What is a Web Application Firewall?

Web Application Firewalls are quite different from normal packet-inspection firewalls because they operate primarily at the application layer, identifying and protecting web-based applications and servers from application-specific vulnerabilities exposed over the Internet. Let us find out more about these web application firewalls in this article.

Why is there a requirement for an additional application specific firewall?

Don’t we have enough firewalls and Unified Threat Management devices in the network already? So why do we need another one now? The answer is simple – we have (recently) changed the way in which we access applications! Almost every application developed these days is web-enabled and can be accessed from anywhere using a standard web browser.

Previously, these applications (and hence the databases behind them) were restricted to the intranet, which was difficult for hackers to reach. Now that everything is available online, they are accessible from anywhere, and hackers have identified vulnerabilities specific to individual applications in order to gain control over critical and confidential information.

E-commerce applications, for example, deal with credit card numbers and other customer details day in and day out. CRM applications might hold all your customer and order information – all of these have become mainstream Internet-based applications. A hacker might be able to get access to such critical information stored in applications (and databases). So Web Application Firewalls were devised to prevent such hacking attempts and secure web-based applications.

What is a Web Application Firewall?

Web Application Firewalls can prevent attacks specific to a wide range of web servers, databases and programming platforms because they are aware of the application and of each HTTP session. A network firewall might be able to control port-based access to applications, but it has limited visibility into the application layer and cannot prevent application-specific attacks that take advantage of coding or development flaws.

Let's face it – applications can never be 100% secure. There are always some vulnerabilities because certain development or coding aspects were overlooked. So a Web Application Firewall fully parses the HTML/XML payload and tracks the state of each application session in order to get full application-layer visibility.

Web Application Firewalls use the positive security model, which gives them the advantage of being able to prevent zero-day attacks in addition to previously known, signature-based attacks on web applications. Mostly, Web Application Firewalls identify and map all legitimate user activity in order to detect the (few) activities that are abnormal, and block those that look highly suspicious. That is an effective way to prevent malicious activity that keeps evolving for specific applications.

As you can guess, this requires a detailed understanding of legitimate user transactions within each application – including (but not restricted to) URL structures, HTTP methods, XML/SOAP schemas, cookie behavior, session ID formats, etc. Some web application firewalls are specific to certain applications, but others are more general.

But as you can guess, this method is more prone to false positives. So whether suspicious activities are blocked outright depends on the user and on how critical the application is, because application structures change frequently and web application firewalls are expected to learn the changes at the same pace.
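
The learning and checking described above, as an added illustration that is not code from the original article or from any WAF product: a small positive-security profile is learned from constructed sample traffic (method, path, parameter names and value classes, session-id format), and new requests are checked against it. The last test case also shows the false-positive caveat: a page the WAF has not yet learned is reported as unknown.

```python
import re
from urllib.parse import urlsplit, parse_qsl
# Constructed sample of legitimate traffic observed while the WAF is in learning mode.
LEARNING_TRAFFIC = [
    ("GET", "/catalog/item?id=1042", {"session": "a3f9c1d2e4b5"}),
    ("GET", "/catalog/item?id=77", {"session": "0b1c2d3e4f5a"}),
    ("POST", "/cart/add?id=1042&qty=2", {"session": "a3f9c1d2e4b5"}),
    ("GET", "/account/orders", {"session": "9e8d7c6b5a40"}),
]

def value_class(value):
    """Collapse a parameter value into a coarse class the profile can store."""
    if re.fullmatch(r"\d+", value):
        return "digits"
    if re.fullmatch(r"[A-Za-z0-9_.-]+", value):
        return "token"
    return "free"

def session_shape(sid):
    """Describe a session id by its length and whether it is plain lowercase hex."""
    return (len(sid), bool(re.fullmatch(r"[0-9a-f]+", sid)))

def learn_profile(traffic):
    """Build the allowlist: per (method, path) the parameter names and value
    classes seen, plus the set of session-id shapes observed."""
    profile = {"endpoints": {}, "session_shapes": set()}
    for method, url, cookies in traffic:
        parts = urlsplit(url)
        params = profile["endpoints"].setdefault((method, parts.path), {})
        for name, value in parse_qsl(parts.query):
            params.setdefault(name, set()).add(value_class(value))
        profile["session_shapes"].add(session_shape(cookies.get("session", "")))
    return profile

def check_request(profile, method, url, cookies):
    """Return the list of deviations from the profile; an empty list means allowed."""
    parts = urlsplit(url)
    params = profile["endpoints"].get((method, parts.path))
    if params is None:
        return [f"unknown endpoint {method} {parts.path}"]
    reasons = []
    for name, value in parse_qsl(parts.query):
        if name not in params:
            reasons.append(f"unexpected parameter {name}")
        elif value_class(value) not in params[name]:
            reasons.append(f"parameter {name} has unseen value class {value_class(value)}")
    if session_shape(cookies.get("session", "")) not in profile["session_shapes"]:
        reasons.append("session id does not match any learned format")
    return reasons
```

In a real deployment the learned profile would be reviewed and the blocking threshold tuned per application, exactly because a legitimate new page looks the same as an abnormal request until it has been learned.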

How are Web Application Firewalls deployed?

Web Application Firewalls are deployed as stand-alone hardware or software appliances, as self-contained software on the application servers themselves, or as an overlay on network firewalls, application load balancers, etc. They may be placed right in front of the application servers they need to protect, or at the edge of the network.

Are there any examples of Web Application specific attacks?

A few examples of such application specific attacks are given below:

  • SQL Injection: This technique consists of directly inserting malicious input into user-input variables that are linked with SQL commands, so that it is executed as part of the query. Using this method, an attacker can try to gain access to the back-end SQL database used by the application.
  • Cross-site scripting: If JavaScript can be made to run on a web page (either by inserting it in a modified URL or through form submissions), it can (under certain configurations) access cookies and active sessions to gather sensitive data like user names, passwords, etc.
  • Buffer Overflow: An application stores incoming data in a temporary storage space called a buffer, which has a limited capacity. When more data is written than the buffer can hold, the excess overflows into adjacent memory. If that excess data contains malicious code, it might get executed.
  • Cookie Poisoning: By changing the information contained in a cookie before sending it back to the web server, an attacker can tamper with important variables, either to impersonate other users (and hence gain access to their transaction details) or to tamper with vital data.

How does a Web Application firewall prevent such threats?

As mentioned earlier, web application firewalls map (learn) all legitimate user activity and identify (and block) activities that are clearly abnormal. They also perform signature-based threat matching to identify and mitigate known threats. They inspect every session for data that leaves the web server, to ascertain whether any critical information (such as credit card numbers) is being leaked out. Web Application Firewalls generally encrypt cookie names and values and also check whether the returned cookie elements, form-field elements and URLs have been tampered with.
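
The cookie tamper check described above (and the cookie-poisoning attack listed earlier), as an added example that is not code from the original article or from any product. It uses an HMAC tag appended to the cookie value rather than the encryption the text mentions: the WAF tags each Set-Cookie on the way out and, on the way back in, rejects any cookie whose value no longer matches its tag before stripping the tag and forwarding the clean header to the application. The key is a constructed placeholder.

```python
import base64
import hashlib
import hmac

# Assumed per-deployment secret held only by the WAF; constructed for this example.
WAF_KEY = b"constructed-demo-key-replace-in-real-deployments"

def _tag(name, value):
    """HMAC over name and value, so a tag cannot be reused on a different cookie."""
    digest = hmac.new(WAF_KEY, f"{name}={value}".encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")

def sign_set_cookie(set_cookie):
    """Response side: append a tag to the value of a Set-Cookie header the
    application emitted; the cookie attributes (Path, HttpOnly, ...) are kept."""
    name, _, rest = set_cookie.partition("=")
    value, sep, attrs = rest.partition(";")
    name, value = name.strip(), value.strip()
    return f"{name}={value}.{_tag(name, value)}{sep}{attrs}"

def verify_cookie_header(cookie_header):
    """Request side: strip the tags and return (clean Cookie header for the app,
    names of cookies whose value was modified or was never signed by the WAF)."""
    clean, tampered = [], []
    for item in cookie_header.split(";"):
        item = item.strip()
        if not item:
            continue
        name, _, tagged = item.partition("=")
        value, _, tag = tagged.rpartition(".")  # tag is base64url, so it has no '.'
        # compare_digest keeps the comparison constant-time with respect to the tag
        if not tag or not hmac.compare_digest(tag, _tag(name, value)):
            tampered.append(name)
            continue
        clean.append(f"{name}={value}")
    return "; ".join(clean), tampered
```

A cookie the browser presents without a valid tag (a forged value, or one the WAF never issued) is reported in the second element so the WAF can drop it or block the request according to policy.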

Web Application Firewalls try to hide most information about the application environment using a technique called cloaking, in which:

  • A proxy architecture, in which TCP connections are terminated and re-initiated on both sides, hides network-related information from the outside world.
  • Response headers from the web server are removed to prevent disclosure of information such as the server type (Apache/IIS, etc.), host names, etc.
  • URL components are rewritten to hide the application's directory structure, etc.
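
The second and third cloaking steps above, as an added example that is not code from the original article or from any vendor: a reverse-proxy filter that drops platform-disclosing response headers and rewrites internal paths in the Location header and body to neutral public ones, with the reverse mapping applied to incoming request paths. The header list and the path mapping are constructed for the example.

```python
# Headers the reverse proxy drops so that the backend platform is not disclosed
# (set chosen for this example; real products ship their own lists).
DISCLOSING_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "via"}

# Constructed mapping from the backend's real directory layout to the neutral
# paths that are published to the outside world.
PATH_MAP = {"/cgi-bin/shop/v2/": "/shop/", "/wp-admin/": "/manage/"}

def externalize(text):
    """Replace internal path prefixes with their public equivalents."""
    for internal, external in PATH_MAP.items():
        text = text.replace(internal, external)
    return text

def cloak_response(headers, body):
    """Outbound: drop disclosing headers and rewrite internal paths in the
    Location header and the body. Returns (headers, body)."""
    clean = {}
    for name, value in headers.items():
        if name.lower() in DISCLOSING_HEADERS:
            continue
        clean[name] = externalize(value) if name.lower() == "location" else value
    return clean, externalize(body)

def uncloak_path(path):
    """Inbound: map a public path back to the backend path. Returns None when
    the client addressed an internal path directly, which the proxy refuses
    rather than forwarding."""
    for internal in PATH_MAP:
        if path.startswith(internal):
            return None
    for internal, external in PATH_MAP.items():
        if path.startswith(external):
            return internal + path[len(external):]
    return path
```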

There are many more methods used by different vendors, and some are specific to certain applications. ModSecurity is an open-source Web Application Firewall that is free to download.

excITingIP.com
