2023 has been marred with an astonishing array of cyberattacks – from Clorox to Caesars, cybercriminals are running rings around lackluster security.
It’s never been more important to establish a solid foundation of security for your colleagues, contractors, and customers. This is largely the result of a perfect storm: while international tensions rise, state-sponsored attack actors are keenly primed to take advantage of security oversights, AI developments lend even greater firepower to automated attack campaigns.
The Web Application Firewall plays a significant role in basic protection but continues to be chronically misunderstood. Here’s a rundown on one of the most essential pieces of kit in your security arsenal.
What is a WAF?
A web application firewall – abbreviated to WAF – is designed to filter the data packets traveling to and from a web application or website. WAFs come in three primary forms, depending on whether they’re based on the host, local network, or cloud.
Typically, their protection is positioned at the forefront of an application or website – this also means that multiple sites and applications can be protected by a single WAF, if they face similar attack patterns.
While sitting between external users and web applications, the WAF analyzes all HTTP communication that flows in between. This front-row view allows it to detect and block malicious requests before they reach users or web applications.
Note the difference between a web application firewall and the more traditional network firewall: the latter defines and protects the perimeter of a local-area network, creating a more secure ‘zone’. WAFs, on the other hand, don’t rely on a wholesale barrier between internal and external traffic, but instead analyze the unique data packets themselves, and assess its associated risk.
How do WAFs Work?
Every type of WAF operates off the same core principle: to allow or deny HTTPS requests in accordance with an organization’s security policies. The minutiae of this process can vary dramatically, however – from manually-updated blocklists to highly dynamic, automated whitelisting.
The difference is simple: a WAF employing a blocklist (dubbed a negative security model) safeguards against known attacks. Think of it as a club bouncer with instructions to turn away individuals who do not adhere to the dress code. In contrast, a WAF based on an allowlist (using a positive security model) permits only pre-approved traffic. This is akin to the exclusive party bouncer who allows entry only to individuals on the guest list.
Both blocklists and allowlists have their own merits and limitations, which is why many WAFs provide a hybrid security model that incorporates both approaches.
From there, the following differences are largely dependent on where the WAF is installed.
A Network-based WAF, typically hardware-based, is locally installed to minimize latency. However, it is the costliest type of WAF and demands the storage and maintenance of physical equipment.
A Host-based WAF is fully integrated into an application’s software. It is a more economical option compared to network-based WAFs and offers greater customization. Nonetheless, it places a heavy load on local server resources, entails complex implementation, and can incur significant maintenance costs.
On the other hand, a Cloud-based WAF is an affordable and easily deployed solution, typically not requiring an initial investment. Users typically pay for a security-as-a-service subscription on a monthly or annual basis. Cloud-based WAFs can be regularly updated at no additional cost, without any user effort. However, because you depend on a third party to manage your WAF, it’s crucial to ensure that cloud-based WAFs offer sufficient customization options to align with your organization’s business rules.
With a WAF solution in place, it becomes possible to disrupt some of the following common attacks:
Distributed Denial of Service (DDoS)
An attempt to disrupt a network, service, or server by overwhelming it with a flood of internet traffic. It aims to exhaust its target’s resources and is one of the most publicly disruptive cyberattacks.
WAFs help defend against these by enforcing IP-based request limits – preventing the same device from constantly calling the same service. It also provides geo-filtering that allows you to serve low-resource static web pages suspicious IP address ranges.
SQL injection
SQL Injection is a type of attack that empowers malicious hackers to execute harmful SQL statements, giving them control over the database server supporting a web application. This intrusion allows attackers to sidestep webpage authentication protocols and extract data from the SQL database.
WAFs mitigate this threat by detecting suspicious inputs and cross-referencing them with common attack patterns.
Cross-site Scripting (XSS)
Cross-site Scripting is a vulnerability that allows attackers to compromise user interactions with applications, thereby allowing them to bypass the same-origin policy, which isolates different websites. Consequently, the attacker can pose as a legitimate user and access data and resources for which they shouldn’t have permission.
WAFs prevent this by isolating each application’s attack surface, ensuring that each user is who they claim to be.
Don’t Rely On WAF Alone
While undeniably important, WAFs should only be one part of a cohesive stack of attack identification and mitigation options. After all, depending on your choice of blocklist, WAFs are only adept at targeting published and known exploits. Zero-day attacks can still remain a concern, as unexpected exploit paths can easily slip past the application perimeter.
This is where WAAP and RASP options lend deeper protection throughout the runtime environment. The former – standing for Web Application and API protection – hones in on the increasingly segmented architecture of microservices and APIs. Runtime Application Self-Protection provides attack detection and prevention from your application runtime environment. This can act as a last line of defense against mature attack campaigns, completing the set of tools that keep your attack surface protected.