Protect Your Web Apps
- by Antoniy Yushkevych
- in Security
We have all heard of a proxy before: it acts as an intermediary for requests between the client and the internet. A reverse proxy, however, is less familiar to the average web user. A WAF (Web Application Firewall) is a type of reverse proxy that sits in front of web applications in production and inspects incoming traffic. If it sees a malicious traffic pattern, it blocks it.
Web application firewalls typically monitor HTTP and HTTPS traffic between a web application and the internet. WAFs are most commonly used to protect against SQL injection attacks, cross-site scripting (XSS) attacks, file inclusion and many more.
How do WAFs Operate?
WAFs commonly come in two types: those operating on a negative security model (blacklist) and those operating on a positive security model (whitelist). In the first case, the WAF protects against known attacks by denying traffic that matches them. When operating on a whitelist, however, a WAF only accepts pre-approved traffic. Most WAFs offer a hybrid of the two operation modes and take advantage of both models.
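The two models and their hybrid, as an added example that is not part of the original article: a minimal request inspector in Python. The routes, parameter formats and signatures are constructed for illustration and are far simpler than a production rule set.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Negative model (blacklist): constructed signatures for known-bad input.
DENY_SIGNATURES = {
    "sql_injection": re.compile(r"'\s*(or|and)\s+[\w']+\s*=|union\s+select|--\s*$", re.I),
    "xss": re.compile(r"<\s*script|javascript:|on\w+\s*=", re.I),
    "file_inclusion": re.compile(r"\.\./|\.\.\\|^(?:https?|ftp|php|file)://", re.I),
}

# Positive model (whitelist): constructed routes, each with a strict
# format for every parameter it accepts. Anything else is rejected.
ALLOW_RULES = {
    ("GET", "/products"): {"id": re.compile(r"\d{1,9}"), "sort": re.compile(r"name|price")},
    ("GET", "/search"): {"q": re.compile(r"[\w .,'-]{1,64}")},
}

def check_blacklist(url):
    """Return the name of the first signature a query value matches, or None."""
    for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        for name, pattern in DENY_SIGNATURES.items():
            if pattern.search(value):
                return name
    return None

def check_whitelist(method, url):
    """Return None if the request fits an allow rule, else the reason it does not."""
    parts = urlsplit(url)
    schema = ALLOW_RULES.get((method.upper(), parts.path))
    if schema is None:
        return "route_not_allowed"
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key not in schema:
            return "unknown_parameter"
        if not schema[key].fullmatch(value):
            return "bad_parameter_format"
    return None

def inspect(method, url, mode="hybrid"):
    """Return ('allow', None) or ('block', reason) for the chosen model."""
    reason = None
    if mode in ("whitelist", "hybrid"):
        reason = check_whitelist(method, url)
    if reason is None and mode in ("blacklist", "hybrid"):
        reason = check_blacklist(url)
    return ("block", reason) if reason else ("allow", None)
```

The blacklist alone lets an unlisted route through because nothing matches a signature, while the whitelist alone accepts a value that fits the permitted character set but still carries a known-bad pattern; the hybrid mode catches both.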
This is how most web application firewalls are implemented:
- Network-based: local installation minimizes latency, but it is expensive because it is hardware-based, requiring storage and maintenance, and it demands that all security expertise be in-house.
- Server-based: also known as Next-gen WAFs, these are integrated into the server. The downside is increased consumption of local server resources and implementation complexity.
- Cloud-based: easiest to implement, with the lowest cost. The web application owner can sit back and relax as the provider takes care of the updates needed to mitigate newly arising threats.
- In-application: a WAF sits inside the application itself. Further maintenance and configuration are not required as the firewall has the full context of the application.
A web application firewall protects the 7th layer of the OSI model and thus is not designed to defend against all types of attacks. It is simply one of the many tools website owners should use to create an appropriate defense for their sites.