WAFs
Introduction
A Web Application Firewall, as the term firewall implies, is a middleman that sits between web applications on a web server and the Internet. A WAF serves two major functions: preventing malicious traffic from reaching web applications hosted on a server and preventing unauthorized data from leaving the web server. In the Open Systems Interconnection (OSI) seven-layer model, a WAF operates at the application level, which is the seventh and highest level.
How a WAF works
Conceptually, a WAF works like a reverse proxy. A proxy typically protects client machines’ identities from web servers by positioning itself in the middle of the data flows between client and server machines. For a WAF, its protection acts in the reverse direction: it positions itself in the middle of data flows between the server and client machines to protect the server from potentially malicious traffic originating from clients.
Some of the attacks that malicious clients can launch on web applications include cross-site scripting (XSS), cross-site forgery, SQL injection, file inclusion, and cookie poisoning. To prevent such attacks, a WAF monitors and examines every single data packet going in and out of a web server to ensure that the data packets are safe.
WAFs operate through policies that establish what malicious traffic and safe traffic look like. Broadly, these policies fall into two categories: a block model where traffic resembling known attacks is denied passage through the WAF, and an allow model where pre-approved traffic is granted passage. Most WAFs do not exclusively depend on policies from a single model because each model has inherent weaknesses. Therefore, WAFs tend to employ a hybrid model with both block and allow policies for maximum effectiveness.
Ways to deploy a WAF
There are three major ways to deploy a WAF on a web server: network-based, host-based or cloud-based.
- Networked-based WAF: In a network-based WAF, hardware or physical equipment is used to sit in between server and client traffic. The main advantage of network-based WAFs is that they minimize latency because the protection operates through a separate physical device on-site. However, network-based WAFs are usually the most expensive option.
- Host-based WAF: For host-based WAF, protection comes from software installed on the web server itself. Like networked-based WAFs, host-based WAFs are on-site and minimize latency. However, host-based WAFs consume the resources of the web server to perform its protective function because they don't reside on a separate physical device, unlike network-based WAFs. Host-based WAFs may also be costly because they require a web server to be optimized so that deployment of a host-based WAF doesn't degrade performance.
- Cloud-based WAF: The main advantages of cloud-based WAFs are affordability and simplicity. Cloud-based WAFs are typically offered as a service for a monthly fee and do not require hefty upfront investment such as buying physical equipment, like network-based WAFs. Cloud-based WAFs are also very easy to implement. Often, a DNS change to redirect traffic to the cloud-based WAF service is all that is necessary. The main downside of cloud-based WAFs is that the protection is not on-premise and the protection is offered by a third-party. Providers lack full knowledge of the policies and strategies employed by cloud-based WAFs.