In its 2023 Data Breach Investigations Report, Verizon says that attacks on web applications are, for yet another year in a row, the leading cause of security incidents and data leaks. The increasing complexity of applications and the dynamic threat landscape make effective protection a real challenge, all the more so because we can never be 100% sure that our app is free of security vulnerabilities. In this article, we investigate whether traditional security tools pass the test in these circumstances, and what advantage a modern Web Application Firewall has over them.
What is a Web Application Firewall (WAF)?
A Web Application Firewall is an automated system that sits between a web application and its external users as a protective barrier. It inspects all HTTP (Hypertext Transfer Protocol) and HTTPS (Hypertext Transfer Protocol Secure) traffic (to inspect HTTPS it has to terminate TLS itself, so it needs the site's certificate and private key), protecting applications from cross-site scripting (XSS), SQL injection, cookie poisoning and the other attack classes catalogued in the OWASP Top 10 (OWASP, the Open Web Application Security Project, is a global organisation that develops security standards for software).
WAF helps to determine which network traffic is safe for our app and which is malicious. It does so by:
- blocking attacks that exploit security gaps, even before they get into the actual application;
- monitoring incoming traffic to identify and block scans, attacks and bots;
- monitoring outgoing traffic to prevent confidential data leaks.
OSI model – at which levels do firewalls operate?
For a better understanding of how the Web Application Firewall works, it is helpful to familiarise yourself with the OSI (Open Systems Interconnection) model, which explains the communication processes taking place in the network and helps to design new solutions in terms of both hardware and software. Although it traces its roots back to the 1970s, it is still a relevant and widely used framework.
The OSI model creates seven layers ranked in a hierarchy from the physical to the most abstract:
- Physical layer – transfer of raw bits between a sending and receiving device using a transmission medium
- Data link layer – transfer of data between directly connected nodes, packing it into frames and detecting (and sometimes correcting) transmission errors from the physical layer.
- Network layer – forwarding of packets between networks towards their destination with the help of logical addresses (e.g. IP).
- Transport layer – segmentation of data and control of segment size and delivery order (e.g. TCP, the protocol most commonly used for browsing the web, with UDP [User Datagram Protocol] on the other side, used for streaming, for instance).
- Session layer – at this level, the start, management and termination of the session between receiver and sender takes place.
- Presentation layer – a.k.a. syntax layer; translation of the data representation (character encoding, compression, encryption) into a form the application layer above it can use.
- Application layer – providing interfaces and services for user apps such as web browsers, email and communication protocols.
How does WAF differ from other firewalls?
A traditional firewall operates at the third and fourth layers of the OSI model, network and transport. It filters traffic using rules expressed in terms of source and destination IP (Internet Protocol) addresses, protocol and port numbers. Its capabilities are seriously limited: it can identify an application only by its assigned port number, which can be changed relatively easily, and it never sees the content of the HTTP request itself.
Intrusion Detection and Prevention Systems (IDS & IPS)
Intrusion Detection and Prevention Systems are hardware or software solutions that operate at layers three to seven of the OSI model, depending on their configuration and intended context. They inspect network traffic against predefined (signature) rules, and more advanced systems also analyse the context of the traffic (anomaly- or behaviour-based detection), helping to distinguish between safe and malicious requests. The difference between the two is placement: an IDS observes traffic and raises alerts, whereas an IPS sits inline and can block it.
Next-generation Firewalls (NGFW)
Next-generation Firewalls, or network protection platforms, combine the capabilities of ordinary firewalls and Intrusion Detection and Prevention Systems (IDS and IPS) and add Deep Packet Inspection (DPI), i.e. inspection of packet payloads and not just headers, together with the identity of sender and receiver. As a result, they are able to detect various types of attacks, including malware. NGFWs employ both passive and active filtering, analysing each request to provide protection against advanced threats. Their inspection depth is configurable, but they operate at a much more advanced level than traditional firewalls when it comes to countering threats.
Web Application Firewall
A WAF works actively at the highest, seventh layer of the OSI model: the application layer. Automation is a double-edged sword here. It boosts the capabilities of attackers (scanners, bots), but it also lets a WAF learn what typical HTTP traffic to a given application looks like and flag atypical requests at a scale that security engineers without such tooling cannot match.
A modern WAF provides monitoring and protection for all HTTP traffic (starting from simply opening a page) and Application Programming Interfaces (APIs). It operates within the scope of incoming and outgoing traffic, that is:
- It analyses the query on the basis of defined rules before it reaches the actual application, and possibly blocks or admits it to the app.
- It analyses the application's response and possibly blocks it before it is returned to the client, which may be the attacker (for example a stack trace or database error message that reveals internal details, or a response containing confidential data).
A WAF lets you define, and in modern products largely automate, individual protection rules for each interface exposed to a potential attack. It is deployed in front of (upstream of) the application in question, typically as a reverse proxy, or integrated into the application's container or web server.
When analysing queries, the Web Application Firewall can operate under any of the following:
- blacklist – a set of rules (usually concerning parameters passed via the URL or data submitted with forms) describing patterns that the WAF deems unsafe; matching requests are blocked and everything else is admitted to the application (the negative security model, and the most commonly used option);
- whitelist – a set of rules describing what the WAF deems safe (permitted endpoints, parameters and value formats); only conforming traffic is green-lit to the application and everything else is blocked (the positive security model);
- hybrid method – uses both models.
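As an added illustration (not code from this article or from any Comarch product), the following Python sketch shows inbound request inspection under the blacklist, whitelist and hybrid models, the outbound response filtering described above, and one failure mode of the blacklist approach: matching on the raw, still URL-encoded request line instead of on decoded parameters. The rule patterns, the endpoint schema and the sample requests are all constructed for the example; a real rule set is far larger and needs tuning against the application's own traffic.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit


@dataclass
class Request:
    """Minimal HTTP request model (constructed for this example)."""
    method: str
    path: str       # request-target as sent: path plus query string
    body: str = ""  # application/x-www-form-urlencoded body, if any

    def params(self) -> dict:
        """Query and form parameters, URL-decoded once. A WAF must normalise the
        request before matching; matching on the still-encoded request line is
        a classic evasion (see raw_blocklist_check below)."""
        pairs = parse_qsl(urlsplit(self.path).query, keep_blank_values=True)
        pairs += parse_qsl(self.body, keep_blank_values=True)
        return dict(pairs)


# Negative model: patterns the WAF deems unsafe. Deliberately tiny and
# false-positive-prone (e.g. "on\w+=" also hits a value such as "onion=").
BLOCK_PATTERNS = {
    "sqli": re.compile(r"['\"]\s*(?:or|and)\s+[\w'\"]+\s*=\s*[\w'\"]+|union\s+select|--\s*$", re.I),
    "xss": re.compile(r"<\s*script|javascript:|on\w+\s*=", re.I),
    "traversal": re.compile(r"\.\./"),
}


def blocklist_check(req: Request):
    """Name of the first rule hit on any decoded parameter value, else None."""
    for value in req.params().values():
        for name, pattern in BLOCK_PATTERNS.items():
            if pattern.search(value):
                return name
    return None


def raw_blocklist_check(req: Request):
    """Same patterns applied to the raw (undecoded) request. Included only to
    show why normalisation matters; a WAF must not work this way."""
    for name, pattern in BLOCK_PATTERNS.items():
        if pattern.search(req.path) or pattern.search(req.body):
            return name
    return None


# Positive model: per-endpoint description of what is allowed (constructed
# schema); any endpoint, parameter or value format not described is rejected.
ALLOW_SCHEMA = {
    ("GET", "/products"): {"id": re.compile(r"\d{1,6}"), "sort": re.compile(r"price|name")},
    ("POST", "/login"): {"user": re.compile(r"[\w.@-]{1,64}"), "pass": re.compile(r".{8,128}")},
}


def allowlist_check(req: Request):
    """Reason the request violates the schema, or None if it conforms."""
    schema = ALLOW_SCHEMA.get((req.method, urlsplit(req.path).path))
    if schema is None:
        return "unknown endpoint"
    for key, value in req.params().items():
        if key not in schema:
            return f"unexpected parameter {key}"
        if not schema[key].fullmatch(value):
            return f"parameter {key} fails validation"
    return None


def decide(req: Request, mode: str = "hybrid") -> str:
    """Inbound decision under the chosen model: 'allow' or 'block: <reason>'."""
    if mode in ("blacklist", "hybrid"):
        hit = blocklist_check(req)
        if hit:
            return f"block: matched {hit} rule"
    if mode in ("whitelist", "hybrid"):
        reason = allowlist_check(req)
        if reason:
            return f"block: {reason}"
    return "allow"


# Outbound: inspect the application's response before it reaches the client.
LEAK_PATTERNS = {
    "stack trace": re.compile(r"Traceback \(most recent call last\)|\bat [\w.$]+\(\w+\.java:\d+\)"),
    "card number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}


def filter_response(body: str) -> str:
    """'allow', or 'block: <reason>' if the body looks like a data leak."""
    for name, pattern in LEAK_PATTERNS.items():
        if pattern.search(body):
            return f"block: {name}"
    return "allow"


if __name__ == "__main__":
    # Constructed sample traffic: clean request, URL-encoded SQL injection in a
    # numeric parameter, an undocumented parameter, and an injection in a
    # free-form password field.
    samples = [
        Request("GET", "/products?id=42&sort=price"),
        Request("GET", "/products?id=42%27%20OR%20%271%27%3D%271"),
        Request("GET", "/products?id=42&debug=1"),
        Request("POST", "/login", body="user=alice&pass=p%40ss%27+OR+%271%27%3D%271"),
    ]
    for req in samples:
        print(req.method, req.path, req.body, "| raw:", raw_blocklist_check(req),
              *(f"| {m}: {decide(req, m)}" for m in ("blacklist", "whitelist", "hybrid")))
    print(filter_response("Traceback (most recent call last):\n  File \"app.py\", line 3"))
```

Three things the output makes visible. The encoded injection in `id` is invisible to the raw matcher but caught once parameters are decoded, which is why every real WAF normalises before it inspects. The `debug=1` request matches no attack pattern at all and only the whitelist rejects it, while the password field shows the opposite limit: a free-form value cannot be constrained tightly enough for the whitelist to help, and only the blacklist stops the injection. The hybrid model blocks in all of these cases, which is why it is the model most products converge on.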
Available ways of implementing WAF
When deciding which Web Application Firewall implementation option will be most suitable for your business, you need to consider where you are deploying the web applications that the WAF is ultimately intended to protect. Are all of them located in a local data centre? Or perhaps in the public cloud? Possibly in a distributed multi-cloud environment? The answers to these questions are key for determining the most optimal way to implement a WAF.
Each method has its own advantages and challenges:
- Hardware WAF (network-based) – a locally installed appliance. Speed is its strength; the need for its own physical space, power and storage, plus periodic maintenance, are its weaknesses. It is typically the most expensive option.
- Virtual WAF (host-based) – software running on the application host itself (for example as a web-server module or sidecar). It offers the greatest flexibility, that is, the ability to customise the tool, and is cheaper than the option above. Drawbacks include consumption of the application server's own resources and greater difficulty of deployment and upkeep across many hosts.
- Cloud WAF (cloud-based) – cloud deployment, which usually boils down to DNS changes that redirect traffic through the provider. Costs are spread over fixed subscription fees (so it is the cheapest), and the service is continuously updated and scalable. The challenge is that you hand over responsibility to the party providing the service, so take the time to select a trusted provider. One practical point is easy to miss: because traffic is steered to the WAF only by DNS, the origin server must also be restricted to accept connections solely from the provider's address ranges (or through an authenticated tunnel); otherwise an attacker who discovers the origin IP simply bypasses the WAF.
In conclusion – what else do you need to keep in mind when securing apps with a Web Application Firewall?
In its current form, which has been in development for many years, a WAF is an effective tool to protect your web apps from the most dangerous kinds of attacks, i.e. cross-site scripting (XSS), cross-site request forgery (CSRF), file inclusion, SQL injection and application-layer DDoS attacks (HTTP floods; volumetric attacks have to be absorbed further upstream), among others. You can deploy a Web Application Firewall using either a hardware, virtual or cloud model.
Bear in mind, however, that the Web Application Firewall should not be the only firewall you entrust with the task of protecting web-based apps. A WAF works most effectively in tandem with a traditional network firewall (operating at layers three and four of the OSI model) or a next-generation firewall, and integrating it with other security systems, such as Intrusion Detection and Prevention (IDS/IPS), is valuable too. Just as important, implementing a WAF does not mean it will protect your assets with the same efficiency forever: as the application itself changes, the rules governing the WAF need to be reviewed and updated regularly, and the WAF remains a compensating control in front of the application rather than a substitute for fixing the vulnerabilities in it. A properly implemented, configured WAF, integrated with your other firewalls, will nevertheless be your greatest friend in the fight against potential attacks.
This article was written with the substantive support of Patryk Gruszka from the Marketing Production Department at Comarch.