Web Application Firewall: stay ahead of the curve

In one of the previous posts, we talked about repelling DDoS attacks using traffic analysis using the Netflow protocol. Of course, DDoS is far from the only problem that a resource may face. The imagination of the intruders is very, very great, and they have enough technical means. Plus, do not forget that some of your resources may well run on software with zero-day vulnerabilities.

So it turns out that a web application can be attacked from several fronts at once – here you have cross-site scripting, and SQL injection, and authorization bypass, and remote code execution, in general, you know. In the eternal struggle of the shield and sword against this kind, a protective screen for web applications was invented, catching such activities and blocking them even before they are executed on your site.

In this post, we will explain how WAF from Beeline Business, what advantages it has and how to quickly connect it for your company.

Why WAF is needed at all

Last year Positive Technologies released his study “Web Application Vulnerabilities 2019”, according to which the share of web applications containing high-risk vulnerabilities has already reached 67%. The most common problems are insufficiently protected authorization zone, SQL injection and reading arbitrary data. Plus, the percentage of systems in which data leaks are possible is growing.

The importance of protecting web applications is also highlighted by one of the reports from Gartner analysts:

  • Application Layer Firewalls (WAFs) differ from Next Generation Firewalls (NGFWs) and Intrusion Prevention Systems (IPS). WAF protects every single application from attacks.
  • Even with NGFW and IPS, WAF is often the only solution that inspects both encrypted and unencrypted incoming web traffic.
  • The most important factor in choosing a WAF is a clear understanding of the amount of work to be performed by employees. Particular attention should be paid to the absence of false positives.
  • Typically, enterprises focus on securing publicly available user web applications while neglecting equally important internal applications.

The main differences between WAF, IPS and NGFW (Gartner)

The consequences of such leaks and hacks are quite obvious and not very pleasant for companies (and their clients especially): here you have personal data, including payment information, and trade secrets with confidential documents, and access to internal systems. In general, the jackpot, in the event of a breakdown of which the company suffers both reputationally and financially. As expected, financial institutions suffer the most from this, but not only:

According to Positive Technologies

To protect against this, companies have information security specialists who determine the permissibility of using one or another software, as well as general security policies. At the same time, general trends – an increase in the number of applications themselves, the active use of various APIs, work in a mixed environment (in-house applications, private and cloud) actively hint that many processes should be automated.

Especially in the field of information security.

The main problems for companies trying to deploy such solutions on their own were that the response time to an active threat was quite long, as was the cost of ownership of the solution itself. I wanted, as usual, to make it faster and more accessible. And, ideally, also with a cloud version of the solution, which can be quickly connected and conveniently administered.

Therefore, we decided to offer exactly automated mechanisms for protecting, blocking and repelling attacks using our protective shield.

First of all, we took OWASP’s list of the top 10 threats to web applications in 2020 and implemented protection against them on both models (positive and negative).

  1. Injection.
  2. Broken Authentication.
  3. Sensitive Data Exposure.
  4. XML External Entities (XXE).
  5. Broken Access Control.
  6. Security Misconfiguration.
  7. Cross-Site Scripting XSS.
  8. Insecure Deserialization.
  9. Using Components with Known Vulnerabilities.
  10. Insufficient Logging & Monitoring.

In addition to this, our WAF protects against brute force, data extraction, API attacks, unwanted crawling, botnets, and slowloris and HTTP dynamic floods.

Of course, there is also a reflection of zero-day attacks, including HTTPS, as well as blocking traffic by geography.

In addition, our WAF supports a unique machine learning-based automatic policy creation algorithm that is perfect for automatically generating security policies for a web application.

The configured WAF will know well the structure of your resource, so it will be able to automatically block any actions that are not typical for its work.

By the way, there are a couple of myths about the redundancy of the very essence of WAF and its necessity. The following is usually cited as an example:

Security gateway and session monitoring will protect me

Web applications should be accessible to everyone, so all you have to do is allow all inbound traffic on ports 80 (HTTP) and 443 (HTTPS) and hope everyone plays by the rules. Session monitoring for presence, identification and blocking of executable code is not a substitute for analyzing web application traffic, so exploiting a vulnerability through a legitimate web request is not difficult with an all-in-one security gateway.

Then it will definitely protect the network web application security scanner

Not really. Network security scanners are designed to detect insecure configurations, missing updates, and server and network device vulnerabilities, not web application vulnerabilities. The architecture of the solutions, the huge number of rules and features to be checked when scanning a network, still sometimes allow manufacturers of network scanners to offer additional functionality to search for vulnerabilities in web applications under a separate license or even free of charge.

But the usability and quality of their work are far from even the average level of professional web application scanners, and trust in such products cannot be restored after finding critical vulnerabilities where the universal scanner has worked 100%.

How it works

We built the solution on the equipment of the Israeli company Radware, which has long been a leader in information security services. One of the important advantages of the solution is its automatic operation: threat analysis and optimization of standardized rules for web applications are carried out without the participation of an administrator.

There are three connection methods, which are determined by where you decide to conduct traffic analysis:

  1. On our virtual machines in our data center
  2. On our equipment at the client’s premises
  3. On the client’s virtual machine.

Schematically, everything looks like this:

In addition to three connection options, there are two deployment options:

  1. Inline (only from the cloud) – monitoring or active blocking of malicious requests.
  2. Out of pass (locally at the customer) – only monitoring of malicious requests is supported.

Thanks to automatic optimization of the standardized rules, we managed to achieve the lowest possible false positive value. It is almost close to zero. Of course, sometimes it happens (less than 1%), this is due to errors in the description of the rules of operation of a particular site, because WAF as a mechanism describes only permitted actions, and everything else is prohibited.

Solution benefits

As part of our web application firewall, we offer a best-of-breed solution that:

  • provides complete protection against the 10 most dangerous vulnerabilities according to OWASP;
  • certified by ICSA Labs;
  • has a unique feature for automatic policy creation;
  • and supports negative and positive safety models.

We also have a convenient personal account, which collects reports on all detected threats and blocked attacks, access to which is carried out using the employee’s login and password only from a specific IP.

Usually, a single service is considered to connect WAF to a specific client site. In our case, if a client has, say, two sites on the same server that are accessible from two different IPs, we still consider this as one a WAF provisioning service by simply summing up the customer’s total traffic.

More useful information:

  • Individual virtual machine for each client in cloud hosting.
  • WAF automatically adjusts to changes in site content, which greatly simplifies administration.
  • In cloud hosting, the SSL certificate for access to the site is not transferred to the operator, but is uploaded by the client in the personal account in the crypto container, which ensures security in accordance with the banking standard PCI DSS.
  • 24×7 support by qualified specialists in the field of information security of the partner – EKON Technologies.
  • 3 options for implementing the solution – cloud, client VM, dedicated equipment in the client’s loop.

You can connect WAF from Beeline on the product page… You will have a free test month, if you don’t like it, turn it off, if you like it, we will continue working.

Similar Posts

Leave a Reply