IT article on cybersecurity with tips for website owners. Types and benefits of web application firewalls.
As companies build more web applications of growing complexity, keeping a high level of security requires better tooling. That tooling must minimize business risk while preserving ease of use and productivity, which is what a web application firewall (WAF) is designed to do.
A WAF is a protection system that filters, monitors, and blocks HTTP traffic to and from a web application. By doing so, it mitigates attempts that could compromise the system or leak data.
When a WAF is not in use, a business is at risk of being affected in one or more ways:
A WAF works through a set of rules, its policy. It sits between the client and the server and inspects application-layer traffic for anything the policy defines as irregular.
The benefit of a WAF comes from the speed and efficiency with which its policy can be changed, which allows a faster response to new attack vectors. To adapt a WAF to a particular situation, you can adjust the traffic profile its machine-learning component provides. Combining centralized management with machine learning significantly cuts both computing overhead and the frequency of configuration mistakes.
A WAF covers a wide range of attacks such as:
Conventionally, WAFs would be set up on-premise, in the data center. However, security teams now face a demand to make it work beyond the data center. When choosing a WAF, make sure you compare where they reside.
Network-based WAFs (NWAF) are usually hardware-based and installed locally, close to the applications they protect. Thanks to interconnection agreements between network-based firewall providers, policies can be replicated across other appliances to keep deployment and configuration consistent. The biggest disadvantage of this type is cost.
Host-based WAFs (HWAF) run on a single host and monitor activity for that host only. They come at a lower cost and can be adapted to individual circumstances with custom rules. However, HWAFs depend on local libraries and server resources, so the local server must be running and healthy at all times.
Cloud-based WAFs are centrally organized, which means all tenants are provided with threat detection and response solutions, even if the incident occurred on a different hosting location. This works towards developing advanced analytics for exploitation mitigation. The biggest perks of this type of WAF are the low cost and no need for on-premises services.
However, using a cloud-based WAF typically means handing your SSL certificate to the provider so that it can decrypt and inspect your traffic. By handing over the material that protects your encrypted traffic, you give the provider an upper hand, so the arrangement rests on trust in that provider. Also, subscription fees tend to rise significantly over time, which could eventually force you to look for another option.
A whitelist (allow-list) WAF defines what is permitted to pass the policy. A good example is an internal corporate portal that only company employees should be able to reach. In this case, simply enter the IP address range of the company network, and the WAF will allow only employee traffic.
You can add the following items to the whitelist:
A blacklist (deny-list) WAF is the complete opposite: it uses a list of inadmissible patterns that must not pass the firewall. It depends on the provider’s awareness of known exploits and cannot stop attackers who try new techniques. Sometimes it is easier to specify what should be allowed than to keep up with every new possible attack.
Both models have their pros and cons, which creates a demand for a hybrid. Nowadays, a combination of both models is the most common technique used by modern firewalls.
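A minimal hybrid policy engine, added here as an example and not code from the article or any WAF product: an allow-list restricts the internal portal to a corporate network (the 10.20.0.0/16 range and the request samples are constructed for this example), and a small deny-list of illustrative signatures is applied to everything else after URL decoding, so encoded payloads are judged the same way as plain ones.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Tuple
from urllib.parse import unquote_plus

# Constructed corporate network used by the allow-list rule (hypothetical).
CORP_NET = ipaddress.ip_network("10.20.0.0/16")

# Allow-list model: path prefix -> networks permitted to reach it.
ALLOW_RULES = {"/portal": [CORP_NET]}

# Deny-list model: illustrative signatures of well-known request patterns.
DENY_SIGNATURES = [
    ("sql_tautology", re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I)),
    ("script_tag", re.compile(r"<\s*script\b", re.I)),
    ("path_traversal", re.compile(r"\.\./")),
]


@dataclass
class Request:
    client_ip: str
    path: str
    query: str = ""
    body: str = ""


def evaluate(req: Request) -> Tuple[str, str]:
    """Hybrid policy: allow-list first (positive model), then deny-list.

    Returns (verdict, reason) where verdict is "ALLOW" or "BLOCK".
    """
    ip = ipaddress.ip_address(req.client_ip)
    for prefix, nets in ALLOW_RULES.items():
        if req.path.startswith(prefix) and not any(ip in n for n in nets):
            return ("BLOCK", f"allowlist:{prefix}")
    # Decode once so URL-encoded payloads do not slip past the signatures.
    payload = unquote_plus(f"{req.path}?{req.query}\n{req.body}")
    for name, pattern in DENY_SIGNATURES:
        if pattern.search(payload):
            return ("BLOCK", f"denylist:{name}")
    return ("ALLOW", "")
```

A real deployment would log the reason string alongside the request so that false positives can be tuned rather than silently dropped.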
An Intrusion Prevention System (IPS) reads the content of a single packet, inspects it against known weaknesses and exploits, and matches attack signatures against the traffic. However, HTTP is a layer 7 (application-layer) protocol, so an IPS cannot be effective against all potential application vulnerabilities.
If you use only an IPS or only a WAF, it may cause too many false positives, which in turn provokes one of two possible reactions:
An IPS looks at signatures and anomalies; a WAF looks at behavior and logic and inspects traffic in both directions. Ultimately, instead of trying to outmatch each other, they should be implemented in a complementary manner to achieve the best results.
No matter how unlikely a hack may seem, anyone can be a target. Strong passwords and an SSL certificate are not enough to keep an application secure, so a WAF applies a set of defined rules to cover as much as possible. This includes:
In many ways, a WAF is a small price to pay to protect your company from significantly bigger expenses down the road.