Everyone knows you need a firewall, but installing one isn’t the final step in keeping your computer network safe. Hackers are continually refining their techniques, and the proof is in the numbers; the number of data breaches in the United States has been steadily rising since 2008. That’s an unfortunate truth; however, the trend doesn’t have to continue. In addition to following standard security procedures, installing a web application firewall, or WAF, is a fast and cost-effective way to enhance the security of your computer network.

What is a Web Application Firewall?

WAFs are not designed to protect the “perimeter” of a computer network. Instead, they act as a guard intended explicitly to monitor web-based traffic. In practice, a WAF resides in front of a web application, like a bodyguard in front of the president, and screens all ingoing and outgoing HTTP traffic to block anything malicious. WAFs are programmed to detect several common threats, some of which we’ll address now.

How WAFs Protect Networks  

Importantly, WAFs are designed to work in conjunction with a full suite of security products like traditional firewalls and intrusion prevention systems. While they are quite effective at blocking certain types of attacks, they are not designed to protect against every threat. With that in mind, here are three of the most common cyber-attacks that WAFs help to prevent.

SQL Injection

A SQL vulnerability allows a hacker to inject malicious code, allowing them to do many things that you’d prefer they didn’t. That includes downloading the contents of an entire database, including intellectual property and customer information. Or, if they don’t steal the data, they can modify or delete it. An SQL attack is often the result of a software security vulnerability (less than perfect backend code). A WAF can protect against an SQL injection by preventing requests associated with suspicious signatures. Without a WAF, it’s easier for a nefarious character to pass off a fraudulent claim as authentic.

Path Traversal

A path traversal attack, also known as a directory traversal attack, is an exploit whereby a hacker accesses data stored outside of the root folder. That data can include config files and other sensitive files not meant for public consumption. To commit a path traversal attack, a hacker attempts to use absolute file paths to gain access to data. In this way, he or she isn’t exploiting a bug in the software; instead, they’re exploiting a lack of security. A WAF protects against this attack by scanning HTTP requests and preventing hackers from uploading attack archives to the system.

XSS Attack

An XSS attack, or Cross-Site Scripting attack, is an exploit where a hacker runs a malicious script in a user’s browser, ostensibly acting on behalf of a benign web application. XSS attacks are one of the most common exploits seen today, and they can have a variety of adverse outcomes from malware infection to user account deletion. The problem is that XSS attacks are simple, effective, and often not guarded. It’s been suggested that up to three-quarters of all websites are vulnerable to this type of exploit.

Similar to SQL injection attack prevention, a WAF can prevent an XSS attack by scanning security signatures. Requests associated with suspicious signatures are blocked. For this reason, a WAF provider must regularly update their security database as new attack vectors become known.

Why WAFs are Critical

Data breaches are expensive. Despite this, a PT Security study claimed that “One out of three web applications was graded as having an inferior level of security; this represents an increase of 15 percent over 2017.” If their data is reliable, it indicates that security is getting worse over time. Given that the stakes are higher than ever, and millions of people are uploading their entire lives to the internet, it doesn’t pay to run a network with vulnerabilities. Being safe is a heck of a lot better than being sorry.

To that end, WAFs are one of the most effective tools at discerning fraudulent web traffic. Hackers today have become increasingly adept at disguising their code, interlacing it with seemingly safe website traffic, such that other security systems may fail to detect it. Yet a WAF, with its ability to scan every HTTP request, can catch attacks that other security countermeasures miss. Programmers are not perfect, and even if the backend code is buggy, a WAF can stop a hacker from exploiting it.  

Types of Web Application Firewalls

Like all great things, a WAF comes in several flavors. A blacklist WAF blocks malicious traffic by comparing signatures to a database of known exploits. As mentioned above, to be effective this database ought to be regularly updated as new threats are discovered. A whitelist WAF works differently, by only allowing traffic from trusted websites. This more restrictive security model may not work for all users, however, many WAFs enable users to create a hybrid between whitelist and blacklist protection. In terms of implementation, there are three ways to integrate a WAF in your network.

Network-Based WAF

A network-based WAF is typically hardware-based. The main advantage is a reduction in latency owing to their local installation. Since rules and settings can be replicated across different appliances, network-based WAFs are suitable for enterprise use. The downside of a network-based WAF is the costs associated with the purchase, storage, and maintenance of physical equipment; this is the most expensive option.

Host-Based WAF

More price friendly than a network-based WAF, a host-based WAF is one integrated into an application’s software. The benefit here is a reduction in hardware cost as well as an increased ability to customize the WAF’s working parameters. A host-based WAF, however, depends on local server resources and can be challenging to integrate into an existing system.

Cloud-Based WAF

Finally, a cloud-based WAF provides the easiest implementation experience. All that’s required is a simple DNS traffic redirect to filter traffic through the WAF. Unlike a network-based WAF, there is no upfront hardware cost. Instead, there is a monthly or annual service charge. The downside is the lack of control. With a cloud-based WAF, a third-party controls security and may or may not make certain features available. The implementation is fast and straightforward, but there is a lack of customization possibility as compared to a host-based WAF.

The Last Word

No matter what your business, if it involves a computer, you should be using a WAF to keep your network secure. A web application firewall is a highly effective, affordable security solution that can prevent the expense and embarrassment of dealing with a preventable security breach. For more information on protecting your digital infrastructure, reach out to Vandis via phone (516-281-2200), email(info@vandis.com), or our contact form.