Why You Need a Web Application Firewall (WAF)
One of the mantras for today’s enterprise could be “living on the edge.” With the proliferation of the cloud and the digital services and mobile apps it hosts, today’s enterprise is all about the edge. Chances are your company or organization has a web presence on the Internet thanks to Web 2.0, which gives your customers the ability to interact with your web sites and the integrated web applications that service their requests. Unfortunately, it gives hackers the same ability. According to the 2016 Verizon Data Breach Investigation Report, 40% of all data breaches involved web application attacks.
It happens every day, and many IT managers are initially baffled as to how their web servers were compromised behind the firewall. The fact, however, is that a traditional firewall does very little to protect a multi-tier web application. A perimeter firewall must leave the common ports such as 80 and 443 open so that users can access and interact with the hosted sites, and hackers use these same ports. Because it decides on addresses and ports rather than on the content of a request, a traditional firewall cannot stop a SQL injection or DDoS attack. A web application security system must do more than open and close ports: it must inspect incoming traffic and discern what it carries.
What a WAF Is and Is Not
In order to properly shield your web applications, you need a Web Application Firewall (WAF). Unlike a traditional firewall, a WAF does not provide perimeter protection for the entire enterprise. It is a highly specialized security tool designed to protect web applications, not the servers they run on. A WAF resides at the outer edge of your network, in front of the public side of a web application, and analyzes incoming traffic. That is all it does, and it does it very well. Unlike traditional security devices that focus on layers 3 and 4 of the OSI model, a WAF focuses on the application layer (layer 7). Because a WAF is so specialized, many network managers make the mistake of not justifying the investment in one. In today’s hyper-connected environment, however, this is a major oversight: web applications interact directly with the back-end database servers that hold the precious data of the enterprise, such as the personal information of online retail customers that hackers so covet.
There is sometimes a misconception that an Intrusion Prevention System (IPS) can supplement a firewall enough to protect web applications. While an IPS can monitor incoming network traffic, it is not equipped to interpret the complex nature of HTTP traffic. Like a perimeter firewall, an IPS is designed to protect a network at large, not a dedicated edge-based application. A WAF, by contrast, can be deployed as a hardware appliance, as an inline proxy in front of the web server, or as a web-server plugin.
Why You Need a WAF
Just as an online retail customer can interact with an online retail site, hackers can conduct malicious interactions as well. These attacks predominantly take the form of SQL injection, cross-site scripting and malicious file execution. A modern WAF is designed to protect against these and the other OWASP Top Ten application risks. WAFs are able to discern fraudulent interactions from legitimate traffic. This is a highly complex task, as hackers today weave their attack code into safe-looking web traffic. A WAF accomplishes it by intercepting and analyzing each and every HTTP request before it reaches the web application.
WAFs are also designed to perform SSL termination. Much of today’s web traffic is encrypted in order to protect the data transferred within the web session. HTTPS works both ways, however: it also shields malicious code from scrutiny. Many hackers take advantage of this, using HTTPS as camouflage to avoid detection.
Because a WAF stands between the public and the web application, it is able to decouple the traffic between the web server and the Internet. The SSL certificates are hosted on the WAF, which terminates the encrypted connection. Traffic is then forwarded to the web application over plain HTTP and analyzed along the way. In this sense the WAF works as an inbound, or reverse, proxy. Response traffic is sent back through the WAF, which encrypts it and forwards it to the user over HTTPS.
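The two mechanisms just described, inspecting every HTTP request before it reaches the application and terminating TLS as a reverse proxy in front of a plaintext back end, fit in a single small program. The following Go code is an added example written for this page; it is not Total Uptime’s product code and not a production WAF. Its three detection signatures are hypothetical stand-ins for a real rule set (for instance the OWASP ModSecurity Core Rule Set), the `inspect`, `newWAF` and `probe` functions are names chosen here, the back-end application is a constructed stub, and the TLS certificate is the throwaway one `httptest.NewTLSServer` issues, so everything runs offline.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"log"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"regexp"
)

// Hypothetical signatures for this example only. A real WAF carries far
// richer rules; these three merely cover the attack classes the post names.
var signatures = []struct {
	name string
	re   *regexp.Regexp
}{
	{"sqli", regexp.MustCompile(`(?i)(union\s+select|'\s*or\s+'?\d+'?\s*=\s*'?\d+|;\s*drop\s+table)`)},
	{"xss", regexp.MustCompile(`(?i)(<\s*script|javascript:|\bon(error|load|click)\s*=)`)},
	{"file", regexp.MustCompile(`(\.\./|\.\.\\|\x00)`)}, // path traversal / null-byte tricks
}

const maxBody = 64 << 10 // bodies larger than this are refused rather than half-inspected

// inspect returns the name of the first signature a request matches, or ""
// when it looks clean. It examines the decoded path, every query parameter,
// and the body (raw and, where it parses, as form fields), then restores the
// body so the request can still be forwarded to the application.
func inspect(r *http.Request) string {
	fields := []string{r.URL.Path}
	for k, vs := range r.URL.Query() {
		fields = append(fields, k)
		fields = append(fields, vs...)
	}
	if r.Body != nil {
		body, _ := io.ReadAll(io.LimitReader(r.Body, maxBody+1))
		r.Body = io.NopCloser(bytes.NewReader(body))
		if len(body) > maxBody {
			return "oversize"
		}
		fields = append(fields, string(body))
		if vals, err := url.ParseQuery(string(body)); err == nil {
			for k, vs := range vals {
				fields = append(fields, k)
				fields = append(fields, vs...)
			}
		}
	}
	for _, f := range fields {
		for _, s := range signatures {
			if s.re.MatchString(f) {
				return s.name
			}
		}
	}
	return ""
}

// newWAF wraps a reverse proxy to the back end: every request is inspected
// first, and a blocked request never reaches the application.
func newWAF(backend *url.URL) http.Handler {
	proxy := httputil.NewSingleHostReverseProxy(backend)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if rule := inspect(r); rule != "" {
			log.Printf("blocked %s %s rule=%s client=%s", r.Method, r.URL.RequestURI(), rule, r.RemoteAddr)
			http.Error(w, "request blocked by WAF", http.StatusForbidden)
			return
		}
		if r.TLS != nil { // the back end only ever sees plain HTTP; tell it the client used TLS
			r.Header.Set("X-Forwarded-Proto", "https")
		}
		proxy.ServeHTTP(w, r)
	})
}

// probe stands up a plaintext stub back end and a TLS-terminating WAF in front
// of it, sends each request URI over HTTPS, and returns the status codes seen.
func probe(uris []string) ([]int, error) {
	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "app got %s (proto=%s)\n", r.URL.RequestURI(), r.Header.Get("X-Forwarded-Proto"))
	}))
	defer backend.Close()
	target, _ := url.Parse(backend.URL)
	waf := httptest.NewTLSServer(newWAF(target))
	defer waf.Close()
	client := waf.Client() // trusts the throwaway test certificate
	var codes []int
	for _, u := range uris {
		resp, err := client.Get(waf.URL + u)
		if err != nil {
			return nil, err
		}
		resp.Body.Close()
		codes = append(codes, resp.StatusCode)
	}
	return codes, nil
}

func main() {
	codes, err := probe([]string{
		"/products?id=42",                               // legitimate
		"/products?id=%27%20OR%201%3D1",                 // constructed SQL injection probe
		"/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E", // constructed reflected-XSS probe
		"/download?file=..%2F..%2Fconfig.ini",           // constructed path-traversal probe
	})
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(codes) // 200 for the first request, 403 for the three probes
}
```

Two points the code makes that the prose does not: the proxy only sees decoded parameters because `net/http` has already undone the URL encoding the attacker used as camouflage, and the back end receives the request over plain HTTP with `X-Forwarded-Proto: https`, which is how it learns that the client’s connection was encrypted even though the WAF terminated it. Pattern matching like this is a heuristic: it misses encodings and variants the rules do not anticipate and can block legitimate input that happens to look like an attack, which is why real rule sets are large and tuned per application.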
Just because you do not host your own web applications does not mean you do not need a WAF. Many large cloud vendors offer WAF subscription services, but if yours doesn’t, you can count on Total Uptime. Our WAF can protect your infrastructure no matter where it resides: in the cloud, on-premise, and anywhere in between.
For the same reason that today’s web applications demand layer-seven security protection, they also demand layer-seven load balancing and failover protection. Security and fault tolerance are both vital to ensure that your web applications are neither compromised nor disrupted.