Do I Need a Web Application Firewall

It’s likely that your company has a web presence which gives your customers the ability to interact with your web sites through web applications that service their requests. Whilst this is great for them, it also gives potential attackers an opportunity to interact with you. In 2017 around 40% of all data breaches involved web application attacks. That’s significant, and hopefully it’s got your attention.

A ‘traditional’ network firewall does very little to protect a multi-tier web application. This is because a perimeter firewall needs to open common ports such as 80 (HTTP) and 443 (HTTPS) so that users can browse to your sites. Attackers can use those same open ports. So, a traditional firewall cannot easily stop an SQL injection or DDoS attack. A web application security system, therefore, needs to be able to do more than open and close ports. It must be able to differentiate between good and bad incoming traffic.

What is a WAF

To fully protect your web applications, you need to install a Web Application Firewall (WAF). Unlike your network firewall, a WAF is not there to provide perimeter protection for the entire enterprise network. It’s a specialised security tool specifically designed to protect your web applications. A WAF is normally situated at the outer edge of your network on the public side of a web application, where it proxies and analyses incoming web traffic.

There is a misconception that an Intrusion Protection System (IPS) can supplement a firewall sufficiently to protect web applications. While an IPS can monitor incoming network traffic, it is not usually equipped to interpret the complex nature of HTTP traffic. The IPS, like the network firewall, is designed to protect a wider corporate network, not a dedicated edge-based application.

Why You Should Install a WAF

Web-based attacks predominantly occur as SQL injections, cross-site scripting and malicious file executions. A WAF is designed to protect against these and other OWASP Top Ten application risks. WAFs are able to differentiate between fraudulent and legitimate traffic. This is a highly complex task, as attackers may attempt to hide their attack code within safe-looking website traffic. A WAF accomplishes this by intercepting and analysing each HTTP request before it reaches the web application.
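To make the request inspection described above concrete, here is an added example (not code from the original post or from any WAF product): a small Python inspector that decodes each part of a request and matches it against a handful of constructed SQL injection and cross-site scripting signatures, blocking on the first hit. The rule patterns, request structure and sample requests are all constructed for illustration; the double-encoded sample shows why decoding has to happen before matching.

```python
import re
import urllib.parse
from dataclasses import dataclass

# Constructed, deliberately small signature set for illustration only; a real
# WAF carries far more rules (e.g. the OWASP Core Rule Set) and tunes them.
RULES = [
    ("sqli", re.compile(
        r"(?i)\b(?:or|and)\b\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+"  # tautology such as OR 1=1
        r"|\bunion\s+select\b|--\s*$")),                        # UNION query, comment tail
    ("xss", re.compile(r"(?i)<\s*script\b|javascript:")),         # script injection
]

@dataclass
class Request:
    method: str
    path: str
    query: dict       # query parameters, name -> value, as received (not decoded)
    body: str = ""    # raw body as received

def _normalise(value):
    # Match on the decoded form: payloads are often URL-encoded, sometimes
    # twice, to slip past matchers that look only at the raw bytes.
    return urllib.parse.unquote_plus(urllib.parse.unquote_plus(value))

def inspect(req):
    """Return (allowed, rule, where); block on the first hit like an inline WAF."""
    fields = [("path", req.path), ("body", req.body)]
    fields += [(f"query:{k}", v) for k, v in req.query.items()]
    for where, raw in fields:
        text = _normalise(raw)
        for name, pattern in RULES:
            if pattern.search(text):
                return (False, name, where)
    return (True, "", "")

# Constructed sample requests: one benign, three carrying classic payloads.
SAMPLES = {
    "legit": Request("GET", "/products", {"id": "42", "sort": "price"}),
    "sqli": Request("GET", "/products", {"id": "42 OR 1=1"}),
    "xss": Request("POST", "/comment", {}, "text=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
    "double_encoded_sqli": Request("GET", "/login", {"user": "%2527%2520OR%25201%253D1"}),
}

def run_samples():
    """Inspect every sample; returns name -> (allowed, rule, where)."""
    return {name: inspect(req) for name, req in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(name, "allowed" if verdict[0] else f"BLOCKED by {verdict[1]} in {verdict[2]}")
```

Signature matching of this kind is only one layer of what a WAF does, and every pattern is a trade-off against false positives on legitimate input, which is why production rule sets are tuned per application.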

WAFs can also perform SSL termination. Much of today’s web traffic is encrypted in order to protect the data being transferred within the web session. However, HTTPS can work against you, in that it can also mask malicious code so that it bypasses scrutiny. Many attackers take advantage of this, using HTTPS as a camouflage to avoid detection.

Because a WAF stands between the internet and the web application, it is able to uncouple the traffic between the web server and the internet. SSL certificates are hosted on the WAF, terminating the encrypted connection. Traffic can then be analysed before being forwarded to the web application. The WAF is essentially operating as a reverse proxy. Response traffic is sent back to the WAF, where it is then encrypted and forwarded to the user as HTTPS.

If you do not host your own web applications, it doesn’t mean you do not need, or can’t have, a WAF. Several large cloud vendors offer WAF subscription services, one of the best known being CloudFlare. These kinds of services can also offer a geographically distributed content delivery network, which can provide website performance improvements and a level of DDoS protection.

If you have questions about how a web application firewall could help protect your website, please contact KRYPSYS via our website www.krypsys.com