What to Look for in Web Application Firewall Architecture

To operate safely and protect against cybersecurity threats like SQL injection, every business that exposes online applications, services, and APIs requires a Web Application Firewall (WAF).

A WAF detects and prevents attacks that cause downtime, data leakage, and compromised transactions and accounts. However, you may discover that selecting the best WAF is a difficult task.

Numerous WAF options are available, each aimed at a different use case. You must choose the one that is best for your company today and in the future. If you make the wrong decision, you may expose your company to security risks or bind your team to infrastructure that does not meet their needs.

This guide will assist you in selecting the best WAF to protect your business while also fitting your tech stack, teams, and workflows.

How Web Application Firewalls Work

A web application firewall is security software that monitors, filters, and blocks traffic to and from a website or web application. WAFs are typically deployed in front of an application or website as reverse proxies and can be host-based, network-based, or cloud-based.

Web Application Firewall (WAF) security protects web applications from malicious IP addresses and endpoints; it is essentially the inverse of a forward proxy server, which protects client devices from malicious applications.

To ensure security, WAFs intercept and examine all Hypertext Transfer Protocol (HTTP) requests. Suspicious traffic is blocked or challenged with CAPTCHA tests designed to stump malicious bots and automated programs.

How does the WAF fit into your environment?

When evaluating a WAF, like the AWS web application firewall, one of the most important factors to consider is deployment. In other words, what is required to activate the WAF? There are several WAF deployment options to consider, and each of these, along with an enterprise's existing environment, should be considered to determine which type of WAF is best suited.

This will allow decision makers to narrow down the list of vendors and products by eliminating products that do not work for their network and IT environment.

  1. Inline Appliance: This popular WAF implementation method entails connecting a device to a network between users and a Web application. Because administrators will be modifying internal network configuration, this method usually necessitates some in-house expertise. It is ideal when an organization has sufficient internal technical staff or can afford to pay for vendor implementation services.
  2. Cloud-based WAF: This WAF method typically requires organizations to redirect Domain Name System (DNS) records to resolve to the IP addresses of the WAF vendor and have web traffic forwarded from the vendor to the actual application host. Because the vendor's servers will decrypt the data before it is forwarded, enterprises will often be required to provide their SSL keys.
  3. Integrated WAF: A code- or software-based WAF will almost certainly necessitate changes to an enterprise's Web application code or Web servers. This is an excellent choice for technically skilled personnel and may be less expensive than other WAF products. It also does not necessitate a change in network architecture or DNS redirection. Furthermore, integrated WAF products have the least impact on networks, systems, and performance.

Another factor to consider is how the WAF handles the Secure Sockets Layer (SSL), which protects website identity and data as it travels across the Internet. WAF implementations differ in how they handle SSL.

Organizations must decrypt traffic to see it in the cloud-based or appliance-based WAF implementations. This entails either terminating and recreating the SSL session or decrypting the sessions on the wire as they pass through the WAF.

What detection and blocking techniques are appropriate for your traffic and risk profile?

Leading WAFs today employ both negative and positive security techniques to ensure accurate detection coverage without interfering with legitimate traffic. If malicious traffic poses the greatest risk to your business, select a WAF with the most robust protection and the least permissive model. If blocking legitimate traffic poses a significant risk to your business, you should select a WAF that allows you to employ a more permissive security model.

Negative Security Model

A negative security model presumes that all traffic is safe unless identified as dangerous. Unsafe traffic is traffic that matches predefined threat signatures or violates a security rule.

A WAF with a negative security model will, by default, allow all incoming requests and will only block those deemed unsafe.

Positive Security Model

A positive security model assumes that all traffic is unsafe unless it is shown to be safe. Safe traffic is traffic that passes security checks and matches the characteristics of legitimate user requests.

A WAF with a positive security model will only allow legitimate users and reject requests that show anomalies. In some cases, a WAF will allow anomalous traffic but will further analyze it before blocking it.

A WAF that employs both a positive and negative security model is far more effective than a purely negative security model at protecting against:

  • Unknown attacks
  • Modified attacks
  • Attacks that appear to be legitimate user behavior
  • Exceptions and edge cases

How is the WAF managed and updated?


WAFs are not meant to be configured and then forgotten, so how they get managed is critical for long-term use. If a WAF employs blacklist signatures or rules, an enterprise should determine how they will be updated. The organization should also ensure that it can customize these security rules and signatures to allow maximum flexibility.

If the company does not use the Hypertext Preprocessor (PHP) or a particular scripting language, the blacklist signatures and expression rules for that language are probably unnecessary and should be disabled. To maintain the most control over how the WAF works, ensure that these policies, like the security policy enforcement point, are completely user-configurable.

Detection Techniques

The WAF's purpose is to protect Web applications intelligently, so having granular rules and detection is essential. Most WAFs employ various techniques to ensure the most accurate detection coverage.

In addition to inquiring with the vendor about the techniques employed, request proof of false positive/negative rates and any third-party testing results to understand better how well the WAF will perform in practice.

These methods are as follows:

WAF signatures: As with anti-malware, intrusion detection systems, and network intrusion prevention systems, a predefined string or regular expression (RegEx) is matched against traffic to detect known attacks.

Rules: Taking the signature concept a step further, rules can use the logical AND operator to connect a series of strings, the OR operator to add more complex matching, and the NOT operator to implement "exclusion" functionality. Some WAFs can "learn" traffic patterns dynamically and look for abnormal behavior based on a set of baseline rules.

Normalization: One tactic attackers use to avoid WAF detection is to disguise an exploit payload as something harmless. The WAF must be able to normalize web requests to perform its analysis in order to detect attacks like Distributed Denial of Service (DDoS).

APIs: If a company wants to develop its own custom detection techniques or rules for specialized assessments such as logic checks, one method is to use Application Programming Interfaces (APIs). Check with vendors to see if they support APIs and, if so, how tightly these APIs integrate with the WAF parsing engine.
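The positive and negative models described earlier, together with the signature, rule and normalization techniques above, can be combined in a single request-inspection routine. The following is an added illustration, not Azion's or any vendor's code: the signatures, the `/login` parameter schema and the request values are constructed for the example, and real WAF rule sets are far larger than these two patterns.

```python
import re
from urllib.parse import unquote_plus

# Negative model: regex signatures for known-bad payloads (constructed, illustrative only)
SIGNATURES = {
    "sqli": re.compile(r"(\bunion\b\s+\bselect\b|'\s*or\s+1\s*=\s*1)", re.I),
    "xss": re.compile(r"<\s*script\b", re.I),
}

# Positive model: per-path allowlist of parameters and their expected shape
# (hypothetical application schema for the example)
ALLOWED_PARAMS = {
    "/login": {
        "user": re.compile(r"^[A-Za-z0-9_]{1,32}$"),
        "pw": re.compile(r"^.{8,128}$"),
    },
}


def normalize(value):
    """Decode URL encoding repeatedly so a double-encoded payload is seen in its
    plain form, then drop NUL bytes; signatures run on the normalized value."""
    prev = None
    while prev != value:
        prev, value = value, unquote_plus(value)
    return value.replace("\x00", "")


def inspect(path, params):
    """Return (decision, reason) for one request: negative checks first,
    then the positive schema for the path."""
    schema = ALLOWED_PARAMS.get(path)
    if schema is None:
        return "block", "unknown path"
    for name, raw in params.items():
        value = normalize(raw)
        for sig_name, sig in SIGNATURES.items():
            if sig.search(value):
                return "block", f"signature:{sig_name}"
        rule = schema.get(name)
        if rule is None:
            return "block", f"unexpected parameter:{name}"
        if not rule.fullmatch(value):
            return "block", f"schema violation:{name}"
    return "allow", "ok"
```

Note that the positive schema catches the request with an unexpected `debug` parameter even though no signature matches it, which is the gap a purely negative model leaves open.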

Other Factors to Consider

Below are other factors you should also include when looking for WAF architecture.

High Throughput and Availability

If the WAF is in a high-traffic area, it should be able to handle a high volume of traffic without slowing down the Web application, especially if it is in-line. If a WAF or Web application fails or becomes overloaded, the WAF must support failover and collaborate with load balancers to avoid service disruption.

Some WAFs operate as components of a Web traffic management system and integrate with High Availability (HA) devices. Check that stand-alone WAFs meet the company's HA requirements for both performance and architectural conformance.

Logging and Reporting

The WAF logs traffic and activity as the Web application's monitor and sentry. Some WAFs capture all packets in the traffic stream (most commonly in tap/span solutions), but all should log critical information about transaction activity to and from the Web application.

Management of Multiple Instantiations

The ability to centralize management will reduce administrative costs significantly if the WAF is in a complex, distributed environment.

Encryption protects sensitive data in the traffic stream from prying eyes, but it also means that a WAF can't inspect the data unless it is decrypted. The options here are either to provide the keys to the WAF so it can decrypt the stream and data, or to terminate the SSL connection at the WAF and then, if desired, create a new encrypted tunnel from the WAF to the Web server or browser.

Emerging Protocols

Normalizing and reassembling HTTP and HTML is difficult, but many emerging protocols and existing media types in Web 2.0 and beyond can introduce malware or exploits. No WAF can parse .swf files for all exploits, but the WAF should support image inspection and scripting languages like JScript and PHP.

Integration With Web App Scanners

Web application scanners are products that automatically scan a Web application from the outside to find the types of vulnerabilities that an attacker might discover. Scanners complement WAFs by detecting vulnerabilities that administrators can then mitigate with custom rules.

Azion Web Application Firewall Solution

To summarize, enterprise decision-makers should have a thorough and detailed list of questions that they should answer before selecting a WAF product or vendor.

Do you need help with deciding on what WAF best suits your company?

Azion's Web Application Firewall can be the perfect solution.

Azion's security suite protects everything from the network layer to the application, including serverless code deployed at the edge. Developers can use our serverless solution, Edge Functions, to create custom functions or use pre-built functions like Azion JWT to protect API access.

You can also expand your edge security capabilities through Azion Marketplace, which allows for the seamless integration of third-party solutions.

Contact us if you want to get started.
