F5 Web Application Firewall

Web application firewall (WAF) protect applications from different application-level attacks like cross-site scripting (XSS), SQL injection, and cookie poisoning. However, application attacks are a leading cause of data breaches, which could be prevented with appropriate measures.

WAF protects web applications by filtering, monitoring, and blocking malicious HTTP/S traffic destined for the application and prevents data exfiltration. It uses policies to differentiate anomalous traffic from ordinary ones. Policies can be configured to protect one or more web applications with features such as machine learning, vulnerability updates, and threat intelligence.

The primary function of WAF is to analyze HTTP/S requests and responses. Thus, it is user, session, and service aware and aware of the application it protects. In addition, it has a function of a middleman between user and application, analyzing complete traffic as it passes.

Different Deployment Models

WAF could be deployed differently depending on the application’s location, architectural flexibility of infrastructure, and the desired type of management. For example, an application could be located on-premise, in a cloud environment, or have a microservice architecture in multiple clouds. The number of applications that need to be protected and client engagement for deployment and maintenance purposes are significant factors in system breaches prevention.

Regardless of the deployment being on-premise or in a cloud environment, the client’s decision to maintain WAF solution on its own allows complete and granular control over configuration, fulfilling specific business needs. This type of maintenance requires the cooperation of security and application engineers to configure and deploy application security policies. This approach is most suitable to organizations with well-developed security teams that could fully utilize the level of configurational flexibility the solution offers.

Using the SaaS (software-as-a-service) type of WAF reduces costs and levels of engineer engagement. With functionalities similar to on-premise deployment, SaaS provides the simplest delivery of application vulnerability and attack protection. It fits the needs of DevOps teams for integration with software development with relatively minimal maintenance and update requirements.

SaaS provides security policy flexibility and portability for multi-cloud deployments. It keeps control over traffic monitoring and security policy configuration. These options can fulfill the most demanding project requirements regarding architectural flexibility, planned performances, and advanced protection.

Working with managed services partner could be the easiest way to start working with WAF solutions in the cloud. Automatization provides a simplified implementation of security policies for web applications and their data. Fully managed WAF solution includes 24/7 support of security operations center (SOC). Although it has the fastest installation and application of basic functionalities, in comparison with other models, it lacks total architectural flexibility, and some options won’t allow administrative control over security policies. Costs are usually higher than with other models but not in comparison with hiring new full-time security engineers with appropriate skills to maintain the solution.   

Basic WAF possibilities

WAF protects web applications from different types of L7 (application layer) attacks:

  • Cross-site scripting (XSS): This type of attack aims to gather private information by applying malicious software to the user’s end devices via legitimate websites.
  • SQL injection: exploitation of web application’s forms with SQL to gain access to the back-end database and/or application data. Malicious SQL requests could produce unwanted or malicious application behavior.
  • Cookie poisoning: this type of attack is based on the interception of cookies before they reach a server. The goal is the extraction and modification of information. Cookie modification enables false representation and unauthorized access to additional user’s data.

WAF applies a set of policies that help with the detection of malicious traffic. Just as proxy server protects web clients acting as a middleman in communication, WAF functions in the opposite direction (hence the name reverse proxy) acting as a middleman protects web applications. By filtering traffic, it monitors and blocks malicious HTTP/S requests and responses to prevent data exfiltration.

Modern WAF application protection

WAF solutions were created to address problems of web application servers that had vulnerable code and were targeted by a large number of known attacks, particularly XSS and SQL injection. Modern WAF solutions provide active protection fingerprinting end-user devices while establishing a session and dynamically hardens web application protection. In addition, it applies countermeasures and blocks application-level threats.

To thoroughly assess threats for every client session, WAF integrates behavioral analysis and dynamical code injection. Determining normal application behavioral baseline simplifies traffic anomaly detection. Just as automatization enlarged attack capacities, artificial intelligence and machine learning could differentiate regular traffic and anomalies in a manner inaccessible to humans.

Contemporary WAF solutions use advanced analytics and machine learning to generate dynamic signatures that block malicious traffic without administrator intervention.

Determining if the user is a man behind a browser is performed with JavaScript injection, which allows bot and automated tools detection and determines more information than the IP address of the attacker.

Proactive bot defense analyzes every client session, determines the client’s nature, and separates malicious bots from harmless ones. Furthermore, the analysis process does not disturb the web application user experience.

Modern WAF solutions protect API interfaces from some automated application-level attacks by forming appropriate rules for every visible API. Thus, WAF positioned in front of the application or integrated into different application components placed in a container could effectively help with API security management.

Modern WAF characteristics:

  • Advanced protection level – Combination of machine learning, threat intelligence, and in-depth application expertise.
  • Proactive bot protection – It protects applications from automated bot attacks and other malicious tools.
  • Antibot protection for mobile SDK (Software Development Kit) – Protects mobile applications with permitted activities list, behavior analysis, cookie proofing, and advanced application hardening.
  • Encryption of browser data – Application data is encrypted for data mining protection and man-in-the-browser attacks.
  • Behavior DoS protection – Provides very accurate detection and application-level DoS protection.
  • API Protocol Security – Specialized tools are used for hardening REST (Representational State Transfer), JSON (JavaScript Object Notation), XML (Extensible Markup Language), i GWT (Google Web Toolkit) APIs.
  • OWASP Top 10 protection – Protection from today’s most significant security challenges listed in OWASP top 10 vulnerabilities list.
  • Credential protection from brute-force attacks that use previously stolen credentials.

10 Key Arguments in Favor of WAF application protection

  1. WAF should cooperate with L4 (transport layer) or NGFW, not to replace it – While WAF protects web applications, a firewall protects users and network traffic. Therefore, it is necessary to make it an integrated part of the security ecosystem, helping to protect your entire attack surface.
  2. WAF should be integrated with other security solutions: Integration with IPS, vulnerability scanners, and SIEM solutions is needed to prevent WAF from becoming another device for separate management.
  3. WAF should be configured to fulfill the needs of a specific application – WAF policies and rules should be configured in accordance with necessary protections, regulation and policy compliance, and desired performances.
  4. WAF policies shouldn’t be forgotten after initial setup – Set and forget should not be the approach. Instead, WAF policies should be regularly updated to follow changes within the application it protects and to remain effective against new attack vectors.
  5. WAF should have behavioral learning capabilities – Artificial intelligence and machine learning technology enable WAF to recognize normal behavior and adapt when anomalies that point to malicious activity are detected.
  6. WAF should be capable of credential abuse and data breach – Misuse of credentials is a significant cause of application compromise and data breaches.
  7. WAF should analyze inbound and outbound traffic – WAF works as a reverse proxy protecting web applications against malicious inbound and outbound traffic. It should also analyze outbound traffic to prevent sensitive data exfiltration.
  8. WAF should be DevOps friendly – WAF should be an integral part of the deployment pipeline, preventing vulnerability exploitation of code placed in the production environment.
  9. WAF should protect API – API is an integral part of application development and third-party integration, making it an interesting target. Therefore, WAF should provide robust protection for web applications and API as well.
  10. OWASP recommendation for WAF – OWASP foundation is a leader in the domain of web application protection and recommends the usage of WAF solutions.