Page 32 - Informatics, July 2021
Technology Update

...ly in the traffic path between the requestor (for example, a browser client) and the Web application server. Within the in-line model, a WAF can be configured in a) routed, b) bridged or c) reverse-proxy mode to inspect and process the traffic. In-line WAFs actively block the requests that violate the rule sets. This architecture demands caution to ensure that no service-interruption surprises happen in production. Alternatively, it is possible to run a WAF in-line but keep it in a monitor-only (or passive) mode.

TAP/SPAN
This mode is also known as "passive" mode because the WAF is kept out of the traffic path and monitors traffic from a tap or SPAN port. Tap/SPAN WAFs are often used to collect data for use in investigatory or forensic analysis. This mode supports traffic blocking by communicating with another system (like a network firewall) and having that system perform the blocking.

Further, an Application Firewall can be network-based, host-based or cloud-based. It is primarily deployed in reverse-proxy mode and is placed in front of one or more websites or applications. We can deploy a WAF appliance on-premise or have a hosted virtual appliance. An evolving architecture is cloud-delivered WAF as-a-service. Cloud and virtualization are driving the need for new architectural models in Web Application Firewalls. Cloud-based WAFs intercept traffic before it enters the organization's network. Virtualized environments present a unique challenge because the VMs running on top of a hypervisor form their own mini-network, where traffic is passed from server to server without having to traverse the network. To prevent application attacks intra-VM, a WAF needs to be able to see that traffic; this can be accomplished by using an API to monitor activity via the hypervisor. A WAF can fit into an organization's architecture easily with its various form-factor choices. A host WAF is a software option where the software is installed on the same server on which the Web application is running.

Detection Techniques
Most WAFs use a blended approach of different techniques to ensure the most accurate detection coverage. These techniques are:

Signatures - Similar to the signatures used by anti-virus and Intrusion Prevention Systems (IPS), WAF signatures match a pre-set string or regular expression (RegEx) against the traffic, looking for known attacks. A WAF ships with a set of signatures, and these are updated by the OEMs regularly as attacks evolve.

Rules - Rules define how to inspect a web request and what to do when the request matches the inspection criteria. Generally, a rule links together a series of strings with logical operators like AND, OR and NOT, and may contain nested statements at any depth. WAFs can also "learn" traffic patterns on the fly and look for anomalies against a set of baseline rules. This intelligence can be used for a new rule setting on the WAF or on a complementary protection device like an IPS or network firewall.

Normalization - Attackers often manipulate an exploit payload to bypass WAF detection (for example, by URL-encoding portions of the payload). WAFs normalize requests before analysis to defeat such evasion, handling escaped and encoded characters, self-referencing paths, international character sets, etc.

APIs - WAFs offer API support to build custom detection techniques or rules for specialized assessments, such as logic checks. These APIs are integrated with the WAF parsing engine.

[Figure: Application Fortification. A WAF in front of the Web Server combining Pattern Recognition, a Signature DB, Protocol Compliances and Session Protection to cover SQL Injection, Path Traversal, Code Injection, Header Tampering, Cross-Site Scripting, OS Command Injection, Remote File Inclusion, Encoding, Vulnerability Probes, Extension Type Upload Inspection, MIME Type, Cookie Tampering, Session Hijacking, Denial of Service, Malware Inspection, Known Viruses/Trojans/Worms, Cross-Site Request Forgery, Spammer/Bad User Agents, Bots, and Data, Server and App Masking.]

Special WAF Features

Virtual Patching
A WAF helps to shorten the window of exposure to vulnerabilities. If your application is hosted on a platform that has a known vulnerability but you have not had a chance to patch it yet, you can write a rule that looks for traffic attempting to exploit that vulnerability and block that traffic until you can get the vulnerable system patched. This is known as virtual patching. Virtual patches are a key component of a strong WAF, often requiring integration with a vulnerability scanner. It is always difficult to keep pace with the number of vulnerabilities and updates on the open-source servers that we commonly use today, e.g. Drupal, WordPress, Joomla, etc. Their vulnerabilities can be taken care of by virtual patching. Virtual patching helps to protect legacy applications that may have limited to no resources to build security controls into the application or to fix vulnerabilities in source code.

SSL & Weak Cipher Overrides
Encryption protects data in the traffic stream from prying eyes, and the option here is to give the keys to the WAF so that the stream can be decrypted, inspected and processed. Additionally, the WAF disables weak ciphers to prevent side-channel or downgrade attacks. When a client tries to use disabled/vulnerable SSL/TLS protocols or cipher suites, the request is redirected to a specific error page. At the same time, a WAF can define cipher-suite overrides for each version of the SSL/TLS protocols.

Emergency Hosting (Audit Exemption)
A Web Application Firewall is vital to enable emergency hosting, as it dynamically models an application's structure and its elements. It understands the expected application responses and usage. Accordingly, it profiles the URLs, directories, cookies, form fields, URL parameters, HTTP methods and Referrers. Having understood the application, it provides a Layer-7 shield around it. This protective shield, however, must not be construed as a replacement for necessary audit compliance, which has to be met anyhow. The WAF service essentially takes care of vulnerabilities that are either altogether new or were missed/uncovered via penetration testing or source code reviews.
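The detection techniques described above (normalization, signatures, rules joined with AND/OR/NOT), the virtual-patching feature and the in-line versus monitor-only decision can be seen working together in the following added example. It is illustrative code written for this page, not code from the article or from any WAF product; the signature set, the rule ids, the legacy endpoint path /legacy/export and the sample requests are all constructed.

```python
"""Added example (not from the Informatics article): a minimal WAF inspection
pipeline. A request is normalized first (percent-decoding, Unicode folding,
self-referencing path collapse), then matched against signatures and rules,
and the WAF's mode decides whether a match is blocked (in-line) or only
logged (tap/SPAN or monitor-only). Signatures, rule ids and the
/legacy/export endpoint are constructed for illustration."""
import re
import unicodedata
from dataclasses import dataclass, field
from urllib.parse import unquote


@dataclass
class Request:
    method: str
    path: str
    params: dict
    headers: dict = field(default_factory=dict)


def normalize(value: str) -> str:
    """Undo the encodings an attacker can use to hide a payload from the
    signature stage: decode percent-encoding until stable (exposes double
    encoding), fold compatibility characters (fullwidth '<' becomes '<'),
    collapse '/./' and '//' path segments, and lower-case the result."""
    prev = None
    while value != prev:
        prev, value = value, unquote(value)
    value = unicodedata.normalize("NFKC", value)
    while "/./" in value:
        value = value.replace("/./", "/")
    value = re.sub(r"/{2,}", "/", value)
    return value.lower()


# Signature stage: fixed regular expressions for well-known attack strings.
# Patterns are lower-case because they run on normalized text. Constructed set.
SIGNATURES = {
    "SIG-SQLI-001": re.compile(r"('|\")\s*or\s+\d+\s*=\s*\d+"),
    "SIG-XSS-001": re.compile(r"<script\b|onerror\s*="),
    "SIG-TRAV-001": re.compile(r"(^|/)\.\.(/|$)"),
}


def rule_virtual_patch(req: Request) -> bool:
    # Virtual patch for a hypothetical unpatched endpoint: until the code is
    # fixed, only a plain CSV file name is accepted in the 'file' parameter.
    if not req.path.startswith("/legacy/export"):
        return False
    return re.fullmatch(r"[a-z0-9_-]+\.csv", req.params.get("file", "")) is None


def rule_post_without_content_type(req: Request) -> bool:
    # AND / NOT combination: a POST that carries no Content-Type header.
    return req.method == "POST" and not req.headers.get("content-type")


# Rule stage: named callables combining conditions with logical operators.
RULES = {
    "RULE-VPATCH-001": rule_virtual_patch,
    "RULE-HDR-001": rule_post_without_content_type,
}


def inspect(req: Request, mode: str = "inline") -> dict:
    """Return the WAF decision for one request.

    mode="inline"  -> a matching request is blocked
    mode="passive" -> a match is only logged (monitor-only / tap-SPAN mode)
    """
    norm = Request(
        req.method.upper(),
        normalize(req.path),
        {normalize(k): normalize(v) for k, v in req.params.items()},
        {k.lower(): v for k, v in req.headers.items()},
    )
    matches = []
    fields = [norm.path, *norm.params.values()]
    for sig_id, pattern in SIGNATURES.items():
        if any(pattern.search(f) for f in fields):
            matches.append(sig_id)
    for rule_id, rule in RULES.items():
        if rule(norm):
            matches.append(rule_id)
    if not matches:
        action = "allow"
    elif mode == "inline":
        action = "block"
    else:
        action = "log"
    return {"action": action, "matches": matches}
```

Running the same double-encoded payload through `SIGNATURES` directly and through `inspect()` shows why the normalization stage comes first: the raw string `%2527%20OR%201%3D1` matches nothing, while its normalized form `' or 1=1` is caught by the SQL-injection signature. Switching `mode` to `"passive"` turns the same match into a log-only decision, which is how a WAF is usually run during its first weeks in front of a production application.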
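The "learn traffic patterns, then look for anomalies" behaviour mentioned under Rules, and the application profiling (URLs, parameters, HTTP methods, cookies) that the Emergency Hosting section relies on, is shown in the following added example. It is written for this page and is not the article's or any vendor's code; the training requests, the value classes and the tolerance of twice the longest observed value are constructed assumptions.

```python
"""Added example (not from the Informatics article): learning a positive
application profile from observed benign traffic and flagging requests that
deviate from it. The training traffic and the value classes are constructed;
a real WAF learns from a much larger sample before enforcing."""
import re

# Value classes from most to least specific. The learner keeps, per parameter,
# the most specific class that every observed value satisfied.
VALUE_CLASSES = [
    ("digits", re.compile(r"\d+")),
    ("alnum", re.compile(r"[A-Za-z0-9_-]+")),
    ("text", re.compile(r"[^<>'\"]*")),   # free text without markup or quote characters
]
CLASS_ORDER = [name for name, _ in VALUE_CLASSES] + ["any"]


def classify(value: str) -> str:
    for name, pattern in VALUE_CLASSES:
        if pattern.fullmatch(value):
            return name
    return "any"


def learn_profile(requests):
    """requests: iterable of (method, path, params dict, cookie-name set).
    Returns {path: {"methods": set, "params": {name: (class, max_len)}, "cookies": set}}."""
    profile = {}
    for method, path, params, cookies in requests:
        entry = profile.setdefault(path, {"methods": set(), "params": {}, "cookies": set()})
        entry["methods"].add(method)
        entry["cookies"] |= set(cookies)
        for name, value in params.items():
            cls = classify(value)
            prev = entry["params"].get(name)
            if prev is None:
                entry["params"][name] = (cls, len(value))
            else:
                # Widen to the less specific class when a new value demands it.
                widest = max(prev[0], cls, key=CLASS_ORDER.index)
                entry["params"][name] = (widest, max(prev[1], len(value)))
    return profile


def check(profile, method, path, params, cookies) -> list:
    """Return the anomalies of one request against the learned profile;
    an empty list means the request fits the model."""
    entry = profile.get(path)
    if entry is None:
        return [f"unknown URL {path}"]
    anomalies = []
    if method not in entry["methods"]:
        anomalies.append(f"method {method} not seen for {path}")
    for name, value in params.items():
        learned = entry["params"].get(name)
        if learned is None:
            anomalies.append(f"unexpected parameter {name}")
            continue
        cls, max_len = learned
        if CLASS_ORDER.index(classify(value)) > CLASS_ORDER.index(cls):
            anomalies.append(f"parameter {name} does not match learned class {cls}")
        if len(value) > 2 * max_len:   # constructed tolerance: twice the longest seen
            anomalies.append(f"parameter {name} longer than learned maximum")
    for cookie in cookies:
        if cookie not in entry["cookies"]:
            anomalies.append(f"unexpected cookie {cookie}")
    return anomalies


# Constructed benign traffic sample used to build the baseline.
TRAINING = [
    ("GET", "/items", {"id": "42"}, {"session"}),
    ("GET", "/items", {"id": "7"}, {"session"}),
    ("GET", "/search", {"q": "blue shoes"}, {"session"}),
    ("POST", "/login", {"user": "alice", "password": "correct horse"}, set()),
]
PROFILE = learn_profile(TRAINING)
```

Because the profile records what the application legitimately receives rather than what attacks look like, a request that carries an unknown parameter, an unexpected method or a value of the wrong class is flagged even when no signature matches it. In a monitor-only deployment these anomalies are the raw material for new baseline rules; the learned maximum length and class also need periodic re-learning when the application changes.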
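The SSL & Weak Cipher Overrides section describes a WAF that terminates TLS, refuses legacy protocol versions and weak cipher suites, and sends clients that offer them to an error page. The following added example models that policy with Python's standard `ssl` module; it is not the article's or any product's code, and the cipher string, the disabled-version set and the error page path /errors/tls-not-supported are constructed.

```python
"""Added example (not from the Informatics article): a server-side TLS policy
of the 'weak cipher override' kind. build_tls_context() builds an
ssl.SSLContext that refuses protocol versions below TLS 1.2 and weak cipher
suites; handshake_decision() models a WAF front end that redirects a client
offering a disabled version or cipher to an error page. The policy values
and the error page path are constructed."""
import ssl

# Constructed cipher override for TLS 1.2 in OpenSSL cipher-string syntax:
# forward-secret ECDHE suites with AEAD ciphers only; NULL, MD5, RC4 and
# 3DES explicitly excluded. Python's ssl module exposes no setter for the
# TLS 1.3 suites, so those follow the OpenSSL defaults.
TLS12_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES"
DISABLED_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
ERROR_PAGE = "/errors/tls-not-supported"   # placeholder path
WEAK_TOKENS = ("RC4", "3DES", "DES-CBC", "MD5", "NULL", "EXP")


def build_tls_context() -> ssl.SSLContext:
    """Server context that enforces the policy above."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(TLS12_CIPHERS)
    return ctx


def allowed_ciphers() -> dict:
    """Cipher suite names the context will actually negotiate, grouped by
    the protocol version each suite belongs to."""
    table = {}
    for cipher in build_tls_context().get_ciphers():
        table.setdefault(cipher["protocol"], set()).add(cipher["name"])
    return table


def weak_cipher_names(ctx: ssl.SSLContext) -> list:
    """Audit helper: any negotiable suite whose name contains a weak token."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(token in c["name"] for token in WEAK_TOKENS)]


ALLOWED = allowed_ciphers()


def handshake_decision(version: str, cipher: str) -> tuple:
    """Model of the WAF front end: ("redirect", ERROR_PAGE) when the client
    offers a disabled protocol version or a suite outside the override list,
    otherwise ("accept", cipher)."""
    if version in DISABLED_VERSIONS:
        return ("redirect", ERROR_PAGE)
    if cipher not in ALLOWED.get(version, set()):
        return ("redirect", ERROR_PAGE)
    return ("accept", cipher)
```

`allowed_ciphers()` is derived from the built context rather than from the policy string, so the decision table reflects what the linked OpenSSL will really negotiate; `weak_cipher_names()` is the check to run after any change to the cipher string, since a typo in an exclusion silently re-enables a suite.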
32 informatics.nic.in July 2021

