Data breaches. Ransomware. Denial of service. Botnets. All trying to infiltrate your network. These attacks can interrupt vital business operations and damage your organization’s reputation. What can you do to protect your data and applications and stay out of cybersecurity headlines? To find out how to stop these types of attacks, we talked to Dustin Larmeir, Director of Security Engineering at TierPoint, about the role of web application firewalls for IT security.
In this interview, Dustin gives us some background on what a web application firewall (WAF) is, what types of applications a WAF protects, and the types of attacks a WAF blocks.
What is a web application firewall?
Interviewer: In your own words, can you explain to us what is a web application firewall?
Dustin: A web application firewall, or WAF, protects your web applications by inspecting HTTP and HTTPS traffic for indications of malicious activity. A WAF is specifically designed to block web application attacks such as cross-site scripting attacks, SQL injection, cross-site request forgeries, and other vulnerabilities as outlined in the OWASP Top 10 and other security frameworks. Basically, a WAF is a hardware appliance or cloud solution that sits in the middle of your web traffic and provides a level of inspection and protection.
Interviewer: How does a WAF do that? What are the parts of a web application firewall?
Dustin: A typical WAF deployment would consist of these six components:
- A reverse proxy for inspecting SSL and non-SSL traffic. This server sits between the user’s browser and your server infrastructure. It decrypts and encrypts all HTTPS traffic so the traffic can be inspected, and it controls network traffic destined for the web application.
- A security engine that inspects, analyzes and takes action on the traffic.
- A signature database, which is built into the web application firewall and can identify known attack techniques and vulnerabilities
- An IP reputation database, which recognizes IP addresses associated with bots and malicious activities
- A rule management interface where you can tune your WAF, fix false positive blocks, and apply new security rules
- A reporting interface where you can pull reports on attacks, including what was allowed or blocked, and get statistics about attacks
What types of applications can a WAF protect?
Interviewer: What are the typical applications that can be protected by a web application firewall?
Dustin: Any web application has a use case for a web application firewall. In the past, enterprises focused on protecting only their most important applications with a WAF, but in today’s security landscape, it makes sense to put a WAF in front of every web application. Even though a marketing website might not contain valuable intellectual property or data that could be breached, it could be used by someone for drive-by downloads, that is, to distribute malware to your customers. Or someone could deface the website to damage your brand.
A content management system such as WordPress, which has plugins that aren’t as well maintained as the core code, has a larger attack surface. Those plugins could be exploited, and a web application firewall is a big help in mitigating the threats.
Other types of web applications, such as enterprise portals, Software as a Service (SaaS)-based applications, and application programming interfaces (APIs) all need to be protected. It’s simply a good idea, an IT security best practice, to put a WAF in front of anything on the internet that you are using for business purposes.
What types of attacks can a WAF block?
Interviewer: What kind of attacks are pushing the need for web application firewalls?
Dustin: As a web application firewall administrator, I’ve observed that attacks are becoming more complex, and traditional mitigation techniques are no longer effective. That’s driving the need for web application firewalls and good WAF vendors. Low and slow attacks and other attacks that slip under the radar are good examples. Such attacks can be incredibly low bandwidth, they don’t create a lot of noise, and so they can easily slip through the cracks without a WAF.
Another type of attack is denial of service. Bots using automated scripts are a huge part of application layer 7 denial of service attacks in this modern era. Threat actors harvest systems for use in their botnets to launch large distributed DoS attacks.
SQL injection, which is often enabled by simple programmatic mistakes, is one of the most dangerous forms of attack that a WAF can protect you from. If someone (or a bot) can use malicious SQL query language on your website to do an SQL injection attack, they could breach an entire database and dump all its data, which is a huge risk and negative outcome for any business.
Many types of legitimate processes are also used in attacks. For example, Selenium scripting: here a legitimate quality assurance process, a script that is used to QA a website, is used to conduct malicious activity against a web application. Or as another example, someone may load up an e-commerce shopping cart so full of items that they crash the database and exhaust the server. Or a bot may hammer a form to generate tons of spam or another malicious load.
All these are the types of attacks that a web application firewall is used to stop.
Interviewer: What’s the motivation behind web application attacks?
Dustin: Different threat actors have different motivations: hacktivism, organized crime and foreign government-sponsored activity, for example.
Let’s start with hacktivists. These are people who have a cause, who want to cause your organization pain or are trying to make a political statement. They might be out for blood because of something your company has done.
Some are in it for the money. If organized crime can get into your website, they can use your site to deliver malware as part of a larger breach campaign. In this case a user could come to your website, download malware without realizing it, and in this way the criminal organization gains a foothold in your customer’s network. Breaches in financial and healthcare sectors are lucrative.
Another motivation might be state-sponsored. Higher-end threat actors are engaged in advanced persistent threats (APT) sponsored by foreign governments. They might have a huge interest in an enterprise portal that contains proprietary information, intellectual property or product design information.
More on cybersecurity and web application firewalls
In the second part of this blog post Q&A series, we’ll a look at who needs a WAF and why, and the challenges enterprises face in using web application firewalls.