Web application firewall (WAF)

Table of Contents

Introduction

Web application firewall (WAF)

Firewall rule components

Chain Types and Chain Decision Policy

Advantages and Disadvantages of WAF

Web Application Firewall Architecture

WAF Placement

Security Model

Operating Modes

Additional Features

Products and Solutions

Non-Commercial Web Application Firewalls

ModSecurity - www.modsecurity.org

Commercial Web Application Firewalls

Barracuda Networks - www.barracudanetworks.com

Breach Security - www.breach.com

Deny All - www.denyall.com

F5 - www.f5.com

Imperva - www.imperva.com

Other Vendors

Implementation, Tuning and Maintenance

PCI Compliance

Main WAF Attributes

Recommendation

References

Introduction

Over the past few years, a clear trend has emerged within the information security landscape; web applications are under attack. “Web applications continue to be a prime vector of attack for criminals, and the trend shows no sign of abating; attackers increasingly shun network attacks for cross-site scripting, SQL injection, and many other infiltration techniques aimed at the application layer.” (Sarwate, 2008) Web application vulnerabilities can be attributed to many things including poor input validation, insecure session management, improperly configured system settings and flaws in operating systems and web server software. Certainly writing secure code is the most effective method for minimizing web application vulnerabilities. However, writing secure code is much easier said than done and involves several key issues. First of all, many organizations do not have the staff or budget required to do full code reviews in order to catch errors. Second, pressure to deliver web applications quickly can cause errors and encourage less secure development practices. Third, while products used to analyze web applications are getting better, there is still a large portion of the job that must be done manually and is susceptible to human error. Securing an organization's web infrastructure takes a defense in depth approach and must include input from various areas of IT including the web development, operations, infrastructure, and security teams.

One technology that can help secure a web application infrastructure is a web application firewall. A web application firewall (WAF) is an appliance or server application that inspects HTTP/HTTPS conversations between a client browser and a web server at layer 7, the application layer, where it can see the full request: method, path, headers, query string and body. The WAF can then enforce security policy against a variety of criteria, including signatures of known attacks, conformance to the HTTP protocol standard, and anomalous application traffic such as unusually long parameters. Because the decision is made on the decoded request, a WAF must first normalize the traffic (for example, remove percent-encoding, including double-encoding) so that it evaluates what the back-end application will actually process.
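To make the inspection model above concrete, here is a small request inspector written for this page as an added example; it is not code from any of the products listed later, and its rule patterns, score weights, block threshold and sample requests are illustrative assumptions chosen for the demonstration. It combines the three policy sources the paragraph names: signatures (regular expressions for known attack strings), protocol checks (an allowed-method list) and a simple anomaly check (parameter length), and it uses anomaly scoring so that a request is blocked only once the accumulated score reaches a threshold. The `mode` argument shows the difference between blocking and detect-only operation.

```python
"""Minimal WAF-style request inspector (added example, not from any real product)."""
import re
from urllib.parse import parse_qsl, unquote

# Illustrative signatures (hypothetical, not copied from any vendor rule set).
# Each entry: (rule id, compiled pattern, anomaly score it contributes).
SIGNATURES = [
    ("sqli-union", re.compile(r"\bunion\b[\s\S]*\bselect\b", re.I), 5),
    ("sqli-tautology", re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+", re.I), 5),
    ("xss-script-tag", re.compile(r"<\s*script\b", re.I), 5),
    ("xss-event-handler", re.compile(r"\bon[a-z]+\s*=", re.I), 3),
    ("path-traversal", re.compile(r"\.\.[/\\]"), 5),
]
ALLOWED_METHODS = {"GET", "POST", "HEAD"}   # protocol-standard check (assumed policy)
MAX_PARAM_LEN = 256                          # simple anomaly check (assumed limit)
BLOCK_THRESHOLD = 5                          # inbound anomaly score that blocks (assumed)


def normalize(value: str) -> str:
    """Peel up to two further layers of percent-encoding so double-encoded
    payloads are seen as the back end would decode them; drop NUL bytes.
    (parse_qsl has already removed one layer from query/body parameters.)"""
    out = value
    for _ in range(2):
        decoded = unquote(out)
        if decoded == out:
            break
        out = decoded
    return out.replace("\x00", "")


def extract_params(query: str, body: str):
    """Yield (location, name, value) for every query-string and form parameter."""
    for name, val in parse_qsl(query, keep_blank_values=True):
        yield "query", name, val
    for name, val in parse_qsl(body, keep_blank_values=True):
        yield "body", name, val


def inspect_request(method, path, query="", body="", mode="block"):
    """Score one request and return {"score", "findings", "action"}.
    mode="detect" records findings but never blocks (monitoring deployment)."""
    score = 0
    findings = []  # (rule id, location, parameter name)
    if method.upper() not in ALLOWED_METHODS:
        score += 5
        findings.append(("protocol-method", "method", method))
    targets = [("path", "path", path)] + list(extract_params(query, body))
    for where, name, raw in targets:
        value = normalize(raw)
        if len(value) > MAX_PARAM_LEN:
            score += 2
            findings.append(("anomaly-param-length", where, name))
        for rule_id, pattern, weight in SIGNATURES:
            if pattern.search(value):
                score += weight
                findings.append((rule_id, where, name))
    blocked = mode == "block" and score >= BLOCK_THRESHOLD
    return {"score": score, "findings": findings,
            "action": "block" if blocked else "allow"}


# Constructed sample requests: (label, method, path, query, body); not real traffic.
SAMPLE_REQUESTS = [
    ("benign search", "GET", "/search", "q=web+application+firewall", ""),
    ("union sqli", "GET", "/items", "id=1+UNION+SELECT+username,password+FROM+users", ""),
    ("tautology sqli", "GET", "/login", "user=admin'+OR+'1'%3D'1", ""),
    ("double-encoded xss", "POST", "/comment", "", "text=%253Cscript%253Ealert(1)%253C/script%253E"),
    ("encoded traversal in path", "GET", "/static/..%2F..%2Fetc/passwd", "", ""),
    ("disallowed method", "TRACE", "/", "", ""),
]


def demo(mode="block"):
    """Run the sample requests and return [(label, action, score)]."""
    results = []
    for label, m, p, q, b in SAMPLE_REQUESTS:
        r = inspect_request(m, p, q, b, mode=mode)
        results.append((label, r["action"], r["score"]))
    return results


if __name__ == "__main__":
    for label, action, score in demo():
        print(f"{label:28s} -> {action:5s} (score {score})")
```

Note the design choice: a real WAF would evaluate headers and cookies as well, and would decode more than percent-encoding (HTML entities, Unicode, chunked bodies). The point of the normalization step is that a signature checked only against the raw wire bytes misses the double-encoded `<script>` case shown in the samples.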

Web application firewall (WAF)

The Semantic Web builds on application-domain ontologies in order to provide a framework for web-resource reasoning and interoperation. Semantic Web applications are typically modelled at the application-domain (knowledge) level and tend not to consider the underlying infrastructure: it is assumed that this infrastructure is suitably configured to support the application and its web resources. However, there are situations where the infrastructure configuration may work against the normal operation of the Semantic Web, and it then becomes necessary to consider some knowledge about the infrastructure and how it relates to the application knowledge (www.scmagazineus.com).

A reality of any practical system, regardless of the application it supports, is that a network access control (NAC) policy is applied to incoming and outgoing traffic. NAC configurations, in particular firewall configurations, may run to many thousands of rules and are typically maintained on an ad hoc basis. New rules are added with little regard to existing rules; under first-match evaluation, a new rule placed after a broader one may never fire, and the result may be an overly-restrictive and/or overly-permissive ...
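The check a practitioner would want for the ad hoc rule growth just described is a shadowing analysis: with first-match semantics (as in a firewall chain), a rule whose source, destination, protocol and port range are all covered by an earlier rule can never match, so its intent is silently lost. The analyzer below is an added example written for this page, not taken from any firewall product; it assumes a hypothetical simplified rule form (action, source CIDR, destination CIDR, protocol, inclusive port range) rather than real iptables syntax, and the sample rule set is constructed to contain one shadowed rule (a later ACCEPT hidden behind an earlier DROP) and one redundant rule (a later rule that repeats an earlier one with the same action).

```python
"""Shadowed/redundant rule detector for an ordered, first-match rule list
(added example; hypothetical rule format, not iptables syntax)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "ACCEPT" or "DROP"
    src: str         # source CIDR
    dst: str         # destination CIDR
    proto: str       # "tcp", "udp" or "any"
    dport: tuple     # (low, high) inclusive destination port range; (0, 65535) = any


def ip_contains(outer_cidr: str, inner_cidr: str) -> bool:
    """True when every address in inner_cidr is inside outer_cidr."""
    return ipaddress.ip_network(inner_cidr).subnet_of(ipaddress.ip_network(outer_cidr))


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet that inner would match is already matched by outer."""
    return (
        ip_contains(outer.src, inner.src)
        and ip_contains(outer.dst, inner.dst)
        and (outer.proto == "any" or outer.proto == inner.proto)
        and outer.dport[0] <= inner.dport[0]
        and outer.dport[1] >= inner.dport[1]
    )


def find_shadowed(rules):
    """Return (later rule, earlier rule, kind) for every rule that can never fire.
    kind is "shadowed" when the actions differ (the later rule's intent is lost)
    and "redundant" when they agree (dead weight, but no behavioural surprise)."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                out.append((later.name, earlier.name, kind))
                break   # first covering rule is the one that wins at match time
    return out


# Constructed sample rule set (hypothetical addresses), evaluated top to bottom.
RULES = [
    Rule("allow-web", "ACCEPT", "0.0.0.0/0", "10.0.1.10/32", "tcp", (80, 80)),
    Rule("drop-lan", "DROP", "10.0.0.0/8", "10.0.1.0/24", "any", (0, 65535)),
    # Added later "to let admins in", but drop-lan above already matches it:
    Rule("allow-admin-ssh", "ACCEPT", "10.0.2.5/32", "10.0.1.10/32", "tcp", (22, 22)),
    # Narrower copy of allow-web with the same action:
    Rule("allow-web-dup", "ACCEPT", "192.168.0.0/16", "10.0.1.10/32", "tcp", (80, 80)),
    Rule("allow-dns", "ACCEPT", "0.0.0.0/0", "10.0.1.53/32", "udp", (53, 53)),
]


if __name__ == "__main__":
    for later, earlier, kind in find_shadowed(RULES):
        print(f"{later} is {kind} by {earlier}")
```

Running it on the sample set reports that `allow-admin-ssh` is shadowed by `drop-lan` and that `allow-web-dup` is redundant with `allow-web`; the other rules are reachable. The same pairwise comparison scales to large rule sets, and a partial overlap (neither rule fully covering the other) is the case to investigate next, since it is where order changes behaviour.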