Web Application Firewall

Web Application Firewall (WAF) Definition

A WAF is an appliance or piece of software that monitors HTTP/HTTPS traffic and can block malicious traffic to and from a web application. It differs from a traditional edge firewall in that it inspects the content of specific web applications at the application layer, whereas edge firewalls act as secure gateways between the local area network and outside servers at the network layer. Specifically, by inspecting HTTP traffic, a WAF can stop attacks that exploit web application security flaws, such as SQL injection, cross-site scripting, file inclusion, and security misconfigurations.

Pre WAF Era

The ancestor of the WAF is the application firewall, first developed in the 1990s. Although largely a network-based firewall, it could target some applications or protocols, such as File Transfer Protocol (FTP) and Remote Shell (RSH), a command-line program. The debut of the World Wide Web in 1991 was the big bang of the internet universe, which has been expanding at an accelerating pace ever since. The very accessibility and openness of the internet permitted anyone to search and explore, but it also permitted bad actors to use it for their own sordid purposes. As more people and organizations became victims of espionage, theft, and other crimes, developing a defense against HTTP-based cyberattacks became a foremost priority. A WAF could not rely on traditional edge firewall methods, which based decisions on a block list of network addresses and blocked certain protocols and port numbers. Because all web applications used HTTP on either port 80 or 443, that approach was of little use.

SQL Injection

Let's look at a common attack method called SQL injection. Imagine you run an online business and customers and partners log onto your site to buy products and services. A typical login page asks for a user ID and password. An individual, let's call him John Smith, types his user ID, jsmith, and his password. This information is verified against a backend database. If the password matches, John Smith gets in; if it does not, he is refused.

Now, a bad actor probably doesn't know John's password. He could always guess, but that might take a very long time. Instead, for the password, the bad actor types "abc123 or 2+2=4". When John's credentials are sent to the database for verification, the password "abc123" is almost certainly wrong; however, the expression "2+2=4" is true, and if the application pastes the password straight into its query, the OR makes the whole condition true. Due to this flaw, bad actors were able to break into some sites. The first generation of WAFs used block lists and signature-based matching on HTTP attributes to alert the firewall to an attack, so a SQL injection attack like this one was no longer successful.
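As an added illustration (not code from the original article), the login described above against an in-memory SQLite table: the query built by string concatenation accepts the injected password, the parameterized version does not, and a single first-generation-style signature flags the tautology. The table contents and the regex are constructed for the demo, and the article's shorthand "abc123 or 2+2=4" is written out in the form that actually closes the quoted string in the vulnerable query.

```python
import re
import sqlite3

# Constructed sample user table for the demo (not from the original article).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('jsmith', 'correct-horse')")
    return conn

def login_vulnerable(conn, user_id, password):
    # The flaw: user input is spliced into the SQL text, so a password that
    # closes the quote and appends "OR 2+2=4" turns the WHERE clause true.
    sql = (f"SELECT COUNT(*) FROM users WHERE user_id = '{user_id}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0

def login_safe(conn, user_id, password):
    # The fix: bound parameters travel as data, never as SQL syntax, so
    # "OR 2+2=4" is just characters that fail to match the stored password.
    sql = "SELECT COUNT(*) FROM users WHERE user_id = ? AND password = ?"
    return conn.execute(sql, (user_id, password)).fetchone()[0] > 0

# One first-generation WAF signature: an OR followed by a tautology such as
# 2+2=4 or 1=1. A single rule is illustrative only; real rule sets are large.
TAUTOLOGY = re.compile(r"(?i)\bor\b\s*[\w+'\"]+\s*=\s*[\w+'\"]+")

def waf_inspect(fields):
    """Return the names of request fields a signature matched (empty = allow)."""
    return [name for name, value in fields.items() if TAUTOLOGY.search(value)]

def demo():
    conn = make_db()
    # The article's "abc123 or 2+2=4", written so it actually closes the quoted
    # string in the vulnerable query; "--" comments out the trailing quote.
    payload = "abc123' OR 2+2=4 --"
    return {
        "vulnerable_login": login_vulnerable(conn, "jsmith", payload),
        "parameterized_login": login_safe(conn, "jsmith", payload),
        "real_password_ok": login_safe(conn, "jsmith", "correct-horse"),
        "waf_flags": waf_inspect({"user_id": "jsmith", "password": payload}),
        "waf_passes_real": waf_inspect({"user_id": "jsmith", "password": "correct-horse"}),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The signature blocks the tautology but is blind to any rewording of it, which is the limitation the next section turns to.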

Next Generation WAF

With internet popularity soaring, the sheer number of web applications and their growing complexity soon made the signature-based approach obsolete. Likewise, the number of false positives (alerts for connections that were in fact legitimate) grew beyond the capacity of IT security teams to review. In the next generation, the WAF became more intelligent: there was an element of learning by the firewall. The WAF would learn the behavior of the application to create a baseline it could use to evaluate whether attempts to access the application were normal or irregular, and therefore suspect. It could also introduce session monitoring and heuristics, which permitted the firewall to detect variants of known signatures. This was a step forward, but because application learning was overseen by IT security, defense could not keep up with the ever-expanding number of mutations of existing methods or new exploits. Moreover, there was no defense against zero-day exploits, which target an unknown weakness in the code of an application. The logical turn in WAF development was machine learning unencumbered by human supervision. Now, behavior analysis could be done at machine speed and could adapt to the ever-changing attributes of the threat. Other security features were added to the firewall. Among these assets were:

  • Distributed Denial of Service (DDoS) defense

  • IP reputation

  • Antivirus

  • Data Loss Prevention (DLP)
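An added sketch (not from the original article) of the learning phase described above: a profile records, per form field, the longest value and the set of characters seen in normal traffic, then reports requests that deviate from that baseline. The training requests are constructed, and the 1.5x length tolerance is an assumed tuning knob; loosening or tightening it is precisely the false-positive trade-off the article mentions.

```python
from collections import defaultdict

# Constructed learning-phase traffic for a login form (not from the article).
TRAINING = [
    {"user_id": "jsmith", "password": "correct-horse"},
    {"user_id": "a.lee", "password": "Winter2024"},
    {"user_id": "m_okafor", "password": "p@ss-w0rd!"},
    {"user_id": "tanaka99", "password": "blueSky#77"},
]

def char_classes(value):
    # Coarse alphabet: letters/digits collapse to one class, each symbol is its own.
    return {"alnum" if ch.isalnum() else "space" if ch.isspace() else ch for ch in value}

class LearnedProfile:
    # Per-parameter baseline: longest value seen and the characters seen.
    def __init__(self, slack=1.5):
        self.max_len = defaultdict(int)
        self.classes = defaultdict(set)
        self.slack = slack  # assumed tolerance above the longest learned length

    def learn(self, request):
        for name, value in request.items():
            self.max_len[name] = max(self.max_len[name], len(value))
            self.classes[name] |= char_classes(value)

    def anomalies(self, request):
        """List deviations from the baseline; an empty list means 'normal'."""
        findings = []
        for name, value in request.items():
            if name not in self.max_len:
                findings.append(f"{name}: parameter never seen during learning")
                continue
            if len(value) > self.slack * self.max_len[name]:
                findings.append(f"{name}: length {len(value)} exceeds baseline")
            unseen = char_classes(value) - self.classes[name]
            if unseen:
                findings.append(f"{name}: unseen characters {sorted(unseen)}")
        return findings

def build_profile():
    profile = LearnedProfile()
    for request in TRAINING:
        profile.learn(request)
    return profile

if __name__ == "__main__":
    profile = build_profile()
    print(profile.anomalies({"user_id": "jsmith", "password": "abc123 or 2+2=4"}))
```

Note that the article's payload is caught without any signature for it, purely because spaces, "+" and "=" never appeared in a password during learning.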

The firewall could monitor HTTP and stop any action that violated acceptable behavior. It could identify the user and correlate the action they were attempting with their permissions, and stop any action that went beyond the scope of their role. The WAF was also designed to share information and collaborate with other security devices in the network, such as other firewalls and sandboxes. This integrated the firewall into an interlocking collective defense instead of leaving it to work independently. Sandboxing allowed suspicious material to be tested safely in isolation from the network. Zero-day attacks could be exposed and quarantined in these sandbox environments, and their signatures could be shared with other devices in the network. In addition, these new discoveries could be uploaded to a threat intelligence center on the internet, where they could be communicated to other networks.
