Web Application Firewall (WAF)

Today I would like to discuss the Web Application Firewall (WAF). A WAF filters Layer-7 (HTTP/HTTPS) traffic on its way to our web application servers, and it can be thought of as a reverse proxy sitting in front of one or more web applications. In Myanmar, WAFs have already been deployed in many banking systems to protect mobile and web banking applications.

💭 Why do we need a WAF?

To understand Web Application Firewalls, we first have to know about OWASP (the Open Web Application Security Project). OWASP is very active in defining techniques for writing web applications that are more resistant to attack, and it provides excellent resources for developers who want to write secure web applications.
However, not all applications are written according to the OWASP guidelines, and the code in such web applications becomes vulnerable to web attacks such as cross-site scripting (XSS), SQL injection, session hijacking and buffer overflows. These attacks cannot even be detected by network-based firewalls and IDS/IPS, because they travel inside otherwise well-formed HTTP requests. Only a WAF is specifically built to protect against these web attacks.

💭 What is a WAF?

A WAF analyzes the GET and POST requests sent over HTTP and HTTPS and applies configured rules to identify and filter out malicious web traffic.

A WAF can be configured with one of three basic security models. One model may be more effective than the others depending on the specific context of the web server and application.
To get a quick intuitive understanding of the whitelisting and blacklisting models, imagine yourself as the web application server deciding which requests to accept.

🔹 Whitelisting model: The Web Application Firewall evaluates parameters (especially global, URL-flow, sensitive, navigation and other dynamic parameters), meta-characters, query-string lengths and POST-data lengths as part of a positive security check. When the security policy includes known parameters, you are creating a whitelist of acceptable parameters. In this model the system allows only traffic whose parameters match those you configured in the security policy.

🔹 Blacklisting model: This model uses pre-set signatures to block web traffic that is clearly malicious, together with signatures designed to prevent attacks that exploit known website and web application vulnerabilities. It works as “allow all except these items”. This model is a good choice for websites and web applications on the public internet, because such targets receive a lot of legitimate traffic from unfamiliar client machines.

🔹 Hybrid model: Some web applications can also be protected with a hybrid security model that blends whitelisting and blacklisting. Depending on the configuration specifics, a hybrid firewall can be the best choice both for web applications on internal networks and for web applications on the public internet.
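To make the three models concrete, here is an added example (not part of the original post and not any vendor's rule language): a small Python policy engine that applies a positive (whitelist) policy, a negative (signature/blacklist) policy, or a hybrid of the two to a few constructed sample requests. The application paths (/login, /search), the parameter rules, the signatures and the sample requests are all hypothetical; percent-decoding happens before inspection so the engine sees the same values the application would.

```python
"""Toy WAF policy engine illustrating the whitelist, blacklist and hybrid models.

Added example with a constructed, minimal rule set; not a product's rule language.
A request is a dict with the parsed path, raw query string and raw form body.
"""
import re
from urllib.parse import parse_qs

# Positive security policy (whitelist) for a hypothetical application:
# path -> {parameter name: (allowed value pattern, maximum value length)}
WHITELIST_POLICY = {
    "/login": {
        "username": (re.compile(r"[A-Za-z0-9_.@-]{1,64}"), 64),
        "password": (re.compile(r"[^\x00-\x1f]{1,128}"), 128),
    },
    "/search": {
        "q": (re.compile(r"[\w\s.,-]{1,100}"), 100),
        "page": (re.compile(r"\d{1,3}"), 3),
    },
}
MAX_QUERY_LENGTH = 512   # overall query-string length limit
MAX_BODY_LENGTH = 4096   # overall POST-data length limit

# Negative security signatures (blacklist): simplified, widely known patterns.
BLACKLIST_SIGNATURES = [
    ("sqli-tautology", re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I)),
    ("sqli-union-select", re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I)),
    ("xss-script-tag", re.compile(r"<\s*script\b", re.I)),
    ("xss-event-handler", re.compile(r"\bon\w+\s*=", re.I)),
    ("path-traversal", re.compile(r"\.\./")),
]


def decoded_params(req):
    """Merge query-string and form-body parameters, percent-decoded."""
    params = parse_qs(req["query"], keep_blank_values=True)
    for name, values in parse_qs(req["body"], keep_blank_values=True).items():
        params.setdefault(name, []).extend(values)
    return params


def whitelist_check(req):
    """Positive model: allow only what the policy explicitly describes."""
    policy = WHITELIST_POLICY.get(req["path"])
    if policy is None:
        return False, "path has no positive policy"
    if len(req["query"]) > MAX_QUERY_LENGTH:
        return False, "query string too long"
    if len(req["body"]) > MAX_BODY_LENGTH:
        return False, "POST data too long"
    for name, values in decoded_params(req).items():
        if name not in policy:
            return False, f"unknown parameter {name!r}"
        pattern, max_len = policy[name]
        for value in values:
            if len(value) > max_len:
                return False, f"parameter {name!r} too long"
            if not pattern.fullmatch(value):
                return False, f"parameter {name!r} contains disallowed characters"
    return True, "all parameters match the positive policy"


def blacklist_check(req):
    """Negative model: allow everything unless a signature matches."""
    targets = [("path", [req["path"]])] + list(decoded_params(req).items())
    for name, values in targets:
        for value in values:
            for sig_name, pattern in BLACKLIST_SIGNATURES:
                if pattern.search(value):
                    return False, f"signature {sig_name} matched in {name!r}"
    return True, "no signature matched"


def evaluate(req, mode):
    """Return (allowed, reason) for a request under the chosen security model."""
    if mode == "whitelist":
        return whitelist_check(req)
    if mode == "blacklist":
        return blacklist_check(req)
    if mode == "hybrid":
        # Signatures apply everywhere; the positive policy applies only where
        # one has been written, so unlisted paths are not blocked outright.
        allowed, reason = blacklist_check(req)
        if not allowed:
            return allowed, reason
        if req["path"] in WHITELIST_POLICY:
            return whitelist_check(req)
        return True, "no positive policy for path and no signature matched"
    raise ValueError(f"unknown mode {mode!r}")


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = {
    "legit_login": {"path": "/login", "query": "",
                    "body": "username=alice&password=Correct-Horse-9"},
    "sqli_login": {"path": "/login", "query": "",
                   "body": "username=alice%27+OR+%271%27%3D%271&password=x"},
    "xss_search": {"path": "/search", "body": "",
                   "query": "q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"},
    "unknown_param": {"path": "/search", "query": "q=waf&debug=1", "body": ""},
    "unlisted_path": {"path": "/about", "query": "", "body": ""},
}

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        for mode in ("whitelist", "blacklist", "hybrid"):
            allowed, reason = evaluate(req, mode)
            print(f"{name:14} {mode:9} {'ALLOW' if allowed else 'BLOCK'}  {reason}")
```

Running the script shows where the models differ: the request with an undocumented `debug` parameter passes the blacklist (no signature matches a harmless value) but fails the whitelist and the hybrid, while the request to the unlisted `/about` path fails the strict whitelist yet is allowed by the blacklist and the hybrid. That is the trade-off the text describes: a positive policy catches unexpected input at the cost of rejecting anything nobody wrote a rule for.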

💭 Is WAF a Reverse Proxy?

A reverse proxy is a type of proxy server that typically sits behind the network firewall in a private network and forwards client requests to the appropriate backend server. Whereas forward proxies generally protect clients, a WAF protects servers and is deployed in front of a specific web server. Therefore a WAF can be considered a reverse proxy.

💡 If developers cannot deliver code that complies with OWASP standards, deploying a WAF in front of the web application servers is a better way to provide a mitigating control against malicious web attacks. Next week, I will introduce the WAF vendors offered by NEX4 SI.

As one of the best system integrators, NEX4 provides a strong solution for implementing WAF features with our skilled professionals. Moreover, NEX4 also provides User and Admin Awareness Trainings to make this edge technology easier to understand and implement.

Don’t forget to share this post!