
WAF

WAF (Web Application Firewall) is a firewall for web applications: an application-layer traffic filtering tool that protects web applications by analyzing HTTP/HTTPS traffic and XML/SOAP semantics. A WAF can be installed on a physical or virtual server and detects a wide variety of attacks.

The firewall acts as a proxy server. Because it can analyze HTTPS traffic by verifying the certificate of a particular server, a WAF is also designed to perform additional operations such as server load balancing and SSL traffic termination. A WAF can also operate in a cluster and provide application acceleration.


Security models and modes of operation

A WAF can be embedded in a network as:

  • Monitor. Real-time monitoring of the network via a SPAN port.
  • Gateway. Three proxy modes: transparent, bridge and reverse.

WAF works according to the following security models:

  • Negative. A kind of “blacklist” that blocks the specific traffic defined in the settings. It protects web applications at the application level (analogous to an IPS), but can assess potential threats in more detail, and it is most often used to protect against “popular” and specific types of attacks. It analyzes the vulnerabilities of specific web applications.
  • Positive. A “whitelist” that only accepts the specific traffic that has been pre-specified in the settings. It allows for maximum protection because it is applied as an add-on to the other models and invokes a different type of logic: rules that define what exactly is allowed.

An example of how the Negative model works: deny a predefined “bad” GET request over HTTP and allow everything else.

An example of how the Positive model works: allow the previously specified GET requests over HTTP to the specified address and disallow everything else.
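As an added example (not from the original page), here is a small Python model of the two security models just described: a negative model that allows everything except predefined “bad” GET requests, and a positive model that allows only pre-specified GET requests for one host. The rules, hostnames, paths and actions are constructed for this example, and the engine keeps the event log that the WAF capabilities below call for.

```python
import re
from dataclasses import dataclass

@dataclass
class Request:
    method: str
    host: str
    target: str   # request-target from the request line, e.g. "/catalog?page=2"

@dataclass
class Decision:
    action: str   # "allow", "block" or "notify"
    reason: str

# Negative model: everything is allowed unless it matches a predefined "bad" request.
# Each rule: (method, pattern over the request-target, action, description). Constructed.
NEGATIVE_RULES = [
    ("GET", re.compile(r"(^|/)\.\.(/|$)"), "block", "path traversal segment"),
    ("GET", re.compile(r"^/debug(/|\?|$)"), "notify", "access to debug endpoint"),
]

# Positive model: only these (host, method, path) triples are accepted. Constructed.
POSITIVE_ALLOWLIST = {
    ("shop.example", "GET", "/"),
    ("shop.example", "GET", "/catalog"),
}

def negative_model(req: Request) -> Decision:
    """Blacklist logic: deny what a rule names, allow the rest."""
    for method, pattern, action, why in NEGATIVE_RULES:
        if req.method == method and pattern.search(req.target):
            return Decision(action, f"negative rule matched: {why}")
    return Decision("allow", "no negative rule matched")

def positive_model(req: Request) -> Decision:
    """Whitelist logic: allow only what is explicitly listed, deny the rest."""
    path = req.target.split("?", 1)[0]          # query string is not part of the allowlist key
    if (req.host, req.method, path) in POSITIVE_ALLOWLIST:
        return Decision("allow", "request is on the allowlist")
    return Decision("block", "request not on the allowlist")

class Waf:
    """Applies one security model per request and records every decision in an event log."""
    def __init__(self, model):
        self.model = model
        self.log = []

    def handle(self, req: Request) -> Decision:
        decision = self.model(req)
        self.log.append(f"{decision.action.upper()} {req.method} {req.host}{req.target}: {decision.reason}")
        return decision
```

Swapping `negative_model` for `positive_model` when constructing `Waf` changes the default from allow-unless-listed to deny-unless-listed, which is the whole difference between the two models.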

WAF capabilities

  • Respond quickly to any type of web application attack included in the OWASP Top 10 (Open Web Application Security Project).
  • Provide protection through the active rules that have been configured.
  • Inspect HTTP/HTTPS traffic arriving at the application and other requests addressed to web applications, then make decisions based on the configured rules and policies (block, allow, send a notification).
  • Maintain stable operation of the Negative and Positive security models and enforce all rules defined within them.
  • Check and analyze content created with HTML and DHTML, as well as CSS and the application protocols HTTP and HTTPS.
  • Prevent information leakage by inspecting HTTP/HTTPS traffic leaving web applications and taking the specified actions based on the defined active rules.
  • Continuously maintain an event log, recording all executed operations, analytics and other events that occurred.
  • Analyze web services (including partly public ones) through XML (eXtensible Markup Language) analysis and SOAP structured message exchange, and check HTTP web servers for interaction patterns.
  • Verify all incoming data used to send and receive information from web applications.
  • Protect against attacks that specifically target the Web Application Firewall itself.
  • Terminate TLS and SSL, so that traffic is decrypted and inspected before it is handed to the Web Application Firewall.

The main difference between a WAF and other methods of protecting web applications is its deep analysis of application-layer protocol traffic.
