Introduction to Web Application Firewalls
According to the Web Application Security Consortium (WASC), Web Application Firewalls (WAF) are defined as:
"An intermediary device, sitting between a web client and a web server, analyzing OSI Layer-7 messages for violations in the programmed security policy. A web application firewall is used as a security device protecting the web server from attack", and Web Application Security is defined as: "Theory and practice of information security relating to the World Wide Web, HTTP and web application software. Also known as Web Security".
Furthermore, WASC classifies WAFs as
"a new breed of information security technology designed to protect web sites from attack. WAF solutions are capable of preventing attacks that network firewalls and intrusion detection systems can't, and they do not require modification of application source code."
This article extends the concept of a WAF to "protect the information processed by web applications from web-based attacks," presents some typical information security requirement scenarios, and analyzes the available technology control options for securing that information.
The Security Layers
The diagrams below illustrate in a rather simplistic form the security layers of an information system, and the typical generic class of controls used to secure each layer.
The Web application could be further divided into sub-layers: Web server, Web application (front-end) and Web application back-end (typically a database) that has direct access to the information.
In an effort to gain a competitive edge, organizations are increasingly offering partners and customers direct access to information. Since data is to be made selectively accessible to external parties, a new dimension has to be added to web application security: authentication and authorization. It is no longer enough just to protect the web server and web application from hacks and abuse (which is where WAFs come in); in addition, organizations need to restrict external parties' access to data based on who they are and on what the security policy allows them to do.
Authentication and authorization mechanisms could be hard-coded into the application, but a better method of control is to set up Web Access Control (WAC) in front of the web service. WAC may or may not be as good as a WAF at protecting the web application against compromise, but it has the potential to effectively and efficiently control who has access to what information, and to maintain an audit trail for compliance reporting or security monitoring purposes.
In the illustration above, whenever a client requests a page (1), the request is first intercepted by the Agent. The agent parses the request and determines the rule(s) that apply to the requested access based on stored policy. If the requested page is protected and requires authentication, the agent presents the user with a logon page and forwards the user's credentials and access request to the policy server (2). The policy server forwards user credentials to the authentication server (3). The authentication server validates user credentials and informs the policy server (4). The policy server creates an audit trail and sends back to the Agent an 'Access Allowed' message (5). Only then does the real web server receive the request from the Agent (6), and serves the page back to the client through the Agent (7) and (8).
In the logical data flow above, the real web server does not receive the client request until the user has been authenticated, the request authorized and an audit trail created.
Separating security from the application has several advantages.
- The security policy is enforced uniformly across multiple platforms and applications.
- A single policy server can manage hundreds of agents with flexible policies. An audit trail of changes to policies is maintained by the policy server.
- Because authentication is external, flexible authentication mechanisms can be used and multi-level security can be enforced. The security policy can specify not only whether authentication is required, but also which authentication method or combination of methods is required to validate the user. In an e-business environment, the authentication method can be based not only on the type of transaction, but also on transaction variables such as the $ value of the transaction.
- Security monitoring and compliance reporting are greatly facilitated by a centralized log.
- Auditors no longer need to look at the security mechanisms embedded inside applications, with each application using different mechanisms.
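The request flow in steps (1) to (8), together with the transaction-value-based choice of authentication method from the list above, as a runnable simulation. This is an added example, not code from the handbook chapter or from any WAC product: the class names, the rule fields, the user store and the $1000 threshold are all assumptions constructed for illustration.

```python
"""Simulation of the agent / policy server / authentication server flow.

Added example, not code from the handbook or any WAC product; class names,
rule fields and the user store are assumptions constructed for illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    path: str
    user: Optional[str] = None
    credentials: dict = field(default_factory=dict)  # e.g. {"password": ..., "otp": ...}
    amount: float = 0.0  # transaction value the policy may key on


@dataclass
class Rule:
    prefix: str                     # applies to paths starting with this prefix
    protected: bool
    methods: tuple = ()             # auth methods required below the threshold
    amount_threshold: Optional[float] = None
    methods_above: tuple = ()       # stronger combination required at/above threshold


class AuthenticationServer:
    """Steps (3) and (4): validates the supplied credentials for each required method."""

    def __init__(self):
        # Constructed user store: password kept as a hash, OTP as a fixed demo value.
        self._users = {"alice": {"password": hashlib.sha256(b"correct horse").hexdigest(),
                                 "otp": "246810"}}

    def validate(self, user, credentials, methods):
        record = self._users.get(user)
        if record is None or not methods:
            return False
        for method in methods:
            supplied = credentials.get(method, "")
            if method == "password":
                supplied = hashlib.sha256(supplied.encode()).hexdigest()
            expected = record.get(method)
            if expected is None or not hmac.compare_digest(supplied, expected):
                return False  # any failed factor fails the whole validation
        return True


class PolicyServer:
    """Steps (2) and (5): picks the required methods, asks the authentication
    server, records an audit entry and answers allow/deny."""

    def __init__(self, rules, auth_server):
        self.rules = rules
        self.auth = auth_server
        self.audit = []  # centralised audit trail, one tuple per decision

    def rule_for(self, path):
        for rule in self.rules:  # first matching prefix wins; order specific -> general
            if path.startswith(rule.prefix):
                return rule
        return Rule(prefix="", protected=False)

    def required_methods(self, rule, request):
        if rule.amount_threshold is not None and request.amount >= rule.amount_threshold:
            return rule.methods_above
        return rule.methods

    def authorize(self, request):
        rule = self.rule_for(request.path)
        methods = self.required_methods(rule, request)
        allowed = self.auth.validate(request.user, request.credentials, methods)
        self.audit.append((request.path, request.user, "+".join(methods),
                           "ALLOWED" if allowed else "DENIED"))
        return allowed


class OriginServer:
    """The real web server; only sees requests the agent lets through (6)-(8)."""

    def __init__(self):
        self.served = []

    def serve(self, request):
        self.served.append(request.path)
        return 200, f"content of {request.path}"


class Agent:
    """Step (1): intercepts every request and consults the stored policy first."""

    def __init__(self, policy_server, origin):
        self.policy = policy_server
        self.origin = origin

    def handle(self, request):
        rule = self.policy.rule_for(request.path)
        if rule.protected:
            if request.user is None:
                return 401, "logon page"  # ask the user for credentials
            if not self.policy.authorize(request):
                return 403, "access denied"
        return self.origin.serve(request)


def build_demo():
    """Constructed policy: password for account pages, password + OTP for transfers >= $1000."""
    rules = [Rule("/account/transfer", True, ("password",), 1000.0, ("password", "otp")),
             Rule("/account/", True, ("password",)),
             Rule("/", False)]
    policy = PolicyServer(rules, AuthenticationServer())
    origin = OriginServer()
    return Agent(policy, origin), policy, origin
```

The point to notice is that `OriginServer.serve` is only reached after the policy server has written its audit entry, so the trail is complete even for denied requests, and the stronger method combination is selected per request from the transaction amount rather than being fixed in the application.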
WAF Operating Modes
A WAF can be operated in passive or active (in-line) mode. Active mode can be:
- Transparent bridge that fails open (such as Imperva SecureSphere).
- Routing, which requires network reconfiguration.
- Reverse proxy, which requires traffic redirection via DNS or at the network level (Big-IP NetContinuum, or ModSecurity for Apache).
- Embedded as a web server plug-in with varying degrees of reliance on the web server (ModSecurity for Apache).
A passive WAF links to the web server through a hub or a mirrored port on a switch. In high-volume/low-latency production environments, passive firewalls may not act fast enough to block an identified attack.
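The difference between in-line and passive operation, shown as an added example in the embedded / reverse-proxy style: a small WAF written as a WSGI middleware that sits in front of the origin application. This is not ModSecurity's or any product's code; the policy values (allowed methods, body size limit, denied path pattern) and the `inline` switch are assumptions chosen for illustration.

```python
"""WAF as a WSGI middleware in front of the protected application.

Added example, not code from any WAF product; policy values and the
in-line versus passive switch are assumptions chosen for illustration.
"""
import re


class WafMiddleware:
    def __init__(self, app, inline=True, max_body=4096,
                 allowed_methods=("GET", "POST"), denied_path_patterns=(r"\.\./",)):
        self.app = app
        self.inline = inline                # True: block; False: passive, alert only
        self.max_body = max_body
        self.allowed_methods = allowed_methods
        self.denied = [re.compile(p) for p in denied_path_patterns]
        self.events = []                    # alerts raised, recorded in both modes

    def inspect(self, environ):
        """Return the list of policy violations for a request (empty if clean)."""
        violations = []
        method = environ.get("REQUEST_METHOD", "")
        if method not in self.allowed_methods:
            violations.append(f"method not allowed: {method}")
        target = environ.get("PATH_INFO", "") + "?" + environ.get("QUERY_STRING", "")
        for pattern in self.denied:
            if pattern.search(target):
                violations.append(f"path matches denied pattern: {pattern.pattern}")
        raw_length = environ.get("CONTENT_LENGTH") or "0"
        if not raw_length.isdigit():
            violations.append("malformed Content-Length")
        elif int(raw_length) > self.max_body:
            violations.append(f"body too large: {raw_length} > {self.max_body}")
        return violations

    def __call__(self, environ, start_response):
        violations = self.inspect(environ)
        if violations:
            self.events.append((environ.get("REQUEST_METHOD"),
                                environ.get("PATH_INFO"), violations))
            if self.inline:
                # In-line: the request is answered here and the origin never sees it.
                start_response("403 Forbidden", [("Content-Type", "text/plain")])
                return [b"blocked by policy\n"]
            # Passive: the request is already on its way; only the alert is possible.
        return self.app(environ, start_response)


def origin_app(environ, start_response):
    """Stand-in for the protected web server."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello from origin\n"]


def call(app, method, path, query="", content_length="0"):
    """Drive a WSGI app with a constructed environ; returns (status, body)."""
    result = {}

    def start_response(status, headers, exc_info=None):
        result["status"] = status

    environ = {"REQUEST_METHOD": method, "PATH_INFO": path,
               "QUERY_STRING": query, "CONTENT_LENGTH": content_length}
    body = b"".join(app(environ, start_response))
    return result["status"], body
```

In passive mode the same violations are recorded in `events`, but the origin still answers the request; that is the limitation the paragraph above describes, since a mirrored-port deployment can only alert (or attempt a reset) after the request has already been delivered.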
About the Author
From Information Security Management Handbook, Sixth Edition, Volume 3, edited by Harold F. Tipton and Micki Krause. New York: Auerbach Publications, 2009.