Thinking About Web Application Firewalls

by François Gaudreault

Web Application Firewalls (WAFs) are growing in the market, providing many benefits including the prevention zero-day exploits.

What is a Web Application Firewall?

By definition, a web application firewall is a device that sits between the client and the web server and analyses layer 7 messages for violations in the defined security policy. In other words, WASFs look at HTTP/HTTPS/SOAP/XML requests and responses and look for potential attacks according to predefined rules on the device or abnormal behavior.

Why use WAFs?

IT managers or Network professionals can use WAFs in their infrastructure for some of the following reasons:

• Block common web attacks like SQL Injections, XSS, CSRF, Command Injections, or Data Leak.
• Help preventing 0-day attacks on code you don’t know
• Use in a Reactive or Proactive way (block or just alert basically)
• Protect from HTTP DDoS
• Help get PCI DSS certification

What to look for?

If you are interested in using WAFs, many solutions are available on the market. You should consider the following four key requirements on the technical side as you compare solutions:

• Performance. It all comes down to how much bandwidth and packets per seconds the WAF can handle. You want to look at a unit that can deliver with the load you have now, and scale as you grow.
• Management and Feature set. You should look for a compromise between ease of use and number of features. You don’t want to end up with a too complex GUI, use only CLI for some feature configuration or have a lack of features that you need in your infrastructure. Find the balance you like.
• Rules. How often will the vendor propose rules update? Can you add your own rules? Can you modify the vendor rules? Those are some questions you need to ask when investigating for a potential WAF.
• Learning/Training. Another key feature would be to have training or learning mode on the appliance. You can then determine which alert is a false positive, and which one is not. You could also tell the appliance which response is normal and expected, and then block everything else.

Challenges with WAF

There are some concerns with the bypassing of WAFs, called WAF evasion. In a future post we will investigate the potential threats (and response) from attacks such as:

• Mixed Cases to bypass REGEXP matching
• Random comments in SQL Injection queries
• SQL query encoding using Hex
• Packet fragmentation
• URI Encoding (Unicode)