Firewalls come in essentially three varieties: hardware firewalls, software firewalls, and web application firewalls (WAFs). Typically a hosting company or datacenter infrastructure will take advantage of both of the first two types of firewalls for general use. The third type – the focus of this article – started gaining prominence about a half-decade ago (though there is overlap of these categories, as discussed below).
According to the nonprofit Open Web Application Security Project (OWASP), web application firewalls became more prevalent as hackers started focusing their efforts on apps (e-commerce stores, sales systems, etc.). Essentially, the apps provide different points of entry for intruders, so hackers started zoning in on them. That point of focus has many times allowed them to enter without being noticed (because standard firewalls have been centered on general network activity rather than the range of issues specific to web apps).
Why is a web application firewall necessary?
The basic need for firewalls specific to web apps is that Hypertext Transfer Protocol (HTTP) is relatively simplistic. Obviously, that protocol defines the back and forth of Internet interaction. Web applications, meanwhile, have become more and more sophisticated as time has gone on. The apps have outgrown the language used to communicate them in a sense, security-wise. Specialized protective software – the web application firewall – bridges the divide so that apps aren’t as vulnerable.
There is an additional disconnect between HTTP and web app security related to state. HTTP is stateless, and web apps are typically stateful. In other words, the latter utilizes previous processing information whereas the former does not. This disparity means an additional incompatibility between the two, beyond general complexity: essentially, a web app is “on its own” to establish its parameters and protect itself (enter the WAF).
What exactly is a web application firewall?
By definition (per OWASP), a WAF is a piece of software intended to protect a web app that is on the level of the application. Nonetheless, a WAF is not defined by the web app: it’s not a customized solution specific to that application but – similarly to a general software firewall – one that contains parameters to protect against intrusion into a wide variety of frameworks and scripts.
To be clear, there is overlap between the different types of firewalls. Software and hardwall firewalls are used in their own right to protect networks. However, WAFs – with their specialized function for web applications – can take the form of either of those two main types. They can be implemented either as hardware devices, installed as an actual physical piece of an infrastructure; or they can be used as software, installed on servers or integrated into other devices (e.g., they can be loaded onto hardware firewalls to enhance their protection with WAF capabilities).
Overall function of web application firewalls in an enterprise
Often a company is running dozens of web apps at the same time. Although an enterprise will typically consider the strength of some WAFs more important than others (based on the role played by the app it is protecting), it’s wise to remember that a system may only be as strong as its weakest link. Hackers could be able to access the network, potentially, through any of the firewalls. For that reason, apps that may generally be less vital to business operations should still be reasonably secure.
That said, because of budgetary concerns, systems administration often must place greater or lesser weight on the firewalls protecting certain apps. Here are a few questions that can be asked to strike the proper balance and understand which apps must have the highest degrees of protection:
- Does the app grant availability to sensitive details of any users of the system, whether internal or external parties?
- Does it allow access to proprietary documents or data?
- Does the app play a crucial function within the enterprise? How bad would it be if it went down?
- Is the app itself involved in network or any system protection?
App development & function of individual web application firewalls
Clearly the strength of each firewall should be as strong as possible, as discussed above. However, ideally a firewall is not crucial at the outset. Security should be a major factor for custom apps during their development. Loopholes in applications are patched as weaknesses become known, but problems discovered when an app has been used for a lengthy period can often mean more time and money for a fix.
A web application firewall comes in handy when it impossible or difficult to make changes to the application, or when the necessary revisions are extensive. The firewall is used when the app itself cannot be changed. Standardly a firewall uses a blacklist, protecting against individual, previously logged attacks. Additionally, it can also use a white list, providing allowable users and instances of interaction for the application.
Web application firewalls play an important role for companies worldwide. We believe strongly in our own firewalls and security at Atlantic.net. In fact, we believe so much in our reliability that we guarantee a complete absence of downtime. Click here to learn more about what makes us different.
By Kent Roberts