This article explains the fundamental concept of web application firewalls and their use in a network infrastructure.
Web application firewalls are used to protect servers and their associated applications from application-based attacks. Assume that you have a web application hosted on a server on your organization's network which provides a service to users on the internet.
As the server is exposed to the internet, it is vulnerable to numerous attacks from the internet. Attacks can be classified broadly into network layer and application layer attacks.
Network layer attacks target the network layer of the infrastructure, such as the TCP/IP stack. Application layer attacks target the application itself, for example through the HTTP requests it receives.
Web application firewall use case
The diagram below shows a web server on a network. A web application on the server is set up for users to access from the internet. To protect the application from attacks targeting the application layer, a web application firewall is installed in front of it.
The following steps happen when a user on the internet attempts to access the application inside the network.
The HTTP request to the web application is intercepted by the web application firewall.
The firewall inspects the HTTP headers and data to check whether the request is malicious, in which case it is dropped.
After the request is checked and validated as non-malicious, it is forwarded to the web server.
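As an added example (not code from the original article or from any WAF product), the intercept, inspect and forward steps above can be illustrated with a small Python request inspector. It parses a raw HTTP request, checks a handful of assumed rules against the request target, selected headers and the body, and either drops the request with a reason or hands it to a placeholder forward() function standing in for the origin server. The sample requests, rule patterns, size limit and hostnames are all constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote_plus

# Assumed limit for the demo; real products make this configurable.
MAX_BODY_BYTES = 64 * 1024

# Illustrative detection rules (name, pattern). Real WAF rule sets are far
# larger and tuned per application; these only show where inspection looks.
RULES = [
    ("path_traversal", re.compile(r"(^|[\\/])\.\.([\\/]|$)")),
    ("sql_injection", re.compile(
        r"('|\")\s*(or|and)\s+\S+\s*=\s*\S+|union\s+select|--\s*$", re.I)),
    ("xss", re.compile(r"<\s*script\b|javascript:", re.I)),
]


@dataclass
class Decision:
    allowed: bool
    reason: str  # "ok", or "<rule>:<location>" when dropped


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def inspect(raw: bytes) -> Decision:
    """Return the WAF decision for one request: allowed, or dropped with a reason."""
    try:
        method, target, headers, body = parse_request(raw)
    except ValueError:
        return Decision(False, "malformed:request-line")
    if "host" not in headers:
        return Decision(False, "protocol:missing-host")
    if len(body) > MAX_BODY_BYTES:
        return Decision(False, "limits:body-too-large")
    # Percent-decode before matching so an encoded payload is not missed.
    candidates = {
        "target": unquote_plus(target),
        "body": unquote_plus(body.decode("latin-1")),
    }
    for hname in ("user-agent", "referer", "cookie"):
        if hname in headers:
            candidates["header:" + hname] = unquote_plus(headers[hname])
    for location, text in candidates.items():
        for name, pattern in RULES:
            if pattern.search(text):
                return Decision(False, f"{name}:{location}")
    return Decision(True, "ok")


def forward(raw: bytes) -> str:
    """Stand-in for handing the request to the origin web server (assumed)."""
    return "forwarded"


def handle(raw: bytes) -> str:
    """Intercept -> inspect -> drop or forward, as described in the article."""
    decision = inspect(raw)
    return forward(raw) if decision.allowed else f"dropped ({decision.reason})"


# Constructed sample requests (hostnames and paths are made up for the demo).
BENIGN = (b"GET /products?id=42 HTTP/1.1\r\nHost: shop.example\r\n"
          b"User-Agent: curl/8.0\r\n\r\n")
TRAVERSAL = b"GET /static/..%2F..%2Fconfig.ini HTTP/1.1\r\nHost: shop.example\r\n\r\n"
SQLI = (b"POST /login HTTP/1.1\r\nHost: shop.example\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
        b"user=admin'+OR+1=1--&pass=x")

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("traversal", TRAVERSAL), ("sqli", SQLI)):
        print(f"{label:10s} -> {handle(req)}")
```

The decision records which rule fired and where (target, body or a specific header), which is what a defender wants in the firewall log when tuning rules or investigating a blocked request. Decoding before matching matters because the same payload arrives percent-encoded on the wire; a real deployment also has to handle other encodings, chunked bodies and the case where the request never reaches this code because it was not HTTP at all.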
In today's world, all web traffic is encrypted with SSL/TLS. To look into SSL packets, the web application firewall needs a certificate, which is presented to the clients that require access to the server. The web application firewall then behaves like a proxy.
All clients connecting to the server actually connect to the firewall, where SSL decryption and inspection take place, after which the packets are forwarded to the web server.
Web application firewalls protect the application from various types of web application attacks. If a web application firewall is not set up, the server and application are left vulnerable to these attacks.
In today's digital world, a web application firewall is strongly recommended for protecting websites from application layer threats.
Web application firewall FAQs
My organization has a network layer firewall. Would this be sufficient?
This depends on the resources your organization is using. For example, if there are no internal servers exposed to the internet, it makes no sense to deploy a web application firewall, as there are no resources that require protection.
But if there are resources such as applications hosted on internet-exposed servers, then a web application firewall is needed.
My organization is running an eCommerce website hosted on the cloud. What type of firewall should I use?
A combination of a web application firewall and a network layer firewall should be used. The network layer firewall provides appropriate network access control to the server on the cloud. The web application firewall is needed to protect the eCommerce application from internet threats.
How do I know if the web application firewall is deployed properly?
You can conduct a security audit or, if you are more aggressive, a web application penetration test to look for vulnerabilities that can be exploited in the deployment.
Can a web application firewall block DDoS attacks?
This depends on the type of DDoS attack. For example, if it is an HTTP-based DDoS attack, the firewall could block it if it supports the feature. If the DDoS attack is network based, this is not possible, as web application firewalls cannot look into network layer packets.
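To show what the HTTP-based case looks like in practice, here is an added Python example (not code from the article or from any product) of a per-client sliding-window rate limiter, the kind of feature an HTTP-layer WAF uses against application-level floods. It runs over a constructed traffic sample in which one client bursts 50 requests in half a second while another browses normally. The limit, window and IP addresses are assumptions; the addresses come from the documentation ranges reserved for examples.

```python
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` requests per client within any `window` seconds."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        # client id -> timestamps of the requests allowed within the window
        self._hits = defaultdict(deque)

    def allow(self, client: str, now: float) -> bool:
        q = self._hits[client]
        # Expire timestamps that have fallen outside the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False  # over budget: the WAF drops (or challenges) this request
        q.append(now)
        return True


# Constructed traffic sample: (timestamp in seconds, client IP). 203.0.113.9
# sends 50 requests in half a second; 198.51.100.4 sends one every half second.
# Both addresses are from the documentation ranges reserved for examples.
TRAFFIC = sorted(
    [(i * 0.01, "203.0.113.9") for i in range(50)]
    + [(i * 0.5, "198.51.100.4") for i in range(6)]
)


def run(limit: int = 20, window: float = 1.0) -> dict:
    """Feed the sample through the limiter and count decisions per client."""
    limiter = SlidingWindowLimiter(limit, window)
    stats = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for ts, client in TRAFFIC:
        outcome = "allowed" if limiter.allow(client, ts) else "dropped"
        stats[client][outcome] += 1
    return dict(stats)


if __name__ == "__main__":
    for client, counts in run().items():
        print(client, counts)
```

With a budget of 20 requests per second, the bursting client gets 20 through and 30 dropped while the normal client is never throttled. This only works because the flood consists of HTTP requests the WAF can see and count; a network-layer flood never becomes a request in this loop, which is why the answer above says such attacks have to be handled elsewhere.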
I have my infrastructure set up on the cloud. Should I buy an additional web application firewall to protect the resources on the cloud?
Yes. You are responsible for the security of resources in your cloud infrastructure. The cloud vendor is responsible only for the security of the underlying infrastructure. Every cloud vendor offers its own web application security solutions.
How do web application firewalls inspect SSL packets?
When SSL packets need to be inspected, the SSL certificate of the web application firewall is presented to the clients connecting to it. Normally, the SSL certificate of the server is presented to the clients.
In a normal setup, when the firewall receives the packets, it cannot inspect their contents, since the SSL session keys are not known to the firewall.
When the certificate of the firewall is used instead, SSL decryption is performed at the firewall. The clients connect to the firewall instead of the web server. After decryption and inspection, the firewall forwards the packet to the server.
My application and server are patched and up to date. Should I deploy a web application firewall?
Yes. It is highly recommended to deploy a web application firewall even if your operating system and application are patched, to mitigate zero-day attacks and other advanced web attacks.