Web Application Firewall

1. Introduction
A web application firewall (WAF) is an appliance, a piece of software (a host-based application firewall), or a filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection. By customizing the rules to your application, many attacks can be identified and blocked. The effort needed for this customization can be significant, and the rules must be maintained as the application changes.

2. Need for a WAF
There are many types of web-based attacks and security risks to watch out for, so where do you start? While the details of these attacks vary greatly, the key threat concepts — and the main defensive countermeasures — are well understood and can be boiled down to a manageable list.

3. Architecture

  1. Reverse Proxy Mode: In reverse proxy mode the WAF sits inline and all network traffic passes through it. The WAF has published IP addresses and all incoming connections terminate at these addresses; the WAF then makes its own requests to the back-end web servers on behalf of the originating browser.
  2. Transparent Proxy: As a transparent proxy, the WAF sits inline between the network firewall and the web server and behaves much like a reverse proxy, but it does not have an IP address of its own. This mode requires no changes to the existing infrastructure.
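The reverse proxy topology described above, as an added example written for this page (not the code of any WAF product): the proxy owns the published address, terminates the browser's connection, inspects the request, and only then opens its own connection to the back end. Everything here is constructed for the demonstration: the back end is a stand-in server, the single SQL-injection signature in `BLOCK_PATTERNS` is a constructed rule, and `run_demo` starts both servers on ephemeral localhost ports so the exchange can be observed offline.

```python
"""Minimal reverse-proxy-mode WAF. The proxy owns the published address,
terminates the browser's connection, inspects the request, and re-issues it
to the back-end server on the browser's behalf. Example code written for
this page, not any product's implementation."""
import http.client
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote_plus

# Constructed rule: a classic SQL-injection tautology in the request target.
BLOCK_PATTERNS = [re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I)]


def request_is_hostile(path: str) -> bool:
    """URL-decode the request target once, then test it against the rules."""
    decoded = unquote_plus(path)
    return any(p.search(decoded) for p in BLOCK_PATTERNS)


class BackendHandler(BaseHTTPRequestHandler):
    """Stand-in origin server: echoes the path and the forwarded client IP."""

    def do_GET(self):
        client = self.headers.get("X-Forwarded-For", "none")
        body = f"backend saw {self.path} for {client}".encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def make_waf_handler(backend_port: int):
    """Build a handler that fronts the back end listening on backend_port."""

    class WafHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            if request_is_hostile(self.path):
                # Blocked at the edge: the back end never sees this request.
                self.send_response(403)
                self.send_header("Content-Length", "0")
                self.end_headers()
                return
            # Clean request: open our own connection to the origin and relay.
            conn = http.client.HTTPConnection("127.0.0.1", backend_port, timeout=5)
            conn.request("GET", self.path,
                         headers={"X-Forwarded-For": self.client_address[0]})
            resp = conn.getresponse()
            body = resp.read()
            conn.close()
            self.send_response(resp.status)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):
            pass

    return WafHandler


def serve(handler):
    """Start a server on an ephemeral localhost port in a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(port: int, path: str):
    """Act as the browser: request path from the given port."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path)
    resp = conn.getresponse()
    result = (resp.status, resp.read().decode())
    conn.close()
    return result


def run_demo():
    """Return (status, body) for a clean and for a hostile request sent
    through the WAF; only the clean one reaches the back end."""
    backend = serve(BackendHandler)
    waf = serve(make_waf_handler(backend.server_address[1]))
    try:
        clean = fetch(waf.server_address[1], "/items?id=42")
        hostile = fetch(waf.server_address[1], "/items?id=1'%20OR%20'1'='1")
    finally:
        waf.shutdown()
        backend.shutdown()
    return clean, hostile


if __name__ == "__main__":
    print(run_demo())
```

The back end only ever sees the WAF's own source address, which is why the proxy adds `X-Forwarded-For`: without it, application logs and rate limits behind a reverse-proxy WAF lose the real client IP.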

4. Types of WAF

  1. Appliance-based
  2. Host-based

5. Freeware (non-commercial) host-based application firewalls
1. ModSecurity: ModSecurity is one of the oldest and most widely used open source web application firewalls. It detects application-level threats and protects web applications against a range of security issues. It is released under a non-viral open source license and integrates with the Apache web server as a module.
2. ESAPI WAF: ESAPI WAF was developed by Aspect Security and is designed to provide protection at the application layer rather than the network layer. It is a Java-based WAF that protects web applications from online attacks. One of its distinctive features is outbound filtering, which reduces information leakage. It is configuration driven rather than code based, so installation amounts to adding the required settings to a text configuration file.

6. Pros:

  • Protection against the OWASP Top Ten, with all rules customizable
  • Can allow or deny any application module for specific users or regions
  • Very few false positives thanks to learning mode (i.e., an authorized request should NEVER be disallowed)
  • Strength of default (out-of-the-box) defenses
  • Detects disclosure and unauthorized content in outbound reply messages, such as credit-card and Social Security numbers
  • Both positive and negative security model support
  • Simplified and intuitive user interface
  • Cluster mode support
  • High performance (milliseconds latency)
  • Complete alerting, forensics, reporting capabilities
  • Web services / XML support
  • Brute force protection
  • Ability to run in active (block and log), passive (log only), or bypass mode for web traffic
  • Ability to keep individual users constrained to exactly what they have seen in the current session
  • Ability to be configured to prevent ANY specific problem (e.g., emergency patches)
  • Form factor: software vs. hardware (hardware generally preferred)
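Several of the points above (the negative and positive security models, the active/passive/bypass modes, and outbound detection of card numbers in reply messages) come together in a rule engine. The following is an added example written for this page, not ModSecurity's or any vendor's engine; the signatures in `NEGATIVE_RULES`, the per-endpoint allow-list in `POSITIVE_PROFILE`, the function names, and `SAMPLE_REPLY` are all constructed for illustration. The mode names follow ModSecurity's real `SecRuleEngine` values (`On`, `DetectionOnly`, `Off`), and the outbound scan goes slightly beyond the text by adding a Luhn check so that numbers that merely look like cards are not masked.

```python
"""Toy WAF rule engine illustrating the pros listed above: a negative
(signature) model, a positive (allow-list) model, the On/DetectionOnly/Off
engine modes, and outbound masking of card numbers. Example code written
for this page; it is not ModSecurity or any vendor's engine."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple
from urllib.parse import parse_qs, unquote_plus

# Negative security model: constructed signatures for known-bad input.
NEGATIVE_RULES = {
    "sqli-tautology": re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I),
    "sqli-union": re.compile(r"\bunion\b.{0,20}\bselect\b", re.I | re.S),
    "xss-script-tag": re.compile(r"<\s*script\b", re.I),
    "xss-event-attr": re.compile(r"\bon[a-z]+\s*=", re.I),
}

# Positive security model: constructed per-endpoint profile of the
# parameters each path may receive and the shape each value must have.
POSITIVE_PROFILE = {
    "/account": {"id": re.compile(r"^\d{1,10}$")},
    "/search": {"q": re.compile(r"^[\w .,-]{1,64}$")},
}


@dataclass
class Verdict:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def inspect_request(path: str, query: str, mode: str = "On") -> Verdict:
    """mode follows ModSecurity's SecRuleEngine values: "On" blocks,
    "DetectionOnly" logs but allows (passive), "Off" bypasses inspection."""
    if mode == "Off":
        return Verdict(True, ["engine bypassed"])
    reasons = []
    profile = POSITIVE_PROFILE.get(path)
    # parse_qs decodes once; decode again so double-encoded payloads
    # (%253C -> %3C -> <) are inspected in the same form as plain ones.
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in (unquote_plus(v) for v in values):
            for rule_id, pattern in NEGATIVE_RULES.items():
                if pattern.search(value):
                    reasons.append(f"{rule_id} in {name}")
            if profile is not None:
                expected = profile.get(name)
                if expected is None:
                    reasons.append(f"unexpected parameter {name} for {path}")
                elif not expected.match(value):
                    reasons.append(f"{name} violates profile for {path}")
    blocked = bool(reasons) and mode == "On"
    return Verdict(not blocked, reasons)


# Outbound inspection: mask card numbers in reply bodies. A Luhn check
# keeps look-alike numbers (order ids, references) from being masked.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scrub_response(body: str) -> Tuple[str, int]:
    """Return the body with Luhn-valid card numbers masked, plus the count."""
    masked = 0

    def mask(match):
        nonlocal masked
        digits = re.sub(r"\D", "", match.group(0))
        if not luhn_ok(digits):
            return match.group(0)
        masked += 1
        return "*" * (len(digits) - 4) + digits[-4:]

    return CARD_CANDIDATE.sub(mask, body), masked


# Constructed sample reply: one Luhn-valid test card number and one
# reference number that merely resembles a card.
SAMPLE_REPLY = "Order 7345-2201 paid with 4111 1111 1111 1111; ref 4111111111111112"
```

Running `inspect_request("/account", "id=42")` yields an allowed verdict with no reasons, while the same endpoint with a tautology in `id` is blocked in `On` mode and merely annotated in `DetectionOnly` mode. Note how the positive profile catches the unexpected `debug` parameter on `/search` even though no signature matches it, which is the advantage of the allow-list model over pure signatures.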

7. Cons:

  • Cost
  • Performance
  • May slow down network performance (because of traditional packet filtering)

8. Additional Features:

  1. Caching – Reduces load on web servers and improves performance by caching copies of regularly requested web content on the WAF, so repeated requests do not reach the back-end servers.
  2. Compression – In order to provide for more efficient network transport, certain web content can be automatically compressed by the WAF and then decompressed by the browser.
  3. SSL Acceleration – Use of hardware based SSL decryption in a WAF to speed SSL processing and reduce the burden on back-end web servers.
  4. Load Balancing – Spreading incoming web requests across multiple back end web servers to improve performance and reliability.
  5. Connection Pooling – Reduces back end server TCP overhead by allowing multiple requests to use the same back end connection.

9. Conclusion:
A web application firewall is another tool in your arsenal to protect your organization's critical web assets and associated data. It is not a substitute for properly written code or input validation, but it provides an additional layer of defense. A WAF can also be a highly effective defense for blocking newly discovered vulnerabilities or previously successful attacks, protecting a site while vulnerabilities are being fixed and thoroughly tested by your developers.