A Comprehensive Guide to Understanding WAFs: How it Works, Types, and Security Models
Web applications drive digital transformation, remote work, employee productivity, and consumer interactions. The ability to connect to critical applications over the internet gives workforce members a way to work synchronously and asynchronously, while also making products or services easily available to consumers.
A web app usually consists of multiple, connected components, generally categorized within presentation, application, and storage tiers. Web apps tend to serve critical business functions, requiring the app always be secure and available for use.
To maximize access, web apps are internet facing, making them obvious targets for threat actors who seek to exploit access points to a company’s data, networks, and systems. A web application firewall (WAF) protects applications from attacks that exploit the application layer, supporting other security technologies as part of an in-depth defense strategy.
What is a WAF?
A web application firewall is a filter for web traffic that applies rules for HTTP/HTTPS communications to filter, monitor, and block malicious traffic. A WAF monitors all the traffic entering and leaving a web application. Think of it as a shield or a set of thick gates raised up or down, depending on the traffic it deems safe. This is important because the internet is made up of data packets — clustered information sent between nodes in a network. These packets can hide malicious activity, usually exploits creating backdoor access via a webshell posing as harmless data. A firewall assesses them, one at a time, against pre-configured security rules. When it approves them, they’re let in, and when it doesn’t, the packets are dropped. This ensures the integrity of the web application by preventing malicious requests from reaching the application, keeping it protected, even if it was susceptible to the blocked exploit. This level of scrutiny is known as application layer filtering.
WAFs also can prevent the exploitation of misconfigurations, missing security patches, insecure building practices, and third-party or open-source plugins. They can be host-based, network-based, or cloud-based, ultimately serving as a reverse proxy that sits in front of your web apps.
What is the Difference Between a WAF and a Firewall?
Although both WAFs and firewalls monitor for malicious traffic, they don’t work in the same way.
Traditional firewalls filter based only on the origin and destination of a request. However next-generation firewalls (NGFWs) can filter at the application layer. Traditional firewalls assess traffic at layer 3, meaning they only scrutinize origin, destination, and port. An organization sets a list of approved IP addresses and ports. Then the firewall denies requests and data transfers from anything not on the list. However, a determined attacker can circumvent these controls by spoofing the packet headers.
The rise of cloud led to the development of next-generation firewalls that go beyond traditional traffic filtering by inspecting content at layer 7 to examine the contents of the traffic for malicious activity, not just the direction of travel.
Both traditional and next-gen firewalls protect large networks as a whole, and:
- Limit access to risky websites
- Segment networks
- Record events
- Alert organizations to potential intrusions
To eliminate any confusion over the differences of layer 3 and layer 7 inspection, think of a letter in a sealed envelope:
- The address and return-to-sender address on the envelope represent layer 3
- The contents contained within the letter represent layer 7
While identifying a suspicious sender address or unauthorized destination on an envelope can be useful, the only real way to know if the contents of the envelope are malicious is to open it and inspect what is inside.
Firewalls sit at the network and transport layers. Consequently, they only monitor network traffic coming into and out of nodes and destination hosts. These layers are closer to the public internet.
Web Application Firewalls
Like a NGFW, a WAF sits at the application layer (7) where the user interacts with the software and network. WAFs traditionally sit between an application or server and the traditional firewall. This means that malicious traffic needs to get through two different firewalls before getting to the application itself. As a WAF usually protects a few web applications, the policies applied can be much more granular and targeted, versus NGFWs or firewalls which serve large segments of a network.
Think of a firewall as security around the perimeter of an entire hotel, whereas a WAF is security for a single room within the same hotel.
Why take the extra precaution of combining a WAF and a firewall? Web apps are an organization’s most targeted asset, accounting for 53% of all attacks. Shouldn’t the most targeted asset be the focus of your security strategy?
Web apps are also an obvious gateway into your environment and sensitive data. Undoubtedly, you need to protect the data connected to your web application as well as your wider network from a breach, by preventing your web app from becoming a stepping-stone for lateral movement leading to further data exfiltration or ransomware.
Which Attacks Can a WAF Protect Against?
Your web applications perform critical business functions and are an exposed entry points to your network. This combination of high exposure and potential impact warrants targeted protections. When you deploy a WAF, you’re staying vigilant against serious attempts to steal your data, hold it hostage, or disrupt business practices.
WAFs protect against attacks such as:
- Malware uploads which exploit a web app vulnerability to upload malicious code, including:
- Trojans that steal your users’ information.
- Ransomware that can spread to your whole network, crippling digital operations until you pay out.
- Webshells that create backdoor access and facilitates further malicious actions.
- SQL injection where an attacker exploits vulnerabilities in web app login tables, or poor sanitization configuration to connected datastores, to gain access by stealing credentials or dump sensitive data.
- Cross-site scripting (XSS) which injects malicious code into your app and spreads it to users’ browsers and computers.
- Denial of service (DoS) attacks which overwhelm your application by sending it into an infinite logic loop.
- Credential-based attacks where stolen usernames and passwords attempt to gain user or admin access. Stolen credentials in brute force or credential stuffing attacks account for approximately 75% of web application compromises.
- Man-in-the-middle attacks where a threat actor positions themselves between the user and the app. Next, they intercept and even modify information without the knowledge of the user.
DDoS protection is another use case of WAF. Some WAFs have DDoS mitigations embedded within them, while in some scenarios a complimentary technology called a content delivery network (CDN) is preferred.
How Does a WAF Work?
A WAF is your first line of defense against application layer attacks. It does this with a reverse-proxy server, which stands as an intermediary to safeguard a web client’s identity. The WAF functions as a wall around the web app, preventing harmful clients from progressing to the app.
WAFs usually use algorithms to detect known malicious types of traffic. Organizations need to set policies telling the WAF what is suspicious before it can protect against a security incident.
These are the rules that tell the WAF what type of requests or traffic behavior present risks to an organization. They also tell the WAF what action to take when it detects one of these types.
Good WAF policies must minimize false positives. False positive blocks may prevent legitimate users from using the application for its intended purpose. False positive blocks may prevent legitimate users from using the application for its intended purpose. As web apps tend to be dynamic and continuously developed, policies must be regularly reviewed and modified to maximize protections and limit false positive blocks.
The WAF scans all requests sent to the web application. It inspects the entirety of each HTTP(s) request to determine what is legitimate, harmless web traffic and what is a targeted threat to be blocked, as defined in the policies. The WAF looks at the headers and content of all packets. Sometimes, it requires additional challenge requests, like CAPTCHAs, that prove the activity comes from a human and not a bot.
If the WAF detects malicious requests, it blocks the activity by dropping the request. For example, if the requestor fails to appropriately respond to the challenge question, the WAF blocks further requests. This prevents future connections from the identified bot looking to exploit or scrape the application.
WAF Security Models
Organizations using a WAF can choose a positive, negative, or hybrid security model.
Positive Security Model
A positive security model is one where the organization’s policies take a “deny all” approach, allowing requests based on specific inputs. All HTTP(s) traffic is blocked, except for requests that match deployed policies created to identify legitimate traffic. This model is established by defining all the characteristics of expected traffic, such as approved characters, IP addresses, and filetypes. This model maximizes security coverage and can block emerging threats not known to those maintaining the policy set. However, maintaining this model is not doable for every organization or application.
Challenges: The positive security model is strict and uncompromising. While it provides heightened security by rejecting requests not specifically approved, it also presents challenges that can deny legitimate requests:
- Dynamic Applications: Web applications that produce frequently changing variables like users, URLs, directories, parameters and cookies, require constant, manual rule-based tuning to account for these changes.
- Constant Management: Failure to stay on top of this policy type will result in high level of false positives, preventing users from accessing the app with legitimate intentions.
Negative Security Model
With this model, all HTTP(s) traffic is allowed, except for requests matching deployed policies created to identify malicious traffic. This method keeps a library of known and probable threats using the latest threat intelligence. For example, a black-listing firewall can spot malware, spyware, and injection code contained within the requests by scrutinizing the content and behavior of traffic. Access is the default unless traffic matches any defined criteria where it is dropped.
Challenges: While the negative security model reduces the likelihood of blocking legitimate user requests, there is a possibility that misses unanticipated or emerging threats, like zero-days. Also, policies must be updated regularly using the latest threat intelligence to maintain coverage of known threats.
Hybrid Security Model
In this model, the organization uses a combination of positive and negative security measures. This model looks to combine the best elements of each. Hybrid security selects overly restrictive rulesets in areas of high risk or consistent traffic, while using less restrictive rules on dynamic sections or areas of lower risk.
Challenges: A hybrid model is tough for many in-house security teams. For instance, if you can’t get the balance right, the application may reject some requests or open backdoors not planned for. It’s another reason to pursue fully managed web application security. You’ll have the precise expertise to build the kind-of firewall you need.
Types of WAFs
A WAF can exist in one of three ways before it begins defending against web application attacks:
Installed via LAN and held on a physical component, the firewall retains high performance because it’s near the web server. Hardware models can be expensive and inflexible. With this choice, you invest in more high-computing equipment.
With lower costs than hardware setup, a virtual appliance, or software-based firewall can suit a wider variety of businesses, including those that are relatively small but growing fast. Virtual appliances can be scaled up or down manually or respond automatically demand with autoscaling features.
Cloud WAFs are managed by a service provider in the form of software-as-a-service. While lower costs and ease of deployment make this an appealing choice for organizations with limited resources, cloud WAFs can present several drawbacks. These include limited and/or costly scaling, higher latency, insufficient granularity in controls, and an inability to handle complex architectures.
Expert Managed WAF
A managed WAF eliminates the hassle of WAF management and configuration so your team can focus on providing the best business value of your applications. Fortra Managed WAF delivers a competitively priced, highly versatile, enterprise-level, cloud-ready WAF with a team of web security experts to eliminate the complexity for you.
Alert Logic delivers:
- Managed deployment that aligns project managers and technical experts. This sets up the firewall rapidly on your behalf with all the right presets.
- An extensive signature set drawing on some of the most complex notifiers for web traffic attacks and bot management.
- Credential attack coverage protects against credential-based attacks like brute force or credential stuffing, which account for approximately 75% of web application compromises (Verizon DBIR 2022).
- 24/7 support* from web security experts. Get back to the operations that need your full attention to help reduce the burden on your security teams.
- Ongoing tuning and management, adjusting the web application firewall with the evolving nature of your business and the threats surrounding it.
- Extensive defensive tactics like rate limiting, data masking, connection throttling, and end-to-end encryption. You’re never short of appropriate measures.
- Auto-scaling in the cloud to handle unpredictable traffic throughput and so variable loads are matched by what you’re actually paying for. We always charged based on use, not security seats.
- Application delivery controls that simplify and streamline network performance. These include smart load balancing, caching, acceleration, and virtual hosting.
- Proven zero-day emerging threat detection with forward-thinking security policies informed by our threat research and SOC teams. These have proven success in blocking zero-day attacks such as Log4J.
- Virtual patching with coverage provided to 100+ applications and emerging threats to ensure you stay secure between patch management cycles.
*subject to SLA
Additional WAF Resources
- Solution Brief: Alert Logic Web Application Firewall
- Blog: Are Your Web Applications as Secure as They Should Be?
- On-Demand Webinar: Responding to Web Application Compromise
- Blog: Web App Security: Insights from the Frontline