A web application firewall (WAF) protects web servers and web applications by placing a layer of inspection and control between end users and the application. It acts as a filtering proxy for all application access, inspecting both inbound requests and outbound responses. It is designed to block attacks while still admitting legitimate users and without noticeably degrading application performance.
A web application firewall differs from a traditional network firewall in its ability to inspect data at a more granular level, for example by validating form-field input or protecting application cookies against tampering. A network firewall and a web application firewall are generally deployed together and provide complementary layers of security.
Applications that provide services to end users can be vulnerable to many threats. A10 Thunder® ADC (Application Delivery Controller) processes a complex set of functions simultaneously on high-performance appliances. It integrates advanced Layer 4 through Layer 7 (L4-7) techniques to ensure server availability, protect vulnerable applications and accelerate content delivery.
With a built-in, ICSA-certified WAF, Thunder ADC guards vulnerable software against dozens of application-layer attacks, including the Open Web Application Security Project (OWASP) Top 10 threats. These include cross-site request forgery, SQL injection and buffer overflows, all of which exploit flaws in application code. Integrated into Thunder ADC, the WAF blocks these and other attacks that manifest as anomalous application behaviour, and also prevents unauthorized data leakage in responses.
A WAF filters all application access, inspecting both the traffic towards the web application and the response traffic coming back from it. By securing both the application infrastructure and the application user, a WAF complements traditional network firewalls, which are not designed to inspect at this level of granularity.
Applications can be vulnerable to many threats that regular network firewalls do not detect, and the impact of these attacks can be severe. The Open Web Application Security Project (OWASP) maintains a list of the top 10 risks that still threaten many web application deployments. The 2013 list differs only modestly from the 2010 one (some items were merged and reordered, and Using Components with Known Vulnerabilities was added); the most common attacks have not changed dramatically over the years. Here are some examples:
The A10 Thunder and AX Series Application Delivery Controllers (ADCs) include a full-featured Web Application Firewall that blocks web attacks before they reach vulnerable applications. Deployed as a reverse proxy in front of the web servers, Thunder ADC inspects web requests and responses and can block, sanitize, or log malicious activity.
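To make the request-and-response inspection described above concrete, here is an added, self-contained example of the core decisions a proxy-deployed WAF makes. It is not A10's code and does not reflect how ACOS implements these checks; the pattern list, field-length limit, signing key and the `Request`/`Decision` types are all hypothetical. On the request side it validates form fields (SQL-injection signatures, an oversized-field check that mitigates buffer-overflow attempts) and verifies an HMAC-signed application cookie; on the response side it sanitizes card numbers that pass the Luhn check, so that data leakage is masked rather than passed through. Every decision is recorded so it can be logged.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass, field

# Hypothetical policy values, constructed for this example.
SECRET = b"example-cookie-signing-key"   # would come from secure config in practice
MAX_FIELD_LEN = 256                      # cap on any single form field

# Illustrative SQL-injection signatures (real WAF rule sets are far larger).
SQLI_PATTERNS = [
    re.compile(r"('|\")\s*(or|and)\s+\S+\s*=\s*\S+", re.I),   # ' OR 1=1
    re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I),      # UNION SELECT
    re.compile(r";\s*(drop|delete|update|insert)\b", re.I),     # stacked query
    re.compile(r"--|/\*"),                                      # SQL comment
]
# 13 to 16 digits with optional single spaces or dashes, ending on a digit.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")


@dataclass
class Request:
    form: dict      # form field name -> value
    cookies: dict   # cookie name -> signed value


@dataclass
class Decision:
    action: str                          # "allow" or "block"
    log: list = field(default_factory=list)


def sign_cookie(value: str) -> str:
    """Append an HMAC-SHA256 tag so the WAF can detect client-side tampering."""
    mac = hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def verify_cookie(signed: str):
    """Return the original value if the tag verifies, else None."""
    value, sep, mac = signed.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(mac, expected) else None


def inspect_request(req: Request) -> Decision:
    """Inbound check: field length, SQLi signatures, cookie integrity."""
    d = Decision("allow")
    for name, value in req.form.items():
        if len(value) > MAX_FIELD_LEN:
            d.log.append(f"block: field {name!r} exceeds {MAX_FIELD_LEN} bytes")
            d.action = "block"
        for pat in SQLI_PATTERNS:
            if pat.search(value):
                d.log.append(f"block: field {name!r} matches SQLi pattern {pat.pattern!r}")
                d.action = "block"
                break
    for name, value in req.cookies.items():
        if verify_cookie(value) is None:
            d.log.append(f"block: cookie {name!r} failed integrity check")
            d.action = "block"
    return d


def luhn_ok(s: str) -> bool:
    """Luhn checksum over the digits in s; filters out random digit runs."""
    digits = [int(c) for c in s if c.isdigit()]
    total = 0
    for i, dgt in enumerate(reversed(digits)):
        if i % 2 == 1:
            dgt *= 2
            if dgt > 9:
                dgt -= 9
        total += dgt
    return total % 10 == 0


def _mask(s: str) -> str:
    """Mask all but the last four digits, preserving separators."""
    if not luhn_ok(s):
        return s
    total = sum(c.isdigit() for c in s)
    seen, out = 0, []
    for c in s:
        if c.isdigit():
            seen += 1
            out.append(c if seen > total - 4 else "*")
        else:
            out.append(c)
    return "".join(out)


def sanitize_response(body: str):
    """Outbound check: return (sanitized body, number of card numbers masked)."""
    count = 0

    def repl(m):
        nonlocal count
        masked = _mask(m.group(0))
        if masked != m.group(0):
            count += 1
        return masked

    return CARD_RE.sub(repl, body), count


if __name__ == "__main__":
    # Constructed sample traffic for demonstration.
    good = Request({"user": "alice"}, {"session": sign_cookie("u42")})
    bad = Request({"user": "' OR 1=1 --"}, {"session": "u42.deadbeef"})
    print(inspect_request(good))
    print(inspect_request(bad))
    print(sanitize_response("card 4111 1111 1111 1111 on file; ref 1234 5678 9012 3456"))
```

The Luhn filter is what keeps the response-side rule from masking order numbers and other 16-digit values; the second number in the sample body fails the checksum and is left untouched. Note that the cookie check only detects tampering, it does not encrypt the value, so anything confidential still belongs server-side.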
The WAF forms a full defense stack together with other A10 security mechanisms in order to protect web applications, mitigate code vulnerabilities and prevent data leakage; this aids compliance with standards such as the Payment Card Industry (PCI) Data Security Standard (DSS), whose requirement 6.6 accepts a WAF as one means of protecting public-facing web applications.
A10's WAF feature is designed to recognize many of today's threats, with the flexibility to customize checks for emerging ones. The WAF is tightly integrated with other A10 security features within the Advanced Core Operating System (ACOS). Instead of integrating third-party WAF code, as many other vendors do, A10 developed the WAF specifically for ACOS. This approach yields a scalable, high-performance security solution that is simple to configure.
The WAF module offers granular control over web application data flows and several ways of dealing with the threat vectors that can be launched at web applications. Here are two use cases: