
How a WAF protects your applications


Every team that hosts an application in the public cloud needs to think about protecting it against attackers. For internet-facing applications such as websites and APIs this is an absolute must: if you do not invest enough time and effort, your data is at serious risk. Take special care with serverless computing, since its security context differs from the more traditional deployment models such as virtual machines or containers. In this article we explore what a WAF is and how it helps you protect your applications.

A short note on Firewalls

Everyone needs a firewall to protect their network and applications. In a traditional data center the firewall is the core point of entry and exit for all traffic entering or leaving the (internal) network. Your entire network, and thus your entire data center infrastructure, depends on how well or how badly that firewall is set up. Given this, you can imagine that the firewall team pushes back on changes that are out of their control. Push-back in this sense is a good thing, since you don’t want your organization exposed to risks it can’t handle. However, you still want to bring your applications to production, don’t you?

What is a WAF

Before we dig into WAFs, let’s first capture the main concepts of traditional firewalls. Professional firewalls come as hardware, software, or a combination of both.

Hardware based firewalls

Typical hardware-based solutions for small and medium-sized businesses (SMB) look like small routers. Their main function is to filter traffic and block malicious traffic based on predefined rules. More advanced products also let you define your own rules, and some offer a Layer 7 traffic shaper as well as a content filter. Typical products are Ubiquiti’s gateways and the Protectli Firewall Appliance.

These solutions are not enough for enterprises, which require professional products that can be fully customized to a large number of use cases. Popular enterprise firewall products are the Cisco Meraki MX and the Palo Alto Networks NGFW PA-Series. Organizations that choose this kind of solution do not spare on expense: they need a reliable solution that scales, professional support, and advanced features such as serving remote locations and offices through VPN and SD-WAN. Besides that, professional solutions need to filter and log traffic and provide good visibility into what flows through the network.

Software based firewalls

Software-based firewalls, by contrast, do not come as a physical device, but they need to offer the same features as hardware-based ones. Focusing on network firewalls, the following methods are used to control traffic:

  • Proxy service: the proxy sits between the client making the request and the other end of the connection. Internal network addresses are hidden, and the proxy acts as a pass-through gateway to the receiver.
  • Packet filtering: each packet is checked against so-called filters. Only allowed packets pass; everything else is dropped or rejected (and logged).
  • Stateful inspection: the firewall tracks the state of each connection over time, so an inbound packet is only allowed if it belongs to an established connection or opens a new one the rules permit. Next-generation firewalls build on this with application-layer (Layer 7) inspection.

From the perspective of the cloud consumer, (almost) everything is built on virtualized, non-physical resources. A WAF falls into the category of software-based firewalls, as a special type that understands HTTP: it sits between your external-facing applications and the devices from which end users connect to them.

Requirements

Based on the knowledge gathered so far, what are typical requirements for a Web Application Firewall? Your application needs to be protected against attacks such as:

  • Attacks that misuse or exploit a known or unknown weakness in your application. Concrete examples are malformed requests that trigger unwanted behavior or reveal information you would normally hide from end users.
  • DDoS (Distributed Denial of Service) attacks, which flood your application with a large number of (invalid) requests. Either your application becomes unresponsive, or your cloud infrastructure scales up (without bound, if you set no upper limits) and you end up with a huge cloud bill.
  • Bad bots: think of content scrapers that systematically steal the information on your website, or scanners that probe your application for weaknesses such as security misconfigurations or known vulnerabilities. You need to keep bad bots out while still allowing friendly ones, such as the search engine crawlers that index your site (if you want that, of course).

Types of protections

Let’s zoom in on some of the widely known application weaknesses you can encounter. OWASP publishes a list of common security issues (the OWASP Top 10) as well as the OWASP Core Rule Set, which many WAF vendors build their managed rules on. Think of the following types of protections:

  • SQL injection
  • Cross-Site Scripting (XSS)
  • Session hijacking
  • Outdated (legacy) security protocols such as TLS 1.0 and 1.1, or no TLS at all (enforced where the WAF terminates TLS)
  • Known vulnerabilities and exploits, covered by managed rule sets that are updated as new attack patterns appear
  • Bot protection
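To make the first two protections concrete, here is an added example (mine, not code from the article or from any WAF vendor) of how a managed rule set in the style of the OWASP Core Rule Set decides on a request. Each matching signature adds its severity to an anomaly score, and the request is only blocked when the total reaches a threshold; a single low-severity keyword hit is logged but lets the request through, while a known false positive is handled by excluding a rule for one parameter instead of switching the WAF off. The signatures, rule ids, the threshold of 5 and the requests are simplified, constructed stand-ins for the real CRS rules.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Blocking threshold. CRS 3.x ships with 5 as its default inbound anomaly
# threshold; here it is simply the parameter of this toy model.
INBOUND_ANOMALY_THRESHOLD = 5

# (rule id, category, severity, pattern). Ids and patterns are illustrative
# stand-ins for real CRS rules, not copies of them.
SIGNATURES = [
    ("sqli-1", "SQLi", 5, re.compile(r"(?i)\bunion\b.{1,40}\bselect\b")),
    ("sqli-2", "SQLi", 5, re.compile(r"(?i)\b(or|and)\b\s+\d+\s*=\s*\d+")),
    ("sqli-3", "SQLi", 2, re.compile(r"(?i)\b(select|insert|update|delete|drop)\b")),
    ("xss-1",  "XSS",  5, re.compile(r"(?i)<\s*script\b")),
    ("xss-2",  "XSS",  3, re.compile(r"(?i)\bon(load|error|click|mouseover)\s*=")),
    ("xss-3",  "XSS",  3, re.compile(r"(?i)javascript\s*:")),
]


def _inspected_values(url, body=None, headers=None):
    """Yield (location, name, value) for every part of the request a WAF
    inspects: query-string arguments, form-encoded body arguments and
    request headers. parse_qs URL-decodes the arguments for us."""
    query = urlsplit(url).query
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            yield "ARGS", name, value
    if body:
        for name, values in parse_qs(body, keep_blank_values=True).items():
            for value in values:
                yield "ARGS", name, value
    for name, value in (headers or {}).items():
        yield "REQUEST_HEADERS", name, value


def score_request(url, body=None, headers=None, exclusions=None,
                  threshold=INBOUND_ANOMALY_THRESHOLD):
    """Run every signature over every inspected value and sum the severities.
    `exclusions` maps an argument name to the rule ids that must not fire on
    it (the equivalent of a CRS rule exclusion for a known false positive).
    Returns the score, the individual matches and the verdict."""
    exclusions = exclusions or {}
    matches, total = [], 0
    for location, name, value in _inspected_values(url, body, headers):
        for rule_id, category, severity, pattern in SIGNATURES:
            if rule_id in exclusions.get(name, ()):
                continue
            if pattern.search(value):
                matches.append((rule_id, category, f"{location}:{name}"))
                total += severity
    return {"score": total, "matches": matches, "blocked": total >= threshold}


if __name__ == "__main__":
    # Constructed requests: a UNION-based injection, a harmless search that
    # contains an SQL keyword, and a developer forum post that legitimately
    # carries SQL, once without and once with a per-parameter exclusion.
    samples = [
        ("/products?id=1%27%20UNION%20SELECT%20username,password%20FROM%20users--", None, None),
        ("/search?q=how+to+select+a+color", None, None),
        ("/post", "sql_snippet=SELECT+a+FROM+t+UNION+SELECT+b+FROM+u", None),
        ("/post", "sql_snippet=SELECT+a+FROM+t+UNION+SELECT+b+FROM+u",
         {"sql_snippet": {"sqli-1", "sqli-3"}}),
    ]
    for url, body, excl in samples:
        print(url, score_request(url, body, exclusions=excl))
```

The exclusion in the last sample is the tuning work a WAF needs over its lifetime: the rule stays active for every other parameter, only the field that is known to carry SQL is exempted.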

Common solutions

As a cloud customer there is plenty to choose from, whether you run on AWS, Azure or another cloud. Amazon offers AWS WAF, which you attach to the Application Load Balancer, Amazon API Gateway, CloudFront distribution or AppSync API that acts as the single point of entry for your web applications, REST APIs or GraphQL APIs.

Microsoft offers Web Application Firewall on Azure Application Gateway as its cloud-native solution. Application Gateway is itself a Layer 7 load balancer, and the WAF runs on it as a feature of the WAF_v2 SKU. Its managed rules are based on the OWASP Core Rule Set (CRS).

Besides AWS and Azure, Google offers Cloud Armor to protect your cloud workloads and also on-premises hosted applications that sit behind a Google Cloud load balancer. Besides the usual types of protection, Cloud Armor also offers geo-based access control.

WAF

So how do you actually deploy a WAF? For the sake of simplicity we concentrate on Azure’s solution.

Provisioning

In short, you provision the WAF using an ARM template or a Terraform configuration. Provisioning it with IaC is always the best choice, since you can repeat the process over and over and every change can be traced back to where it originated (the commit that introduced it).

Besides the required information for the back-end services and other network-related aspects such as address prefixes, Network Security Groups and security rules, you can define the following WAF-specific parameters:

  • Whether or not the firewall is enabled
  • The mode of the firewall: Detection (only log) or Prevention (log and block)
  • The type of rule set (OWASP) and its version
  • Limits such as the maximum request body size (the payload of a message sent to a REST service) and the maximum size of an uploaded file
  • A reference to the firewall policy that holds your custom rules


That last element, the policy, is defined in the same IaC template. This is where you specify the custom rules, for example: block all traffic that does not originate from a certain network segment (subnet). With such a rule in place the gateway is effectively private, so make sure the address range really covers every legitimate client (including any intermediary that sits in front of the gateway).

Sample code

A snippet of the above-mentioned IaC template can be found below. Note the property name negationConditon: it is misspelled like that in the Azure schema itself, so copy it exactly.

(...) 
       "webApplicationFirewallConfiguration": {
          "enabled": true,
          "firewallMode": "Prevention",
          "ruleSetType": "OWASP",
          "ruleSetVersion": "3.1",
          "requestBodyCheck": true,
          "maxRequestBodySizeInKb": 128,
          "fileUploadLimitInMb": 100
        },
        "firewallPolicy": {
          "id": "[resourceId('Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies', variables('AGWafPol01'))]"
        }
      }
    },
    {
      "type": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies",
      "apiVersion": "2020-06-01",
      "name": "[variables('AGWafPol01')]",
      "location": "[parameters('location')]",
      "properties": {
        "customRules": [
          {
            "name": "CustRule01",
            "priority": 100,
            "ruleType": "MatchRule",
            "action": "Block",
            "matchConditions": [
              {
                "matchVariables": [
                  {
                    "variableName": "RemoteAddr"
                  }
                ],
                "operator": "IPMatch",
                "negationConditon": true,
                "matchValues": [
                  "10.10.10.0/24"
                ]
              }
            ]
          }
        ],
(...)

Updates

The good thing about WAFs is that the managed rule sets are maintained by the provider, so protection against newly discovered attack patterns arrives without you writing rules yourself; moving to a new major rule set version is still your decision and is best tested in Detection mode first. On top of that, you don’t need to change your back-end systems to enable or configure a WAF. Logs can be sent to Azure Monitor once you enable diagnostic settings on the Application Gateway, and to CloudWatch Logs, S3 or Kinesis Data Firehose once you enable logging on an AWS WAF web ACL.

Azure & Policies

Azure has a great number of predefined policies (Azure Policy). These define what you are and are not allowed to do in Azure. Typically, cloud platform teams roll them out together with the security department or the CISO office. Common policies require tags (metadata) on resources so they can be classified, or restrict the Virtual Machine sizes you are allowed to deploy. Other policies map to security frameworks such as CIS and NIST. One of the core principles is to keep your cloud resources secure, and policies help prevent the deployment of unwanted resources.


The Azure WAF has its own policy object too, the WAF policy referenced above, which holds the managed rule set, exclusions and your custom rules. Common custom rules for your WAF include the following:

  • Block traffic from certain IP addresses. Templates are available that block traffic based on an IP block list as well as a geo block list, which makes this a flexible solution.
  • Rate limiting. Rules of type RateLimitRule keep a single client from sending too much unwanted traffic, which otherwise poses a threat to your business continuity. For example, you can limit a client to 100 requests per minute; everything beyond that limit is logged and rejected. Note that this mitigates application-layer floods; volumetric (Layer 3/4) DDoS attacks are handled by the platform’s DDoS protection service, not by the WAF. Sources you no longer trust can be blocked permanently with an IP rule.
  • Control allowed HTTP methods. Your REST API might only allow certain methods such as GET and POST but not DELETE. A WAF lets you enforce exactly that, combined with extra conditions such as the IP address the traffic originates from.

Be sure to set the correct priority, so the rules are evaluated in the right order: lower numbers run first, and the first matching rule with an Allow or Block action decides, while a Log action records the match and continues. More information about WAF custom rules can be found on Microsoft’s Tech Community website.

WAF and the API Gateway

Many developers build their software on cloud-native serverless services; AWS offers Lambda for that. A WAF helps protect the APIs you expose to the internet through an API Gateway, and the two work in conjunction with each other.

AWS WAF lets you configure a set of rules grouped in a web ACL (Web Access Control List). A web ACL protects your application by blocking the typical attack vectors we talked about earlier. Since the WAF inspects traffic at the application layer (Layer 7 of the OSI model), it can filter on HTTP headers, specific query strings and request bodies, and block requests whose headers look malicious.

This makes it a much more capable firewall than a classic network load balancer, which only sees addresses and ports. Keep in mind that in the cloud nearly everything has an identity that is used to authenticate and authorize to services; a modern WAF, itself managed through that identity and policy model, fits neatly into this picture.

Typical challenges

Since developers push the limits of software development practices, they also end up deploying and maintaining their own firewalls. Properly configuring a WAF requires network infrastructure skills as well as a detailed understanding of the application’s traffic, so that legitimate requests are not blocked as false positives. Not all developers have these skills, so either they need training to acquire them or the security department steps in.

And with frequent changes to their applications, it’s hard to keep the WAF aligned with the application’s requirements. It’s too easy to forget about the WAF and carry on with the next version of your application. However, you can’t update your application and your WAF in isolation: a new endpoint, parameter or upload size may need a matching exclusion or limit.

Another thing to keep in mind is the performance impact. Since you don’t know exactly how a managed WAF works under the hood (remember, it’s a service from a cloud provider), you don’t know its latency overhead either. Carefully run your performance tests both with and without the WAF in place, using realistic request sizes, since request body inspection costs more on large payloads.

Runtime Application Self-Protection

An alternative to a WAF is RASP (Runtime Application Self-Protection), which sits very close to your application’s runtime. A WAF lacks contextual information about your application, whereas a RASP defender such as the one in Prisma Cloud has exactly that: it decides whether a request should be let through based on the specific information and metadata of the application and its runtime environment. The drawback is overhead, since you add another layer inside the application itself.

Wrap up

Web Application Firewalls act as modern firewalls for your cloud-native applications. They sit in front of your API Gateway or Application Gateway. Besides protecting you from brute-force and application-layer DDoS attacks, they offer protection against SQL injection, Cross-Site Scripting and other attack vectors such as request header or body manipulation. A WAF can affect the performance of your application, so take that into account. Be sure to set up your WAF using IaC and keep it aligned with the application(s) it protects.
