WAF (Web Application Firewall) is a firewall for web applications. It is a traffic filtering tool that works at the application level and protects web applications by analyzing HTTP/HTTPS traffic and XML/SOAP semantics. WAF can be installed on a physical or virtual server and detects a wide variety of types of attacks.

The firewall acts as a proxy server, but due to the ability to study HTTPS traffic by verifying the certificate of a specific server, WAF is designed to perform additional operations: load balancing on the server, termination of SSL traffic, etc. WAF can work with clustering and acceleration of applications.

Safety models and operating modes

WAF can be integrated into the network as:

• Screen. Real-time network monitoring using the SPAN port.
• Gateway. There are 3 proxy modes: transparent, bridge and reverse.

WAF works according to the following security models:

• Negative. A kind of “blacklist” that prohibits the reception of specific information specified in the settings. Protects web applications at the application level (similar to IPS), but is able to assess potential threats in more detail and is more often used to provide protection against “popular” and specific types of attacks. Analyzes vulnerabilities of specific web applications.
• Positive. A “white list” that allows the reception of specific information that was previously specified in the settings. It allows you to get maximum protection, because it is used as an addition to models. It uses a different type of logic: rules that define what is specifically allowed.

An example of Negative work is to prohibit a predefined “bad” HTTP GET request and allow everything else.

An example of how Positive works: to allow the previously specified HTTP GET requests for a given address and prohibit everything else.

WAF Features

• Quickly respond to any kind of attacks on web applications that are included in the OWASP Top 10 (Open Web Application Security Project – an open web resource security project).
• Protection is provided by the specified active rules.
• Check the HTTP/HTTPS traffic coming to the application and other requests addressed to web applications, and then make decisions based on the specified rules and policies (block, allow, send a notification).
• To maintain the stable operation of the Negative and Positive security models, as well as to comply with all the rules set within their framework.
• Check and analyze content created using HTML and DHTML, as well as CSS and HTTPS and HTTP application transfer protocols.
• Prevent information leakage by checking HTTP/HTTPS traffic coming from web applications, and take specified measures based on specified active rules.
• Constantly keep an event log and record in it all completed operations, analytical information and other events that have occurred.
• Analyze web services (partly public) using XML analysis (eXtensible Markup Language), structured SOAP messaging, and check HTTP web servers for interaction models.
• Check all incoming data used to send/receive information from web applications.
• Protect against attacks directed specifically at the Web Application Firewall itself.
• Terminate TLS and SSL – decrypt and verify traffic before sending it to a web application.

The main difference between a firewall and other methods of protecting web applications is a deep analysis of the traffic of application-level protocols.