny is known as application layer filtering.
WAFs also can prevent the exploitation of misconfigurations, missing security patches, insecure building practices, and third-party or open-source plugins. They can be host-based, network-based, or cloud-based, ultimately serving as a reverse proxy that sits in front of your web apps.
What is the Difference Between a WAF and a Firewall?
Although both WAFs and firewalls monitor for malicious traffic, they protect different assets and work differently.
Traditional firewalls filter based only on the origin and destination of a request; however next-generation firewalls can filter at the application layer. Traditional firewalls assess traffic at layer 3, meaning they can only scrutinize origin, destination, and port. An organization sets a list of approved IP addresses and ports. Then the firewall denies requests and data transfers from anything not on the list. However, a determined attacker can circumvent these controls by spoofing the packet headers.
The rise of cloud led to the development of next-generation firewalls (NGFWs) that go beyond traditional traffic filtering by inspecting content at layer 7 to examine the contents of the traffic for malicious activity, not just the direction of travel.
Both traditional and next-gen firewalls protect large networks as a whole, and are used to:
- Limit access to risky websites
- Segment networks
- Record events
- Alert organizations to potential intrusions
To eliminate any confusion over the differences of layer 3 and layer 7 inspection, think of a letter in a sealed envelope:
- The address and return-to-sender address on the envelope represent layer 3
- The contents contained within the letter represent layer 7
While identifying a suspicious sender address, or unauthorized destination on an envelope can be useful, the only real way to know if the contents of the envelope are truly malicious is by opening it up and inspecting what is inside.
Firewalls sit at the network and transport layers, meaning they only monitor network traffic coming into and out of nodes and destination hosts. These layers are closer to the public internet.
Web Application Firewalls
Like a NGFW, a WAF sits at the application layer (7) where the user interacts with the software and network. WAFs traditionally sit between an application or server and the traditional firewall. This means that malicious traffic needs to get through two different firewalls before getting to the application itself. As a WAF usually protects a few web applications, the policies applied can be much more granular and targeted, versus NGFWs or firewalls which serve large segments of a network.
Think of a firewall as security for an entire building, whereas a WAF is security for a single room within the same building.
Why take the extra precaution of combining a WAF and a firewall? Web applications are an organization’s most targeted asset, accounting for 53% of all attacks. Shouldn’t the most targeted asset be the focus of your security strategy?
Web apps are also an obvious gateway into your environment and sensitive data. You not only need to protect the data connected to your web application, but also protect your wider network from a breach, by preventing your web application from becoming a stepping-stone for lateral movement leading to further data exfiltration or ransomware.
As web applications perform critical business functions and require internet access, the elevated exposure and high potential impact from a successful attack warrants a dedicated set of continuously managed policies and a defense in depth strategy to maximize protections.
Which Attacks Can a WAF Protect Against?
Your web applications perform critical business functions and are an exposed entry point to your network; this combination of high exposure and potential impact warrants targeted protections. When you deploy a web application firewall, you’re staying vigilant against many serious attempts to steal your data, hold it hostage, or disrupt business practices.
WAFs protect against attacks such as:
- Malware uploads which exploit a web application vulnerability to upload malicious code, such as:
- Trojans that steal the information of your users, including PII, credentials, and payment information.
- Ransomware that can spread to your whole network, crippling day-to-day digital operations until you pay out.
- Webshells create backdoor access and facilitates further malicious actions.
- SQL injection where an attacker exploits vulnerabilities in web app login tables, or poor sanitization configuration to connected datastores, to gain access by stealing credentials or dump sensitive data.
- Cross-site scripting (XSS) which injects malicious code into your application and spreads it to users’ browsers and computers.
- Denial of service (DoS) attacks used to overwhelm you application by sending it into an infinite logic loop.
- Credential-based attacks where stolen usernames and passwords attempt to gain user or admin access. Stolen credentials in brute force or credential stuffing attacks account for approximately 75% of web application compromises.
- Man-in-the-middle attacks where a threat actor positions themselves between the user and the application, intercepting and even modifying information, without the knowledge of the user.
Protecting against DDoS can also be a use case for WAF. However, DDoS protection usually is performed by a complimentary technology bundled with a web application firewall, like a content delivery network (CDN) which delivers cached web page content at the network edge.
How Does a WAF Work?
A web application firewall is your first line of defense against application layer attacks. It does this with a reverse-proxy server, which stands as an intermediary to safeguard a web client’s identity. The WAF functions as a wall around the web application, preventing harmful clients (whoever is trying to send nefarious requests to the application) from progressing to the app.
WAFs usually use algorithms to detect known malicious types of traffic. Organizations need to set policies that tell the WAF what is considered suspicious before it can protect the organization from a security incident.
These are the rules that tell the WAF what type of requests or traffic behavior that present risks to an organization. They also tell the WAF what action to take when one of these types is detected.
Good web application firewall policies must minimize false positives, as false positive blocks will prevent legitimate users form using the application for its intended purpose. As web apps tend to be dynamic and are continuously developed, policies must be regularly reviewed and modified to maximize protections and limit false positive blocks.
The WAF scans all requests sent to the web application. It inspects the entirety of each HTTP(s) request to determine what is legitimate, harmless web traffic and what is a targeted threat that should be blocked, as defined in the policies. The WAF looks at the headers and content of all packets. In some cases, it can require additional challenge requests, like CAPTCHAS, that prove the activity comes from a human and not a bot.
If the WAF detects malicious requests, it blocks the activity by dropping the request. For example, if the requestor fails to appropriately respond to the challenge question, the WAF will block any further requests, preventing future connections from the identified bot that may be looking to exploit or scrape the application.
WAF Security Models: Positive vs. Negative
Organizations using a WAF can choose a positive, negative, or hybrid security model when trying to mitigate web application attack risks.
Positive Security Model
A positive security model is one where the organization’s policies take a “deny all” approach, allowing requests based on specific inputs. All HTTP(s) traffic is blocked, except for requests that match deployed policies created to identify legitimate traffic. This model is established by defining all the characteristics of expected traffic, such as approved characters (e.g., a-z & 1-9 only), IP addresses, filetypes, and more. This model maximizes security coverage and can block emerging threats, not yet known to those in charge of maintaining the policy set. However, maintaining this model is not possible for every organization or application.
Challenges: The “positive security model” is strict and uncompromising. While it provides heightened security by rejecting requests not specifically approved, it also presents the following challenges that can lead to the denial of legitimate requests:
- Dynamic Applications: Web applications that produce frequently changing variables like users, URLs, directories, parameters and cookies, require constant, manual rule-based tuning to account for these changes.
- Constant Management: Failure to stay on top of this policy type will result in high level of false positives, preventing users from accessing the app with legitimate intentions.
Negative Security Model
With a negative security model, all HTTP(s) traffic is allowed, except for requests that match deployed policies created to identify malicious traffic. This method keeps a library of known and probable threats using the latest threat intelligence. For example, a black-listing firewall can spot malware, spyware, and injection code contained within the requests by scrutinizing the content and behavior of traffic. Access is the default unless traffic matches any defined criteria where it is dropped.
Challenges: While the “negative security model” reduces the likelihood of blocking legitimate user requests, there is a possibility that it will miss unanticipated or emerging threats, like zero-days. Also, policies must be regularly updated using latest threat intelligence to maintain coverage of known threats, which can be burdensome.
Hybrid Security Model
In this model, the organization uses a combination of positive and negative security measures. This model looks to combine the best elements of each and selects overly restrictive rulesets in areas of high risk or consistent traffic, while using less restrictive rules on dynamic sections or areas of lower risk.
Challenges: A hybrid model is tough for many in-house security teams; if you can’t get the balance right, the application may reject some requests or open backdoors you haven’t planned for. It’s another reason to pursue fully managed web application security. You’ll have the precise expertise to build the kind-of firewall you’ve been waiting for.
Types of WAFs
A WAF can exist in one of three ways before it begins defending against web application attacks:
Installed via LAN and held on a physical component, the firewall retains high performance because it’s near the web server. Hardware models can be expensive and inflexible. You’re investing in more high-computing equipment.
With lower costs than hardware setup, a virtual appliance, or software-based firewall can suit a wider variety of businesses, including those that are relatively small but growing fast. Virtual appliances can be scaled up or down manually or respond automatically demand with autoscaling features.
Cloud WAFs are managed by a service provider in the form of software-as-a-service. While lower costs and ease of deployment make this an appealing choice for organizations with limited resources, cloud WAFs can present several drawbacks including limited and/or costly scaling, higher latency, insufficient granularity in controls, and an inability to handle complex architectures.
Expert Managed WAF
Enterprise-level WAF management and configuration
Managed WAF eliminates the hassle of WAF management and configuration so your teams can focus on providing the best business value of your applications. Fortra’s Alert Logic delivers a competitively priced, highly versatile, enterprise-level, cloud-ready WAF that comes with a team of web security experts to eliminate the complexity for you.
Alert Logic delivers:
- Managed deployment that aligns project managers and technical experts, setting up the firewall rapidly on your behalf with all the right presets.
- An extensive signature set drawing on some of the most complex notifiers for web traffic attacks and bot management.
- Credential attack coverage protects against credential-based attacks like brute force or credential stuffing, which account for approximately 75% of web application compromises (Verizon DBIR 2022).
- 24/7 support* from web security experts. Get back to the operations that need your full attention to help reduce the burden on your security teams.
- Ongoing tuning and management, adjusting the web application firewall with the evolving nature of your business and the threats surrounding it.
- Extensive defensive tactics like rate limiting, data masking, connection throttling, and end-to-end encryption. You’re never short of appropriate measures.
- Auto-scaling in the cloud to handle unpredictable traffic throughput and so variable loads are matched by what you’re actually paying for. We always charged based on use, not security seats.
- Application delivery controls that simplify and streamline network performance. These include smart load balancing, caching, acceleration, and virtual hosting.
- Proven zero-day emerging threat detection: Forward-thinking security policies informed by our global threat research and SOC teams, that have proven success in blocking zero-day attacks such as Log4J .
- Virtual patching: Coverage provided 100+ applications and emerging threats to ensure you stay secure between patch management cycles.
*subject to SLA