
What is a Web Application Firewall (WAF)?

A Web Application Firewall acts as a protective layer between a web application and the Internet. It filters and monitors HTTP traffic to protect the web application from attacks such as XSS (Cross-Site Scripting), DDoS (Distributed Denial of Service) and SQL Injection.
Unlike traditional edge firewalls, which work at the network layer, a WAF works at the application layer. A WAF was needed because traditional firewalls could not selectively block HTTP traffic: different web applications all use the same port numbers (80 or 443), so a port-based rule cannot tell one application's requests from another's, let alone a legitimate request from a malicious one.

Diagrammatic Representation (Example Scenario):

Description:
When a client tries to access the web application (say www.test.com), the request passes through the WAF running on Ubuntu. The WAF filters the traffic and also gives the client the impression that the web application is hosted on the Ubuntu server. Hence the IP address of the real web application server (the Windows 7 host) is not revealed. We can say that the WAF acts as a reverse proxy here. The request forwarded from the WAF to the web application is known as Proxy Pass, and the response from the web application back to the WAF is known as Proxy Pass Reverse (the terms come from the Apache mod_proxy directives ProxyPass and ProxyPassReverse).

A WAF can use either a blacklisting or a whitelisting approach to decide which traffic is allowed to pass through it. Blacklisting blocks only known threats and lets everything else through, whereas whitelisting allows only trusted traffic and blocks everything else.
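The two ideas above (the WAF as a reverse proxy that hides the origin server, and blacklisting versus whitelisting) can be put together in a small model. The following is an added example written for this page, not code from the original article or from any WAF product: www.test.com is the hostname from the scenario above, the backend address is a placeholder, fake_backend() stands in for the real origin server, and the blacklist patterns and whitelist schema are constructed for illustration. It shows the forward path (rewriting Host and adding X-Forwarded-For, the "proxy pass"), the return path (rewriting Location headers and dropping the origin's Server banner, the "proxy pass reverse"), and how the same request is judged differently by a signature blacklist and a positive whitelist.

```python
# Added example: a toy WAF-as-reverse-proxy model. Not code from the page;
# www.test.com is the page's scenario host, BACKEND is a placeholder address,
# fake_backend() replaces the real origin, and the rule sets are constructed.
import re
from dataclasses import dataclass

PUBLIC_HOST = "www.test.com"            # hostname the client sees
BACKEND = "http://192.0.2.10:8080"      # origin server (placeholder, RFC 5737 range)


@dataclass
class Request:
    method: str
    path: str
    query: dict          # decoded query parameters, name -> value
    headers: dict
    client_ip: str


@dataclass
class Response:
    status: int
    headers: dict
    body: bytes = b""


# Blacklisting: block only what matches a known-bad signature, allow the rest.
BLACKLIST_PATTERNS = [
    re.compile(r"<script\b", re.I),                           # script-tag injection
    re.compile(r"\bunion\b.*\bselect\b|'\s*or\s*1=1", re.I),  # classic SQLi probes
]

# Whitelisting: allow only known endpoints whose parameters fit an expected format.
WHITELIST_SCHEMA = {
    "/search": {"q": re.compile(r"[\w\s-]{1,64}")},
    "/item": {"id": re.compile(r"\d{1,9}")},
}


def blacklist_decision(req):
    """Return ("allow", None) or ("block", reason) by signature matching."""
    for value in req.query.values():
        for pat in BLACKLIST_PATTERNS:
            if pat.search(value):
                return "block", "blacklist:" + pat.pattern
    return "allow", None


def whitelist_decision(req):
    """Return ("allow", None) or ("block", reason) by positive schema check."""
    schema = WHITELIST_SCHEMA.get(req.path)
    if schema is None:
        return "block", "whitelist:unknown-path"
    for name, value in req.query.items():
        rule = schema.get(name)
        if rule is None:
            return "block", "whitelist:unexpected-param:" + name
        if not rule.fullmatch(value):
            return "block", "whitelist:bad-format:" + name
    return "allow", None


def build_upstream_request(req):
    """Forward path (proxy pass): aim the request at the backend, keep client identity."""
    headers = dict(req.headers)
    headers["Host"] = BACKEND.split("//", 1)[1]
    headers["X-Forwarded-For"] = req.client_ip
    headers["X-Forwarded-Host"] = PUBLIC_HOST
    return {"method": req.method, "url": BACKEND + req.path, "headers": headers}


def rewrite_response_headers(resp):
    """Return path (proxy pass reverse): hide the backend address and server banner."""
    out = dict(resp.headers)
    for name in ("Location", "Content-Location"):
        if name in out and out[name].startswith(BACKEND):
            out[name] = "https://" + PUBLIC_HOST + out[name][len(BACKEND):]
    out.pop("Server", None)      # never echo the origin's Server header to the client
    return Response(resp.status, out, resp.body)


def fake_backend(upstream):
    """Constructed stand-in for the origin server (no network I/O)."""
    banner = {"Server": "Apache/2.4 (Win32)"}
    if upstream["url"].endswith("/item"):
        return Response(302, {**banner, "Location": BACKEND + "/item/42"})
    return Response(200, banner, b"ok")


def handle(req, mode="blacklist"):
    """Inspect with the chosen policy, then proxy the request and sanitise the response."""
    if mode == "blacklist":
        decision, reason = blacklist_decision(req)
    elif mode == "whitelist":
        decision, reason = whitelist_decision(req)
    else:
        raise ValueError("mode must be 'blacklist' or 'whitelist'")
    if decision == "block":
        return Response(403, {"X-WAF-Reason": reason}, b"Forbidden")
    return rewrite_response_headers(fake_backend(build_upstream_request(req)))


def demo():
    """Usage: a clean search request passes under both policies."""
    req = Request("GET", "/search", {"q": "hello"}, {"Host": PUBLIC_HOST}, "203.0.113.5")
    return handle(req, "blacklist").status, handle(req, "whitelist").status
```

The instructive case is a value like `hello;world`: the blacklist lets it through because it matches no signature, while the whitelist blocks it because it does not fit the declared format for `q`. That is the trade-off in one line: blacklists only stop what they already know, whitelists require you to describe every legitimate input up front.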

The evolution of WAF:
The first generation of WAF used blacklists and signature-based HTTP attributes to filter web traffic. As the number of web applications grew, this approach became obsolete.
The second generation of WAF became more intelligent through the use of machine learning. It generated whitelists while still maintaining the blacklists, and added session monitoring and heuristics to detect variants of known signatures.
The third generation of WAF uses machine learning combined with behaviour analysis to prevent zero-day exploits as well. It monitors HTTP behaviour and also enforces user role permissions.

Types of WAF:
1. Network Firewalls - They filter traffic based on rules and analyze the metadata of incoming packets.
2. Application Firewalls - They analyze the actual data being transferred rather than the metadata, and they understand what kind of data is allowed in a specific protocol.
3. Local Firewalls - They help secure a local environment (server or desktop), but they do not play an important role in protecting the website.

Deployment options:
1. Endpoint - Deployed on the hosting servers themselves.
2. Cloud - Deployed in the cloud, in front of the application.
3. In-line Appliance - Deployed as a device in the organisation's own network.