Our previous post reviewed the types of attacks described in the first two chapters of the recently released Securing Modern Web Applications eBook. This post reviews chapter three, which covers the evolution of WAF technology and how it protects against those threats.
The first network security solutions—Intrusion Detection Systems (IDS) and Intrusion Protection Systems (IPS)—focused on parsing network traffic and conducting signature-level comparisons. Because these solutions depend mostly on traffic signatures, attackers can modify parameters so that the attack looks different from the signature. One such evasion method is packet fragmentation, where the message is broken into multiple smaller packets that can be reassembled by the receiving device. Though they don’t provide adequate protection for websites, these technologies can inspect multi-protocol traffic, such as FTP and other network traffic, outside of just HTTP.
To provide more extensive website protection, WAFs are deployed in the cloud or in corporate De-Militarized Zones (DMZs). They can perform SSL termination to conduct deep inspection of applications traffic at layer 7. The WAFs go beyond matching signatures, analyzing application behavior and detecting deviations from baselines of acceptable behavior.
WAFS have advanced detection capabilities that protect against major attacks, including the OWASP Top 10. For example, they protect against attacks that bypass traditional firewalls such as:
- SQL injection attacks, which manipulate data input to inject SQL code directly into a web server’s input stream, and is then passed directly to the database. This code could retrieve sensitive data directly from the database.
- Cross-site Scripting (XSS) attacks inject malicious scripts that do not properly encode the input. The scripts would be executed by the client browser.
In both cases, WAFs protect against these attacks by analyzing the application layer input and applying rules that look for characteristics of the attacks. The signature-based approaches, on the other hand, would need to look for an exact match of the attack—the exact script or SQL input. These approaches allow evasion techniques such as packet fragmentation or adding whitespace to the code.
WAF Performance and High Availability
WAFs are deployed inline and process all data at every layer of the OSI model, down to the layer 7 application traffic. That, along with the rules that could be processed on every packet might introduce incremental latency. The WAF should support a variety of deployment modalities that can achieve 10 GB throughput, to at least match the speed of the layer 2 and layer 3 devices that feed them, and support tens of thousands of transactions per second.
WAFs often function as SSL termination points because traffic needs to be decrypted for inspection at the firewall. Since encryption is processor intensive, WAFs support SSL acceleration to offload these operations to specialized hardware, such as SSL accelerator cards.
WAFs require management servers that have exclusive and protected access to manage the WAF devices. The management plane should unify auditing, reporting and logging of the WAF deployment, and provide a view of WAF status and of incidents in real time to track threats in the network. In an enterprise environment that consists of multiple groupings of WAF devices, each with its own local management server, there should be a master management server to provide a consolidated view of the entire WAF deployment. The master servers can uniformly distribute security and audit policies to all WAF deployments in the enterprise.
Emergent WAF Capabilities
As attackers employ new capabilities, vendors are starting to incorporate with existing technology trends to evolve WAF capabilities from simply detecting and mitigating technical attacks to addressing complex business and logic-oriented attacks.
One such capability is integration with Security Information and Event Management (SIEM) systems that gather information from multiple sources, and then synthesize, correlate, and report on security events across the company’s technology landscape. Once the WAF security data is integrated into the company’s existing SIEM, you no longer need to log in to the WAF interface to view the logs, and you can add WAF logs to other events across the enterprise.
WAFs in SOC Modernization
SOCs—operational hubs for monitoring and escalating security incidents—are affected by trends that increase the complexity of the environments they monitor. SOC activities require increased automation, such as machine learning, to capture baselines and identify deviations from normal traffic. Modern WAFs include that capability together with threat intelligence from other sources.
Virtual patching, the quick short-term implementation of a security policy to prevent exploitation of a security vulnerability, can be installed on WAFs without modifying the application source code. These patches at the WAF provide interim protection until the actual patch can be applied to the system.
WAFs should serve as one component of an overall application defense-in-depth strategy, and these technologies complement WAF deployments to help solidify the organization’s overall security posture.
- API Gateways insulate and abstract internal APIs and allow them to be securely published to external customers. They can also be used to inject and enforce uniform security rules. Your best option is to protect your API gateway behind the WAF so that the API calls are properly terminated and inspected by the WAF at layer 7, before reaching the gateway.
- Bots serve a legitimate purpose, such as search engine bots that continually update their index of web pages, but there are plenty of malicious bots. WAFs can protect against certain types of bots, such as scraper bots or credential-stuffing bots, but there are new bot mitigation and defense devices that can help by addressing emerging bot threats.
- Runtime Application Self-Protection (RASP) is a new category of application-defense technology that you can embed into an application’s runtime—Java Virtual Machine, for example. RASPs can respond to runtime attacks using custom actions that can terminate the app or send an alert when attacked.
- Content Delivery Networks (CDNs) consist of geographically dispersed proxy servers to distribute cached content and access controls closer to the users. By providing cached content at the perimeter of the web, CDNs can help absorb DDoS attacks and minimize the performance impact on the website servers.
- Data Loss Prevention (DLP) solutions ensure that sensitive data doesn’t leak out of corporate boundaries.
- Data Masking and Redaction solutions conceal or redact data so it can be viewed only by those with a need to know.
WAF Deployment Models
A WAF can be deployed on premises or in a cloud configuration. Following are samples of deployment options described in the eBook.
- In-line reverse-proxy uses NAT for address translation and proxies traffic between internal and external networks. All traffic for the configured network segments ingress and egress through the WAF.
- Bridging mode WAF is deployed as a transparent layer 2 switch on the network, offering high performance that requires no changes to web applications.
- Cloud-based WAFs in an IaaS deployment can be deployed as a software appliance or virtual machine. The WAF can also be deployed as an extension of an existing CDN, providing WAF-as-a-Service, with no need to deploy hardware or software. This service is typically set up by changing your DNS records to point to WAF cloud services, which will in turn proxy back to your actual web properties.
As you can see, deploying WAF components correctly with other technologies can help ensure that you are designing and deploying modern security solutions that keep up with the increasing threats that are plaguing technology at a faster rate than ever before.
Download the eBook