Debunking Misconceptions About (Cloud) Web Firewall Applications

According to Gartner, three quarters of all web attacks are targeted at web applications, making them the weakest security point for many businesses and the preferred entry gate for hackers. Web application security is a commonly misunderstood topic even among web developers and experts in the IT field. Web application firewalls (WAFs) are only part of the larger framework that is web application security and similarly constitute some misconceptions. Here are five misconceptions that Cloudbric thinks should be addressed:

Misconception #1: “My web service response time is slow or delayed due to many connection points in the WAF”

While it’s true that web traffic between the user and the server is routed through the WAF and causes a reduction in the sever load due to the WAF assuming the responsibility of detecting and stopping malicious from reaching the server, website speed optimization is possible thanks to content delivery networks (CDN). A CDN minimizes the distance between the visitors and a website’s server by utilizing a cached version of its website content in multiple geographical locations, thus allowing content such as images and Javascript to load much more quickly.

Misconception #2: “Using cloud security services like WAFs create more entry points for hackers to hack”

It would be wrong to say that using a cloud-based WAF creates more entry points for hackers to gain access to a network. In reality, all web communication between the user and server can be attacked; vulnerability is not restricted to the cloud. In other words, attacks targeting web traffic is not tied solely with cloud web security services but with all web communication. When it comes to web attacks against web applications, the web application layer is the preferred entry gate for hackers since they essentially provide a direct access route to sensitive data. However, effective protection against unauthorized data access is provided by WAFs, which function as gatekeepers by only allowing legitimate visitors who have passed a series of test to gain access. Most WAFs are able to withstand attacks outlined in the “Top Ten Web Application Vulnerabilities” by OWASP.

Misconception #3: “Since web traffic is routed through the WAF, the original IP addresses of my visitors’ IP are changed to WAF’s, making it more difficult to know my real visitors’ IP addresses”

An important and simple configuration is being overlooked here known as the X-Forwarded-For (XFF) header, which can identify the originating IP address of a user connecting to a web server through an HTTP proxy — in this case, a web application firewall. As a website admin you may be interested in retrieving the original visitors’ IP to track invalid login attempts or record the IP in a database for online payments for example, and this feature allows you to easily extract the original client IPs yourself. Most WAFs can insert original client IP addresses into the XFF header so it can be retrieved by the server for processing. Due to the technicalities and the fact many users aren’t IT experts, the XFF feature may be difficult to understand but WAF vendors like Cloudbric can enable such feature for their users if it becomes a huge concern.

Misconception #4: “There are many difficulties installing and managing a cloud-based WAF”

Installation does not have to be difficult or complicated. In fact, even the word “installation” may be a stretch considering the fact that a cloud-based WAF requires zero hardware to install or maintain. Cloudbric, for example, simply requires the customer to register their website and change their DNS. All other settings can be automatically configured as well. A cloud-based WAF is much easier to install than an appliance-based WAF, which requires manually deploying the WAF onto an environment, setting up a network connection, and configuring security settings. These WAF vendors are also in charge of manually installing the hardware which results in increased costs.

Misconception #5: “WAFs reply on past definitions of known attacks and cannot protect you from attacks that aren’t defined in the rules you supply them with”

The fact that many WAF bypass techniques still exist and are popularly used today proves that no one WAF can resolve all security flaws at the web application level. Rather they provide an additional layer of protection and when configured properly can tremendously thwart off sophisticated web attacks. For example, traditional WAFs primarily rely on pattern matching or signature-based detection, meaning they can only detect and filter previously recorded attacks or known web attacks that have already occurred. Cloudbric, on the other hand, does not solely rely on signatures and utilizes 26 custom algorithms and rule sets to more accurately block web attacks with low false positives. This logic based engine allows Cloudbric’s WAF to capture a wider range of web attacks and possibilities and detect even unknown or modified web attacks.