Application Firewalls: Protecting Web Applications from Attacks
Application firewalls are a critical security layer between web traffic and your application server. Learn how WAF technology stops attacks and who the top vendors are.
The term firewall usually refers to an application or an appliance that is designed to prevent unauthorized network access through unused TCP or UDP ports. While these types of firewalls provide general purpose protection, many organizations use application firewalls as a way to protect specific applications.
What is an application firewall?
Application firewalls are designed to protect web applications against an attack. As such, an application firewall must be designed and configured to protect a specific web application. Whereas a general purpose firewall provides protection at the port level, an application firewall provides protection at layer 7 of the OSI model (the application layer). In fact, application firewalls are sometimes referred to as layer 7 firewalls.
This brings up an important point: The term "application firewall" is something of a generic term. There are many other terms that are also used for an application firewall. Some of these terms include web application firewall, WAF, WAF firewall, and even proxy firewall. All of these terms mean basically the same thing.
An application firewall is essentially a reverse proxy. A standard proxy is designed to protect client computers. A user who wishes to browse the Internet anonymously for example, may connect to a proxy server. The proxy server in this case establishes a secure tunnel with the user’s computer so that any traffic between the user’s computer and the proxy is encrypted and kept private. When the user types a URL into his or her browser, the URL is sent to the proxy server, which connects to the URL on behalf of the user and then passes a copy of the requested page back to the user who requested it. This approach maintains the user’s privacy because the user never connects to a site directly and all traffic flowing between the user’s computer and the proxy is encrypted.
That is an example of a standard proxy. An application firewall acts as a reverse proxy. Whereas a standard proxy is designed to protect a client computer (or a user’s privacy), a reverse proxy is designed to protect a server.
How an application firewall works
To understand how an application firewall works, consider the way that web servers are normally set up. Typically, a web server exists behind a standard firewall. The firewall blocks traffic to all ports except for port 80 (HTTP) and perhaps port 443 (HTTPS). When the firewall receives a request on one of these ports, it typically uses a port forwarding rule to send the request to a web server.
Depending on how the perimeter firewall is configured, it might perform some extra checks on the traffic before forwarding the packets to the web server. For example, if the firewall knows that HTTP traffic is the only type of traffic that should ever flow through port 80, then the firewall would block other types of traffic that are attempting to come in through the open port.
Typically, a web application is not confined to a single server. If a web server were to host static HTML content, then the website could presumably exist entirely within a single server. Most modern websites and web applications, however, depend on external components. At the very least, a website probably ties into a back-end database.
In an effort to keep the site secure, the database will not usually reside on the front-end web server. Instead, the database is typically placed on a back-end database server, and the front-end web server communicates with the database server through a secure channel that passes through a dedicated firewall.
In this particular case, the front end web server is acting at least somewhat like a proxy. Clients that are accessing the website are not making database queries themselves. The front end web server is making a database query on the client’s behalf. In doing so, the web server also shields the database server from being exposed to Internet traffic.
An application firewall works in a somewhat similar manner. The application firewall sits between an organization’s perimeter firewall and a web server or web application server. When a client attempts to access the web site or web application, the client's request passes through the perimeter firewall using port 80 or 443. But rather than directing the request directly to the web server, the firewall's port forwarding rule sends the request to the application firewall. The application firewall then filters the request and passes it to the web server. The web server then handles the request. Depending on the nature of the web application, the web server may proxy requests to a backend database server, just as it did before.
In this example, the web application firewall is performing two main tasks. First, the application firewall is shielding the web server from Internet traffic. Although the perimeter firewall forwards Internet-based requests to the application firewall, the application firewall does not forward those requests to the web server. Instead, the application firewall acts as a proxy, making a request of the web server on behalf of the client and then forwarding the result of that request back to the client. This keeps the web server from being exposed to the Internet and makes it more difficult for hackers to gather information about the web server. Web traffic never communicates directly with the web server. In fact, the web server is typically equipped with a software firewall that is configured to allow it to communicate only with the application firewall and the backend database server.
The second task that the web application firewall is performing is that of making sure the request is safe before proxying that request to the web server. One of the key differences between a port-level firewall and an application firewall is that an application firewall has detailed knowledge of the application that it is protecting. Because of this, the application firewall knows which types of requests are normal and can therefore filter out (or drop) abnormal requests. For example, an application firewall might be configured to prevent the use of malformed URLs or SQL insertion attacks.
Although these are the basic types of tasks that are performed by an application firewall, an application firewall can be designed to perform some additional tasks. For example, some application firewalls also act as load balancers. As requests for a web application come into the organization, the application firewall may proxy those requests to a collection of back-end web servers. Typically, the proxy request would be distributed in a round-robin fashion to evenly distribute the requests among the available web servers.
A WAF can act as an intrusion prevention system
A web application firewall may also act as an intrusion prevention system. An intrusion prevention system is similar to an intrusion detection system, with one big advantage: While an intrusion detection system passively detects attempted security breaches, an intrusion prevention system is designed to take action against those attempts.
In order to prevent an attack, an intrusion prevention system must be able to first detect the attempt. In so doing, an intrusion prevention system works similarly to an anti-malware program. Anti-malware software typically relies on a signature database that identifies known malware. Similarly, intrusion prevention systems use a signature database to identify known exploits. An IPS scans the traffic stream, looking for matches. For example, an intrusion prevention system might look for port scans or denial of service attacks.
Since there can be variations of attacks that may not exactly match a signature found in the database, some intrusion prevention systems use heuristics as a mechanism for identifying attacks for which no signature exists. The disadvantage to using heuristics, however, is that doing so carries the risk of false positives.
If an attack is detected, there are several different actions that an IPS may take. The most basic of these actions is that of dropping the potentially malicious packets and then blocking further traffic from the source address. In addition, an IPS may generate an administrative alert or even communicate the detected attack to the perimeter firewall so that the perimeter firewall can block further traffic from the source.
Web application firewall vendors
Application firewalls can come in a variety of different forms. An application firewall can exist as a software application, a hardware appliance, or even a virtual appliance. Depending on the volume of web traffic that an organization receives, a dedicated hardware appliance may be preferable because traffic must be scanned in near real time.
It is also worth noting that some application vendors provide their own application firewalls. Microsoft, for example, has created an edge role for Exchange Server. Although Microsoft does not usually refer to an edge server as an application firewall, it performs the same basic tasks as a more traditional web application firewall by shielding Exchange mailbox servers from the Internet.
Here are some web application firewall vendors to consider:
- A10 Networks