This Isn’t Just a Firewall, This… is a Web Application Firewall

by Donna Toomey, November 3rd, 2016
Firewalls are, in technology terms, as old as the hills. There have been more ‘next generation’ firewalls than musical genres in the 40-odd years they’ve been about. At their heart, they permit or deny packets entering or leaving a network and, useful as that is, little else. Each generation adds something new to the policy mix that decides what ‘gets through the door’, but a better-informed bouncer is still just a bouncer. User identification, intrusion detection, time of day, footwear, bandwidth usage, hair style or TCP session state still don’t dictate whether something is safe or to be trusted.
Enter our ‘fixer’ who knows (or at least can learn) rather more about our punters and what they might be up to: the Web Application Firewall, or WAF. Forget who is allowed in; a WAF specifies what behaviours are acceptable and what are not once you’re inside the perimeter. With a WAF, application functions and input & output are what’s permitted or denied, not access.
This is clearly a more sophisticated and in-depth approach than a binary choice between permit or deny. It allows for fine-grained control and implementation of security policy in a more meaningful, dare we say natural way. If a web site only provides information to be read or downloaded, a WAF allows you to ensure no files are uploaded to the servers that provide it. Your servers might be using an SQL backend but that’s no reason clients should be including SQL queries in requests. In a nutshell, a WAF will protect you from a malicious user – one that your ‘network’ firewall has already let through, because it has no way of knowing the difference between that and a benign user.
The WAF module, available with our ALB-X advanced load balancer release, is the first we’ve released as a Docker container. This is a new, exciting direction and in keeping with our ethos, as simple as can possibly be. There’s no need for you to have to understand the intricacies of Docker or containers to use it. Because it’s a container the WAF can be installed and upgraded independently of the ALB-X software – no need to reboot. You can also run multiple WAF containers to apply different policies to different services and improve isolation. In short, there’s a whole lot of flexibility to exploit with this approach.
In that vein there are multiple implementation options available depending on whether you’d like to protect unencrypted or encrypted (HTTPS) traffic (which must be decrypted to allow for inspection). With HTTPS you can choose to re-encrypt the traffic before you send it on to a real server.
The WAF module does offer protection against poorly coded web-based applications and their vulnerabilities but really, it shouldn’t be considered a one-stop solution for badly written code with gaping holes; treat the cause, not the symptoms. Don’t forget, a joined-up, in-depth approach is the best defence. Properly formulated cookies, flightPATH traffic management rules, appropriate HTTP headers & restrictions and other tools in combination are far superior to a single seemingly impenetrable wall. Secure everything you can and true security might just follow.
Consider packets and traffic (IP addresses and ports), protocols, applications, services and transactions. Rely too much on protections for one single element and you’re probably in trouble. In the same cautious vein, keep in mind the following:
- As application-aware as it is, a WAF can only do so much: it’s not aware of how your application works, or of your ideal of how it should.
- The WAF uses a common ‘rulebase’ which is based on a number of assumptions that may not be appropriate for your application (for instance, file uploads are not permitted). Test appropriately using the default Detect mode before rolling out to production.
- More recent innovations such as AJAX, HTML5 and others may not be accounted for or protected.
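To make the behaviour-based policy described above and the Detect-mode caveat concrete, here is an added illustration (not ALB-X code or its real rulebase): a toy request inspector with two of the behaviours the post mentions, SQL in request parameters and file uploads, and a detect-only switch. Running a traffic sample through it in Detect mode shows how a default assumption (uploads not permitted) would flag a legitimate upload, which is exactly what you want to discover before switching to blocking. The `Request` class, rule names and sample traffic are all constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class Request:
    """Minimal view of an HTTP request: only the fields the policy inspects."""
    method: str
    path: str
    content_type: str
    params: dict


# A very small 'rulebase': each rule names an unacceptable behaviour and a
# predicate that recognises it. Real WAF rulebases are far larger than this.
SQL_PATTERN = re.compile(r"(?i)\b(union\s+select|drop\s+table|insert\s+into|or\s+1\s*=\s*1)\b")


def sql_in_params(req: Request) -> bool:
    # Clients of a read-only site have no business sending SQL in parameters.
    return any(SQL_PATTERN.search(str(v)) for v in req.params.values())


def file_upload(req: Request) -> bool:
    # Default assumption baked into the rulebase: uploads are not permitted.
    return req.method == "POST" and req.content_type.lower().startswith("multipart/form-data")


RULES = [("sql-in-params", sql_in_params), ("file-upload", file_upload)]


def inspect(req: Request, detect_only: bool = True):
    """Return (matched rule names, action). Detect mode logs but never blocks."""
    hits = [name for name, check in RULES if check(req)]
    if not hits:
        return hits, "allow"
    return hits, ("log" if detect_only else "block")


def dry_run(requests, detect_only=True):
    """Run a traffic sample through the policy. Review the 'log' lines for
    false positives (e.g. a legitimate upload) before turning detect_only off."""
    return [(r.path, *inspect(r, detect_only)) for r in requests]


# Constructed sample traffic (not captured from any real system).
SAMPLE = [
    Request("GET", "/docs/manual.pdf", "", {}),
    Request("GET", "/search", "", {"q": "1 UNION SELECT password FROM users"}),
    Request("POST", "/profile/avatar", "multipart/form-data; boundary=xyz", {}),
]

if __name__ == "__main__":
    for path, hits, action in dry_run(SAMPLE):
        print(f"{action:5} {path} {hits}")
```

In Detect mode the avatar upload is logged, not dropped; if that path is a feature of your application, the upload rule needs adjusting for it before the policy goes to blocking mode.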
As is the norm with most ALB-X features, the huge benefit of their implementation on ALB-X is that we only have to do this in one central place in order to protect all our servers. We don’t need to rely on developers or web server reconfigurations. Updating the WAF’s rule set (the list of unacceptable behaviours) takes just a few clicks too, and only needs to be done once no matter how many you’re running.
More information on the WAF can be found here and it is available to download now from our App Store – another exciting new development we encourage you to check out. There’s an in-depth installation guide here.
A Web Application Firewall allows for fine-grained control and implementation of security policy, including the management of what’s permitted or denied in application functions and input & output.