WAF – What, where, how and why?

In a world where new cyber-attacks are created and appear each and every day, we have to continuously search for and establish new security controls and protection mechanisms. Most common cyber security threats found today often involve data exfiltration and occur at the application level, which is why many NGFW and IPS/IDS systems are powerless to protect against such attacks. Additionally, most communications – especially those integrated in web applications – are encrypted these days, which poses an additional problem for such devices. Web Application Firewall, i.e. WAF products are designed specifically for web applications – they analyze each HTTP request at the application level and provide full decryption of SSL/TLS traffic.

Want to learn more about Web Application Firewall? Watch the video!

WAF products are essential for establishing effective multi-layer protection. Technology behind Web Application Firewalls hasn’t really changed over the last few years. WAF systems inspect requests for compliance with RFC documents and apply different attack signature comparisons to decide if the request is valid or not. New functionalities have been added to enable user session- and behavior-monitoring via WAF applications, aimed at preventing potential brute force attacks and session hijacking. IP reputation-based filtering and feeds were also added to block known attack sources such as botnets, anonymizers, and similar threats. Most WAF products still use relatively passive technologies and mechanisms with limited or no ability for inspecting the client.

Positioning WAF devices in network-communication-application environments

One question which frequently pops-up is where to place such devices? There is more than one solution, of course. Communication path between the user and target application often has multiple points where a WAF device can be set up. However, that does not mean that each of these points is equally favorable. Ideally, WAF will be implemented behind a system used to perform load distribution and traffic optimization in any given environment. This enables it to optimize usage, performance, and reliability, while simultaneously offering protection for data center applications – especially if such applications are publicly available.


Threat landscape in the modern online world

Most threats facing today’s IT systems are automated in nature with attackers using automated application scanning to search for new vulnerabilities. Distributed denial-of-service (DDoS) attacks are fully automated and can generate high-volume flood-based attacks exceeding 1Tbps. Automated attacks are difficult to detect because they are often designed to mimic perfectly legitimate traffic. CAPTCHA and similar technologies are used to detect such attacks; however, these verification methods have been proven insufficient over time and often impair the experience of legitimate users.

Completely new threats are also emerging, such as credential stuffing. Credential Stuffing is a special type of attack whereby millions of username and password combinations stolen during previous breaches are used to gain unauthorized access to user accounts. According to recent threat reports, exploitation of stolen account credentials was the most common type of attack in 2017. Credential stuffing attacks are very difficult to detect because not only does malicious traffic look legitimate, they are often executed very slowly to avoid detection as brute force attacks.

Malware is ever-present in all online environments and is used to exploit browser vulnerabilities and target users on the other side of screen. There are many methods for distributing and delivering malware – from e-mail attachments to malicious links shared on social networks and in ads. Machines infected by malware are used to perform DDoS attacks, identity theft, and collect data. Available detection and mitigation methods are limited unless the client machine is supervised by an experienced IT team.

Finally, there are DDoS attacks. They are not just volumetric by nature. Many are also computational – used to consume resources such as CPU and memory – and bog down the performance of application or database servers. Detecting DDoS attacks can be relatively difficult, as most such attacks appear to be valid traffic, often consistent with standard incoming data checks.

Simply put, these attacks can go unnoticed and bypass virtually all traditional WAF solutions since they appear perfectly legitimate. Functionality of IP reputation databases and feeds is also somewhat crippled due to the ever-increasing number of compromised devices, which are becoming more diverse: modems, IoT devices… There is absolutely no doubt we need a more advanced WAF device and technology to protect ourselves from such emerging threats.


F5 Application Security Manager – ASM

F5 ASM (Application Security Manager) is a certified web application firewall (WAF) which provides comprehensive and proactive protection from general and targeted attacks over the network application layer. Like most other web application firewalls, ASM uses a positive security model under which all traffic is forbidden until explicitly allowed. This logic means ASM lets through only valid, non-malicious and authorized requests and automatically protects critical web applications from suitable attacks. Application Security Manager protects your system from various application, infrastructure and network attacks such as cross-site scripting, SQL injection attacks, cookie/session poisoning, parameter tampering, forceful browsing, DOS attacks and many more… BIG-IP ASM protects applications based on comprehensive security policies regardless of whether they are located in traditional, virtual or private cloud environments. ASM evaluates threats and prevents their execution, providing visibility and a very high level of flexibility which helps ensure smooth, reliable and secure performance of web applications.

Figure shows percentages of web application exposure to attacks which OWASP cites as the ten most common web application risks. Users can implement ASM to protect their systems from all such risks and additionally take advantage of integrated security rules and attack patterns which are used to protect from entire classes of HTTP and HTTPS threats. ASM is the only web application firewall that monitors and remembers normal behavior of applications it secures and can provide protection against all attacks that deviate from normal application behavior.


Advanced WAF technology – F5 Advanced WAF

F5 recently added a product called “Advanced WAF” to its portfolio, once again confirming why F5 is the market leader in WAF technologies. Advanced WAF comes supplied with all mechanisms required to detect and mitigate advanced attacks present in today’s online world.

Various features of this security solution include the following:

  • Proactive Bot Defense – utilizes fingerprinting technology and challenge/response techniques combined with behavioral analysis to enable session-level threat detection and block automated threats. This is a much more advanced and efficient solution than relying on IP reputation databases to protect against botnet attacks.
  • Layer 7 Behavioral DoS detection and mitigation – F5 Advanced WAF is able to dynamically profile traffic and create signatures for abnormal traffic patterns, stopping DDoS attacks before they reach your application.
  • DataSafe – provides credential protection by dynamically, on-the-fly and in real-time encrypting page content to prevent man-in-the-browser attacks caused by malware. DataSafe also encrypts data entered into the browser by the user – on-the-fly and in real-time.
  • Anti-Bot Mobile SDK – browser is not present when using mobile apps, meaning that PBD protection loses its efficiency. The Anti-Bot Mobile SDK is here to help prevent botnet attacks even on mobile devices.


Final thoughts…

At a time when we engage in most of our private and business communications using numerous applications and software solutions, we should focus our attention on protecting them. 42% of businesses that have been targeted by cyber-attacks in the past year pointed to external sources, with the two most widely used attack methods aimed at web applications and various software vulnerabilities. Malicious sources are constantly attacking applications which is why security professionals are looking for WAF devices to protect web applications from most sophisticated breaches, including zero-day attacks, and ensure safety of applications of all shapes and formats. F5 Advanced WAF is a dedicated security platform offering most advanced application security features on the market today.


Complete the form and get useful links such as F5 Advanced WAF video & webinar!

[Form id=”120″]