Endpoint Security: The Protection Mechanism of Web Application and Networks

Security Lit Limited
Published in Geek Culture
7 min read · Mar 15, 2023

Introduction

Websites are no longer what they were in the late 1990s and early 2000s. That was the era of Web 1.0, and it didn’t take long to move on to Web 3.0, where everyone is talking about NFTs, blockchain and cryptocurrencies.

Company and enterprise websites serve as the public face of the organisation. The days when a website was nothing more than a collection of static HTML pages are long gone. Today, a website’s home page can run complex machine learning and artificial intelligence models with a single click of a button. A website also offers a large number of distinct functions, such as login, resource retrieval, and serving users various kinds of images or videos, among other things.

It makes perfect sense for businesses to deploy or host websites on a public cloud or in their own data center, with the database connected to the company’s internal network. Is that, however, risk-free? What security precautions do developers, system administrators and network administrators take to keep their networks and websites safe from malicious attacks?

Security consultants stress the use of reverse proxies, firewalls, IDS and IPS systems, and keeping track of network and HTTP logs, to stay on the safe side and ensure the security and health of their systems. In addition, because the IPS and IDS log all network activity, they can alert the organisation when something goes wrong, such as a user consuming more resources than intended, so the organisation becomes aware of the situation and can, if necessary, terminate that user’s connection to prevent DoS conditions. They are also extremely useful for preventing various forms of port scanning, restricting which ports are exposed to the general public, and a variety of other tasks.

It is not uncommon to find an organisation using the services of companies like Cloudflare and AWS to protect itself from common exploits like SQL injection, or the recent Log4j vulnerability.

IDS, IPS and Firewalls

An attacker can compromise your network by finding a flaw in your web application (which happens to be connected to your internal network) or by going after your network directly. If you are not on a virtual private cloud and use publicly accessible IP addresses for your day-to-day work, you had better watch for suspicious activity more frequently.

According to one report, it took threat hunters and incident response teams at least 6 months to discover that adversaries had already compromised their network.

To protect yourself from adversaries, you need to follow security best practices and deploy instruments like firewalls, IPS and IDS.

Firewalls


Firewalls come in a variety of configurations, but the underlying concept is the same for all of them: a firewall is a device that filters packets according to rules defined by the network administrator. Administrators can configure the firewall to enforce a variety of rules, such as blocking specific IP addresses, IP ranges, and ports from being reachable by the general public or from public computers. Responses from the server can also be filtered by the firewall; for example, if the server replies to ICMP packets, the firewall can hold the reply and, in some cases, the request, so that it never reaches the user or the server. Consequently, if an adversary attempts to exploit a service running on a port that should not be available to the public, the firewall can detect this and promptly deny access to the service.

There are different types of firewalls based on your use and requirements. Some of them are:

Web Application Firewall


A WAF, or web application firewall, is a tool that helps secure web applications by filtering and monitoring HTTP traffic between a web application and the Internet (or the user). It typically protects web applications from attacks such as cross-site scripting (XSS), file inclusion and SQL injection, among others. It operates at layer 7 (the application layer) of the OSI model and can serve as the first line of defense against web application attacks.

Network Firewall


A network firewall performs packet filtering: it allows network administrators to regulate network access by inspecting incoming and outgoing packets and deciding whether to pass or block them based on the source and destination Internet Protocol (IP) addresses, protocols and ports.

Next Generation Firewall

A next-generation firewall (NGFW) is a network security device that offers enhanced features compared to a standard stateful firewall. In addition to stateful inspection of data packets, a next-generation firewall provides application awareness and control, integrated intrusion prevention (IPS), and cloud-delivered threat intelligence, among other things.

Firewalls can be broadly divided into two categories:

  • Stateful Firewall

When a network connection is active, a stateful firewall keeps track of the state of that connection while also analyzing incoming traffic for potential risks in the traffic and data.

  • Stateless Firewall

Stateless firewalls examine each data packet’s source, destination and other parameters to determine whether or not the packet poses a threat to the organisation, in accordance with rules and parameters that have been specified in advance. These parameters must be entered by either an administrator or the manufacturer.

Stateful firewalls are more advanced than stateless firewalls, because they maintain session information and do not let a connection be made from outside unless a matching session already exists in their table. But this comes at a cost: they can be somewhat slower than stateless firewalls.
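To make the stateless/stateful distinction concrete, here is an added example (not code from the original article): a toy packet filter that evaluates the same rule set in two ways, once per packet in isolation, and once with a session table that admits replies to connections opened from inside and rejects stray TCP segments that belong to no known session. The addresses, rule set and sample packets are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "icmp"
    sport: Optional[int]          # None for icmp
    dport: Optional[int]
    syn: bool = False             # TCP SYN flag set: a new connection attempt
    inbound: bool = True          # True when the packet arrives from outside


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str = "0.0.0.0/0"        # CIDR; the default matches any address
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


# Constructed rule set: only HTTPS on the public web server is reachable from
# outside, SSH is explicitly denied, internal hosts may go out, and anything
# else falls through to the default action.
RULES: List[Rule] = [
    Rule("allow", dst="203.0.113.10/32", proto="tcp", dport=443),
    Rule("deny", proto="tcp", dport=22),
    Rule("allow", src="10.0.0.0/8"),
]


def stateless_decision(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """Stateless filtering: each packet is judged on its own header fields,
    the first matching rule wins, and unmatched packets get the default."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


class StatefulFirewall:
    """The same rules plus a session table.  Inbound packets are admitted if
    they belong to a known session; otherwise only a genuine connection
    attempt (a SYN for TCP) is evaluated against the rules."""

    def __init__(self, rules: List[Rule], default: str = "deny") -> None:
        self.rules = rules
        self.default = default
        self.sessions = set()     # (inside host, proto, outside host, outside port)

    def decide(self, pkt: Packet) -> str:
        if not pkt.inbound:
            # Outbound tcp/udp is allowed and recorded so that its replies match.
            if pkt.proto in ("tcp", "udp"):
                self.sessions.add((pkt.src, pkt.proto, pkt.dst, pkt.dport))
            return "allow"
        if (pkt.dst, pkt.proto, pkt.src, pkt.sport) in self.sessions:
            return "allow"        # reply belonging to a session opened from inside
        if pkt.proto == "tcp" and not pkt.syn:
            return "deny"         # mid-stream segment with no session behind it
        action = stateless_decision(self.rules, pkt, self.default)
        if action == "allow" and pkt.proto in ("tcp", "udp"):
            self.sessions.add((pkt.dst, pkt.proto, pkt.src, pkt.sport))
        return action


# Constructed traffic, in order: a permitted HTTPS SYN, an SSH attempt, an ICMP
# echo, an outbound DNS query, the DNS reply, and a stray ACK to port 443.
SAMPLE_TRAFFIC: List[Packet] = [
    Packet("198.51.100.9", "203.0.113.10", "tcp", 40000, 443, syn=True),
    Packet("198.51.100.9", "203.0.113.10", "tcp", 40001, 22, syn=True),
    Packet("198.51.100.9", "203.0.113.10", "icmp", None, None),
    Packet("10.0.0.5", "198.51.100.1", "udp", 51000, 53, inbound=False),
    Packet("198.51.100.1", "10.0.0.5", "udp", 53, 51000),
    Packet("198.51.100.20", "203.0.113.10", "tcp", 40002, 443, syn=False),
]


def compare(pkts: List[Packet]) -> List[Tuple[str, str]]:
    """Return (stateless, stateful) decisions for each packet, in order."""
    fw = StatefulFirewall(RULES)
    return [(stateless_decision(RULES, p), fw.decide(p)) for p in pkts]


if __name__ == "__main__":
    for p, (stateless, stateful) in zip(SAMPLE_TRAFFIC, compare(SAMPLE_TRAFFIC)):
        print(f"{p.proto:4} {p.src}:{p.sport} -> {p.dst}:{p.dport}"
              f"  stateless={stateless:5} stateful={stateful}")
```

The two decisions differ on the last three packets: the stateless filter has no way to admit the DNS reply without a blanket rule for UDP source port 53, and it passes the stray ACK because a rule allows port 443, whereas the session table lets the stateful filter admit exactly the reply it expected and reject the segment it never saw a handshake for.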

IDS & IPS

You will often find IDS and IPS addressed together; they stand for Intrusion Detection System and Intrusion Prevention System.

Through continuous network monitoring, intrusion detection systems detect and report potential intrusions, attack attempts and other events. To do this, they use one of the following approaches.

Signature Based

Signature-based intrusion detection systems detect attacks by looking for specific patterns in network data, such as byte sequences in network traffic or known malicious instruction sequences.

Anomaly Based

An anomaly-based intrusion detection system identifies network intrusions and misuse by monitoring system activity and classifying it as either normal or anomalous. This classification depends on rules describing normal behaviour rather than on specific patterns or signatures.

Other approaches are used as well, for example stateful protocol analysis.

Intrusion prevention systems go one step further: they perform intrusion detection and then act on what they find, blocking the malicious traffic or attempt before it succeeds.
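The following added example (not from the article) runs both detection approaches over constructed network events and shows the IDS/IPS difference in one switch: the signature detector looks for fixed byte sequences in payloads, the anomaly detector flags a source that touches an unusual number of distinct ports in a short window (the port scanning case mentioned earlier), and the same engine either only records alerts (IDS mode) or also drops the offending traffic and everything that follows from that source (IPS mode). The signature entries, the threshold and window, and the sample events are all assumptions made for this example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Event:
    ts: float          # seconds since the start of the capture
    src: str
    dst: str
    dport: int
    payload: bytes


# Signature-based detection looks for fixed byte sequences.  These two entries
# are constructed placeholders standing in for a real signature set.
SIGNATURES: Dict[str, bytes] = {
    "SIG-001-etc-passwd-probe": b"../../etc/passwd",
    "SIG-002-demo-beacon": b"DEMO-BEACON-v1",
}


def signature_alerts(event: Event) -> List[str]:
    """Return the id of every signature found in the event payload."""
    return [sid for sid, needle in SIGNATURES.items() if needle in event.payload]


class PortScanDetector:
    """Anomaly-based detection: a source contacting more than `max_ports`
    distinct destination ports within `window` seconds is flagged once.
    Both limits are assumptions chosen for the sample data; a deployed
    system derives them from a learned baseline of normal traffic."""

    def __init__(self, max_ports: int = 10, window: float = 10.0) -> None:
        self.max_ports = max_ports
        self.window = window
        self.history: Dict[str, Deque[Tuple[float, int]]] = defaultdict(deque)
        self.flagged: Set[str] = set()

    def observe(self, event: Event) -> Optional[str]:
        recent = self.history[event.src]
        recent.append((event.ts, event.dport))
        while recent and event.ts - recent[0][0] > self.window:
            recent.popleft()              # forget entries outside the window
        distinct = {port for _, port in recent}
        if len(distinct) > self.max_ports and event.src not in self.flagged:
            self.flagged.add(event.src)
            return f"ANOM-portscan {len(distinct)} ports in {self.window:g}s"
        return None


class IntrusionSystem:
    """mode="ids": alert only.  mode="ips": also drop the offending event and
    every later event from the same source."""

    def __init__(self, mode: str = "ids") -> None:
        self.mode = mode
        self.scan = PortScanDetector()
        self.alerts: List[Tuple[float, str, str]] = []   # (ts, src, reason)
        self.blocked: Set[str] = set()

    def process(self, event: Event) -> str:
        if self.mode == "ips" and event.src in self.blocked:
            return "drop"
        reasons = signature_alerts(event)
        anomaly = self.scan.observe(event)
        if anomaly:
            reasons.append(anomaly)
        for reason in reasons:
            self.alerts.append((event.ts, event.src, reason))
        if reasons and self.mode == "ips":
            self.blocked.add(event.src)
            return "drop"
        return "pass"


def sample_events() -> List[Event]:
    """Constructed traffic: a normal client, a host sweeping 15 ports in
    1.5 seconds, and one request whose payload carries a signature."""
    events = [Event(float(i), "192.0.2.4", "203.0.113.10", 443, b"GET / HTTP/1.1")
              for i in range(3)]
    events += [Event(5.0 + 0.1 * i, "198.51.100.7", "203.0.113.10", 20 + i, b"")
               for i in range(15)]
    events.append(Event(20.0, "198.51.100.8", "203.0.113.10", 80,
                        b"GET /../../etc/passwd HTTP/1.1"))
    return sorted(events, key=lambda e: e.ts)


def run(mode: str) -> Tuple[List[str], List[Tuple[float, str, str]]]:
    """Feed the sample events through one engine; return decisions and alerts."""
    system = IntrusionSystem(mode)
    decisions = [system.process(e) for e in sample_events()]
    return decisions, system.alerts


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        decisions, alerts = run(mode)
        print(mode, "dropped", decisions.count("drop"), "of", len(decisions))
        for ts, src, reason in alerts:
            print(f"  t={ts:5.1f} {src} {reason}")
```

In IDS mode every event passes and two alerts are recorded; in IPS mode the scanning host is cut off at its eleventh port and the signature hit is dropped, so six of the nineteen events never reach the server. Note that the anomaly rule fires only once per source; the threshold is what decides how many probes get through before the block takes effect.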

Difference between WAF and IDS/IPS

Now that we know something about firewalls and IDS/IPS, we can distinguish between a WAF and an IDS/IPS.

WAF stands for Web Application Firewall; it keeps track of HTTP/S traffic. It is a stateful firewall and acts as an intermediary between the web application and internet users: all requests sent by users and all responses generated by the web application go through the WAF first. A WAF must be configured before it can distinguish a normal HTTP request/response from a malicious one. It is capable of dropping requests and even blocking IP addresses. The WAF operates at layer 7 of the OSI model.
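The WAF behaviour described in this paragraph and in the Web Application Firewall section above, as an added example that is not code from the article: a minimal layer-7 filter that parses a raw HTTP request, normalizes the pieces an attacker controls (URL-decoding until the text stops changing, so double-encoded input is inspected as the backend would see it), matches a small constructed rule set for SQL injection, XSS and path traversal, and blocks a client IP after a configurable number of violations. The rules, the hit threshold and the sample requests are illustrative assumptions; a real WAF ships a far larger, tuned rule set.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# Illustrative rules (constructed for this example): (rule id, compiled regex).
WAF_RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("sqli-tautology", re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I)),
    ("sqli-union", re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I)),
    ("xss-script", re.compile(r"<\s*script\b|javascript\s*:|\bon(error|load|click|mouseover)\s*=", re.I)),
    ("path-traversal", re.compile(r"\.\./|\.\.\\")),
]

# Headers that carry user-controlled text worth inspecting.
INSPECTED_HEADERS = ("user-agent", "referer", "cookie")


@dataclass
class Request:
    client_ip: str
    method: str
    path: str
    query: List[Tuple[str, str]]
    headers: Dict[str, str]
    body: str


def parse_request(client_ip: str, raw: str) -> Request:
    """Split a raw HTTP/1.1 request text into request line, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    parts = urlsplit(target)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(client_ip, method, parts.path,
                   parse_qsl(parts.query, keep_blank_values=True), headers, body)


def normalize(value: str) -> str:
    """Percent-decode until the text stops changing (bounded to 3 rounds), so
    that double-encoded input cannot slip past the patterns."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect(req: Request) -> Optional[str]:
    """Return the id of the first rule that matches any inspected field."""
    fields = [normalize(req.path)]
    fields += [normalize(v) for _, v in req.query]
    fields.append(normalize(req.body))
    fields += [normalize(v) for k, v in req.headers.items() if k in INSPECTED_HEADERS]
    for rule_id, pattern in WAF_RULES:
        if any(pattern.search(text) for text in fields):
            return rule_id
    return None


class WebApplicationFirewall:
    """Reverse-proxy style filter: drops requests that match a rule and blocks
    the client IP once it has accumulated `max_hits` violations (assumption)."""

    def __init__(self, max_hits: int = 2) -> None:
        self.max_hits = max_hits
        self.hits: Dict[str, int] = {}
        self.blocked_ips: Set[str] = set()

    def handle(self, client_ip: str, raw: str) -> Tuple[str, Optional[str]]:
        """Return ("allow", None) or ("block", reason)."""
        if client_ip in self.blocked_ips:
            return ("block", "ip-blocked")
        rule_id = inspect(parse_request(client_ip, raw))
        if rule_id is None:
            return ("allow", None)
        self.hits[client_ip] = self.hits.get(client_ip, 0) + 1
        if self.hits[client_ip] >= self.max_hits:
            self.blocked_ips.add(client_ip)
        return ("block", rule_id)


# Constructed sample requests used by the test and the demo below.
REQ_OK = "GET /search?q=laptop+bag HTTP/1.1\r\nHost: shop.example\r\nUser-Agent: demo\r\n\r\n"
REQ_SQLI = "GET /search?q=%27%20OR%201%3D1 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
REQ_XSS_DOUBLE = "GET /profile?name=%253Cscript%253Ealert(1)%253C/script%253E HTTP/1.1\r\nHost: shop.example\r\n\r\n"
REQ_POST_SQLI = ("POST /login HTTP/1.1\r\nHost: shop.example\r\n"
                 "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                 "user=admin%27%20OR%201%3D1--&pass=x")

if __name__ == "__main__":
    waf = WebApplicationFirewall(max_hits=2)
    for ip, raw in [("203.0.113.5", REQ_OK), ("203.0.113.5", REQ_SQLI),
                    ("203.0.113.5", REQ_XSS_DOUBLE), ("203.0.113.5", REQ_OK),
                    ("198.51.100.33", REQ_POST_SQLI), ("198.51.100.33", REQ_OK)]:
        print(ip, raw.split("\r\n", 1)[0], "->", waf.handle(ip, raw))
```

The fourth request from 203.0.113.5 is benign yet still blocked, because the client crossed the hit threshold on the previous two; the POST from the second client is caught in the body rather than the query string, and that client is not yet blocked because it has only one violation. Tuning the event-handler pattern to a fixed list of attribute names (rather than `on\w+`) is deliberate: a looser pattern would flag innocent parameters such as `one=1`.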

An IDS/IPS, on the other hand, is mostly referred to in the context of the network. It monitors network traffic (internal and from external sources) and prevents unauthorized activities and communications. It can be rule-based or signature-based, and most IDS/IPS work at layer 3 of the OSI model.

Conclusion

New web frameworks, applications and so on hit the market every day. Despite stringent security practices, many of them remain vulnerable, and these vulnerabilities are exploited by attackers. It is not always possible for companies to patch these vulnerabilities right away, as most of them are open-source products and services, so they remain vulnerable and unpatched for many days and often weeks. To protect yourself from these unpatched vulnerabilities and other known exploits and malicious attempts, it is advisable to use firewalls and the other security mechanisms described above.
