You need another firewall for web applications, says McDermott of Agile Networks
27 July 2015
Most people, even in ICT, think of a firewall in the traditional way — as a central or perimeter defence against intrusion, malware and forbidden access or activity. But in today’s complex online world, that is no longer the strategy for comprehensive protection. Web Application Firewalls or WAFs (pronounced ‘Waffs’) add to our industry jargon but are an important specialist addition to our security armoury, with a fast growing market according to Gartner and major brands such as F5, A10, Imperva, Barracuda, Radware and Fortinet. In essence, you are tying security and the application together and the specific instance of engagement with it.
Web applications are increasing daily, both publicly and internally, and they can be deployed on-premise or, more commonly, hosted in the cloud or delivered as-a-Service. A WAF is designed to protect these web applications and servers from attacks that intrusion prevention systems cannot prevent. A traditional IPS works by matching traffic against signatures and interrogating it for anomalies, while a WAF examines the behaviour and logic of what is requested and what is returned.
WAFs act on dangers maliciously woven into innocent-looking website traffic that slips right through traditional defences. This includes application vulnerability attacks such as SQL injection, cross-site scripting and remote file inclusion. Other such threats include business logic attacks such as site scraping and comment spam, and fraudulent activity such as account takeover attacks.
In the past, enforcing web application security and compliance policies across a range of traditional and cloud environments has meant greater complexity, security gaps and higher costs. That is indeed the prevalent situation to this day, for which WAFs offer a practical, effective and much less costly solution. WAFs can ensure fast, reliable and secure delivery of mission-critical web applications. They also enable PCI compliance by mitigating web application security threats and vulnerabilities, preventing data theft and manipulation of sensitive corporate data and protecting customer information.
Any web application can benefit from a WAF at the front end, especially when you think of some of the most widely used, such as social media, banking or government services. Most WAFs allow vulnerabilities to be fixed on the fly. So if an undiscovered vulnerability comes to light, it can in most cases be mitigated quickly and easily at the WAF, without having to change the underlying application. Most WAF products can be thought of as a firewall for the application itself, and as a potent extra layer in the security stack.
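The two ideas above, inspecting the decoded logic of a request rather than raw byte signatures, and "virtual patching" a hole at the WAF without touching the application, can be shown in a few dozen lines. The following is an added illustration written for this page; it is not code from Agile Networks or from any WAF vendor named in the article. The endpoint path `/account/lookup`, the parameter name `id`, and the sample requests are all constructed for the example.

```python
"""Minimal WAF-style request filter (illustrative, not a product).

Two behaviours from the article are modelled:
  1. Rules run on the *decoded, normalised* parameter value, so a
     URL-encoded or mixed-case payload is judged by what it means to
     the application, not by the bytes on the wire.
  2. A 'virtual patch' allow-list for one hypothetical endpoint
     constrains a parameter until the application itself is fixed.
"""
import re
from urllib.parse import unquote_plus

# Generic application-attack rules, applied to every request parameter.
# Names are constructed for this example.
GENERIC_RULES = [
    ("sqli-tautology",
     re.compile(r"(\bor\b|\band\b)\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I)),
    ("xss-script-tag", re.compile(r"<\s*script\b", re.I)),
    ("rfi-remote-include", re.compile(r"^(https?|ftp)://", re.I)),
]

# Virtual patch: the (hypothetical) /account/lookup endpoint has an
# unfixed flaw in its 'id' parameter, so the WAF only lets digits
# through. The backend code is untouched.
VIRTUAL_PATCHES = {
    "/account/lookup": {"id": re.compile(r"^\d{1,10}$")},
}


def normalize(value: str) -> str:
    """Decode twice (catches double-encoding) and collapse whitespace."""
    decoded = unquote_plus(unquote_plus(value))
    return " ".join(decoded.split())


def inspect(path: str, params: dict) -> tuple:
    """Return ("allow", None) or ("block", rule_name) for one request."""
    patch = VIRTUAL_PATCHES.get(path, {})
    for name, raw in params.items():
        value = normalize(raw)
        # Allow-list virtual patch takes precedence on patched endpoints:
        # anything outside the expected shape is refused, signature or not.
        if name in patch and not patch[name].match(value):
            return "block", f"vpatch:{path}:{name}"
        for rule_name, pattern in GENERIC_RULES:
            if pattern.search(value):
                return "block", rule_name
    return "allow", None


if __name__ == "__main__":
    # Constructed sample requests for demonstration.
    samples = [
        ("/search", {"q": "blue widgets"}),
        ("/search", {"q": "x%2527+OR+%25271%2527%3D%25271"}),  # double-encoded
        ("/comment", {"body": "<ScRiPt>alert(1)</script>"}),
        ("/account/lookup", {"id": "12345"}),
        ("/account/lookup", {"id": "abc"}),
    ]
    for path, params in samples:
        print(path, params, "->", inspect(path, params))
```

The point of the last two samples is that the virtual patch blocks `abc` even though no generic signature fires: an allow-list written for one known endpoint is how a WAF closes a specific hole quickly, and it is also why such rules need review once the application is properly fixed, as overly narrow patterns are a common source of false positives.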
A key feature of these new WAFs is that their use is thoroughly flexible. The WAF approach can suit almost all environments and deployment scenarios, from dedicated physical devices to cloud deployments, to being integrated into a more powerful Application Delivery Controller (ADC), which can provide enhanced services such as SSL offload or load balancing. Essentially, a WAF's protections can be present wherever your application is running.
Like any ICT security product, a WAF takes a certain amount of technical knowledge to install and experience to configure. In a larger organisation, it is possible that the owners of the application could also take responsibility for the WAF while the core centralised security stack remains under whatever specialist security control team is in place. At another level, any SaaS provider could add WAF as an attractive upsell to its user market.
Will McDermott is senior systems engineer with Agile Networks