How a WAF Could Improve the Security of Your Linux Web Applications
The use of Web Applications is growing amongst businesses, however, that also makes these businesses a target for Cyber Criminals to attack. If there are vulnerabilities within your Web Application, then that means there is a flaw that attackers may exploit to really wreak some havoc to an individual, small business, or even large corporations alike.According to recent statistics, about 95 Web Applications are attacked daily and about 3,000 Web Applications are either scanned or visited by bots every single day. As everything becomes digitized and companies and users alike start to move their daily operations to web applications, if you are amongst one of the many people who has and uses a Web Application, or are planning in using one, then using a WAF could greatly improve the security of your web applications and furthermore, put your mind at ease from being attacked just a little bit more.
Brief Overview of How a WAF Works
A WAF or web application firewall helps protect web applications as well as API applications by monitoring and filtering HTTP/HTTPS traffic between a web application and external users by blocking traffic from malicious sources. Since web applications and API applications are considered to be a part of Layer 7 of the OSI model, a WAF is considered to be “Layer 7 security tool”. Additionally, Discovering new vulnerabilities can be tiresome and creating new scripts to protect against these vulnerabilities isn’t really ideal as you are extending more resources for security. Rather than continuously writing scripts to keep up with the constant new vulnerabilities, with a WAF, you can just update the signature of any new vulnerability and that is that. No additional work is required. It is quite convenient and one of the most effective ways to keep your web application secure. Below, let’s look at the possible attacks a WAF can help protect against.
A WAF Protects Against:
- DDoS Attacks: These attacks are prevented by WAFs through everyday scanning of applications, monitoring, Global Threat Intelligence, and AI to identify pretender bots, malicious requests, unauthorized sources, etc and block them. With managed WAFs like AWS WAF or even Azure's WAF, it gives you control over which traffic to allow or block by creating security rules.
- SQL Injection Attacks: WAFs mitigate almost all SQLi Attacks, however, they could produce false positives. The rulesets that are set by default, or the rulesets that you might happen to configure, will most likely flag down any instance of an SQLi attack it finds. It is not the most effective way to block out SQLi attacks so you can even specify your WAF ruleset even further. You can cross reference the SQLi attacks with popular, well known malicious source IP addresses to confirm whether the SQLi attack was a valid attack or not. This process can be very time consuming but it is all for the sake of security. Furthermore, you can establish a ruleset that sets all events of an SQLi attack to not severe and then cross examine those events with blacklisted sources or globally known threat signatures. If it comes back to a match, then you can specify an action for that event e.g block that incoming traffic or drop the connection.
- Cross-Site Scripting (XSS) Attacks: In the case of XSS attacks, most WAFS rely on signature based filtering to identify and block malicious requests. These signatures are usually apart of a large list of well-known signatures or blacklisted signatures that are then used to mitigate these attacks. AWS, on the other hand, allows you to block, allow, or monitor requests based on Cross-Site Scripting match conditions. Once the match condition is found within a web application and that condition is met, you can choose to do one of the following above. Moreover, being the most WAFs have some type of AI real-time detection, this ensures protection without the time-consuming process of manually configuring the web application firewall.
- Cookie Poisoning: A Cyber Criminal can alter a cookie to gain unauthorized access to a user's account or possibly even send false information & commands back to the back-end, or the server. A WAF will protect against cookie poisoning by detecting cookie "set" commands sent by the web server and intercepting all HTTP requests in order to compare them to the information present in the received cookie. The cookie is then only accepted if the information is deemed accurate and not tampered with, preventing any kind of forgery or manipulation by an attacker.
What makes a good WAF?
Web Application Firewalls are valued by security-conscious enterprises as a vital component in an efficient security system for validating website security and strengthening their security. As WAFs become increasingly mission-critical, it is also vital that they are also easy to use. On top of being easy to use, being able to scale the WAF to the amount of applications you have is just as equally important. Moreover, a good WAF protects your application against layer 7 threats by dynamically monitoring traffic and providing signatures, so security is another factor to keep in mind. Your WAF, regardless of its depth of features, is just one component of a multi-layered security plan. You can go a long way toward guaranteeing full protection for your business essential apps by ensuring that you utilize a WAF and other security measures.
Some Available Commercial WAFs on the Market
These are in no general order, just some of our favorite and recommended WAFs:
- Cloudflare WAF Solution: Personally, this is one of my personal favorites as it is scalable (due to the cloud architecture) and it thwarts many different types of attacks. The default rulesets that come with the Cloudflare WAF solution are enough to keep even some large corporations web apps safe and moreover, it allows you to customize rulesets that will tend to your specific needs. On top of being scalable and reliable, it is also fairly easy to use. Being that it is one general control panel that manages everything, it does not require excessive training and understanding. The Cloudflare WAF also manages to detect zero day attacks before they even emerge and is ready to use within seconds after creating new rulesets, compared to other WAFs which may take a little longer to start up. Learn more about the Cloudflare WAF here.
- AWS WAF: Another one of our favorites is the AWS Web Application Firewall. AWS being the most popular choice to host web applications, it is only fair that they provide a firewall solution for your web applications. The AWS WAF gives you control over the traffic that reaches your web apps and allows you to block common attack patterns, such as the attacks mentioned in the OWASP Top 10. The reason why the AWS WAF is amongst one of the most used is because of its convenience. It is all managed through AWS of course but there are also rules that you can configure yourself or you can even use a pre-configured ruleset that you can just check off if you’d like to use it. Just like the Cloudflare WAF Solution, AWS also prioritizes speed without risking security. According to AWS, they state that their “WAF supports hundreds of rules that can inspect any part of the web request with minimal latency impact to incoming traffic.” Not only does AWS provide speed, security, and reliability, but they also provide scalability within seconds and moreover, they allow you to use the AWS WAF across any web application you deploy. Not to mention that the AWS WAF is amongst a few web application firewalls that allows you to monitor, track, and mitigate bot traffic to your web applications without affecting other traffic to your application. Follow the links below to further look into the AWS WAF:
- Azure WAF: Another great WAF solution would be none other than the Azure WAF. Like AWS, Azure is considered to be a solid choice for hosting websites and applications. Being that it is amongst one of the more popular choices, it is also in the crosshairs of Cyber Criminals. The Azure Web Application Firewall provides a centralized protection of your web applications from common exploits and vulnerabilities. Azure built their Core Rule Sets around the OWASP Top 10, just as AWS has. The Azure WAF sits in the Application Gateway meaning that you can create many different WAF policies and properly route them to the correct applications using the Application Gateway. Below are some of the features from the WAF documentation provided by Microsoft, and a tutorial on how you can get started configuring your WAF:
Some Open-Source WAFs Available
These are in no general order, just some of our favorite and recommended Open source WAFs:
- OctopusWAF: OctopusWAF is a highly customizable Open-Source WAF for high performance applications. It is entirely created in C language and also uses libevent to make multiple connections. Essentially, libevent is an API that returns a callback function when a specific event occurs on a file descriptor or after a timeout has been reached. The event-driven architecture is optimized for vital, high-performance Web applications. This tool is very light and can be deployed in any manner that suits your needs. This resource turns perfect for protecting specific endpoints that need customized protection. OctopusWAF has the following features:
- Reverse proxy functions
- Detects anomalies using regex using lib PCRE resources
- Detects security anomalies using algorithms for matching string like DFA, horspool or karp-rabin
- Detects security anomalies using libinjection
- Options to save logs
- ModSecurity: ModSecurity is an easy-to-install, dominant open-source web application firewall that starts working immediately after installation. It comes with a plethora of options that you can use to secure your web apps. ModSecurity gives you entire control over extending the tool's capabilities to meet your specific demands. Additionally, the community base for ModSecurity is quite large and they are constantly rolling out releases and updates. Trustwave just recently returned ModSecurity back to the open-source community so we cannot wait to see what people come up with. ModSecurity offers:
- Real-time application security monitoring and access control
- Full HTTP traffic logging
- Continuous passive security assessment
- Web application hardening
- Shadow Daemon: Shadow Daemon is a web application firewall that intercepts requests and filters out potentially harmful inputs. To maximize security, flexibility, and expandability, it is a modular system that separates web application, analysis, and interface. Shadow Daemon is totally open source, which means that anybody may examine and modify it. Shadow Daemon also employs tiny connections at the application level to intercept requests. This ensures that the examined data is identical to the web application's input data, which many firewalls fail to accomplish successfully. Shadow Daemon supports the following languages:
Moreover, Shadow Daemon can detect the following attacks:
- SQL injection
- XML injection
- Code injection
- Command injection
- Backdoor access
- Local/remote file inclusion
Shadow Daemon is a great open source WAF that provides discrete protection and secure architecture.
As we took a closer look at the type of attacks that can be executed against web applications and as we see how detrimental these attacks can be to daily users and companies alike, a WAF is the perfect solution to help protect your sites and applications. Whether you’re using AWS, Azure, Cloudflare, or any other hosting service, a WAF can safely and easily be deployed as a tool to protect yourself, your company, your hardware and resources, and your information by reducing the attacks carried out on them.