In the span of a few years, rapid technological advances have changed the way the world functions. Businesses are not the only ones to benefit; cybercriminals and crime syndicates have leveraged the same advances for financial and other gain. Websites, web applications and the servers behind them, which are critical to the businesses of today, are high on the target list of attackers, who keep finding new and ingenious ways to orchestrate attacks. The most common attacks faced by web applications are SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF) and distributed denial of service (DDoS). Accordingly, there is a strong need for web application security measures and strategies to counter these attacks, and the web application firewall, or WAF, has come to occupy an indispensable place in such strategies.

Securing web applications

Web applications can be protected against vulnerabilities, cyber-risks and attacks in two complementary ways. First, they must be built on frameworks with a good security track record, using secure coding practices, so that the application itself is more resistant to attack. Second, as mentioned above, strong web application security strategies and measures must be in place, including a web application firewall whose rules are tailored to the specific application. The first measure is rarely adequate by itself, because every release can introduce new flaws and previously trusted components can turn out to be vulnerable, so it needs to be strengthened by the second.

What is WAF?

A WAF, or web application firewall, is the first line of defence between the application and traffic from the internet. It monitors and filters HTTP traffic to stop malicious requests before they reach the application. A WAF is one of the most cost-effective ways to shield vulnerabilities in the application from exploitation until they are fixed, and because it sees what attackers actually send, its logs surface attack attempts against endpoints that other measures, such as web vulnerability scanners, may have missed. A managed WAF such as the one offered with AppTrana allows custom rules, can enforce rules that block abuse of business logic, is tuned by analysts so that false positives are kept to a minimum, and protects applications against zero-day threats and DDoS attacks.


How does WAF work?

WAFs are deployed as hardware appliances, as software (for example a reverse proxy or a module inside the web server), as a combination of both, or as a cloud service, and they operate on a specific set of rules called policies. The policies tell the WAF which attack patterns, known weaknesses and traffic behaviour to look for, what to do when a request matches (block it, log it, challenge the client, rate-limit the source) and so on. In other words, the policies are what enable a WAF to secure web applications and servers from attacks.

Based on these policies, the WAF inspects every HTTP request the application receives (GET, POST and the other methods) and filters out malicious requests. The important point is that a WAF analyses not only the request line and headers but the whole request, including the URL, query string, cookies and body, after decoding it, so that illegitimate requests are blocked even when the payload is encoded. More intelligent WAFs also challenge suspicious clients, for instance with a JavaScript or CAPTCHA challenge, to make the client prove it is a browser driven by a human and not a bot.

When a vulnerability is found in the application itself, the WAF does not change the application's code; it applies a virtual patch, a targeted rule that blocks requests attempting to exploit that specific flaw (by attack input, bot signature, attacking IP address, and so on), so that attackers cannot reach the vulnerable code path. This gives developers time to fix the vulnerability properly in the application.

A web app firewall is generally configured according to three basic security models. These models are:

  • Whitelisting (positive security) model: Here, the WAF is configured to allow only pre-approved traffic that meets specifically configured criteria, for example requests to known endpoints whose parameters match a defined schema, and to block everything else. Because it does not need to know what the attack looks like, it also stops zero-day payloads. This model is best suited to internal applications used by a limited group of users (for instance, employees), because on public websites and applications, whose behaviour changes often, a strict whitelist also blocks legitimate requests.
  • Blacklisting (negative security) model: Here, the WAF is configured to block requests that match known attack signatures, known exploitation patterns for published vulnerabilities, and known malicious actors. For instance, if an IP address sends far more requests than is typical, a rate-limiting rule can block it and protect the application against an application-layer DDoS attack. This model is best suited to web applications on the public internet, since legitimate requests arrive from unfamiliar clients that cannot be pre-approved. It is not effective against zero-day attacks, because no signature exists for them yet, and it can be evaded by payloads crafted not to match the signatures.
  • Hybrid model: Here, the WAF combines whitelisting for the parts of the application that have well-defined boundaries with blacklisting for the rest, based on the specific needs of the application. It can be used on both internal and public networks.
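The three models and the virtual patching described above, as an added example written for this page; it is illustration code, not AppTrana or any vendor's product code. The endpoints (/api/order, /login, /search), the handful of signatures, the virtual-patch rule, the rate limit and the sample requests are all assumed or constructed for the demonstration, and the signature set is deliberately tiny compared with a real rule set.

```python
"""Toy policy-driven WAF (added example, not AppTrana or any vendor's code): positive model,
negative model, a virtual patch and a per-IP rate limit. Endpoints, patterns and traffic are constructed."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Negative model: signatures for known attack patterns (deliberately tiny; real rule sets are far larger)
SIGNATURES = {
    "sqli": re.compile(r"(?i)(\bunion\b.+\bselect\b|'\s*or\s+\d+\s*=\s*\d+|--\s*$|;\s*drop\b)"),
    "xss": re.compile(r"(?i)(<\s*script\b|javascript:|on\w+\s*=)"),
}
# Positive model: per-endpoint parameter schema for transactions with well-defined boundaries (assumed endpoints)
POSITIVE_RULES = {
    ("GET", "/api/order"): {"id": re.compile(r"^\d{1,10}$")},
    ("POST", "/login"): {"user": re.compile(r"^[a-z0-9_.]{3,32}$"), "pass": re.compile(r"^.{8,128}$")},
}
# Virtual patch: assume /search?q= was reported as SQL-injectable; block quotes in q on that endpoint only
VIRTUAL_PATCHES = {("GET", "/search"): {"q": re.compile(r"['\"]")}}


@dataclass
class Request:
    method: str
    url: str                 # path plus query string, as received
    body: str = ""           # form-encoded POST body
    headers: dict = field(default_factory=dict)
    client_ip: str = "0.0.0.0"


class Waf:
    def __init__(self, rate_limit=20, window=10.0):
        self.rate_limit, self.window = rate_limit, window
        self._hits = defaultdict(deque)   # client_ip -> request timestamps inside the window
        self.blocked_ips = set()

    def _params(self, req):
        parts = urlsplit(req.url)
        params = parse_qs(parts.query, keep_blank_values=True)   # also URL-decodes the values
        if req.method == "POST":
            for k, v in parse_qs(req.body, keep_blank_values=True).items():
                params.setdefault(k, []).extend(v)
        return parts.path, params

    def _rate_limited(self, ip, now):
        q = self._hits[ip]
        q.append(now)
        while now - q[0] > self.window:
            q.popleft()
        return len(q) > self.rate_limit

    def evaluate(self, req, now):
        """Return (decision, reason); decision is 'allow' or 'block'. now = seconds on a monotonic clock."""
        if req.client_ip in self.blocked_ips:
            return "block", "ip-blocklisted"
        if self._rate_limited(req.client_ip, now):
            self.blocked_ips.add(req.client_ip)   # crude: a real WAF would expire this entry
            return "block", "rate-limit"
        path, params = self._params(req)
        key = (req.method, path)
        # Positive model: on covered endpoints anything outside the schema is rejected, which stops
        # payloads no signature knows about yet (and also any unexpected but legitimate parameter).
        if key in POSITIVE_RULES:
            for name, values in params.items():
                if name not in POSITIVE_RULES[key]:
                    return "block", f"positive:unexpected-param:{name}"
                if not all(POSITIVE_RULES[key][name].match(v) for v in values):
                    return "block", f"positive:bad-value:{name}"
        # Virtual patch: targeted rule shielding a flaw the developers have not fixed yet
        for name, pat in VIRTUAL_PATCHES.get(key, {}).items():
            if any(pat.search(v) for v in params.get(name, [])):
                return "block", f"virtual-patch:{name}"
        # Negative model: signatures over every decoded parameter value plus selected headers
        candidates = [v for vs in params.values() for v in vs]
        candidates += [req.headers.get(h, "") for h in ("User-Agent", "Referer")]
        for sig, pat in SIGNATURES.items():
            if any(pat.search(c) for c in candidates):
                return "block", f"negative:{sig}"
        return "allow", "ok"


SAMPLE_REQUESTS = [   # constructed traffic, not captured data
    Request("GET", "/api/order?id=1042", client_ip="203.0.113.7"),
    Request("GET", "/api/order?id=1042%20OR%201=1", client_ip="203.0.113.7"),  # no quote, so the sqli signature misses; the schema catches it
    Request("GET", "/api/order?id=7&debug=1", client_ip="203.0.113.7"),        # harmless extra parameter: a positive-model false positive
    Request("GET", "/search?q=shoes", client_ip="203.0.113.7"),
    Request("GET", "/search?q=shoes%27%20union%20select%201--", client_ip="203.0.113.7"),
    Request("GET", "/blog?tag=%3Cscript%3Ealert(1)%3C/script%3E", client_ip="203.0.113.7"),
    Request("POST", "/login", body="user=alice&pass=correct-horse-battery", client_ip="203.0.113.7"),
]


def run_samples():
    waf = Waf()
    return [waf.evaluate(r, now=0.0) for r in SAMPLE_REQUESTS]   # list of (decision, reason), in order


def flood(n=25, ip="198.51.100.9"):
    """One client sends n benign requests 0.5 s apart; returns how many the rate limit blocks."""
    waf = Waf(rate_limit=20, window=10.0)
    return sum(waf.evaluate(Request("GET", "/search?q=ok", client_ip=ip), now=0.5 * i)[0] == "block" for i in range(n))
```

Running run_samples() shows the trade-offs the text describes in one pass: the second request carries a SQL injection payload without a quote character, so the small signature set misses it, but the positive schema on /api/order rejects it anyway; the third request is harmless yet also rejected, because the same schema does not know about the debug parameter, which is exactly the false-positive risk of whitelisting on a public application. The /search request with a quote is stopped by the virtual patch alone, the /blog request only by the XSS signature, and flood() shows the per-IP rate limit cutting off the twenty-first request in the window and blocklisting the client from then on.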

The choice of security model depends on the context, risk profile and needs of the web applications and servers. In reality, applications are at the heart of many businesses and change continuously, so no single model works on its own. For a WAF to be effective it needs a combination of the positive security model for specific transactions with well-defined boundaries, the negative security model tuned so that it identifies attacker intent without false positives, and continuous management of the policies that feeds back what is learned from live traffic.

Web application firewalls are most effective when they are intelligent and managed, such as the ones offered by AppTrana. Intelligent WAFs draw on global threat databases and machine learning, which lets them monitor web traffic continuously and feed what they learn back into the policies that secure the application. When a WAF is managed, its rules are tuned by people who know the application, so false positives can be driven down to near zero and custom business rules can be written with surgical accuracy to block abuse of the application's business logic. A managed WAF also includes the expertise of certified security professionals who conduct penetration tests and security audits, so that newly discovered vulnerabilities, including zero-day threats, are covered by rules before they are exploited and the highest standards of web application security are maintained. This keeps the learning accurate, relevant and focused on the risks specific to the application. With that learning built in and backed by 24×7 security experts who act on it, application owners can focus on delivering functionality quickly while remaining secure.