This is a question I get all the time… What is a WAF? Since I maintain our WAF for my job, I usually need to educate and convince co-workers, management and application owners about why and how we should deploy it. Let’s start with the objections I usually run into and why you still should have a WAF, and then dig a bit deeper into what a WAF is really doing.
Myth 1: I have a firewall, I don’t need a WAF!
Network firewalls are a must nowadays. You would be crazy to have a Windows box sitting out on the internet without, at a minimum, its own Windows firewall running on it, right? Well, a network firewall only works at the IP and TCP level (layers 3 and 4) to limit the traffic reaching your site. But you’re still going to open up port 80 or port 443 for HTTP or HTTPS traffic, aren’t you? A WAF works further up the stack, at layer 7.
You already know you need to let the world access your web site. What you need to block are the application attacks that take advantage of that fact. For example, an attacker might find a page in your site that doesn’t sanitize database queries: perhaps your search box passes whatever characters it is given straight into a query. Instead of searching your site, they could expose the tables and values of your database. Usernames, passwords and personal data can be leaked — all over port 80 or port 443! A network firewall would just pass that right through!
Myth 2: I have an IDS/IPS, I don’t need a WAF!
An IDS/IPS is a great start to a secure perimeter. It can help you on your way to what is called a Negative Security Posture: you look for Bad Things, and when you see them, you stop them. The problem with a standard IPS is two-fold. First, its signatures, whether generic or specific, are really only looking at the data in the packets. They don’t decode or understand the application data. Why? Because they work on a broad variety of protocols (SMTP for email, HTTP/S, FTP, etc.) and as such they generally can’t see into any one of those protocols with much depth.
A true WAF decodes all of that data and applies a security posture to each of those values individually. This results in fewer false positives and better security in general. Second, since an IPS doesn’t decode that data, there are a lot of evasion techniques that can be put to use. The hacker can scramble the data so that it avoids a signature: encoded characters, for instance, or the relevant attack data spread over a few packets. Modifying the request just slightly so that it doesn’t trigger the signature is usually enough to get around them. A WAF reassembles the packets and segments into application data, fully decodes it, and checks it before sending it on to the web server. This results in much higher security.
Another major difference between the two is the ability to create what is called a Positive Security Posture. This is where you actually build a policy that says what the website requires, and literally block everything else. It can be compared to the standard “default deny” posture of a network firewall, but at the application level.
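To make the decode-then-inspect idea and the positive posture concrete, here is a small added example (not code from the original post, and not any vendor's WAF logic) that contrasts a packet-level signature run over raw bytes with a WAF-style check that parses and fully decodes each parameter before applying both a negative rule set and a default-deny positive policy. The rules, the policy and the sample requests are all constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Negative posture: signatures for known-bad patterns (constructed, illustrative rules only).
NEGATIVE_RULES = {
    "sqli-union-select": re.compile(r"\bunion\b.{0,40}\bselect\b", re.I | re.S),
    "path-traversal": re.compile(r"\.\./"),
}

# Positive posture: per-path allowlist of parameters and the shape each value may take.
# Anything not described here is denied, like a network firewall's default-deny rule.
POSITIVE_POLICY = {
    "/search": {"q": re.compile(r"[\w \-]{1,50}")},
    "/login": {"user": re.compile(r"[\w.@-]{1,64}"), "pw": re.compile(r".{8,128}")},
}

def fully_decode(value, max_rounds=3):
    """URL-decode until the value stops changing (bounded, so nested encoding cannot loop)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def raw_signature_match(raw_request):
    """What a packet-level IPS does: run the signatures over the bytes exactly as sent."""
    return [name for name, rx in NEGATIVE_RULES.items() if rx.search(raw_request)]

def inspect_request(raw_request):
    """WAF-style check: parse the request, decode every parameter, then apply both postures."""
    _method, target, _version = raw_request.split("\r\n", 1)[0].split(" ")
    parts = urlsplit(target)
    # parse_qsl removes one layer of URL encoding; fully_decode strips any further layers
    params = {k: fully_decode(v) for k, v in parse_qsl(parts.query, keep_blank_values=True)}
    for name, value in params.items():          # negative check on the decoded values
        for rule, rx in NEGATIVE_RULES.items():
            if rx.search(value):
                return ("block", f"{rule} in parameter '{name}'")
    allowed = POSITIVE_POLICY.get(parts.path)   # positive check: only what the policy describes
    if allowed is None:
        return ("block", f"path {parts.path} not in policy")
    for name, value in params.items():
        if name not in allowed:
            return ("block", f"unexpected parameter '{name}'")
        if not allowed[name].fullmatch(value):
            return ("block", f"parameter '{name}' has a disallowed format")
    return ("allow", "request matches positive policy")
```

A double-encoded query string slips past raw_signature_match but is caught by inspect_request once decoded, and a request with an extra, undeclared parameter is blocked by the positive policy even though no signature fires.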
Myth 3: My application is secure. I don’t need a WAF.
Even the smallest and simplest of applications can’t be 100% secure. Even if your code is tight, there might be a vulnerability in the operating system or the web server you’re running. A good example of this is the Shellshock vulnerability in the Linux bash shell. This vulnerability was exploitable through Apache and was pretty simple to execute! WAF vendors were quick to release signatures, and you could also build them yourself. Often, too, signatures checking for things such as command execution would catch the attack because of what the attacker was trying to run on your server. Attacks such as this aren’t limited to open source software such as Linux, but can happen on any operating system, and trust me, this wasn’t the first and definitely won’t be the last!
I always recommend a thorough, multi-faceted security solution that has low false positives and is relatively easy to set up and maintain. Why? Because otherwise it will probably just be shelfware and never be used or implemented! Blocking 80% of attacks is better to me than blocking 0% with the dream of 100% security. Also, as your organization gets more comfortable with the WAF technology, you can increase that 80% to 90%, then to 95%, and perhaps eventually to 100%, but have a clear path for how to get there.
What’s your strategy of leveraging WAF technology in your environment? Leave a comment below!