Although conventional network firewalls serve us well, significant changes in application delivery are allowing new vulnerabilities to emerge. These demand more specialized application security proxies such as the web application firewall (WAF), an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation.
As more applications are migrated to the Web, the role of the WAF combined and integrated with an application delivery controller (ADC) is becoming increasingly important. Information professionals are realizing the security benefits this potent combination can deliver.
These include deep packet inspection, DDoS protection and SSL Offload capabilities as part of a richer, multi-layered security architecture that enhances security while reducing cost and operational complexity. With the WAF now a mandatory element in securing today’s Internet, and with best practice for its deployment becoming established, the WAF-plus-ADC combination is taking security to new levels.
Web application threats
Network firewalls are part of an IT security landscape that is becoming increasingly specialized and smarter. Focusing primarily on the networking aspects of traffic, they are unable to inspect traffic content. They remain relatively unintelligent with respect to high-level application behavior and context, and unable to cope with threats to Web application deployments such as the top 10 risks compiled by the Open Web Application Security Project (OWASP). Examples follow:
Injection: SQL Injection Attacks use a Web form or other exchange mechanism to insert SQL commands or commands containing SQL special characters. By sending these SQL commands, the attacker can trigger the backend SQL database to execute the injected commands and allow unauthorized users to obtain sensitive information from the database.
Cross-Site Scripting (XSS): XSS attacks exploit a Web server that does not validate data coming from another site. XSS can enable the attacker to obtain sensitive information, or to compromise a Web server.
Sensitive Data Exposure: If Web applications do not protect sensitive data such as credit card numbers or Social Security Numbers (SSN), attackers are able to conduct identity theft, credit card fraud, or other crimes.
Cross-Site Request Forgery (CSRF): CSRF attacks trick a user’s browser into sending an HTTP request, including the victim’s session cookie, to a vulnerable Web application. To the vulnerable Web application, this appears to be a legitimate request coming from the victim.
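The three code-level risks above (injection, XSS and CSRF) are easiest to see as a vulnerable form next to its hardened form. The following is an added example, not code from the original article or from any WAF or ADC vendor; the table, function names, the in-memory SQLite database and the probe input are constructed for illustration.

```python
import hmac
import html
import secrets
import sqlite3


def make_db():
    """Constructed in-memory database standing in for the backend SQL store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice-secret"), ("bob", "bob-secret")])
    return db


# --- Injection ------------------------------------------------------------
def lookup_vulnerable(db, name):
    """'Before' form: the value is spliced into the statement text, so SQL
    special characters in it change the meaning of the query."""
    query = "SELECT secret FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(query)]


def lookup_safe(db, name):
    """Hardened form: a parameterised query; the driver passes the value
    separately from the statement, so it is only ever treated as data."""
    rows = db.execute("SELECT secret FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


# --- Cross-Site Scripting -------------------------------------------------
def render_vulnerable(display_name):
    """Reflects untrusted input into the HTML page unchanged."""
    return "<p>Welcome, " + display_name + "</p>"


def render_safe(display_name):
    """Encodes the input for an HTML text context before reflecting it."""
    return "<p>Welcome, " + html.escape(display_name) + "</p>"


# --- Cross-Site Request Forgery ------------------------------------------
def issue_csrf_token(session):
    """Bind a fresh random token to the server-side session and hand it to
    the page; a forged cross-site request carries the cookie but not this."""
    token = secrets.token_hex(16)
    session["csrf"] = token
    return token


def csrf_valid(session, submitted):
    """Accept a state-changing request only if the submitted token matches
    the one bound to the session (constant-time comparison)."""
    expected = session.get("csrf")
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR 'a'='a"   # constructed input containing SQL special characters
    print(lookup_vulnerable(db, probe))   # both secrets are returned
    print(lookup_safe(db, probe))         # [] : no user has that literal name
    print(render_safe("<b>guest</b>"))
```

The point a WAF signature check can only approximate is visible in `lookup_safe`: with a parameterised query there is no string for special characters to break out of, so the filter in front of the application is a second layer rather than the only one.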
What is WAF?
The concept of a ‘firewall’ has been gradually supplemented by a bewildering array of security ‘point solutions’. These include proxy firewalls, stateful firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), fraud-detection systems, anti-virus (AV), and emerging next generation firewalls.
As a next generation firewall, a WAF filters all application access, inspecting both the traffic towards the Web application and the response traffic from the application. By securing both the application infrastructure as well as the application user, a WAF complements traditional network firewalls, which are not designed to protect at this granular level.
A WAF typically provides the following features:
- HTTP keyword checks, such as GET and POST
- SQL injection attack (SQLIA) check
- XSS check
- CSRF check
- Bad bot check
- Credit Card Number (CCN) masking
- Social Security Number (SSN) masking
- Perl Compatible Regular Expressions (PCRE) masking
- Cookie check
- Cookie encryption
- URI Black List/White List check
- HTTP protocol compliance check
- HTTP referrer check
- Cloaking to hide server responses/error status codes
- Configurable deny action
- Passive/Learning/Active deployment
A WAF offers granular control of Web application dataflow, and has various ways of dealing with threat vectors that can be launched at Web applications.
Below are use cases of attack mitigation:
- The WAF can prevent buffer overflow attacks by setting accepted maximum thresholds for aspects of HTTP requests, and blocking requests that exceed the configured limits.
- The WAF can strip HTTP response headers to ‘cloak’ server information that can equip a hacker to target an attack on your Web servers. For example, the WAF can cloak an HTTP response header to hide the operating system that is running on your servers. Exposed HTTP headers can enable a hacker to more narrowly target your servers with attacks that are specific to the servers’ operating systems.
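Several of the features listed above (request thresholds, a configurable deny action, response cloaking and credit card number masking) fit in a few dozen lines of proxy logic. The following is an added example written for this article, not code from the original or from any WAF product; the thresholds in LIMITS, the CLOAKED_HEADERS set, the function names and the sample requests are constructed assumptions.

```python
import re

# Constructed thresholds standing in for the WAF's configurable request limits.
LIMITS = {"max_uri_len": 256, "max_header_count": 40, "max_body_len": 4096}
ALLOWED_METHODS = {"GET", "POST", "HEAD"}

# Response headers a cloaking policy strips before the reply leaves the proxy.
CLOAKED_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}

# 13 to 16 digits with optional single spaces or dashes between them.
CCN_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")


def check_request(method, uri, headers, body):
    """Apply size thresholds; return the names of violated rules (empty = pass)."""
    violations = []
    if method not in ALLOWED_METHODS:
        violations.append("method")
    if len(uri) > LIMITS["max_uri_len"]:
        violations.append("uri_length")
    if len(headers) > LIMITS["max_header_count"]:
        violations.append("header_count")
    if len(body) > LIMITS["max_body_len"]:
        violations.append("body_length")
    return violations


def deny_action(violations, mode="block"):
    """Configurable deny action: 403 in active mode, log-only in passive/learning mode."""
    if not violations:
        return 200, "pass"
    if mode == "block":
        return 403, "blocked: " + ",".join(violations)
    return 200, "logged: " + ",".join(violations)


def luhn_ok(digits):
    """Luhn checksum, so that arbitrary runs of digits are not masked."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_ccn(text):
    """Replace all but the last four digits of each Luhn-valid card number."""
    def repl(match):
        raw = match.group(0)
        digits = re.sub(r"\D", "", raw)
        if not luhn_ok(digits):
            return raw
        to_hide = len(digits) - 4
        out, seen = [], 0
        for ch in raw:
            if ch.isdigit():
                seen += 1
                out.append("*" if seen <= to_hide else ch)
            else:
                out.append(ch)
        return "".join(out)
    return CCN_RE.sub(repl, text)


def cloak_response(status, headers, body):
    """Strip fingerprinting headers, replace 5xx bodies with a generic page,
    then run the data-masking pass over the body text that remains."""
    kept = {k: v for k, v in headers.items() if k.lower() not in CLOAKED_HEADERS}
    if status >= 500:
        body = "An error occurred."
    return status, kept, mask_ccn(body)


if __name__ == "__main__":
    print(check_request("GET", "/" + "a" * 300, {}, ""))
    print(deny_action(["uri_length"]))
    print(cloak_response(200, {"Server": "Apache/2.4", "Content-Type": "text/html"},
                         "card 4111 1111 1111 1111 on file"))
```

The Luhn step is the practical caveat for the masking feature: a bare 13-16 digit pattern also matches order numbers and timestamps, and masking those silently corrupts application output, which is exactly the kind of false positive a learning or passive deployment is meant to surface before the rule goes active.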
Best practice WAF deployment
Not just deployed as a point solution to address a certain type of security risk, a WAF now appears increasingly as an integrated component, either within conventional firewalls, as server-based solutions, or on high performance Web aggregation points such as Application Delivery Controllers (ADCs). This also reflects the enterprise’s desire to improve ROI from network security by consolidating multiple devices and reducing deployment and troubleshooting time and cost.
An ADC by definition must implicitly understand Web traffic and the associated security contexts, and is thus a natural place to include a WAF module as part of a service chain. This is especially so when considering complementary features such as SSL Offload - using the ADC to terminate encrypted SSL transactions, to simplify certificate management, and to offload the CPU-intensive encryption/decryption setup from the Web server farm.
Since an application delivery firewall (ADF) is inherently fluent in application protocols, it can monitor and act on behavior, both forensically, and at scale. The ADF inspects a full spectrum of message envelopes, from IPv4, IPv6, TCP, HTTP, SIP, DNS, SMTP, FTP, through to Diameter and RADIUS, enabling sophisticated deep packet analysis based on protocol as well as the payload.
This allows the ADF to detect anomalies indicating an attack in progress and to take appropriate action. For example, the ADF can count Layer 7 connections per second, per client, and impose various rate-limiting schemes that have proven effective in mitigating Layer 3, Layer 4 and Layer 7 resource-exhaustion attacks such as DDoS.
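The per-client Layer 7 rate limit described above can be shown as a sliding-window counter replayed over an access log. This is an added example, not code from the article or from any ADC vendor; the ClientRateLimiter class, the replay helper and the SAMPLE_LOG lines (timestamps in seconds, documentation-range client addresses) are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed access-log excerpt: "<seconds> <client> <method> <path>".
SAMPLE_LOG = """\
0.00 203.0.113.7 GET /login
0.05 203.0.113.7 GET /login
0.10 203.0.113.7 GET /login
0.15 203.0.113.7 GET /login
0.20 203.0.113.7 GET /login
0.25 203.0.113.7 GET /login
0.30 203.0.113.7 GET /login
0.40 198.51.100.2 GET /index.html
0.80 198.51.100.2 GET /style.css
2.50 203.0.113.7 GET /login
"""


class ClientRateLimiter:
    """Sliding window: at most `limit` accepted requests per `window` seconds per client."""

    def __init__(self, limit, window=1.0):
        self.limit = limit
        self.window = window
        self.history = defaultdict(deque)   # client -> timestamps of accepted requests

    def allow(self, client, now):
        q = self.history[client]
        while q and now - q[0] >= self.window:   # drop entries that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False            # over quota; rejected requests are not recorded
        q.append(now)
        return True


def replay(log_text, limit, window=1.0):
    """Feed log lines through the limiter; return {client: (allowed, denied)}."""
    limiter = ClientRateLimiter(limit, window)
    stats = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, _path = line.split()
        idx = 0 if limiter.allow(client, float(ts)) else 1
        stats[client][idx] += 1
    return {client: tuple(counts) for client, counts in stats.items()}


if __name__ == "__main__":
    for client, (allowed, denied) in replay(SAMPLE_LOG, limit=5).items():
        print(f"{client}: allowed={allowed} denied={denied}")
```

With a limit of five requests per second the burst from 203.0.113.7 is capped while the second client is untouched, and the same client is admitted again once its window has emptied; keying the window on a per-client identity rather than a global counter is what keeps the limiter from penalising legitimate users during an attack.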
When a WAF is implemented within an ADC the benefits are obvious by virtue of where the ADC resides. ADCs sit at the border between data centers serving Web applications and the wider Internet, effectively acting as a load balancing proxy and intelligent cache for application transactions and content.
ADCs get a complete view of the whole messaging stack (L2-L7) and are routinely involved in packet manipulation such as IP address, port mapping and URL rewrite. While the most obvious use of the ADC is for load balancing, high availability (HA) and content caching across applications servers, this privileged position of trust and oversight in the network topology means it is becoming increasingly common for ADCs to provide value-added security at scale, reducing risk and improving both information security and availability.
These security features include pre-authentication, SSL Offload, SSL Insight, and DDoS mitigation. Typically a high-end ADC will also include custom scripting to enable Deep Packet Inspection (DPI) and manipulation of traffic, endpoint information and even Web content.
In essence, a WAF as part of an ADC is a natural and complementary extension to the core application delivery functions. While conventional firewalls have a key role to play in perimeter security, the ADC typically sits in front of Web application servers as the last stop in the chain of defense. This enables organizations to deal with both internal and external misuse attempts, with the confidence that policy enforcement is being done in the right place, at an appropriate level, and with intimate knowledge of application logic and associated vulnerabilities.
This is particularly important if the organization is deploying virtualization and wishes to implement different policies for different virtual domains. More importantly, a WAF may be the last word in internal security controls, and it becomes more important still with the increasing trend towards BYOD, where mobile technology is brought inside the workplace, bypassing many of the perimeter controls.