Although conventional network firewalls serve us well, significant changes in application delivery are allowing new vulnerabilities to emerge. These demand more specialised application security proxies such as the web application firewall (WAF), an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation.
As more applications are migrated to the Web, the role of the WAF combined and integrated with an application delivery controller (ADC) is becoming increasingly important. Information professionals are realising the security benefits this potent combination can deliver.
These include deep packet inspection, DDoS protection and SSL offload capabilities as part of a richer, multi-layered security architecture that enhances security while reducing cost and operational complexity. With a WAF now regarded as mandatory for securing today's Internet applications, and deployment alongside an ADC emerging as best practice, the WAF-plus-ADC combination is taking security to new levels.
Web application threats
Network firewalls are part of an IT security landscape that is becoming increasingly specialised and smarter. They focus primarily on the networking aspects of traffic and are unable to inspect its content. They remain relatively unintelligent with respect to high-level application behaviour and context, and are unable to cope with threats to Web application deployments such as the top 10 risks compiled by the Open Web Application Security Project (OWASP). Examples follow:
● Injection: SQL Injection Attacks use a Web form or other exchange mechanism to insert SQL commands or commands containing SQL special characters. By sending these SQL commands, the attacker can trigger the backend SQL database to execute the injected commands and allow unauthorised users to obtain sensitive information from the database.
● Cross-Site Scripting (XSS): XSS attacks exploit a Web server that does not validate data coming from another site. XSS can enable the attacker to obtain sensitive information, or to compromise a Web server.
● Sensitive Data Exposure: If Web applications do not protect sensitive data such as credit card numbers or Social Security Numbers (SSN), attackers are able to conduct identity theft, credit card fraud, or other crimes.
● Cross-Site Request Forgery (CSRF): CSRF attacks trick a user's browser into sending an HTTP request, including the victim's session cookie, to a vulnerable Web application. To the vulnerable Web application, this appears to be a legitimate request coming from the victim.
What is a WAF?
The concept of a 'firewall' has been gradually supplemented by a bewildering array of security 'point solutions'. These include proxy firewalls, stateful firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), fraud-detection systems, anti-virus (AV), and emerging next-generation firewalls.
As a next-generation firewall, a WAF filters all application access, inspecting both the traffic towards the Web application and the response traffic from the application. By securing both the application infrastructure and the application user, a WAF complements traditional network firewalls, which are not designed to protect at this granular level. A WAF typically provides the following features:
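To make concrete what "applying a set of rules to an HTTP conversation" means for the four OWASP risks listed above and for the two-way inspection just described, here is a minimal rule-based inspector in the style of a WAF. It is an added example written for this article, not code from the article or from any vendor product: the rule patterns, the trusted origin `https://shop.example`, the `HttpRequest` class and the sample messages are all constructed for illustration, and a real ruleset (such as the OWASP Core Rule Set) is far larger and handles many more encodings.

```python
"""Minimal rule-based HTTP inspector in the style of a WAF.

Added example, not code from the article or any vendor product. The rules,
trusted origin and sample messages below are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from urllib.parse import unquote_plus


@dataclass
class HttpRequest:
    method: str
    path: str                      # request-target including the query string
    headers: dict[str, str] = field(default_factory=dict)
    body: str = ""


# Request-side rules (traffic towards the application). Each entry maps a
# finding name to a pattern; deliberately small and prone to false positives.
REQUEST_RULES = [
    ("sqli", re.compile(
        r"'\s*(?:or|and)\s+[\w']+\s*=\s*[\w']+"   # tautology following a quote
        r"|;\s*(?:drop|select|insert|union)\b",   # stacked statement
        re.IGNORECASE)),
    ("xss", re.compile(r"<\s*script\b|javascript:|\bon\w+\s*=", re.IGNORECASE)),
]

# Response-side rules (traffic from the application): sensitive data that
# should never leave the application in clear form.
RESPONSE_RULES = [
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("card", re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")),
]

# Assumed application origin; any other origin on a state-changing request is
# treated as possible CSRF.
TRUSTED_ORIGINS = {"https://shop.example"}
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def inspect_request(req: HttpRequest) -> list[str]:
    """Return the names of every rule the request trips (empty if clean)."""
    findings: list[str] = []
    # Decode percent-encoding first so encoded payloads hit the same rules.
    text = unquote_plus(req.path) + "\n" + unquote_plus(req.body)
    for name, pattern in REQUEST_RULES:
        if pattern.search(text):
            findings.append(name)
    if req.method.upper() in STATE_CHANGING:
        # A forged cross-site request carries the victim's cookie but comes
        # from another origin (or none); require a trusted Origin/Referer.
        origin = req.headers.get("Origin") or req.headers.get("Referer")
        if origin is None or not any(origin.startswith(t) for t in TRUSTED_ORIGINS):
            findings.append("csrf")
    return findings


def inspect_response(body: str) -> list[str]:
    """Return the names of every sensitive-data rule the response body trips."""
    return [name for name, pattern in RESPONSE_RULES if pattern.search(body)]


def redact_response(body: str) -> str:
    """Mask every digit except the last four of each sensitive match."""
    def mask(m: re.Match) -> str:
        s = m.group(0)
        return re.sub(r"\d", "*", s[:-4]) + s[-4:]
    for _, pattern in RESPONSE_RULES:
        body = pattern.sub(mask, body)
    return body


if __name__ == "__main__":
    # Constructed sample conversation: two clean requests, two hostile ones,
    # and a response that leaks customer data.
    requests = [
        HttpRequest("GET", "/search?q=widgets"),
        HttpRequest("GET", "/search?q=%27%20OR%20%271%27%3D%271"),
        HttpRequest("POST", "/comment", {"Origin": "https://evil.example"},
                    "text=<script>alert(1)</script>"),
        HttpRequest("POST", "/transfer", {"Origin": "https://shop.example"},
                    "to=acct&amount=100"),
    ]
    for r in requests:
        print(r.method, r.path, "->", inspect_request(r) or "clean")
    leak = "Customer SSN: 123-45-6789, card 4111 1111 1111 1111"
    print(inspect_response(leak), "->", redact_response(leak))
```

The point of the example is the shape of the work rather than the patterns themselves: the proxy decodes before matching, applies different rule sets to each direction, and can rewrite a response rather than only block it. The CSRF check is the one place a rule needs request context (method plus origin headers) rather than content matching, which is exactly what a packet-level firewall lacks.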