WAF Security
When people think about website security, their first thought is probably anti-malware scanning. That is entirely understandable. In actual fact, however, you also need to think about web application firewall (WAF) security. Here is a quick guide to help.
What is a web applications firewall (WAF)?
A web application firewall is the application-layer counterpart of a regular network firewall. A network firewall filters packets on addresses, ports and protocols and has no idea what an HTTP request means; a WAF sits in front of your web servers and inspects the HTTP requests (and, in most deployments, responses) themselves, so it can shield the servers from users with malicious intentions. Just like a network firewall, a WAF screens traffic in both directions (outgoing as well as incoming) for signs that anything is amiss. It can also be told to wave through traffic that is known to be safe.
WAF security - what it means in practice
Sadly, nobody has yet invented a "silver-bullet solution" for all security issues. Instead, you have to mix and match different controls to get the protection you need. WAF security is focused on layer seven of the OSI seven-layer model, the application layer. In other words, it protects web applications from threats such as cross-site request forgery (CSRF), cross-site scripting (XSS) and SQL injection, as well as application-level DDoS attacks. It offers only limited protection against infrastructure-level DDoS attacks, for reasons covered below.
WAFs and DDoS
Given that DDoS attacks are such a major nuisance in today's online landscape, it's worth taking the time to understand where your WAF fits into your strategy for keeping them at bay.
There are two main types of DDoS attack. These are infrastructure-level DDoS attacks and application-level DDoS attacks. Both aim to cripple a website with fake traffic, but they go about it differently.
- Infrastructure-level DDoS Attacks
- Application-level DDoS Attacks
Infrastructure-level DDoS attacks do this by sending a volumetric barrage of traffic, which is impossible to miss but very hard to absorb. Application-level DDoS attacks do this by targeting high-value, expensive areas of a website, like the login page or the payment page, where each request costs the server far more work than it costs the attacker to send.
They aim to send just enough fake traffic to slow the target down without sending so much that the victim can easily see an attack is under way. Even when these attacks are detected, it can be very difficult to identify the defining characteristics of the attacking traffic, which you need before you can put a stop to it.
WAFs do play a role in managing DDoS attacks. That role, however, is more one of giving you a baseline view of your legitimate traffic (both source and volume), and of rate-limiting sources that hammer the application paths that matter, than of absorbing a flood. In theory, a WAF does have the functionality to handle DDoS attacks. In practice, the problem is that even a robust WAF is unlikely to have the capacity to handle the traffic volumes involved in modern volumetric attacks, because every packet it inspects still has to reach it first.
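The detection logic this paragraph describes, as an added example that is not part of the original article: a small Python script that parses Apache combined-format access log lines, reports a per-path baseline (request volume and distinct sources), and flags any source that exceeds a per-minute threshold on a protected path, which is how a low-and-slow flood on a login page shows up even when total volume looks normal. The log lines are constructed, and the protected paths, window and threshold are assumed values you would tune from your own baseline.

```python
"""Detect low-and-slow application-layer floods against high-value paths.

Hypothetical example: parses Apache combined-format access log lines and
flags any source that hits a protected path more than THRESHOLD times in
any WINDOW_SECONDS sliding window. All traffic below is constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
PROTECTED_PATHS = {"/login", "/checkout"}   # assumed high-value endpoints
WINDOW_SECONDS = 60                          # assumed sliding window
THRESHOLD = 10                               # assumed: >10 hits/source/minute on one path is abusive


def parse(line):
    """Return (ip, path, timestamp) or None for a line the regex does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], m["path"].split("?", 1)[0], ts


def path_baseline(lines):
    """Baseline view: per path, (total requests, number of distinct source IPs)."""
    totals, sources = defaultdict(int), defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec:
            ip, path, _ = rec
            totals[path] += 1
            sources[path].add(ip)
    return {p: (totals[p], len(sources[p])) for p in totals}


def find_abusive_sources(lines, protected=PROTECTED_PATHS, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Sliding-window count per (ip, path); lines must be in chronological order.

    Returns {(ip, path): peak requests seen inside one window} for offenders only.
    """
    recent, peaks = defaultdict(deque), {}
    for line in lines:
        rec = parse(line)
        if not rec or rec[1] not in protected:
            continue
        ip, path, ts = rec
        q = recent[(ip, path)]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:   # drop hits older than the window
            q.popleft()
        if len(q) > threshold:
            peaks[(ip, path)] = max(peaks.get((ip, path), 0), len(q))
    return peaks


def _line(ip, ts, method, path, ua="Mozilla/5.0"):
    """Format one constructed combined-log line."""
    return f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S} +0000] "{method} {path} HTTP/1.1" 200 512 "-" "{ua}"'


def constructed_log():
    """Constructed traffic: one quiet attacker on /login, a real user retrying, static noise."""
    t0 = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    events = []
    for s in range(30):                       # attacker: one POST /login per second
        events.append((t0 + timedelta(seconds=s), "203.0.113.10", "POST", "/login"))
    for s in (5, 40, 70):                     # legitimate user retrying a password
        events.append((t0 + timedelta(seconds=s), "198.51.100.7", "POST", "/login"))
    for s in range(50):                       # static page hits, not a protected path
        events.append((t0 + timedelta(seconds=s), "192.0.2.4", "GET", "/index.html"))
    events.sort(key=lambda e: e[0])
    return [_line(ip, ts, m, p) for ts, ip, m, p in events]


if __name__ == "__main__":
    log = constructed_log()
    print("baseline:", path_baseline(log))
    print("abusive:", find_abusive_sources(log))
```

The attacker never exceeds a rate that would stand out in the total request count (80 hits on a static page dwarf it), but per-source counting on the protected path alone makes it obvious. In a real deployment the threshold comes from the baseline the WAF gives you, and the response would be a rate limit or challenge on that (ip, path) pair rather than a blanket block.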
If you're running a really small site and your budget is really tight, then you might be OK with just a WAF, especially if you have robust infrastructure and plenty of bandwidth. These days, however, most businesses will benefit from supplementing their WAF with a dedicated DDoS mitigation service.
These sit in front of the WAF rather than replacing it. As their name suggests, they are built specifically to absorb and filter DDoS traffic at scale; some engage only when an attack is detected, others run always-on. Either way, they provide invaluable extra support for your WAF.
Getting the most out of WAF security
The key point to understand about WAF security is that it is based on rules. The better you fine-tune those rules, the better your WAF can protect your website. There are two ways WAFs can apply their rules: blacklisting (a denylist of traffic to block) and whitelisting (an allowlist of traffic to let through). Most WAFs can now use either approach, or both together.
Odd as it may sound, it can be advisable to start by whitelisting traffic you know to be safe. As a minimum, whitelist the "good bots", like the ones the search engines use to crawl your site, so that they are not blocked, even temporarily, if someone has to clamp down on bots in general (and botnets in particular). Do not whitelist them by User-Agent string alone, since anyone can send one; the major search engines publish a way to verify their crawlers, typically a reverse DNS lookup on the source IP confirmed by a forward lookup, or a published list of crawler IP ranges. Keep payload inspection on for whitelisted sources too: a whitelist entry should exempt a source from bot rate limits, not from injection checks.
It's probably fair to say, however, that for the most part the focus of a WAF (and the IT team behind it) will be on blacklisting traffic that is known to be malicious and on identifying malicious traffic which isn't yet on the blacklist.
It would be lovely if you could just "set and forget" this blacklist, but in reality you're going to need to update it, at least periodically. For example, IP ranges you block because you know you don't have customers in those territories may need to be unblocked if you expand into them. Likewise, ranges that are currently open may have to be closed off if they become a source of attacks, and signature rules need tuning as false positives turn up. Make a point of keeping a close eye on this.
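A toy rule engine, added here as an example and not any vendor's WAF, showing how the whitelist and blacklist described above fit together: an IP denylist that has to be maintained as the business changes, payload signatures applied to every request, and a good-bot whitelist verified by reverse-then-forward DNS (simulated with a constructed lookup table so it runs offline) that exempts crawlers from a bot clampdown but never from payload inspection. The IP ranges, requests and signatures are all constructed and deliberately small; a production ruleset such as the OWASP Core Rule Set is far more thorough.

```python
"""Toy rule-based WAF with a whitelist (allowlist) and a blacklist (denylist).

Hypothetical example, not any vendor's engine. Requests, IP ranges and the
DNS table are all constructed; the signatures are deliberately minimal.
"""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import unquote_plus


@dataclass
class Request:
    ip: str
    method: str
    path: str
    query: str
    user_agent: str


# Blacklist: payload signatures checked on every request, whitelisted or not.
DENY_RULES = [
    ("sqli", re.compile(r"(?i)(\bunion\b.+\bselect\b|'\s*or\s+'?1'?\s*=\s*'?1|;\s*drop\s+table)")),
    ("xss", re.compile(r"(?i)(<script\b|javascript:|\bon\w+\s*=)")),
    ("traversal", re.compile(r"(?i)(\.\./|\.\.\\|%2e%2e)")),  # second form catches one extra encoding layer
]

# IP blacklist that must be maintained as the business changes (constructed range).
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Whitelist of "good bots", verified by reverse DNS then forward DNS, never by
# User-Agent alone. This table stands in for real lookups so the example runs offline.
GOOD_BOT_SUFFIXES = (".googlebot.com", ".google.com")
REVERSE_DNS = {
    "66.249.66.1": "crawl-66-249-66-1.googlebot.com",   # constructed: forward record agrees
    "198.51.100.9": "crawl-fake.googlebot.com",          # constructed: spoofed PTR, forward disagrees
}
FORWARD_DNS = {
    "crawl-66-249-66-1.googlebot.com": "66.249.66.1",
    "crawl-fake.googlebot.com": "198.51.100.200",
}
BOT_UA = re.compile(r"(?i)(bot|crawler|spider)")


def is_verified_good_bot(ip):
    """Reverse lookup must land in a known crawler domain AND forward-resolve back to ip."""
    host = REVERSE_DNS.get(ip)
    if not host or not host.endswith(GOOD_BOT_SUFFIXES):
        return False
    return FORWARD_DNS.get(host) == ip


def evaluate(req, bot_clampdown=False):
    """Return ("block", rule_name) or ("allow", None)."""
    addr = ipaddress.ip_address(req.ip)
    if any(addr in net for net in BLOCKED_NETWORKS):
        return "block", "ip-denylist"
    # Decode once so URL-encoded payloads meet the same signatures as plain ones.
    target = unquote_plus(req.path) + "?" + unquote_plus(req.query)
    for name, rx in DENY_RULES:
        if rx.search(target):
            return "block", name
    # During a clampdown on bots, only verified good bots may keep crawling.
    if bot_clampdown and BOT_UA.search(req.user_agent) and not is_verified_good_bot(req.ip):
        return "block", "unverified-bot"
    return "allow", None


if __name__ == "__main__":
    samples = [   # constructed requests
        Request("192.0.2.10", "GET", "/products", "id=42", "Mozilla/5.0"),
        Request("192.0.2.10", "GET", "/products", "id=42%27+OR+%271%27%3D%271", "Mozilla/5.0"),
        Request("192.0.2.10", "GET", "/search", "q=%3Cscript%3Ealert(1)%3C%2Fscript%3E", "Mozilla/5.0"),
        Request("192.0.2.10", "GET", "/static/..%2F..%2Fetc/passwd", "", "Mozilla/5.0"),
        Request("203.0.113.5", "GET", "/", "", "Mozilla/5.0"),
        Request("66.249.66.1", "GET", "/", "", "Googlebot/2.1"),
        Request("198.51.100.9", "GET", "/", "", "Googlebot/2.1"),
    ]
    for r in samples:
        print(r.ip, r.path, r.query, "->", evaluate(r, bot_clampdown=True))
```

Two design points are worth noticing. The verified crawler is waved past the bot clampdown but still goes through DENY_RULES, so a whitelist entry never becomes a free pass for injection payloads. And the signatures show why the blacklist cannot be "set and forget": the XSS pattern `\bon\w+\s*=` will fire on a perfectly legitimate query parameter named `online`, which is the kind of false positive you discover in logs and then tune out.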
Please click here now to have your website scanned, for free, by cWatch from Comodo.