Monday, August 1, 2016

What is Web Application Firewall ?

What is Web Application Firewall ?

If a firewall filters traffic based on IP addresses, ports or connection state alone, it will not be possible to detect intrusions like whether an unwanted protocol is trying to bypass the firewall in an allowed port or any protocol is being abused. Many a times, we need to understand application layer protocols like HTTP, FTP, DNS etc and filter traffic based upon that. Web Application Firewalls are developed for that purpose.

A Web Application Firewall or WAF is an appliance, server plugin or filter that monitors the incoming and outgoing traffic from an application or service and filters them as per some predefined rules. Web Application Firewall can look through certain traffic upto layer 7 of the OSI reference model and filter traffic based on that.

Types of Web Application Firewalls

There are mainly two types of Web Application Firewalls :

  • Network-based Web Application Firewalls
  • Host-based Web Application Firewalls

Network-based Web Application Firewalls

Network-based Web Application Firewalls act on the application layer of the OSI reference model and can inspect the contents of traffic and block specific traffic such as certain websites. It can also look through the traffic to detect presence of malware or possible network intrusions, offload encryption from internal servers, manage and consolidate authentication and block traffic which violates policies.

Network-based Web Application Firewalls are also known as Proxy-based Firewalls.

A Forward Proxy server intercepts all the traffic from or to an internal network behind it and can filter them based on policies. For an allowed traffic, it changes the source IP address of the outgoing traffic to its own IP address and sends it to external servers. The external server sends the response to the Forward Proxy server and the Forward Proxy server then forwards the packets to appropriate internal client. A Reverse Proxy, on the other hand, intercepts all the traffic coming from external clients to the internal servers behind it. The outside requesting clients cannot see the IP address of the requested internal server behind the Reverse Proxy Server, thus providing security. You can find more on how Forward Proxy Servers and Reverse Proxy Servers work here : How do Proxy servers work ?

Just like Proxy servers, a Proxy-based Web Application Firewall intercepts the traffic between the requesting clients and requested servers and filters them as per some predefined set of rules. It can use stateful inspection technology or Deep Packet Inspection (What is Deep Packet Inspection ? ) to monitor and analyze the incoming and outgoing network traffic. It can understand a number of application layer protocols like HTTP and FTP and detect signs of malware or network intrusions.

A Proxy-based Firewall prevents the outside network to directly communicate with the inside network. Information packets do not pass through the Proxy Firewalls. Instead, the Web Application Firewall acts as an intermediary. A Proxy-based Firewall has its own IP address. The outside computers first make a connection to the Proxy-based Firewall and the firewall makes a separate connection to the requested computers after carefully inspecting the network packets. And thus, it can provide strong security.

A Proxy-based Firewall can also help in the following ways :

  • Caching – It can cache regularly requested web contents and thus reduce the load on the web servers by reducing repeated requests to back end servers.
  • Compression – Proxy-based Web Application Firewall can compress certain web contents that can be decompressed later by the browser.
  • SSL Acceleration – Proxy-based Web Application Firewalls can speed up SSL processing and reduce the burden on back-end web servers by using hardware based SSL decryption.
  • Load Balancing – Proxy-based Web Application Firewalls can distribute the incoming requests to multiple servers behind it and thus improve performance and reliability.
  • Connection Pooling – Proxy-based Web Application Firewalls can reduce back end server TCP overhead by allowing multiple requests to use the same back-end connection.

Host-based Web Application Firewalls

A Host-based Web Application Firewall can examine the information that pass through the system calls through the network stack and filter traffic based on that. It can hook into socket calls and filter the connections between the application layer and the lower layers in the OSI reference model based on some predefined rules. It applies the filtering rules on a per process basis instead of per port basis.

Host-based Web Application Firewalls can examine the process ID of data packets and match them against a pre-defined rulesets for that process. They can also have complex rulesets for the standard services, such as sharing services.

AppArmor, TrustedBSD MAC Framework are examples of some commonly used Host-based Web Application Firewalls.

The benefits of an application layer firewall is, as already said, it can understand certain application layer protocols like FTP, HTTP, DNS or web browsing and filter network traffic of an unwanted protocol. It can also look through non-standard ports to detect if any protocol is being abused.

Host-based Web Application Firewalls can protect against threats like SQL Injection, Cross Site Scripting or XSS, Session Hijacking, Parameter or URL tampering, buffer overflows etc.

Some commercial Web Application Firewalls and vendors

A list of some commercially used Web Application Firewalls is mentioned below :

You can also find a comparison between various Web Application Firewalls here : Comparing the best Web application firewalls in the industry

No comments:

Post a Comment