What is a Web Application Firewall?
This blog post was published on PurpleBox website on Dec 16th, 2021.
A Web Application Firewall (WAF) is a barrier between the client and the server. What does a web application firewall do? Its purpose is to monitor, filter, sanitize or block malicious requests to the web application. It operates at the application layer, layer 7 of the OSI model, and aims to protect web applications against attacks. It is usually positioned between the client and the web application, in the same place a reverse proxy would sit. Web Application Firewalls come in three types: network-based, host-based and cloud-based. Some standards make the use of a WAF mandatory; one of the most important of these is the PCI Data Security Standard (PCI DSS).
How Does Web Application Firewall Work?
A WAF prevents attacks by analyzing the traffic coming in to the web server or web application against its rules and policies. It is recommended that the selected WAF be able to detect the attack types on the OWASP list: SQL Injection, Cross-Site Scripting, Command Injection, Local File Inclusion, Remote File Inclusion, Buffer Overflow, Brute-Force Attacks, Cookie/Session Poisoning, Session Hijacking, Sensitive Data Leaks, Server Misconfiguration, Well-Known Vulnerabilities, Form and Hidden Field Manipulation, Parameter Tampering, and File Upload Vulnerabilities.
Types of Web Application Firewalls
A Web Application Firewall can be implemented in three different ways, each with its benefits and shortcomings:
Host-Based:
Usually software-based and easy to integrate with web servers. In terms of price, it is more affordable than a network-based Web Application Firewall.
Network-Based:
Usually hardware-based and installed as a separate physical appliance. It requires ongoing maintenance and physical space to house the hardware, so it is expensive compared to the other Web Application Firewall types.
Cloud-Based:
Offers an affordable and simple setup. It is consumed as a service from a third party, paid monthly or annually. It can provide a constantly updated defense against the latest threats without additional work or cost on the user's side. Its biggest disadvantage is that responsibility is transferred to a third party.
Web Application Firewall Security Models
There are three types of security models used for Web Application Firewalls.
Positive Security Model
In the positive security model, only explicitly allowed requests or inputs are trusted and everything else is denied. What counts as allowed is defined by a whitelist (an allowlist).
Negative Security Model
The negative security model is the exact opposite of the positive security model: it rejects certain inputs or requests and lets everything else through. What is rejected is defined by a blacklist (a blocklist).
Mixed Security Model
The mixed security model uses both a whitelist and a blacklist.
What is the Difference Between Blocklist and Allowlist WAFs?
With a blocklist, all traffic is allowed to pass and only requests matching identified threats are blocked. With an allowlist, most traffic is blocked and only the trusted requests that have been explicitly specified are allowed to pass. The need to continuously monitor and update the list is a disadvantage of the blocklist approach.
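The three security models and the blocklist/allowlist trade-off above, as an added example (not PurpleBox code and not taken from any WAF product). The whitelist profile, the blacklist signatures, the sample requests and the way the mixed model combines the two lists are all constructed for illustration:

```python
"""Positive, negative and mixed WAF security models on constructed requests.

Added example; it is not code from PurpleBox or from any WAF product. The
whitelist profile, the blacklist signatures and the sample requests are all
constructed for illustration and deliberately small.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    params: dict = field(default_factory=dict)   # query parameter -> value


# Whitelist (allowlist) used by the positive model: the only endpoints and
# parameter shapes the application legitimately accepts. Anything else is denied.
WHITELIST = {
    ("GET", "/products"): {"page": re.compile(r"[0-9]{1,3}")},
    ("GET", "/product"):  {"id": re.compile(r"[0-9]{1,8}")},
    ("POST", "/login"):   {"user": re.compile(r"[A-Za-z0-9_.@-]{1,64}"),
                           "password": re.compile(r".{1,128}")},
}

# Blacklist (blocklist) used by the negative model: signatures of known attack
# patterns. A request that matches none of them is allowed through.
BLACKLIST = [
    ("sqli-tautology", re.compile(r"'\s*or\s*'?1'?\s*=\s*'?1", re.IGNORECASE)),
    ("xss-script-tag", re.compile(r"<\s*script", re.IGNORECASE)),
    ("path-traversal", re.compile(r"\.\./")),
]


def positive_model(req):
    """Allow only requests whose endpoint and every parameter match the whitelist."""
    profile = WHITELIST.get((req.method, req.path))
    if profile is None:
        return ("deny", "endpoint not whitelisted")
    for name, value in req.params.items():
        pattern = profile.get(name)
        if pattern is None:
            return ("deny", f"parameter {name!r} not whitelisted")
        if not pattern.fullmatch(value):
            return ("deny", f"parameter {name!r} fails whitelist pattern")
    return ("allow", "matches whitelist")


def negative_model(req):
    """Deny only requests that contain a blacklisted pattern; allow everything else."""
    for value in [req.path, *req.params.values()]:
        for sig_name, pattern in BLACKLIST:
            if pattern.search(value):
                return ("deny", f"blacklist signature {sig_name}")
    return ("allow", "no blacklist match")


def mixed_model(req):
    """Use both lists: enforce the whitelist where a profile exists, and run the
    blacklist over everything (it is the only check for unprofiled endpoints)."""
    if (req.method, req.path) in WHITELIST:
        decision, reason = positive_model(req)
        if decision == "deny":
            return (decision, reason)
    return negative_model(req)


# Constructed sample traffic.
SAMPLE_REQUESTS = {
    "legit":     Request("GET", "/product", {"id": "42"}),
    "sqli":      Request("GET", "/product", {"id": "42' OR '1'='1"}),
    "unknown":   Request("GET", "/admin/export", {"format": "csv"}),
    "traversal": Request("GET", "/download", {"file": "../../secret.txt"}),
}


def evaluate_all(requests=SAMPLE_REQUESTS):
    """Decision of each model per request, e.g. {"legit": {"positive": "allow", ...}}."""
    return {
        name: {"positive": positive_model(r)[0],
               "negative": negative_model(r)[0],
               "mixed": mixed_model(r)[0]}
        for name, r in requests.items()
    }


if __name__ == "__main__":
    for name, decisions in evaluate_all().items():
        print(f"{name:10}", "  ".join(f"{m}={d}" for m, d in decisions.items()))
```

The "unknown" request is the one to watch: the positive model denies it because the endpoint was never profiled, which is why an allowlist must be updated every time the application changes, while the negative model lets it through because it matches no signature, which is why a blocklist must be updated every time a new attack pattern appears. The mixed model enforces the profile where one exists and falls back to the signatures elsewhere.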
Web Application Firewall Testing
To check WAF performance, a server can be installed locally and load-tested with client simulators such as Curl-Loader or Siege.
Web Application Firewall Important Configurations
1. Set-Up
First, select a WAF that is suitable for your web application. Then install the WAF you have chosen.
2. Access Control List (ACL) Configuration
An Access Control List (ACL) blocks or allows web requests based on conditions you specify, such as the IP addresses the requests originate from or values contained in the requests. In this step, create an access control list and configure it to your requirements.
3. Rule Configurations
In this step, create a rule with a string match statement and specify what to do with requests that match, or do not match, the statement (block, sanitize or allow). A string match statement identifies the strings you want the WAF to search for in a request. In addition to the string to search for, you specify the web request component to inspect, such as a header, the query string or the request body.
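Steps 2 and 3 above (an ACL conditioned on source IP, followed by string match statements with a request component, a search string and a block/sanitize/allow action) as one runnable example. This is added code, not PurpleBox's and not any vendor's configuration format; the dataclass names, the rule fields (`component`, `search`, `action`, `negate`), the `evaluate` function and all addresses, rules and requests are constructed for illustration:

```python
"""Evaluate a WAF access control list (ACL) with string match rules.

Added example, not PurpleBox's or any WAF vendor's code. It models the
configuration described in the text: an ACL keyed on source IP, followed by
string match statements that name the request component to inspect (a header,
the query string or the body), the string to search for, and the action to take
when the statement matches or does not match (block, sanitize or allow).
All rules, addresses and requests are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass, field, replace
from typing import Optional


@dataclass
class WebRequest:
    source_ip: str
    headers: dict
    query_string: str
    body: str


@dataclass
class StringMatchRule:
    name: str
    component: str                     # "header", "query_string" or "body"
    search: str                        # string the WAF searches for (case-insensitive)
    action: str                        # "block", "sanitize" or "allow"
    header_name: Optional[str] = None  # which header, when component == "header"
    negate: bool = False               # fire when the string is NOT found


@dataclass
class AccessControlList:
    blocked_networks: list             # CIDRs rejected before any rule runs
    allowed_networks: list             # CIDRs trusted without running the rules
    rules: list = field(default_factory=list)   # in order; first block/allow wins
    default_action: str = "allow"


def _component_value(req, rule):
    if rule.component == "header":
        return req.headers.get(rule.header_name, "")
    if rule.component == "query_string":
        return req.query_string
    if rule.component == "body":
        return req.body
    raise ValueError(f"unknown request component {rule.component!r}")


def _with_component(req, rule, new_value):
    """Return a copy of req with the inspected component replaced."""
    if rule.component == "header":
        headers = dict(req.headers)
        headers[rule.header_name] = new_value
        return replace(req, headers=headers)
    if rule.component == "query_string":
        return replace(req, query_string=new_value)
    return replace(req, body=new_value)


def _from_any(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)


def evaluate(acl, req):
    """Return (action, rule_name, request); the request may be a sanitized copy."""
    if _from_any(req.source_ip, acl.blocked_networks):
        return ("block", "acl-blocked-network", req)
    if _from_any(req.source_ip, acl.allowed_networks):
        return ("allow", "acl-allowed-network", req)
    for rule in acl.rules:
        value = _component_value(req, rule)
        found = rule.search.lower() in value.lower()
        if found == rule.negate:          # statement did not fire
            continue
        if rule.action == "sanitize":
            # Strip the offending substring and keep evaluating later rules. A real
            # WAF decodes and parses the component instead of deleting a literal;
            # this only illustrates the "sanitize" action.
            cleaned = re.sub(re.escape(rule.search), "", value, flags=re.IGNORECASE)
            req = _with_component(req, rule, cleaned)
            continue
        return (rule.action, rule.name, req)
    return (acl.default_action, "default", req)


# Constructed configuration; 198.51.100.0/24, 203.0.113.0/24 and 10.0.0.0/8 are
# documentation/private ranges, not real hosts.
ACL = AccessControlList(
    blocked_networks=["198.51.100.0/24"],
    allowed_networks=["10.0.0.0/8"],
    rules=[
        StringMatchRule("allow-healthcheck", "header", "HealthCheck", "allow", header_name="User-Agent"),
        StringMatchRule("block-sqli-in-query", "query_string", "' or 1=1", "block"),
        StringMatchRule("sanitize-script-in-body", "body", "<script", "sanitize"),
        StringMatchRule("require-api-key", "header", "key-", "block", header_name="X-Api-Key", negate=True),
    ],
)


def _req(ip, ua="Mozilla/5.0", api_key="key-abc", query="", body=""):
    headers = {"User-Agent": ua}
    if api_key is not None:
        headers["X-Api-Key"] = api_key
    return WebRequest(ip, headers, query, body)


SAMPLES = {                                    # constructed traffic
    "bad-network": _req("198.51.100.7"),
    "internal":    _req("10.1.2.3", api_key=None),
    "clean":       _req("203.0.113.5", query="q=shoes"),
    "sqli":        _req("203.0.113.5", query="id=1' OR 1=1"),
    "xss":         _req("203.0.113.5", body="comment=hi<script>alert(1)</script>"),
    "no-key":      _req("203.0.113.5", api_key=None),
    "healthcheck": _req("203.0.113.5", ua="HealthCheck/1.0", api_key=None),
}

if __name__ == "__main__":
    for name, request in SAMPLES.items():
        action, rule, out = evaluate(ACL, request)
        print(f"{name:12} -> {action:8} ({rule}) body={out.body!r}")
```

Rule order matters: the explicit allow for the health checker sits first so it is never blocked by the negated `require-api-key` statement, and a sanitize action does not end evaluation, so a request can be cleaned by one rule and still be blocked by a later one.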
Business Use Scenarios for a Web Application Firewall Deployment
Protecting corporate data and services is the first and most compelling reason to implement a WAF. Thousands of businesses, from small companies to huge corporations, rely on their online presence to generate money and keep the firm afloat. If this revenue stream is compromised, the company will suffer a variety of consequences, including:
Loss of Direct Revenue:
A firm may lose a considerable amount of money if a web resource becomes inaccessible, as a result of purchases not being made or leads not being created.
Loss of Customer Confidence:
Many consumers and customers pay attention to news stories about specific firms being hacked and make a mental note to avoid doing business with that company. It’s crucial to have a good reputation.
Loss of Sensitive Data:
In numerous cases, hackers have gained access to sensitive information such as credit card numbers, names, addresses, Social Security Numbers, and medical records after websites were compromised. Proprietary information, trade secrets, and even classified government data are further examples of protected data. While this is undesirable in and of itself, the fines and the costs of disaster recovery and forensics can exceed any other financial consequence.
If you want to read more on this topic, feel free to check out the PurpleBox Blog Section.