Web Application Firewall (WAF)
Web Application Firewalls (WAFs) are hardware, software, virtual, and cloud-based firewall solutions. Unlike other network infrastructure security solutions, WAFs focus specifically on web app attacks, vulnerabilities, usage patterns and are able to differentiate between normal and anomalous usage.
WAFs can be implemented in the following ways:
Physical WAFs — hardware-based; installed locally to reduce overhead and latency.
Virtual WAFs — typically in a virtual environment such as ESX servers or in public cloud such as Amazon Web Services (AWS).
Cloud-hosted WAFs — a low-cost solution; easy to deploy, available on a subscription basis, and typically requires only a simple change to redirect application traffic.
Why Do You Need a WAF?
By inspecting HTTP(S) traffic, WAFs can prevent attacks stemming from web application security flaws, such as SQL injection, cross-site scripting (XSS), file inclusion, and security misconfigurations. WAFs know how to validate inputs to stop malicious attacks before they can do harm, and are able to block scanners and automatically patch application vulnerabilities. In addition, they quickly learn application behavior, maintaining the safety of critical applications by continuously adapting and preventing new attacks.
The following analyses are recommended when evaluating web application firewalls:
- Identify current location of your web applications (e.g., on-premises, remote data center, cloud-based, other).
- Assess each web application’s risk factor, if it were attacked (e.g., a blog with no comments allowed would be low risk, while a blog that accepts donations via credit card payment would be high risk). Questions to consider are:
- Does the web application provide access to sensitive or proprietary data?
- Is the web application customer facing?
- What would be the impact to the organization if the web application was compromised or became unavailable?
- Determine the WAF deployment type (e.g., network or managed service), based on the organization needs and resources.
- Determine the WAF form (e.g., appliance, virtual appliance, or cloud-based), based on the gathered location and risk factor information.
- Evaluate the WAF features and functions, using the information detailed in the Top Ten Requirements for Choosing a WAF section of this document.
Top Ten Requirements for Choosing a WAF
A WAF should be able to:
- Understand the protected application, including URLs, parameters, and cookies. Understanding the protected application, and then validating input, helps stop attacks like SQL injection, parameter tampering, and cookie poisoning.
- Have up-to-date protection to defeat the latest web-borne threats. It should leverage live attack, reputation, and threat intelligence from around the world to identify both attacks and attackers.
- Include an analytics engine that can examine multiple attack indicators to block attacks without incurring false positives, or identifying legitimate visitors as attackers.
- Be able to stop automated attacks such as site scraping, comment spam, application DDoS, and vulnerability scans.
- Recognize known malicious sources and sites. It should identify users that are actively attacking other websites and stop them instantly, before they can inflict more damage.
- Prevent attempts to exploit application vulnerabilities.
- Be able to mitigate the growing menace of credential abuse.
- Be able to mitigate automated bot attacks without requiring application changes.
- Provide flexible deployment and configuration options to satisfy every organization’s unique requirements.
- Deliver point-and-click security policies or automated policy updates.
Learn how the Imperva WAF solution meets these requirements.