Web Application Firewalls (commonly referred to as WAFs) are mainly designed to protect web applications.
But what exact roles can they play in a web architecture?
Depending on how they are integrated into your web platform, their impact and their ability to improve your security will differ.
Using a WAF as an attack mitigation solution
A WAF can be used to analyse inbound and outbound traffic in order to block malicious or dangerous items.
In this configuration, the threat detection engine of the firewall detects suspicious inbound traffic and decides to block the request. This means that the request will not reach the web server, and a generic response will be returned to the client.
To decide whether a request is innocuous or malicious, the WAF can use a positive or a negative security model:
The negative security model assumes that all transactions are innocuous by default. It looks for threat cues and, if a transaction is judged dangerous, blocks it.
The positive security model, on the other hand, assumes that all transactions can be dangerous and only allows those that are recognized as safe.
Blocking outbound traffic also protects web applications if a malicious request has gone through the WAF without being caught. Indeed, the WAF can also detect a successful attack when the server's response contains what the attacker was trying to obtain.
In this case, the WAF will detect sensitive information that is not supposed to be returned by the server (e.g. a configuration file or a password file), block the outgoing transaction and, in the end, prevent data leakage or sensitive data disclosure.
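As an added example (not code from the original article), the following Python sketch shows the three mechanisms described above side by side: a negative model that blocks on known-bad patterns, a positive model that only admits requests matching a per-endpoint profile, and an outbound check that stops a response carrying content that should never leave the server. Every rule, endpoint profile and the "leaky" backend are constructed for illustration; real rulesets are far larger.

```python
import re
from dataclasses import dataclass


@dataclass
class Request:
    method: str
    path: str
    params: dict  # decoded query/body parameters, name -> value


@dataclass
class Response:
    status: int
    body: str


# Negative security model: everything passes unless it matches a known-bad pattern.
# Constructed signatures for illustration only.
NEGATIVE_RULES = {
    "sqli-tautology": re.compile(r"(?i)\b(?:or|and)\b\s+\d+\s*=\s*\d+"),
    "xss-script-tag": re.compile(r"(?i)<\s*script\b"),
    "path-traversal": re.compile(r"\.\./"),
}


def negative_model(req):
    """Return the first blocklist rule the request trips, or None if it looks innocuous."""
    for value in [req.path, *req.params.values()]:
        for name, pattern in NEGATIVE_RULES.items():
            if pattern.search(value):
                return name
    return None


# Positive security model: each endpoint declares the parameters and formats it
# accepts; anything not described is rejected. Constructed profile for a
# hypothetical application.
POSITIVE_PROFILE = {
    ("GET", "/search"): {"q": re.compile(r"[\w\s\-]{1,64}")},
    ("POST", "/login"): {
        "user": re.compile(r"[a-z0-9._]{3,32}"),
        "password": re.compile(r".{8,128}", re.DOTALL),
    },
}


def positive_model(req):
    """Return why the request falls outside the allowlist profile, or None if allowed."""
    allowed = POSITIVE_PROFILE.get((req.method, req.path))
    if allowed is None:
        return "unknown endpoint"
    for name, value in req.params.items():
        if name not in allowed:
            return f"unexpected parameter {name}"
        if not allowed[name].fullmatch(value):
            return f"parameter {name} has an unexpected format"
    return None


# Outbound inspection: content that should never leave the server, such as a
# password file or a private key. Constructed patterns.
OUTBOUND_RULES = {
    "unix-passwd-file": re.compile(r"^[a-z_][a-z0-9_-]*:[x*!]*:\d+:\d+:", re.M),
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}


def outbound_filter(resp):
    """Return the first data-leak rule the response body trips, or None."""
    for name, pattern in OUTBOUND_RULES.items():
        if pattern.search(resp.body):
            return name
    return None


def handle(req, backend, model="negative"):
    """Inline WAF flow: inspect the request, forward it, then inspect the reply.
    Returns (decision, rule_or_reason, response_sent_to_client)."""
    verdict = negative_model(req) if model == "negative" else positive_model(req)
    if verdict is not None:
        return "blocked-inbound", verdict, Response(403, "Forbidden")
    resp = backend(req)
    leak = outbound_filter(resp)
    if leak is not None:
        return "blocked-outbound", leak, Response(403, "Forbidden")
    return "allowed", None, resp


# Constructed stand-in for a misconfigured server that serves a password file
# on one path; everything else gets a harmless page.
FAKE_PASSWD = "root:x:0:0:root:/root:/bin/sh\nwww:x:33:33:www:/var/www:/usr/sbin/nologin\n"


def leaky_backend(req):
    if req.path == "/download":
        return Response(200, FAKE_PASSWD)
    return Response(200, "<html>ok</html>")


if __name__ == "__main__":
    for r in [Request("GET", "/search", {"q": "hello world"}),
              Request("GET", "/search", {"q": "' or 1=1"}),
              Request("GET", "/search", {"q": "hello", "debug": "1"}),
              Request("GET", "/download", {})]:
        print(r.path, r.params, "negative:", handle(r, leaky_backend, "negative")[:2],
              "positive:", handle(r, leaky_backend, "positive")[:2])
```

The third sample request shows the difference between the two models: an extra `debug` parameter trips no blocklist signature and sails through the negative model, while the positive model rejects it because the `/search` profile never declared it. The last request shows the outbound safety net: the request itself looks harmless, but the response is stopped because it carries a password-file layout.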
Using a WAF as an attack detection solution
A WAF can be used as an Intrusion Detection System (IDS), where it will simply observe the web traffic, notice dangerous transactions and log them.
In this configuration, the WAF is passive and does not modify or interrupt the web traffic. Obviously this means that an attacker can still carry out an attack successfully: it will be logged, but not stopped.
Looking for attacks without blocking them can be useful to properly install and configure the firewall. Imagine a scenario where a legitimate transaction performed by a normal user is considered dangerous by the WAF: better not to block it! In fact, achieving a "perfect" WAF configuration can be difficult and risky. A transitional testing period is therefore necessary to install a WAF without putting your business activity at risk.
The drawback is that such a testing period in logging mode can be endless. If the WAF is never switched to blocking mode, attacks will never be mitigated.
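What the logging period is actually for is separating rules that catch attacks from rules that catch ordinary users, so that the switch to blocking mode can be made per rule instead of being postponed forever. The following added example (not from the original article) reads a constructed detection-mode log, summarises each rule by hit count, number of distinct clients and busiest client, and applies a simple constructed heuristic: a rule tripped once or twice each by many different clients on the same form field is flagged for human review, while a rule tripped repeatedly by few clients is a candidate for blocking. The log format, the client addresses and the thresholds are all assumptions made for the example.

```python
import json
from collections import Counter, defaultdict

# Constructed detection-mode log: one JSON object per transaction that matched a
# rule, as a hypothetical WAF might emit it. Not the output of any real product.
DETECTION_LOG = """\
{"ts":"2024-05-01T10:00:01Z","client":"203.0.113.10","rule":"sqli-tautology","path":"/login","param":"user","value":"admin' or 1=1"}
{"ts":"2024-05-01T10:00:02Z","client":"203.0.113.10","rule":"sqli-tautology","path":"/login","param":"user","value":"x' or 2=2"}
{"ts":"2024-05-01T10:00:03Z","client":"203.0.113.10","rule":"sqli-tautology","path":"/login","param":"password","value":"' or 1=1"}
{"ts":"2024-05-01T10:00:04Z","client":"203.0.113.10","rule":"path-traversal","path":"/download","param":"file","value":"../../config"}
{"ts":"2024-05-01T10:05:00Z","client":"198.51.100.1","rule":"sqli-keyword","path":"/checkout","param":"address","value":"12 Union Street"}
{"ts":"2024-05-01T10:07:12Z","client":"198.51.100.2","rule":"sqli-keyword","path":"/checkout","param":"address","value":"4 Union Square"}
{"ts":"2024-05-01T10:09:40Z","client":"198.51.100.3","rule":"sqli-keyword","path":"/checkout","param":"address","value":"Union Road 7"}
{"ts":"2024-05-01T10:11:05Z","client":"198.51.100.4","rule":"sqli-keyword","path":"/checkout","param":"address","value":"Credit Union Lane 2"}
{"ts":"2024-05-01T10:15:30Z","client":"198.51.100.5","rule":"sqli-keyword","path":"/checkout","param":"address","value":"8 Union Terrace"}
"""


def parse_log(text):
    """One event dict per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def summarize(events):
    """Per rule: hit count, distinct clients, hits of the busiest client,
    the (path, parameter) pairs it fired on, and a few sample values."""
    by_rule = defaultdict(list)
    for e in events:
        by_rule[e["rule"]].append(e)
    summary = {}
    for rule, hits in by_rule.items():
        per_client = Counter(e["client"] for e in hits)
        summary[rule] = {
            "hits": len(hits),
            "clients": len(per_client),
            "max_per_client": max(per_client.values()),
            "targets": sorted({(e["path"], e["param"]) for e in hits}),
            "samples": [e["value"] for e in hits[:3]],
        }
    return summary


def triage(summary, min_clients=3, max_per_client=2):
    """Constructed heuristic, not a vendor recommendation: many distinct clients,
    each tripping the rule only a couple of times, looks like ordinary users and
    needs review before the rule is set to block; otherwise the rule is a
    candidate for blocking mode."""
    decisions = {}
    for rule, s in summary.items():
        broad = s["clients"] >= min_clients and s["max_per_client"] <= max_per_client
        decisions[rule] = "review-before-blocking" if broad else "block-candidate"
    return decisions


if __name__ == "__main__":
    summary = summarize(parse_log(DETECTION_LOG))
    for rule, decision in triage(summary).items():
        s = summary[rule]
        print(f"{rule:16} hits={s['hits']} clients={s['clients']} "
              f"targets={s['targets']} -> {decision}  samples={s['samples']}")
```

In the constructed log, the "sqli-keyword" rule fires on the checkout address field for five different customers whose street names happen to contain a SQL keyword; that is exactly the legitimate transaction the text warns about, and it should be tuned (for instance excluded on that one field) before the rule goes to blocking mode. The tautology rule, fired repeatedly from a single client, can be switched to blocking without waiting.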
Using a WAF as a vulnerability patching solution
Fixing a vulnerability in a web application is not always a matter of minutes and sometimes requires a lot of testing and validation before the fix can be pushed to production. That is when the WAF can be used as an emergency patching solution.
In this configuration the firewall is used as a shield against known vulnerabilities inside the web application. Newly discovered vulnerabilities, whether specific to the application or more widespread, can thus be mitigated by blocking recognized exploitation attempts.
There is no big hurry to mobilize the developers immediately, as the platform can be protected quickly.
For example, if a web platform uses a CMS that has just been declared vulnerable without any fix being available (a zero-day vulnerability), using the virtual patching feature of a WAF is a good solution. When the fix is released, the CMS can be updated and the virtual patch removed.
NB: Although the firewall can be used to patch known vulnerabilities of an application, fixing the real vulnerability inside the application itself remains the recommended solution. Remember, a WAF can only be used as a safety net, whatever its configuration.
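The two properties a virtual patch needs in practice are narrow scope (it constrains only the weak endpoint and parameter, so it cannot break the rest of the site) and an explicit lifecycle (it records which application version carries the real fix and when it must be reviewed, so it does not linger after the CMS has been updated). The added example below, which is not code from the original article, models exactly that for a hypothetical CMS whose upload handler accepts any file name. The endpoint path, the parameter, the version numbers and the ticket reference are placeholders, not values from any real product.

```python
import re
from datetime import date


def version_tuple(v):
    """'4.1.3' -> (4, 1, 3), so versions compare numerically."""
    return tuple(int(x) for x in v.split("."))


class VirtualPatch:
    """One narrowly scoped blocking rule with an explicit lifecycle."""

    def __init__(self, patch_id, method, path, param, allowed, fixed_in, review_by, ticket):
        self.patch_id = patch_id
        self.method, self.path, self.param = method, path, param
        self.allowed = re.compile(allowed)  # the only input format the weak handler may receive
        self.fixed_in = fixed_in            # application version that carries the real fix
        self.review_by = review_by          # date by which someone must confirm it is still needed
        self.ticket = ticket                # where the real fix is tracked

    def inspect(self, method, path, params):
        """Return the patch id if this request must be blocked, else None.
        Requests to any other endpoint are untouched, so the patch cannot break them."""
        if (method, path) != (self.method, self.path) or self.param not in params:
            return None
        if self.allowed.fullmatch(params[self.param]):
            return None
        return self.patch_id


def enforce(patches, method, path, params):
    """Return the id of the first patch that blocks the request, or None.
    Patches stay active until deliberately removed; removal is a human step."""
    for p in patches:
        hit = p.inspect(method, path, params)
        if hit is not None:
            return hit
    return None


def needs_removal_review(patches, app_version, today):
    """Patches a human should revisit: the application already runs the fixed
    version, or the review date has passed. 'today' may be a date or ISO string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return [p.patch_id for p in patches
            if version_tuple(app_version) >= version_tuple(p.fixed_in) or today > p.review_by]


# Constructed patch for a hypothetical CMS upload handler. Placeholder values.
PATCHES = [
    VirtualPatch(
        patch_id="VP-0001",
        method="POST", path="/cms/upload", param="filename",
        allowed=r"[A-Za-z0-9_\-]{1,64}\.(?:jpg|png|gif)",
        fixed_in="4.1.3",
        review_by=date(2024, 5, 15),
        ticket="TICKET-PLACEHOLDER",
    )
]


if __name__ == "__main__":
    print(enforce(PATCHES, "POST", "/cms/upload", {"filename": "holiday.png"}))  # None
    print(enforce(PATCHES, "POST", "/cms/upload", {"filename": "notes.php"}))    # VP-0001
    print(enforce(PATCHES, "GET", "/cms/search", {"q": "notes.php"}))            # None
    print(needs_removal_review(PATCHES, "4.1.2", "2024-05-01"))                  # []
    print(needs_removal_review(PATCHES, "4.1.3", "2024-05-01"))                  # ['VP-0001']
```

Running `needs_removal_review` from a scheduled job against the deployed application version turns the author's last remark into a checkable rule: once the CMS is updated to the fixed version, or once the review date passes, the patch shows up in the list and someone has to decide to remove it rather than leaving the safety net in place indefinitely.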