Use case of Web Application Firewall

Web Application Firewalls (WAF)

OSI Layer 7 Firewall

A Web Application Firewall, usually shortened to WAF, is, as the name implies, a type of firewall: it controls traffic into and out of something. Specifically, it is an OSI Layer 7 firewall; Layer 7 of the OSI model is the application layer. The OSI model is a conceptual model with 7 layers to which we can map communications hardware and software. So, by saying that a WAF is a Layer 7 firewall, we are implying that it can look into the details of a network transmission, into the packet payload, not just the addressing headers.

 

WAF Attack Protection

Inspecting the payload lets a WAF determine what is happening when a request comes to a web app, and that's why it's so effective at protecting web applications from the most common types of web app attacks. Those attacks include Denial of Service (DoS) attacks and even Distributed Denial of Service (DDoS) attacks. At the end of the day, a Denial of Service attack prevents legitimate use of an application. It could be as unsophisticated as unplugging a web server if you are physically in the data center room where that equipment resides.

 



It could be a little more technically sophisticated: flooding a network or a host with useless traffic, thus preventing legitimate traffic from reaching a web app. So, while your Web Application Firewall certainly won't be able to detect somebody in a server room unplugging a server, it will be able to detect suspicious flows of traffic that might indicate that a DoS or a DDoS attack is occurring. A WAF can also prevent sensitive data leakage. As an example, there might be a policy configured that looks at the source IP address from which a web app request is coming.

Based on that, it can make a decision as to whether or not sensitive data is displayed or is allowed to be downloaded. It can look for malicious bots mimicking humans, or for malicious URLs and HTTP requests to the server, which could indicate things like a directory traversal attack. It can protect against various types of injection, such as command injection and SQL database injection. Besides the directory traversals already mentioned, it can even look for things like buffer overflows.
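The payload inspection described above, sketched as an added example (not code from this page or from any WAF product): a few illustrative signatures are matched against the decoded path, query values and form body of a request. The rule names, the `inspect_request` and `decide` helpers and the sample requests are assumptions made for the illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Illustrative signatures only; real rule sets are far larger and tuned per app.
RULES = {
    "directory_traversal": re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)"),
    "sql_injection": re.compile(
        r"\bunion\b.+\bselect\b|'\s*(?:or|and)\s+['\d]|;\s*(?:drop|delete)\b", re.I),
    "command_injection": re.compile(r"[;&|`]\s*(?:cat|ls|id|whoami|wget|curl)\b|\$\("),
}

def normalize(value, max_rounds=3):
    """URL-decode repeatedly so double-encoded input is matched in decoded form."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(url, body=""):
    """Return sorted rule names matched in the path, query values or form body."""
    parts = urlsplit(url)
    fields = [parts.path]
    # parse_qsl splits on '&' and decodes once; only parameter values are inspected.
    fields += [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    # Assumption: the body is application/x-www-form-urlencoded.
    fields += [v for _, v in parse_qsl(body, keep_blank_values=True)]
    hits = set()
    for field in fields:
        text = normalize(field)
        hits.update(name for name, rule in RULES.items() if rule.search(text))
    return sorted(hits)

def decide(url, body=""):
    """Layer 7 verdict: block when any payload signature matches."""
    hits = inspect_request(url, body)
    return ("block" if hits else "allow", hits)

# Constructed sample requests (not taken from any real log).
SAMPLES = [
    ("/products?id=42&sort=price", ""),
    ("/download?file=%252e%252e%252fetc%252fpasswd", ""),
    ("/login", "user=admin&pass=x'+OR+'1'='1"),
    ("/ping?host=127.0.0.1%3Bcat+/etc/hosts", ""),
]

if __name__ == "__main__":
    for url, body in SAMPLES:
        print(url, body, "->", decide(url, body))
```

Signatures this short both miss variants and flag harmless text, so they complement fixes in the application code and do not replace them.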

But it's limited in doing this: because some of these issues stem from bad programming practices, there's only so much the Web Application Firewall can do. It can also be integrated with an identity provider, and you can configure granular access control policies for the web application, or even for subsets of the web application that might require authentication. Your web application firewall might also support HTTP or HTTPS load balancing to improve the availability and performance of the web app. So, there are many different products out there that fall under the umbrella of a web application firewall.

Some of them may support all of these items, and some may only support a subset. It just depends on the solution that you're using. There's another aspect of this that's quite interesting, and that's machine learning, or ML. A Web Application Firewall that supports machine learning uses behavioral analytic algorithms, and this would be a configuration that could be enabled for each web application or for all web applications protected by the WAF.
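As an added example (not from the original page, and not any WAF product's algorithm), the idea of learning normal traffic and flagging suspicious flows can be reduced to a per-client statistical baseline. It uses an exponentially weighted mean and variance rather than a trained model; the class name, parameters and sample counts are assumptions.

```python
import math

class RateBaseline:
    """Per-client exponentially weighted mean and variance of requests per interval."""

    def __init__(self, alpha=0.2, threshold=4.0, warmup=5):
        self.alpha = alpha          # how quickly the baseline follows new traffic
        self.threshold = threshold  # deviations above the baseline that raise an alert
        self.warmup = warmup        # intervals to observe before alerting at all
        self.state = {}             # client -> (mean, variance, intervals_seen)

    def observe(self, client, count):
        """Score one interval's request count, then fold it into the baseline."""
        mean, var, seen = self.state.get(client, (float(count), 0.0, 0))
        # Floor the deviation at 1 so a very steady client does not alert on +1 request.
        score = (count - mean) / max(math.sqrt(var), 1.0)
        anomalous = seen >= self.warmup and score > self.threshold
        if not anomalous:
            # Learn only from intervals judged normal, so a flood cannot retrain the baseline.
            diff = count - mean
            mean += self.alpha * diff
            var = (1 - self.alpha) * (var + self.alpha * diff * diff)
        self.state[client] = (mean, var, seen + 1)
        return anomalous, score

def flag_series(counts, client="203.0.113.7"):
    """Feed per-interval request counts for one client; return the alert flags."""
    baseline = RateBaseline()
    return [baseline.observe(client, c)[0] for c in counts]

# Constructed per-minute request counts for one client (documentation address).
SAMPLE_COUNTS = [10, 12, 9, 11, 10, 12, 11, 240, 11]

if __name__ == "__main__":
    print(flag_series(SAMPLE_COUNTS))
```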


Machine Learning In WAF

Machine learning (ML) means that the Web Application Firewall continuously improves itself by watching, observing, and analyzing traffic patterns and the type of traffic being sent to web apps, so that ultimately it can detect malicious connections and malicious bots that are trying to mimic human behavior but are really automation scripts trying to break into a web app. Deploying a Web Application Firewall really depends on what kind of solution you've got. It might be a hardware appliance that you install in a data center in a server rack, for example.

 


 


WAF Deployment

It might be a software appliance or a virtual machine. It could be a software appliance that runs as an application container, the difference being that a virtual machine contains an entire operating system, but an application container does not. All of these might be something that you deploy and manage on-premises, or you could use a web application firewall solution as a managed cloud service, where you don't have to worry about setting up the underlying physical infrastructure. Now, aside from these options, you might also deploy a WAF by manually installing the appropriate software on a host.

 


 

 Cloud Based WAF

In the cloud, a Web Application Firewall would be considered Security as a Service, where the cloud tenant or the cloud customer is responsible for the configuration of the Web Application Firewall and, of course, for monitoring it and setting up alerts. Most cloud-based Web Application Firewalls have the ability to monitor not only cloud web applications but also, possibly, web applications that you're still hosting on-premises. On the monitoring level, a Web Application Firewall is just one piece of an overall monitoring solution for your environment.

 



 WAF Monitoring

You should be monitoring web applications, of course, but also the ecosystem in which each web app lives. That means monitoring other network hosts and devices, having network firewalls at the perimeter, and watching traffic coming into or leaving the network. So, in a larger enterprise, any security incidents or alerts detected by a Web Application Firewall are normally forwarded to a centralized SIEM or SOAR solution, which is really just a large-scale, enterprise-wide, centralized way to monitor and deal with security incidents.

 



 

 

 
