A Web Application Firewall (WAF) adds an external security layer in front of a web application: it inspects HTTP traffic, lets through requests that look legitimate, and detects and/or blocks requests that match known attack patterns or fall outside what the application expects.
Why are Web Firewalls important?
Application-level security is among the top-5 concerns for medium and large systems, whether they are public or private.
Since, by the figure this article relies on, more than 70% of attacks against intranet- or Internet-facing systems are carried out at the web application level, organizations need all the help they can get in securing those applications. Applications are directly exposed to the network, which makes them an easier target than lower-level components such as databases or operating systems that sit behind them.
That is where Web Application Firewalls (WAFs), such as ModSecurity and many others, come into play. A WAF sits in front of the web application, higher up the security stack, and inspects HTTP requests before they reach the application.
A WAF applies rules that cover common attack classes such as cross-site scripting (XSS) and SQL injection; tuned to your application, those rules identify many attacks and block them before they ever reach application code. WAFs also log and analyze web traffic, which gives web managers data to improve and optimize network security. All of this requires little or no change to the existing system infrastructure. Two caveats a practitioner should keep in mind: generic rules produce false positives on legitimate traffic until they are tuned, and a determined attacker can often find encodings or request shapes a rule does not match, so a WAF is a compensating control that complements secure coding rather than replacing it.
In general, there are three different ways of setting up the rules used by firewalls to protect Web-enabled systems.
Positive security model.
Under a positive security model, the only web traffic the WAF lets through is traffic it knows to be valid (expected endpoints, parameters and value formats); everything else is rejected or blocked. While this sounds simple, building the model requires detailed knowledge of the applications being protected, and above all of the traffic they legitimately expect. Positive security models therefore work best for applications that are rarely updated, since every new endpoint or changed input means updating the model; that keeps the maintenance effort to a minimum.
Negative security model.
A negative security model continuously checks web traffic for anomalies, unusual behaviour and common web application attacks. Initially most traffic is allowed through, while the WAF keeps an anomaly score for each request and logs as much context as possible (IP addresses, application sessions and user accounts). Requests whose anomaly score is high (according to thresholds set by the web administrator) are either logged or rejected outright. This model is the better fit when all kinds of traffic are expected and it is impractical to write an explicit rule for each kind. Because it scores and logs per request and per client, it is also useful for spotting and throttling application-layer Denial of Service (DoS) attempts, although volumetric DoS still has to be handled at the network level.
Known weaknesses and vulnerabilities.
This model is a mix of the previous two. Targeted rules are written to stop attacks aimed at components with known vulnerabilities, whether applications, operating systems, servers, databases or any other component. This kind of protection, often called virtual patching, shortens the window between the discovery of a vulnerability and the deployment of an actual fix: requests that match the known attack vector are rejected by the WAF, which reduces exposure until a proper patch is applied to the affected component. A virtual patch only blocks the variants its rule matches, so the rule should be scoped tightly to the vulnerable endpoint and parameter and retired once the real fix ships.
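To make the three rule-building approaches concrete, here is a toy WAF rule engine that applies a positive allowlist, a negative anomaly-scoring rule set and a narrow virtual patch to a handful of constructed HTTP requests. This is an added example written for this article, not code from ModSecurity or any other WAF product; the endpoints, parameter formats, rule patterns, score weights and the "vulnerable" /export endpoint are all hypothetical and chosen for illustration.

```python
# Added example (not from the original article): a toy WAF rule engine that
# applies the three rule-building approaches (positive model, negative model
# with anomaly scoring, and a virtual patch) to constructed HTTP requests.
# Endpoints, parameters, patterns and thresholds are hypothetical.
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qsl


@dataclass
class Request:
    method: str
    target: str                       # path plus optional query string
    body: dict = field(default_factory=dict)

    @property
    def path(self) -> str:
        return urlsplit(self.target).path

    @property
    def params(self) -> dict:
        # Merge query-string and body parameters into one name -> value map.
        merged = dict(parse_qsl(urlsplit(self.target).query, keep_blank_values=True))
        merged.update(self.body)
        return merged


# --- Positive security model: describe what is valid, reject everything else.
# Hypothetical schema; a real one is derived from the application's routes.
POSITIVE_SCHEMA = {
    ("GET", "/search"): {"q": re.compile(r"^[\w .\-]{1,64}$")},
    ("POST", "/login"): {"user": re.compile(r"^[a-z0-9_]{3,32}$"),
                         "password": re.compile(r"^.{8,128}$")},
}


def positive_check(req: Request) -> tuple:
    schema = POSITIVE_SCHEMA.get((req.method, req.path))
    if schema is None:
        return False, "unknown endpoint"           # not in the model -> blocked
    for name, value in req.params.items():
        if name not in schema:
            return False, f"unexpected parameter {name!r}"
        if not schema[name].fullmatch(value):
            return False, f"parameter {name!r} fails validation"
    return True, "allowed"


# --- Negative security model: look for attack signatures, accumulate a score
# and block only when it crosses the threshold; lower scores are just logged.
NEGATIVE_RULES = [  # (rule id, pattern, weight); patterns are illustrative
    ("sqli-tautology", re.compile(r"'\s*or\s*'?\d*'?\s*=\s*'?\d*", re.I), 5),
    ("sqli-comment", re.compile(r"(--|#|/\*)"), 3),
    ("xss-script-tag", re.compile(r"<\s*script\b", re.I), 5),
    ("xss-event-handler", re.compile(r"\bon\w+\s*=", re.I), 3),
    ("path-traversal", re.compile(r"\.\./|%2e%2e%2f", re.I), 5),
]
BLOCK_THRESHOLD = 5


def negative_check(req: Request, threshold: int = BLOCK_THRESHOLD) -> tuple:
    score, hits = 0, []
    for value in req.params.values():
        for rule_id, pattern, weight in NEGATIVE_RULES:
            if pattern.search(value):
                score += weight
                hits.append(rule_id)
    action = "block" if score >= threshold else ("log" if score else "allow")
    return action, score, hits


# --- Virtual patch: one narrow rule for one known-vulnerable input, kept only
# until the real fix ships. Hypothetical: assume /export reads the file named
# by its "file" parameter without validation, so we constrain that parameter.
VIRTUAL_PATCHES = {
    ("GET", "/export", "file"): re.compile(r"^[A-Za-z0-9_\-]+\.csv$"),
}


def virtual_patch_check(req: Request) -> tuple:
    for (method, path, param), allowed in VIRTUAL_PATCHES.items():
        if req.method == method and req.path == path and param in req.params:
            if not allowed.fullmatch(req.params[param]):
                return False, f"virtual patch: rejected {param!r} on {path}"
    return True, "no patch triggered"


def evaluate(req: Request) -> dict:
    return {"positive": positive_check(req)[0],
            "negative": negative_check(req)[0],
            "vpatch": virtual_patch_check(req)[0]}


SAMPLE_REQUESTS = [  # constructed for the example, not captured traffic
    Request("GET", "/search?q=firewall rules"),
    Request("GET", "/search?q=firewall -- rules"),              # logged only
    Request("POST", "/login", {"user": "bob", "password": "correct horse battery"}),
    Request("POST", "/login", {"user": "' or '1'='1", "password": "x"}),
    Request("GET", "/search?q=<script>alert(1)</script>"),
    Request("GET", "/export?file=report-2024.csv"),
    Request("GET", "/export?file=/etc/passwd"),                 # only the patch catches it
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(r.method, r.target, r.body or "", evaluate(r))
```

Running it shows the trade-offs the three subsections describe: the positive model rejects the legitimate /export request simply because that endpoint is not in its schema (the maintenance cost of allowlisting), the negative model lets the SQL-comment search through with a "log" verdict and blocks only when the score reaches the threshold, and the absolute-path /export request slips past every generic signature and is stopped only by the virtual patch scoped to that one parameter.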
In summary, a Web Application Firewall (WAF) is a software and/or hardware component that monitors, filters and blocks web traffic to and from a web application's components; inspecting responses as well as requests lets it catch attacks from the inside that try to send confidential information out. WAFs are a common security control enterprises use to protect web applications against exploitation of known vulnerabilities, against zero-day exploits that match generic attack patterns, and against impersonation and other attacker activity.