• 22 January 2025

As time passes and web pages improve, users benefit from more features, such as registration forms, online payment, and actions that interact directly with the web server. These developments have not only served online businesses and improved their performance but have also helped cybercriminals achieve their goals, such as stealing users’ bank information.

Websites, web servers, and web applications all have functionality in the application layer and are constantly exposed to a wide variety of threats and cyber-attacks.

So how can you protect the vital parts of your online business from these attacks?

There are two ways to do this:

  • Developing applications to be more resistant to attacks
  • Protecting applications with security technologies such as a WAF

Regarding the first method, various references, such as OWASP, are available to help developers write software securely. However, no such guide can cover every application. On the other hand, protection equipment such as IPS, IDS, and firewalls in the servers’ infrastructure cannot prevent application layer attacks.

Therefore, the best approach is to use a WAF to prevent application layer attacks in addition to network layer security equipment such as firewalls.

What Is WAF?

Attacks take place at different OSI layers. One of these layers is the application layer, the seventh layer of the OSI model, where the most sophisticated attacks take place. WAF stands for Web Application Firewall, a firewall that detects and reacts to these attacks.

A WAF, or Web Application Firewall, helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet. A WAF typically protects web applications against attacks such as the following:

  • Cross-site request forgery (CSRF)
  • Cross-site-scripting (XSS)
  • File Inclusion
  • SQL Injection

A WAF is a layer 7 (application) defense in the OSI model and is not designed to defend against every kind of attack. This attack mitigation method is usually part of a suite of tools that together provide a comprehensive defense against a wide range of attack vectors.

Deploying a WAF in front of the web application places a shield between the application and the Internet. While a proxy server protects the identity of the client machine by acting as an intermediary, a WAF protects the server from exposure by having each client pass through the WAF before reaching the server.

How Does WAF Work?

A WAF is part of a comprehensive security concept for web applications. It resists specific cyber-attacks such as cross-site request forgery (CSRF, an attack in which requests are forged from another website) and SQL injection (injecting SQL code into places such as forms or the comment section of a web application).

For this purpose, the WAF forms a protective wall between the web application and the Internet. Clients that want to access the web server must pass through the web application firewall.

A WAF is a type of Application Level Firewall (ALF for short), but its distinguishing feature is that, unlike a standard firewall, it does not work at the network and protocol level; rather, it parses, filters, and blocks HTTP data directly at the application level.

A WAF protects web applications by inspecting HTTP traffic, whereas a standard firewall creates a barrier between external and internal network traffic.

Therefore, a WAF differs from a typical firewall in the type of protection it provides. Another point is that the WAF sits between external users and web applications and parses all HTTP communication.

How Does WAF Protect Applications?

Some of the tasks performed by web application firewalls that enhance cyber security include:

  • Testing URLs: The WAF inspects the URL to detect anything unusual, such as unexpected variables or the presence of SQL syntax, which indicates a possible injection attack.
  • Filtering Spam Traffic: Most WAFs look for spam keywords in the content sent to the web application. Additional tests may be performed before the user is challenged or directed away from the application.
  • Preventing XSS and SQL Injection Attacks: WAFs check for code commonly used in Cross-Site Scripting (XSS) and SQL injection attacks.
  • Identifying Malicious Bots: WAFs look for bots on the Internet that try to exploit web applications and stop them before they reach the application.

WAF Configuration Models

WAF configuration is generally based on the following three security models:

  • Allow List Model

In this method, a list of allowed URLs is defined, and only traffic to these specific URLs is allowed to pass. Any traffic to URLs other than those on the list is blocked.

  • Blocklist Model

In this model, the WAF protects the web application against known attacks. In other words, the WAF is configured to block known threats and malicious activities that attempt to reach a web application or server. This model is useful for public applications that any Internet user can access, but it is not an effective method against zero-day attacks. In general, this model is implemented in one of the following three ways:

    1. Pattern-based: Predefined general patterns (usually fewer than 100) are loaded into the WAF, and incoming requests are matched against them. If a request matches one of these patterns, the WAF blocks it.
    2. Behavior-based: The WAF builds a model of normal user behavior and treats deviations from it as attacks to be prevented.
    3. Score-based: Each rule has a score. If a request matches rules of the pattern-based or behavior-based kind, the total score of the matched rules is calculated, and if that value reaches a predefined threshold, the WAF blocks the request.

  • Hybrid Model

In this model, the WAF is configured to use both allowlist and blocklist methods according to the application’s needs. This method can be used both on internal networks and on public (Internet-facing) structures.
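The three configuration models above can be compared side by side with a small request filter. The following is an added example written for this article, not ArvanCloud’s code or any product’s rule set: the allowed routes, the three block patterns and the sample requests are all constructed here for illustration. It shows why the blocklist alone misses a request it has no signature for (the zero-day case in the text), while the hybrid model still stops it because the route is not on the allow list.

```python
import re
from dataclasses import dataclass


@dataclass
class Request:
    """Minimal HTTP request view; constructed for this example."""
    method: str
    path: str
    query: str
    body: str = ""


# Allow list (positive model): only these method/path pairs may pass at all.
# Constructed for the example; a real deployment lists its own routes.
ALLOWED_ROUTES = {
    ("GET", "/"),
    ("GET", "/products"),
    ("POST", "/login"),
    ("POST", "/checkout"),
}

# Block list (negative model): signatures of known attack techniques,
# checked against the query string and body. Deliberately small and
# illustrative, like the "predefined general patterns" in the text.
BLOCK_PATTERNS = {
    "sqli": re.compile(r"('|%27)\s*(or|and)\s+\d+\s*=\s*\d+|union\s+select", re.I),
    "xss": re.compile(r"<\s*script|javascript:|on\w+\s*=", re.I),
    "lfi": re.compile(r"\.\./|/etc/passwd", re.I),
}


def allowlist_decision(req: Request) -> str:
    """Allow List Model: anything not explicitly listed is blocked."""
    return "allow" if (req.method, req.path) in ALLOWED_ROUTES else "block"


def blocklist_decision(req: Request):
    """Blocklist Model (pattern-based): block only on a known signature."""
    text = f"{req.query}\n{req.body}"
    hits = [name for name, pat in BLOCK_PATTERNS.items() if pat.search(text)]
    return ("block", hits) if hits else ("allow", hits)


def hybrid_decision(req: Request):
    """Hybrid Model: positive check first, negative check on what survives."""
    if allowlist_decision(req) == "block":
        return "block", ["route-not-allowed"]
    return blocklist_decision(req)


if __name__ == "__main__":
    # Constructed sample traffic: a normal request, a classic injection
    # probe, an unknown route with no signature, and a script payload.
    samples = [
        Request("GET", "/products", "id=5"),
        Request("GET", "/products", "id=5' OR 1=1--"),
        Request("GET", "/admin", ""),
        Request("POST", "/login", "", "user=<script>alert(1)</script>"),
    ]
    for req in samples:
        print(f"{req.method} {req.path:<10} allow={allowlist_decision(req):<5} "
              f"block={blocklist_decision(req)} hybrid={hybrid_decision(req)}")
```

The `/admin` sample is the interesting row: the blocklist returns `allow` because none of its patterns fire, which is exactly the weakness the article attributes to blocklists against unknown attacks, while the hybrid decision still blocks it on the allow-list check.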

Blocklist vs. Allowlist WAF

WAFs can protect against known attacks by using a negative security model based on blocklists. Think of them as bouncers who turn guests away from the club if they fail to meet the dress code. On the other hand, WAFs using a positive security model based on allowlists admit only traffic that is explicitly permitted.

In essence, it is like having a bouncer at a private party who welcomes only those individuals whose names and addresses are on the list. Both blocklists and allowlists have advantages and disadvantages, so many WAFs use a hybrid security model that incorporates both.

Types of WAF

WAF can be implemented in the following three ways, each of which has its own advantages and disadvantages:

  • Network-based

In this method, the WAF is implemented as a hardware appliance. The advantage is more control over the security of your network structure; the disadvantage is cost, because you need separate hardware and must pay for installation, configuration, maintenance, and so on.

  • Host-based

In this method, the WAF is fully integrated into the application code. This method is less expensive than the previous one, but its disadvantages are that it consumes resources of the main server hosting the site, it is complex to implement, and it costs more to maintain.

  • Cloud-based

This is the easiest and cheapest way to deploy a WAF. To start using it, you only need to change your DNS records to redirect traffic to the cloud WAF. Another advantage of cloud-based WAFs is that they are updated automatically against the latest attacks without additional cost or action by the user.

The Benefits of Using WAF

Companies that use a Web Application Firewall (WAF) on their website enjoy the following benefits:

  • An Additional Level of Security

In combination with other security measures, a WAF provides additional protection against unauthorized access.

  • Reducing Security Vulnerabilities

Webmasters can deploy a WAF in front of multiple applications simultaneously, which makes it possible to reduce existing vulnerabilities across all of them at once.

  • Protect Legacy Applications

Security vulnerabilities persist longer in software that has been in use for a long time or was not developed in-house. A WAF service provides extra protection for these systems and applications.

Who Needs WAF?

A web application firewall is mandatory for websites or applications that offer credit card payments and payment gateways, for example e-commerce retailers and online stores. Additionally, many companies that use agile development methods rely on WAFs, because development errors are mitigated by the firewall’s protection.

ArvanCloud WAF

The ArvanCloud Web Application Firewall uses a set of rules called the OWASP Core Rule Set (OWASP CRS) and works based on the score-based method, which detects attacks with high accuracy.

In this method, a score is assigned to each rule. When multiple rules match a request, the scores of the matched rules are added together and compared with the threshold set for the web firewall (the sensitivity level). The request is blocked if the total score of the rules it matches is equal to or greater than the sensitivity specified for the WAF.
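The score-based method described here (and under the blocklist model earlier) can be demonstrated in a few lines. The following is an added example, not ArvanCloud’s implementation and not the OWASP CRS: the rule ids, patterns, per-rule scores and the three sensitivity thresholds are all constructed for illustration. The point it makes is that a single weak match stays below the threshold, while several weak matches on the same request accumulate past it, and that a lower sensitivity (higher threshold) lets the same request through.

```python
import re
from dataclasses import dataclass


@dataclass
class Rule:
    rule_id: str        # constructed id, not a CRS rule number
    description: str
    pattern: re.Pattern
    score: int          # anomaly score contributed when the rule matches


# Constructed rule set; the shape mirrors the text (each rule carries a
# score), the patterns and scores are illustrative only.
RULES = [
    Rule("SQLI-1", "SQL comment sequence", re.compile(r"--|/\*"), 2),
    Rule("SQLI-2", "Tautology such as 1=1", re.compile(r"\b\d+\s*=\s*\d+\b"), 3),
    Rule("SQLI-3", "SQL keyword", re.compile(r"\b(union|select|drop|insert)\b", re.I), 3),
    Rule("XSS-1", "HTML tag in input", re.compile(r"<[a-z/!]", re.I), 2),
    Rule("XSS-2", "Script tag or event handler", re.compile(r"<script|on\w+\s*=", re.I), 3),
    Rule("LFI-1", "Directory traversal", re.compile(r"\.\./"), 5),
]

# Sensitivity level -> threshold the summed score is compared against.
# Higher sensitivity means a lower threshold (blocks sooner).
SENSITIVITY = {"low": 10, "medium": 5, "high": 3}


def score_request(value: str):
    """Sum the scores of every rule that matches; return (total, matched ids)."""
    matched = [r for r in RULES if r.pattern.search(value)]
    return sum(r.score for r in matched), [r.rule_id for r in matched]


def waf_decision(value: str, sensitivity: str = "medium") -> dict:
    """Block when the total score reaches the threshold for the chosen level."""
    total, ids = score_request(value)
    threshold = SENSITIVITY[sensitivity]
    return {"blocked": total >= threshold, "score": total,
            "threshold": threshold, "rules": ids}


if __name__ == "__main__":
    # Constructed sample parameter values: benign, a lone comment marker,
    # a tautology plus comment, a script tag, and a traversal attempt.
    samples = [
        "id=42",
        "id=42 -- legacy",
        "id=42 OR 1=1 --",
        "q=<script>alert(1)</script>",
        "file=../../etc/passwd",
    ]
    for level in ("low", "medium", "high"):
        for value in samples:
            d = waf_decision(value, level)
            print(f"{level:<6} {value:<32} score={d['score']:>2}/{d['threshold']:<2} "
                  f"blocked={d['blocked']} rules={d['rules']}")
```

Tuning is the practical lesson: `id=42 -- legacy` matches only the comment rule and passes at every level, while `id=42 OR 1=1 --` accumulates two rules and is blocked at medium and high but not at low. When a legitimate request is blocked, the matched rule ids in the output are what an operator inspects before lowering the sensitivity or excluding a rule for that route.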

Conclusion

There are many advantages to using a web application firewall to protect your website against a wide range of threats, including securing your site against malicious code and malware. However, a WAF does not provide coverage for all threats, so you should keep this in mind.

The ArvanCloud WAF works based on the score-based method. As a result, this WAF is one of the best in the market for detecting attacks with high accuracy, and you can configure it easily.

If you are looking for a security tool that can effectively handle common and advanced attacks, see ArvanCloud WAF for more information about this product.