Definition
A Web Application Firewall (WAF) is a security component that protects web applications from attackers by analyzing and filtering HTTP traffic.
Overview
A firewall is a security device or software that protects systems from unauthorized access. Firewalls intercept network connections and either permit or block them based on a set of rules. Traditionally, firewalls are the first level of security around networks and Internet services.
Standard network firewalls operate at layers 3 and 4 of the OSI model. Consequently, they can only inspect packets at the IP and TCP/UDP levels of the protocol stack, and are limited to using IP addresses, protocol types, connection states, and port numbers as filtering criteria.
Websites and web applications need more protection than a standard firewall can provide. WAFs are specialized firewalls that operate at Layer 7 of the OSI model: they understand web application protocols and can analyze the HTTP traffic flowing to and from a web application.
How a Web Application Firewall Works
WAFs sit between clients and the web services they want to reach. Client connections are routed through the WAF, which inspects each request before it reaches the application.
The OWASP Top Ten Most Critical Web Application Security Risks is the primary threat list in web security. It is regularly updated by the OWASP Foundation, a non-profit organization focused on application security.
WAFs provide mechanisms to block or mitigate the threats described in the document:
- Cross-site scripting (XSS): one of the most prevalent attack vectors, in which attackers inject malicious script into pages rendered by the victim's browser to access session cookies, steal sensitive data, or even rewrite content to show false information. To help prevent XSS, WAFs can be configured to enforce a Content Security Policy.
- Misconfigured servers: unsafe settings such as default passwords and guest accounts are the first targets for attackers. These vulnerabilities are created when administrators fail to follow security best practices. WAFs can mitigate the impact of poorly configured systems by forcing security directives and rejecting insecure protocols.
- Known vulnerabilities: out-of-date software and libraries are vulnerable. WAFs can act as a stop-gap solution, blocking known exploits until patching can take place.
- SQL injection: websites with inadequate input validation are open to code injection vulnerabilities whereby attackers try to sneak in SQL statements to gain unauthorized access to databases. WAFs detect such attempts and block them.
- Access control and sensitive data exposure: attackers may try to steal sensitive data by scanning a website structure and exploiting unsecured resources. WAFs can be used to lock down parts of the website, only granting access to trusted parties.
- Insufficient logging and monitoring: comprehensive logging of traffic leads to an early detection of malicious activity. A WAF acts as a centralized point of logging and alerts administrators about ongoing threats.
Additionally, WAFs can prevent bot traffic (e.g. CAPTCHA challenges), mitigate Distributed Denial of Service (DDoS) attacks, implement geo-fences, consolidate user authentication at a single point, and offload encryption and compression workloads from servers.
How to configure a WAF
It only takes a few minutes to configure a cloud WAF:
- Subscribe to StackPath's global WAF service to gain worldwide protection.
- Add your domain names and the content or services you want to protect.
- Review the OWASP threat settings, configure the DDoS rate limits, and review other security settings.
- Set up inbound and outbound rules to control access to your web services.
- Create IP whitelists or blacklists to control access if necessary.
- Monitor access to your applications, set up security events notifications, and analyze traffic in real-time. StackPath’s dashboard offers a quick way to create rules and analyze logs.
The management API can be used to manage rules and monitor traffic. Once the WAF has been set up, you can get the list of rules with:
$ curl --request GET \
    --url https://gateway.stackpath.com/waf/v1/stacks/YOUR_STACK_ID/sites/YOUR_SITE_ID/rules \
    --header 'accept: application/json' \
    --header 'authorization: Bearer YOUR_AUTH_TOKEN'
Adding rules is simple. Imagine you wish to only allow PNG file types to your site’s “/pictures/upload” path. First, add a rule allowing “image/png” content:
$ curl --request POST \
    --url https://gateway.stackpath.com/waf/v1/stacks/YOUR_STACK_ID/sites/YOUR_SITE_ID/rules \
    --header 'accept: application/json' \
    --header 'authorization: Bearer YOUR_AUTH_TOKEN' \
    --header 'content-type: application/json' \
    --data '{"name":"allow_filetypes","conditions":[{"url":{"url":"/pictures/upload"},"httpMethod":{"httpMethod":"POST"},"fileExtension":{"fileExtension":"png"},"contentType":{"contentType":"image/png"}}],"action":"ALLOW","enabled":true,"statusCode":"FORBIDDEN_403"}'
Then add a second rule, with its own name, blocking any other POST to the same path:
$ curl --request POST \
    --url https://gateway.stackpath.com/waf/v1/stacks/YOUR_STACK_ID/sites/YOUR_SITE_ID/rules \
    --header 'accept: application/json' \
    --header 'authorization: Bearer YOUR_AUTH_TOKEN' \
    --header 'content-type: application/json' \
    --data '{"name":"block_other_filetypes","conditions":[{"url":{"url":"/pictures/upload"},"httpMethod":{"httpMethod":"POST"}}],"action":"BLOCK","enabled":true,"statusCode":"FORBIDDEN_403"}'
For further details, review the API specification.
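To check what the allow/block pair above actually does before deploying it, here is an added example (not StackPath's code) of a minimal evaluator for the rule format used in the API calls. It assumes rules are evaluated top-down with the first enabled match deciding, that fields inside one condition object are AND-ed while the objects in "conditions" are OR-ed, and that a request no rule matches is passed through to the origin.

```python
# Added example, not StackPath's implementation: evaluates rules shaped like the
# JSON bodies above against constructed requests. Assumptions: top-down first
# match wins; AND inside a condition object, OR across the list; unmatched = PASS.

RULES = [  # constructed copy of the two rules above
    {"name": "allow_filetypes", "enabled": True, "action": "ALLOW",
     "conditions": [{"url": {"url": "/pictures/upload"},
                     "httpMethod": {"httpMethod": "POST"},
                     "fileExtension": {"fileExtension": "png"},
                     "contentType": {"contentType": "image/png"}}]},
    {"name": "block_other_filetypes", "enabled": True, "action": "BLOCK",
     "conditions": [{"url": {"url": "/pictures/upload"},
                     "httpMethod": {"httpMethod": "POST"}}]},
]


def condition_matches(cond: dict, req: dict) -> bool:
    """Every field of one condition object must hold for the request (AND)."""
    checks = {
        "url": lambda v: req["path"] == v["url"],
        "httpMethod": lambda v: req["method"].upper() == v["httpMethod"],
        "fileExtension": lambda v: req.get("filename", "").lower().endswith("." + v["fileExtension"]),
        # compare the media type only, so "image/png; charset=binary" still counts
        "contentType": lambda v: req.get("content_type", "").split(";")[0].strip().lower() == v["contentType"],
    }
    return all(checks[field](value) for field, value in cond.items())


def evaluate(rules: list, req: dict) -> tuple:
    """First enabled rule with any matching condition object decides (OR across objects)."""
    for rule in rules:
        if rule.get("enabled", True) and any(condition_matches(c, req) for c in rule["conditions"]):
            return rule["action"], rule["name"]
    return "PASS", None  # assumed default: unmatched requests go through to the origin


# Constructed sample requests (only the fields the rules look at)
PNG_UPLOAD = {"method": "POST", "path": "/pictures/upload", "filename": "cat.png", "content_type": "image/png"}
PDF_UPLOAD = {"method": "POST", "path": "/pictures/upload", "filename": "report.pdf", "content_type": "application/pdf"}
MISMATCH = {"method": "POST", "path": "/pictures/upload", "filename": "cat.png", "content_type": "text/html"}
LISTING = {"method": "GET", "path": "/pictures/upload"}

if __name__ == "__main__":
    for label, req in [("png", PNG_UPLOAD), ("pdf", PDF_UPLOAD), ("mismatch", MISMATCH), ("get", LISTING)]:
        print(label, evaluate(RULES, req))
    # Rule order matters: with the BLOCK rule first, the legitimate PNG upload is blocked too
    print("reversed", evaluate(list(reversed(RULES)), PNG_UPLOAD))
```

The ALLOW rule trusts the file extension and the declared Content-Type header, neither of which proves the body is really a PNG, so treat this pair as an access-control gate rather than as content validation.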
Examples of Web Application Firewalls
WAFs operate with a predetermined set of rules. Whitelist rules determine which parties may pass while blacklists block others from accessing protected resources. In addition, WAFs often include behavioral rules to detect known attack patterns and exploits.
There are three types of Web Application Firewalls:
- Appliance or hardware-based WAFs: a physical appliance interposed in the network path, acting as a router or network edge device. They are only applicable to on-premises or co-located networks.
- Software-based WAFs: a software firewall running either on the same machine where the web server resides or in a separate machine on a shared network (acting as a reverse proxy). A software-based firewall can be customized and integrated into the code. Customizability is gained at the cost of increased development and operation time. One of the most popular open-source WAFs is ModSecurity.
- Cloud WAFs: a special type of software-level firewall that is integrated into the cloud infrastructure. Cloud WAFs are virtual firewalls that can be instantiated on a per-customer or per-stack basis and charged on a pay-as-you-go model. This is what StackPath provides.
Cloud WAFs provide flexibility, isolation, and increased security. Threat-detection rules can be managed by the cloud vendor and shared across all users for improved detection rates. Cloud WAFs are globally deployed and take less effort to set up than the other types as they do not require any hardware or software modifications.
Key Takeaways
- WAFs are a specialized type of Layer 7 firewall capable of understanding and inspecting web traffic.
- WAFs are used to protect websites, web applications, and API services.
- Cloud-based WAFs are platform-agnostic, easy to configure, and scalable.
- WAFs can monitor traffic in real-time and alert administrators about ongoing security threats.