● HTTP keyword checks, such as GET and POST
● SQL injection attack (SQLIA) check
● XSS check
● CSRF check
● Bad bot check
● Credit Card Number (CCN) masking
● Social Security Number (SSN) masking
● Perl Compatible Regular Expressions (PCRE) masking
● Cookie check
● Cookie encryption
● URI Black List/White List check
● HTTP protocol compliance check
● HTTP referrer check
● Cloaking to hide server responses/error status codes
● Configurable deny action
● Passive/Learning/Active deployment
A WAF offers granular control over Web application data flow and provides several ways of dealing with the threat vectors that can be launched against Web applications. Below are example use cases of attack mitigation:
● The WAF can prevent buffer overflow attacks by setting accepted maximum thresholds for aspects of HTTP requests, and blocking requests that exceed the configured limits.
● The WAF can strip HTTP response headers to 'cloak' server information that would otherwise help an attacker target your Web servers. For example, the WAF can cloak an HTTP response header to hide the operating system running on your servers. Exposed HTTP headers allow an attacker to aim attacks that are specific to the servers' operating system.
Best practice WAF deployment
A WAF is no longer deployed only as a point solution addressing a single type of security risk; it increasingly appears as an integrated component, either within conventional firewalls, as a server-based solution, or on high-performance Web aggregation points such as Application Delivery Controllers (ADCs). This also reflects the enterprise's desire to improve the ROI of network security by consolidating multiple devices and reducing deployment and troubleshooting time and cost.
An ADC by definition must understand Web traffic and its associated security contexts, and is therefore a natural place to include a WAF module as part of a service chain. This is especially so when considering complementary features such as SSL Offload: utilising the ADC to terminate encrypted SSL sessions, simplify certificate management, and take the CPU-intensive encryption/decryption setup off the Web server farm.
Since an application delivery firewall (ADF) is inherently fluent in application protocols, it can monitor and act on behaviour both forensically and at scale. The ADF inspects a full spectrum of message envelopes, from IPv4, IPv6, TCP, HTTP, SIP, DNS, SMTP and FTP through to Diameter and RADIUS, enabling deep packet analysis based on the protocol as well as the payload.
This allows the ADF to detect anomalies indicating an attack in progress and to take appropriate action. For example, the ADF can measure the number of Layer 7 connections per second, per client, and impose rate-limiting schemes that have proven effective in mitigating Layer 3, Layer 4 and Layer 7 resource-exhaustion attacks, including DDoS.
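As an added illustration (not code from the article or any product it mentions), the sketch below models three of the controls described above: request-size thresholds against oversized-input attacks, response-header cloaking, and a per-client Layer 7 rate limit. The limit values and the set of cloaked header names are constructed assumptions, not values from the article.

```python
import time
from collections import defaultdict, deque

# Constructed thresholds (assumption, not from the article): a request that
# exceeds any of these is denied, mitigating buffer-overflow style inputs.
LIMITS = {"uri_len": 2048, "header_count": 40, "header_len": 4096, "body_len": 65536}

# Response headers that disclose server software or OS; cloaking drops them.
# The list is an assumption; a real deployment would tune it per application.
CLOAKED_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}

def check_request_limits(uri, headers, body):
    """Return the name of the first violated limit, or None if within limits."""
    if len(uri) > LIMITS["uri_len"]:
        return "uri_len"
    if len(headers) > LIMITS["header_count"]:
        return "header_count"
    for name, value in headers.items():
        if len(name) + len(value) > LIMITS["header_len"]:
            return "header_len"
    if len(body) > LIMITS["body_len"]:
        return "body_len"
    return None

def cloak_response_headers(headers):
    """Strip headers that reveal server or operating-system details."""
    return {k: v for k, v in headers.items() if k.lower() not in CLOAKED_HEADERS}

class RateLimiter:
    """Sliding-window limit on Layer 7 requests per client address."""

    def __init__(self, max_per_window, window_seconds=1.0):
        self.max = max_per_window
        self.window = window_seconds
        self.hits = defaultdict(deque)  # client -> timestamps of recent requests

    def allow(self, client_ip, now=None):
        """Return True if the request is within the client's rate, else False."""
        now = time.monotonic() if now is None else now
        q = self.hits[client_ip]
        while q and now - q[0] >= self.window:  # drop hits outside the window
            q.popleft()
        if len(q) >= self.max:
            return False
        q.append(now)
        return True
```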