Exclusive | What is WAF and why is it so important for our websites?
Web Application Firewalls (WAFs) are designed to protect websites from common web application attacks, including SQL injection, cross-site scripting (XSS), and buffer overflows. A web application firewall is something that sits between your web server and the Internet, protecting you from hackers. It has become an essential tool in the arsenal of modern web security professionals.
What is the difference between WAF and firewall?
Network firewalls and WAFs are both important elements of information security. They both work to secure the network. However, these two solutions work in different ways, and the differences between them are important to understand.
WAF products are an essential part of establishing effective layered protection. In recent years, the technology of WAF has not changed too much. WAF systems check to see if requests match what is written in RFC documents and apply various attack signatures to make a decision about whether the request is legitimate or not.
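The two-stage decision described above (protocol conformance first, then attack signatures) can be sketched as follows. This is an added example, not code from any WAF product; the signature patterns, the `inspect` function and the sample requests are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed signatures for illustration; real rule sets are far larger.
SIGNATURES = {
    "sqli": re.compile(r"(?i)\bunion\b.+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+"),
    "xss": re.compile(r"(?i)<\s*script\b|\bon\w+\s*=|javascript:"),
}
METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"}
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(1\.[01])$")
FIELD_NAME = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")  # RFC 9110 token


def inspect(raw_request):
    """Return (verdict, reason) for one raw HTTP/1.x request."""
    head, _, body = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")

    # Stage 1: protocol conformance (request line, header syntax, Host rule).
    m = REQUEST_LINE.match(lines[0])
    if not m or m.group(1) not in METHODS:
        return "block", "protocol: bad request line"
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not FIELD_NAME.match(name):
            return "block", "protocol: bad header field"
        headers.setdefault(name.lower(), []).append(value.strip())
    if m.group(3) == "1.1" and len(headers.get("host", [])) != 1:
        return "block", "protocol: HTTP/1.1 needs exactly one Host"

    # Stage 2: signatures, matched against URL-decoded parameter values.
    params = parse_qsl(urlsplit(m.group(2)).query, keep_blank_values=True)
    ctype = headers.get("content-type", [""])[0].lower()
    if ctype.startswith("application/x-www-form-urlencoded"):
        params += parse_qsl(body, keep_blank_values=True)
    for key, value in params:
        for rule, pattern in SIGNATURES.items():
            if pattern.search(value):
                return "block", f"signature: {rule} in parameter {key!r}"
    return "allow", "no rule matched"


# Constructed sample requests.
HOST = "Host: shop.example\r\n"
BENIGN = "GET /search?q=shoes HTTP/1.1\r\n" + HOST + "\r\n"
NO_HOST = "GET / HTTP/1.1\r\nAccept: */*\r\n\r\n"
ENCODED = "GET /item?id=1%20UNION%20SELECT%20name%20FROM%20users HTTP/1.1\r\n" + HOST + "\r\n"
```

Decoding parameters before matching is what lets the percent-encoded request in `ENCODED` trip the same signature as its plain-text form.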
Over time, new features have been added that allow user sessions and behavior to be tracked by the app to prevent potential brute-force attacks or session hijacking, and that block known malicious sources, including botnets, anonymizers, and other threats. Most WAF products still rely largely on passive technology with limited functionality when it comes to customer verification.
A WAF protects against malicious applications, databases and services by specifically checking HTTP requests. This process takes place on the back-end, meaning code is placed in each web application that analyzes HTTP communications. It then detects malicious requests that would damage critical systems. The decision to block them or not is made through a UX layer in a control panel. WAFs are especially useful for protecting CMS platforms that run multiple databases, services, or even separate websites like an e-commerce site.
On the other hand, a network firewall separates internal networks from the external Internet. Without it, there would be no protection for a company’s computers that have public IP addresses. Companies can easily block or restrict network access through these firewalls to prevent unauthorized access by hackers and malicious organizations.
Positioning WAF devices in the network communications application environment
The question of where to put such a device comes up very often. There are several possibilities: a WAF can be placed at several points along the communication path between a user and the desired application.
This does not mean that these points are all equally good. Ideally, the WAF is installed behind a system that performs load balancing and traffic optimization within the environment. By doing so, we optimize usage, performance, and reliability, while maintaining the security of applications in the data center – especially where the applications are publicly accessible.
Choosing a Web Application Firewall solution
The WAF vendor landscape can seem complex, with new vendors popping up almost every week. You need to choose one which best suits your business. If you’re considering this topic, there are 8 questions you should get answered before making a decision.
- 1. What does the WAF protect against?
- 2. What detection techniques does it use?
- 3. How does it protect?
- 4. Does it allow customization?
- 5. Is it equipped with accurate learning to constantly update its policies based on the current risk levels of your application in production, based on new threat vectors and application risk structures?
- 6. Is it scalable?
- 7. How does logging and reporting work?
- 8. Is it easy to implement?
3 tips for success with a WAF
- 1. Make sure your WAF supports the security goals of your application.
- 2. Carefully evaluate and test your WAF solution.
- 3. Think about what internal resources you will need.
Do I need a Web Application Firewall (WAF)?
Standard network firewalls and WAFs protect against different types of threats, so it’s important to choose the right one. A network firewall alone won’t protect businesses from website attacks, which can only be prevented by the features of WAF. A business without an application firewall could leave its whole network vulnerable to attacks caused by vulnerabilities in web applications.
Use the Virusdie Web Application Firewall (WAF), a three-tiered security system that automatically protects your website, synchronizes with our anti-malware network, and prevents hacking, malware, attacks, content grabbing, XSS/SQL injections, malicious code uploads, suspicious activity, and blacklist threats.
Virusdie Website Firewall Scanner connects to your website before it runs and checks all incoming requests against the malware definitions in our cloud. If necessary, it alerts you.
Threats in the online world today
Today, almost every threat is automated and attackers perform automated application scans to find potential vulnerabilities. Attacks like DDoS are fully automated and allow attacks to be executed at over 1Tbps.
Automated attacks are hard to detect because they are usually designed to look like perfectly legitimate traffic. CAPTCHA and similar technologies are used to prevent such attacks, but over time such verification methods become insufficient and compromise the legitimate users’ experience.
New threats are also emerging, such as Credential Stuffing. Credential Stuffing is a special type of attack that uses millions of combinations of usernames and passwords stolen in previous attacks. Recent research indicates that the most common method of attack in 2017 was the use of stolen credentials. Credential Stuffing attacks are very hard to detect because not only does the traffic appear to be completely legitimate, but it is also very often executed very slowly so that these attacks are not detected as Brute Force attacks.
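The detection gap described above, shown on constructed login events: a short-window failure-rate rule catches a brute-force burst but not slow credential stuffing, while counting distinct failed accounts per source over a long window does. This is an added example, not part of the original article; the thresholds, function names and sample data are assumptions, and the second rule only helps when attempts share a source address.

```python
from collections import defaultdict, deque


def rate_rule(events, window=60, max_failures=5):
    """Brute-force rule: too many failed logins from one source in a short window."""
    recent, flagged = defaultdict(deque), set()
    for ts, src, user, ok in events:
        if ok:
            continue
        q = recent[src]
        q.append(ts)
        while q[0] <= ts - window:      # drop failures older than the window
            q.popleft()
        if len(q) > max_failures:
            flagged.add(src)
    return flagged


def spread_rule(events, window=86400, max_users=10):
    """Stuffing rule: one source failing logins for many distinct accounts in a day."""
    recent, flagged = defaultdict(deque), set()
    for ts, src, user, ok in events:
        if ok:
            continue
        q = recent[src]
        q.append((ts, user))
        while q[0][0] <= ts - window:
            q.popleft()
        if len({u for _, u in q}) > max_users:
            flagged.add(src)
    return flagged


def sample_events():
    """Constructed (timestamp_seconds, source_ip, username, success) events."""
    events = []
    # Brute force: 20 failures against one account within 20 seconds.
    events += [(1000 + i, "198.51.100.7", "admin", False) for i in range(20)]
    # Slow stuffing: one attempt every 10 minutes, a different account each time.
    events += [(2000 + 600 * i, "203.0.113.9", f"user{i}@example.com", False)
               for i in range(40)]
    # Legitimate user: two typos, then a successful login.
    events += [(5000, "192.0.2.44", "alice", False),
               (5020, "192.0.2.44", "alice", False),
               (5040, "192.0.2.44", "alice", True)]
    return sorted(events)   # both rules expect time-ordered input
```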
Malware is ubiquitous in the online environment and is used to exploit vulnerabilities in web browsers and attack users who use those browsers. There are several methods of spreading malware – from malicious links on social networks to email attachments.
Computers infected with malware are often used for DDoS attacks, identity theft, and data collection. If the client computer is not monitored by an experienced IT team, detection and containment methods can be limited.
Finally, there are DDoS attacks themselves. Many are designed to cause resource exhaustion – whether it’s application servers or database servers. Because most DDoS attacks appear to be legitimate traffic and very often meet standard input checks, detecting DDoS attacks is relatively difficult.
With most traditional WAF solutions, the above attacks don’t look suspicious and can go undetected. Reputation databases of IP addresses also have limited functionality in this case, as the number of infected devices is growing every day and the spectrum of infected devices is growing in diversity – modems, IoT devices…
It is clear that a more sophisticated WAF device and technology is needed to protect us from these types of threats.
Today, the majority of our private and business communications are conducted via various applications, so special attention must be paid to protecting them.
42% of companies that were the target of cyberattacks reported that the attacks came from outside, with two of the most common attack methods being attacks that target web applications and all sorts of vulnerabilities in software.
Web applications are constantly under attack from malicious users, and security experts are looking for WAF devices that protect the web from advanced attacks, including zero-day attacks, and are designed to protect all applications regardless of format.
Article by Ivica Delic
founder of FreelancersTools,
exclusively for Virusdie.