A web application firewall (WAF) is a protective barrier that monitors, filters and, if need be, blocks Hypertext Transfer Protocol (HTTP) traffic as it travels to and from a particular web application. WAFs can be network-based, host-based or cloud-based. In all cases, like other application-layer firewalls, a WAF typically operates according to a set of predefined rules. Like a security guard checking who should be allowed into and out of restricted areas, these rules govern how the WAF functions.
When web traffic is sent to a web application, the WAF examines each request and applies its ruleset to determine whether the request is attempting to exploit a known vulnerability. If so, it blocks the request; if not, it passes the request through to the application server. It similarly safeguards against unauthorized data being transferred out of the server in the response.
WAFs can protect against attacks such as cross-site scripting (XSS), in which attackers inject malicious client-side scripts into web pages to get around certain access controls; SQL injection, in which malicious SQL is entered into a web input field; Layer 7 DoS attacks (a type of HTTP flood); brute-force attacks; and many other potentially devastating cyber attacks. They should address the most pressing web application security flaws, as laid out by the Open Web Application Security Project (OWASP).
As companies have increasingly come to rely on web applications that store massive amounts of data, the need for WAFs has only increased. Don’t look for that trajectory to reverse any time soon…
A few challenges on the horizon
But no WAF is a flawless solution in every scenario. Cyber security is a cat-and-mouse game between those who want to inflict harm and those who want to protect users against it. As the old saying goes, rules are made to be broken — or, at least, gotten around. Increasingly, hackers find ways to sidestep WAF rules when they launch their attacks, discovering innovative (but certainly not innocent) ways of circumventing application-layer firewalls.
There are a number of common problems that WAFs face. One is the challenge of zero-day attacks, which exploit a software vulnerability that has not yet been brought to the attention of cyber security professionals. Because a vulnerability can only be protected against once it has been disclosed, hackers who find zero-day flaws can exploit them until they are discovered and patched. (The term “zero-day” originally referred only to brand-new software released to the public, but it is now used in this broader sense.)
A related challenge is simply ensuring that WAFs are kept up to date and properly maintained. New features demanded by users or implemented by perfection-seeking developers, newly disclosed vulnerabilities, and an ever-shifting computing landscape mean that WAFs can have blind spots that leave them unable to deal with certain types of attack. In some cases, WAF operators go the opposite way: to avoid false positives (i.e. blocking legitimate web traffic that should have been allowed through), they strip the ruleset down to a minimum. This still means that the biggest, loudest attacks will probably be blocked, but it also means that subtler ones may fly under the radar. More importantly, the simpler the rules that are designed and implemented, the easier it is for hackers to work around them.
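To make the request-inspection step and the false-positive trade-off concrete, here is a small rule-engine sketch in Python. It is an added example written for this page, not code from the original article or from any WAF product. It assumes a request has already been parsed into method, URL, headers and body, and the rule signatures are deliberately simplified toy patterns (a real rule set such as the OWASP Core Rule Set has hundreds of far more careful ones). The sample requests are constructed, not taken from any real log. Running it shows the same legitimate search blocked by a keyword-only rule set and allowed by a scoped one, and a probe that the stripped-down rule set never notices.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlsplit


@dataclass
class Rule:
    rule_id: str
    description: str
    pattern: re.Pattern


@dataclass
class Request:
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    body: str = ""


def inspectable_fields(req):
    """Yield (location, decoded value) pairs a WAF would inspect: the path,
    each query parameter, each form field in the body and a few headers."""
    parts = urlsplit(req.url)
    yield ("path", parts.path)
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        yield (f"query:{name}", value)
    for name, value in parse_qsl(req.body, keep_blank_values=True):
        yield (f"body:{name}", value)
    for header in ("User-Agent", "Referer"):
        if header in req.headers:
            yield (f"header:{header}", req.headers[header])


def evaluate(req, rules):
    """Apply every rule to every inspectable field. Returns ("block", matches)
    when any rule fires, where matches lists (rule_id, location); else ("allow", [])."""
    matches = [
        (rule.rule_id, location)
        for rule in rules
        for location, value in inspectable_fields(req)
        if rule.pattern.search(value)
    ]
    return ("block" if matches else "allow", matches)


# Over-broad rule set: bare keywords with no context. Cheap to write, but it
# flags ordinary words such as "selection" and "script editor", and it has no
# notion of quote-based SQL injection at all.
NAIVE_RULES = [
    Rule("kw-sql", "any SQL keyword anywhere", re.compile(r"select|union", re.I)),
    Rule("kw-script", "the word script anywhere", re.compile(r"script", re.I)),
]

# Scoped rules: each one looks for the structure of the attack class rather
# than a lone keyword. Toy signatures for illustration only (assumption).
SCOPED_RULES = [
    Rule("sqli-tautology", "quote followed by OR/AND", re.compile(r"'\s*(?:or|and)\b", re.I)),
    Rule("sqli-union", "UNION ... SELECT", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    Rule("xss-script-tag", "opening <script> tag", re.compile(r"<\s*script\b", re.I)),
    Rule("xss-event-handler", "inline on*= handler", re.compile(r"\bon\w+\s*=\s*['\"]", re.I)),
]

# Constructed sample traffic (not from any real log).
LEGIT_SEARCH = Request("GET", "/search?q=script+editor+selection")
SQLI_PROBE = Request("GET", "/items?id=1'+OR+'1'='1")
XSS_POST = Request("POST", "/comment", {"User-Agent": "Mozilla/5.0"},
                   body="text=%3Cscript%3E1%3C%2Fscript%3E")

if __name__ == "__main__":
    for label, req in [("legit", LEGIT_SEARCH), ("sqli", SQLI_PROBE), ("xss", XSS_POST)]:
        print(label, "naive ->", evaluate(req, NAIVE_RULES)[0],
              "| scoped ->", evaluate(req, SCOPED_RULES)[0])
```

The decision log returned by evaluate (rule id plus the exact location that fired) is what an operator needs to triage a false positive: a rule that keeps firing on a benign parameter can be scoped to the attack's structure rather than deleted outright, which is the difference between tuning a ruleset and stripping it down.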
Choose the right WAF
The answer isn’t to throw in the towel on WAFs, however. Instead, organizations that rely on them should seek out high-end managed WAFs that can deal effectively with whatever is thrown at them. A WAF should be fully integrated with the other security systems you have so that it can work to the best of its ability. Cloud WAFs promise to spare administrators the laborious and time-consuming process of manually training and tuning security software and hardware. High-end WAFs use correlated attack validation and dynamic application profiling to detect attacks more accurately while minimizing false positives. This means aggregating and analyzing individual violations across the stack, while also learning all aspects of the web application, such as its directories, parameters, URLs and acceptable user inputs. Taken together, this means these WAFs should be able to detect attacks with unprecedented accuracy, blocking only the malicious traffic that’s out to cause you, the user, harm.
Web application firewalls have been part of cyber security since the 1990s, when attacks on web servers started to become commonplace. Since then, what we expect from a WAF has advanced significantly — although the fundamental concept behind the technology remains very solid. Alongside other modern cyber security tools, such as advanced DDoS protection, professional-grade WAFs are an essential part of any enterprise protection strategy.
It’s just important to ensure that whichever solution you choose is capable of dealing with as many of the challenges mentioned above as possible. Choose wisely, and this isn’t a decision any business or organization will come to regret.