Web applications are essential for driving digital transformation, enabling remote work, enhancing employee productivity, and improving customer interactions. By providing online access to key applications, these tools allow teams to collaborate efficiently, whether in real-time or asynchronously, while ensuring continuous availability of products and services.

A typical web app consists of several interconnected components, typically classified into presentation, application, and storage tiers. Due to their support for critical business functions, ensuring the security and continuous availability of these applications is paramount.

To maximize accessibility, web apps are most often internet-facing, which makes them attractive targets for threat actors seeking to exploit access points to a company’s data, networks, and systems. A web application firewall (WAF) helps protect these applications from attacks that target the application layer. WAFs complement other security technologies as part of a comprehensive defense strategy.

What is a WAF?

A web application firewall is a filter for web traffic that applies rules to HTTP/HTTPS communications in order to monitor, filter, and block malicious requests. A WAF inspects all the traffic entering and leaving a web application. Think of it as a gate that is raised or lowered depending on whether the traffic is deemed safe. This matters because internet traffic is made up of data packets, units of information sent between nodes in a network, and those packets can carry malicious activity posing as harmless data, such as an exploit that plants a webshell for backdoor access. A WAF assesses each request against pre-configured security rules: requests that pass are forwarded, and requests that don’t are dropped. This preserves the integrity of the web application by preventing malicious requests from ever reaching it, so the application stays protected even if it is vulnerable to the blocked exploit. This level of scrutiny is known as application layer filtering.

WAFs can also prevent the exploitation of misconfigurations, missing security patches, insecure development practices, and vulnerable third-party or open-source plugins. They can be host-based, network-based, or cloud-based, but in each case they act as a reverse proxy that sits in front of your web apps.

What is the Difference Between a WAF and a Firewall?

Although both WAFs and firewalls monitor for malicious traffic, they operate differently.

Firewalls

Traditional firewalls primarily filter traffic based on its origin and destination. They operate at layers 3 and 4 of the OSI model (network and transport), focusing on source and destination IP addresses and ports. Organizations set up a list of approved IP addresses and ports, and the firewall blocks any traffic that doesn’t match this list. However, attackers can bypass these defenses by spoofing packet headers. In contrast, next-generation firewalls (NGFWs) offer a more advanced approach, filtering traffic at the application layer for deeper inspection and enhanced security.

The rise of cloud led to the development of next-generation firewalls, which go beyond traditional traffic filtering by inspecting content at layer 7 and examining the contents of the traffic for malicious activity, not just its direction of travel.

Both traditional and next-gen firewalls protect large networks as a whole, and:

  • Limit access to risky websites
  • Segment networks
  • Record events
  • Alert organizations to potential intrusions

To eliminate any confusion over the difference between layer 3 and layer 7 inspection, think of a letter in a sealed envelope:

  • The address and return-to-sender address on the envelope represent layer 3
  • The contents contained within the letter represent layer 7

While identifying a suspicious sender address or unauthorized destination on an envelope can be useful, the only real way to know if the contents of the envelope are malicious is to open it and inspect what is inside.

Firewalls sit at the network and transport layers. Consequently, they only see the network traffic flowing into and out of nodes and destination hosts, not what that traffic asks the application to do. These layers are closer to the public internet.
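The envelope analogy, carried into code as an added example (not code from the original article or from any vendor's product): a layer 3/4 check looks only at the "envelope" (source address and destination port), while a layer 7 check opens it and parses the HTTP request inside. The sample packet, the approved source address, and the single signature pattern are all constructed for illustration; a real WAF would also URL-decode and normalize the request before matching, and would see the decrypted request because it terminates TLS as the reverse proxy.

```python
"""Layer 3/4 filtering versus layer 7 inspection of one constructed HTTP request.

Added example; not code from the original article or from any vendor's WAF.
The packet, the approved source address and the rule pattern are constructed.
"""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass
class Packet:
    """The 'envelope' (network/transport headers) plus the HTTP payload inside it."""
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes   # plaintext HTTP; a WAF terminating TLS sees it decrypted


# Layer 3/4 policy of a traditional firewall: approved peers and ports, nothing else.
ALLOWED_SOURCES = {"203.0.113.10"}   # constructed address from the TEST-NET-3 range
ALLOWED_DST_PORTS = {443}


def l3_l4_filter(pkt: Packet) -> bool:
    """True if the packet passes the envelope checks (source address, destination port)."""
    return pkt.src_ip in ALLOWED_SOURCES and pkt.dst_port in ALLOWED_DST_PORTS


# Layer 7 policy: a minimal constructed signature for a SQL tautology or UNION SELECT,
# applied to the request target and body once the envelope has been opened.
SQLI_PATTERN = re.compile(r"(?i)(\bunion\b\s+\bselect\b|'\s*or\s+'?1'?\s*=\s*'?1)")


def parse_http(payload: bytes) -> dict:
    """Split a raw HTTP/1.1 request into method, target, headers and body."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers,
            "body": body.decode("latin-1")}


def l7_filter(pkt: Packet) -> tuple[bool, str]:
    """Open the envelope: parse the HTTP request and check target and body against the signature."""
    req = parse_http(pkt.payload)
    for where, text in (("target", req["target"]), ("body", req["body"])):
        if SQLI_PATTERN.search(text):
            return False, f"signature match in {where}"
    return True, "clean"


# Constructed sample: an approved source sends a login request whose password
# field carries a classic tautology. The envelope is fine; the contents are not.
SAMPLE = Packet(
    src_ip="203.0.113.10", dst_ip="198.51.100.5", dst_port=443,
    payload=(b"POST /login HTTP/1.1\r\nHost: app.example\r\n"
             b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
             b"user=alice&pass=x' OR '1'='1"),
)


def evaluate(pkt: Packet) -> dict:
    """Verdict of each layer for one packet, plus the layer 7 reason."""
    passed_l3 = l3_l4_filter(pkt)
    passed_l7, reason = l7_filter(pkt)
    return {"l3_l4": passed_l3, "l7": passed_l7, "reason": reason}


if __name__ == "__main__":
    print(evaluate(SAMPLE))   # layer 3/4 passes it, layer 7 blocks it
```

Running the block shows the point of the analogy: the traditional filter passes the sample because the sender and port are approved, and only the application-layer filter, which parses the request body, sees the reason to drop it.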

Web application firewalls

Like an NGFW, a WAF sits at the application layer (layer 7), where the user interacts with the software and network. WAFs traditionally sit between the traditional firewall and the application or server, so malicious traffic must pass through two different firewalls before reaching the application itself. Because a WAF usually protects a small number of web applications, its policies can be much more granular and targeted than those of NGFWs or firewalls, which serve large segments of a network.

Think of a firewall as security around the perimeter of an entire hotel, whereas a WAF is security for a single room within the same hotel.

Why take the extra precaution of combining a WAF and a firewall? Web apps are an organization’s most targeted asset, accounting for 53% of all attacks. Shouldn’t the most targeted asset be the focus of your security strategy?

Web apps are also an obvious gateway into your environment and sensitive data. Undoubtedly, you need to protect the data connected to your web application as well as your wider network from a breach, by preventing your web app from becoming a stepping-stone for lateral movement leading to further data exfiltration or ransomware.


What Attacks Does a WAF Guard Against?

Your web apps perform critical business functions and are exposed entry points to your network. This combination of high exposure and potential impact warrants targeted protections. When you deploy a WAF, you stay vigilant against serious attempts to steal your data, hold it hostage, or disrupt business operations.

WAFs protect against attacks such as:

  • Malware uploads, which exploit a web app vulnerability to upload malicious code, including:
    • Trojans that steal your users’ information.
    • Ransomware that can spread across your whole network, crippling digital operations until you pay.
    • Webshells that create backdoor access and facilitate further malicious actions.
  • SQL injection, where an attacker exploits poorly sanitized input (for example, in a login form) that is passed on to connected datastores, in order to steal credentials or dump sensitive data.
  • Cross-site scripting (XSS), which injects malicious script into your app so that it executes in your users’ browsers.
  • Denial of service (DoS) attacks, which overwhelm your application, for example by flooding it with requests or sending it into an expensive logic loop, until it can no longer serve legitimate users.
  • Credential-based attacks, where stolen usernames and passwords are used to gain user or admin access. Stolen credentials in brute force or credential stuffing attacks account for approximately 75% of web application compromises.
  • Man-in-the-middle attacks, where a threat actor positions themselves between the user and the app, then intercepts and even modifies information without the user’s knowledge.

DDoS protection is another WAF use case. Some WAFs have DDoS mitigations embedded within them, while in some scenarios a complementary technology, a content delivery network (CDN), is preferred.

How Does a WAF Work?

A WAF is your first line of defense against application layer attacks. It does this as a reverse-proxy server, an intermediary between clients and the web application, so that clients never connect to the application directly. The WAF functions as a wall around the web app, preventing harmful clients from reaching it.

Policies

WAFs use rule sets and detection algorithms to recognize known malicious types of traffic. Organizations need to set policies telling the WAF what is suspicious before it can protect against a security incident.

These rules tell the WAF which types of requests or traffic behavior present a risk to the organization. They also tell the WAF what action to take when it detects one of these types.

Good WAF policies must minimize false positives. False positive blocks may prevent legitimate users from using the application for its intended purpose. As web apps tend to be dynamic and continuously developed, regular review of policies is crucial to maximize protections and limit false positive blocks.

Inspection

The WAF analyzes HTTP(S) requests to identify legitimate traffic and block threats using predefined policies. It analyzes the headers and content of every request. Occasionally, it requires additional verification, such as a CAPTCHA, to confirm the activity is human-generated and not from a bot.

Blocking

If the WAF detects a malicious request, it blocks the activity by dropping the request. For example, if the requestor fails to respond correctly to the challenge, the WAF blocks its further requests. This prevents future connections from the identified bot looking to exploit or scrape the application.

WAF Security Models

Organizations using a WAF can go with a positive, negative, or hybrid security model.

Positive security model

A positive security model is one where the organization’s policies take a “deny all” approach, allowing requests only when they match specific, expected inputs. All HTTP(S) traffic is blocked, except for requests that match deployed policies created to identify legitimate traffic. This model is established by defining all characteristics of expected traffic, such as approved characters, IP addresses, and file types. It maximizes security coverage and can block emerging threats, because an attack that doesn’t look like expected traffic is rejected without needing a signature for it. However, maintaining this model is not feasible for every organization or application.

Challenges

The positive security model is stringent and inflexible. Although it enhances security by rejecting any requests not explicitly permitted, it can also pose difficulties by potentially denying legitimate requests:

  • Dynamic applications: Web applications that produce frequently changing variables, such as users, URLs, directories, parameters and cookies, require constant, manual rule tuning to account for these changes.
  • Constant management: Failure to stay on top of this policy type will result in a high level of false positives, preventing users with legitimate intentions from accessing the app.

Negative security model

With this model, all HTTP(S) traffic is allowed, except for requests matching deployed policies created to identify malicious traffic. This method keeps a library of known and probable threats, maintained using the latest threat intelligence.

For example, a deny-listing firewall spots malware, spyware, and injection code contained within requests by scrutinizing content and traffic behavior. Access is the default; traffic is dropped only when it matches one of the defined criteria.

Challenges

Although the negative security model minimizes the risk of blocking legitimate user requests, it may fail to detect unexpected or emerging threats, such as zero-day vulnerabilities. Additionally, policies must be regularly updated with the latest threat intelligence to ensure coverage of known threats.

Hybrid security model

In this model, the organization uses a combination of positive and negative security measures, aiming to combine the best elements of each. Hybrid security applies strict, allow-list rulesets in areas of high risk or consistent traffic, while using less restrictive, signature-based rules on dynamic sections or areas of lower risk.

Challenges

A hybrid model is tough for many in-house security teams. For instance, if you can’t get the balance right, the application may reject legitimate requests or leave gaps you didn’t plan for. It’s another argument for managed web application security: with WAFs, you need precise expertise to build the kind of firewall you need.
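The three security models side by side, as an added example that is not code from the original article or from any vendor's WAF. The positive model is an allow-list schema per endpoint (approved methods, parameters, character sets, file types and client network); the negative model is a short signature list; the hybrid model applies the allow-list on the stable, high-risk endpoints and the signatures elsewhere. The endpoints, schema, signatures, client network and every sample request are constructed. Running it shows the trade-offs the text describes: the positive model blocks an attack the signature list doesn't cover, but also blocks a newly shipped endpoint and a newly added parameter (the false positives that demand constant tuning), while the negative model lets the unlisted attack through.

```python
"""Positive, negative and hybrid WAF policies evaluated over constructed requests.

Added example for the three security models; not code from the original article
or from any vendor's WAF. Endpoints, schema, signatures, client network and all
sample requests are constructed for illustration.
"""
from __future__ import annotations
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    params: dict                      # query/form parameters, already URL-decoded
    client_ip: str = "203.0.113.10"   # constructed address from TEST-NET-3


# --- Positive model: describe expected traffic, deny everything else. -------------
# Per endpoint: accepted methods and, per parameter, the character set the
# application expects (constructed; a real schema is derived from the app itself).
ALLOW_SCHEMA = {
    "/login": {"methods": {"POST"},
               "params": {"user": re.compile(r"[A-Za-z0-9_.@-]{1,64}"),
                          "pass": re.compile(r"[^\x00-\x1f]{8,128}")}},
    "/upload": {"methods": {"POST"},
                "params": {"filename": re.compile(r"[\w-]{1,64}\.(png|jpg|pdf)")}},
}
ALLOWED_CLIENT_NET = ipaddress.ip_network("203.0.113.0/24")   # constructed


def positive_verdict(req: Request) -> tuple[str, str]:
    """Allow only a request that matches the expected profile on every dimension."""
    if ipaddress.ip_address(req.client_ip) not in ALLOWED_CLIENT_NET:
        return "block", "client outside approved network"
    schema = ALLOW_SCHEMA.get(req.path)
    if schema is None:
        return "block", f"unknown endpoint {req.path}"
    if req.method not in schema["methods"]:
        return "block", f"method {req.method} not expected on {req.path}"
    for name, value in req.params.items():
        pattern = schema["params"].get(name)
        if pattern is None:
            return "block", f"unexpected parameter {name}"
        if not pattern.fullmatch(value):
            return "block", f"parameter {name} outside expected character set"
    return "allow", "matches expected traffic profile"


# --- Negative model: allow by default, deny on known-bad signatures. --------------
DENY_SIGNATURES = [
    ("sqli-tautology", re.compile(r"(?i)'\s*or\s+'?\d+'?\s*=\s*'?\d+")),
    ("sqli-union-select", re.compile(r"(?i)\bunion\b\s+\bselect\b")),
    ("xss-script-tag", re.compile(r"(?i)<\s*script\b")),
    ("path-traversal", re.compile(r"\.\./")),
]


def negative_verdict(req: Request) -> tuple[str, str]:
    """Block only when a parameter value matches one of the known signatures."""
    for pname, value in req.params.items():
        for name, sig in DENY_SIGNATURES:
            if sig.search(value):
                return "block", f"{name} in parameter {pname}"
    return "allow", "no signature matched"


# --- Hybrid: allow-list where the app is stable and high-risk, signatures elsewhere.
STRICT_PATHS = frozenset(ALLOW_SCHEMA)


def hybrid_verdict(req: Request) -> tuple[str, str]:
    if req.path in STRICT_PATHS:
        return positive_verdict(req)
    return negative_verdict(req)


MODELS = {"positive": positive_verdict, "negative": negative_verdict, "hybrid": hybrid_verdict}


def evaluate(req: Request) -> dict:
    """{model: 'allow' | 'block'} for one request."""
    return {name: fn(req)[0] for name, fn in MODELS.items()}


# Constructed traffic: legitimate use, a known attack, an attack the signature list
# does not cover, a newly shipped endpoint, and a newly added parameter.
SAMPLES = {
    "legit-login":   Request("POST", "/login", {"user": "alice", "pass": "correct-horse-battery"}),
    "sqli-login":    Request("POST", "/login", {"user": "alice' OR '1'='1", "pass": "anything1"}),
    "unlisted-sqli": Request("POST", "/login", {"user": "admin'--", "pass": "anything1"}),
    "new-search":    Request("GET", "/search", {"q": "blue shoes"}),
    "xss-search":    Request("GET", "/search", {"q": "<script>alert(1)</script>"}),
    "new-param":     Request("POST", "/login", {"user": "alice", "pass": "correct-horse-battery",
                                                "remember": "1"}),
}


def evaluate_all() -> dict:
    return {label: evaluate(req) for label, req in SAMPLES.items()}


if __name__ == "__main__":
    for label, verdicts in evaluate_all().items():
        print(f"{label:14s} {verdicts}")
```

The two false positives ("new-search" and "new-param") are exactly the tuning burden the Challenges list describes: the positive schema must be updated every time developers ship a new endpoint or parameter, and the hybrid model inherits that burden only for the endpoints it places under the allow-list.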

Types of WAFs

A WAF can be deployed in one of three forms before it starts defending against web application attacks:

Hardware

Installed on the LAN as a physical appliance, the firewall retains high performance because it’s close to the web server. Hardware models can be expensive and inflexible, and with this choice you invest in more high-performance computing equipment.

Virtual

With lower costs than a hardware setup, a virtual appliance or software-based firewall can suit a wider variety of businesses. Virtual appliances can be scaled up or down manually, or respond automatically to demand with autoscaling features.

Cloud

A service provider manages cloud WAFs in the form of software-as-a-service. While lower costs and ease of deployment make this appealing to organizations with limited resources, cloud WAFs have drawbacks. These include limited and/or costly scaling, higher latency, insufficient granularity in controls, and an inability to handle complex architectures.

Benefits of a Managed WAF

A managed WAF eliminates the hassle of WAF management and configuration so your team can focus on providing the best business value of your applications. Fortra Managed WAF delivers a competitively priced, highly versatile, enterprise-level, cloud-ready WAF with a team of web security experts to eliminate the complexity for you. Schedule a demo to learn more.


About the Author

Josh Davies
Josh Davies is the Principal Technical Product Marketing Manager at Alert Logic. Formerly a security analyst and solutions architect, Josh has extensive experience working with mid-market and enterprise organizations, conducting incident response and threat hunting activities as an analyst before working with businesses to identify appropriate security solutions for challenges across cloud, on-premises, and hybrid environments.
