Firewalls come in essentially three varieties: hardware firewalls, software firewalls, and web application firewalls (WAFs). Typically, a cloud hosting company or data center will use both of the first two types for general protection. The third type – the focus of this article – started gaining prominence about a half-decade ago (though there is an overlap of these categories, as discussed below).

According to the nonprofit Open Web Application Security Project (OWASP), web application firewalls became more prevalent as hackers started focusing their efforts on apps (e-commerce stores, sales systems, etc.). Essentially, the apps provide different entry points for intruders, so hackers started zeroing in on them. That point of focus has often allowed them to enter without being noticed (because standard firewalls have been centered on general network activity rather than the range of issues specific to web apps).

Why is a web application firewall necessary?

The basic need for firewalls specific to web apps is that Hypertext Transfer Protocol (HTTP) is relatively simplistic. Obviously, that protocol defines the back-and-forth of Internet interaction. Web applications, meanwhile, have become more and more sophisticated as time has gone on. In a sense, security-wise, the apps have outgrown the protocol used to communicate with them. Specialized protective software – the web application firewall – bridges the divide so that apps aren’t as vulnerable.

There is an additional disconnect between HTTP and web app security related to state. HTTP is stateless, and web apps are typically stateful. In other words, the latter utilizes previous processing information, whereas the former does not. This disparity means an additional incompatibility between the two, beyond general complexity: essentially, a web app is “on its own” to establish its parameters and protect itself (enter the WAF).

What exactly is a web application firewall?

By definition (per OWASP), a WAF is a piece of software intended to protect a web app at the application level. Nonetheless, a WAF is not defined by the web app: it’s not a customized solution specific to that application but – similarly to a general software firewall – one that contains parameters to protect against intrusion in a wide variety of frameworks and scripts.

To be clear, there is an overlap between the different types of firewalls. Software and hardware firewalls are used in their own right to protect networks. They can be implemented as hardware devices, installed as an actual physical piece of infrastructure, or used as software, either installed on servers or integrated into other devices (e.g., they can be loaded onto hardware firewalls to enhance their protection with WAF capabilities). However, with their specialized function for web applications, WAFs can take the form of either of those two main types.

The overall function of web application firewalls in an enterprise

Although an enterprise will typically consider the strength of some WAFs more important than others (based on the role played by the app it is protecting), it’s wise to remember that a system may only be as strong as its weakest link. Often a company is running dozens of web apps at the same time. Hackers could potentially access the network through any of the firewalls. For that reason, apps that may generally be less vital to business operations should still be reasonably secure.

That said, systems administration often must place greater or lesser weight on the firewalls protecting certain apps because of budgetary concerns. Here are a few questions that can be asked to strike the proper balance and understand which apps must have the highest degrees of protection:

  • Does the app grant access to sensitive details of any users of the system, whether internal or external parties?
  • Does it allow access to proprietary documents or data?
  • Does the app play a crucial function in the enterprise? How bad would it be if it went down?
  • Is the app itself involved in network or any system protection?

App development & function of individual web application firewalls

Clearly, each firewall should be as strong as possible, as discussed above. However, ideally, a firewall is not crucial at the outset. Security should be a major factor for custom apps during their development. Loopholes in applications are patched as weaknesses become known, but problems discovered after an app has been in use for a lengthy period can often mean more time and money for a fix.

A web application firewall comes in handy when it is impossible or difficult to make changes to the application or when the necessary revisions are extensive. The firewall is used when the app itself cannot be changed. As standard, a firewall uses a blacklist, protecting against individual, previously logged attacks. Additionally, it can use a whitelist, specifying allowable users and instances of interaction for the application.
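
The two models described above, side by side, as an added example (not code from the article or from any WAF product). The signatures, routes, parameter formats and sample requests are constructed for illustration, and the whitelist here covers allowable interactions only, not users.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Blacklist: signatures of previously logged attacks (constructed samples).
BLACKLIST = [
    re.compile(r"<script\b", re.I),
    re.compile(r"\bunion\s+select\b", re.I),
    re.compile(r"\.\./"),
]

# Whitelist: the only interactions a hypothetical shop app accepts,
# as (method, path) -> {parameter: pattern the whole value must match}.
WHITELIST = {
    ("GET", "/product"): {"id": re.compile(r"\d{1,8}")},
    ("GET", "/search"): {"q": re.compile(r"[\w .-]{1,64}")},
}

def _split(url):
    """Return the decoded path and the decoded (name, value) query pairs."""
    parts = urlsplit(url)
    return unquote(parts.path), parse_qsl(parts.query, keep_blank_values=True)

def blacklist_allows(method, url):
    """Negative model: allow unless a known signature matches."""
    path, params = _split(url)
    texts = [path] + [value for _, value in params]
    return not any(sig.search(t) for sig in BLACKLIST for t in texts)

def whitelist_allows(method, url):
    """Positive model: allow only declared routes, parameters and formats."""
    path, params = _split(url)
    rules = WHITELIST.get((method, path))
    if rules is None:
        return False  # undeclared method/path combination
    if sorted(name for name, _ in params) != sorted(rules):
        return False  # missing, unknown or repeated parameter
    return all(rules[name].fullmatch(value) for name, value in params)

# Constructed sample requests.
SAMPLES = [
    ("GET", "/product?id=42"),
    ("GET", "/search?q=%3Cscript%3E"),
    ("GET", "/product?id=42%20OR%201%3D1"),
    ("DELETE", "/product?id=42"),
]

if __name__ == "__main__":
    for method, url in SAMPLES:
        print(method, url, blacklist_allows(method, url), whitelist_allows(method, url))
```

The last two samples match no logged signature, so the blacklist passes them, while the whitelist rejects them because the value format and the method were never declared as allowable.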


Web application firewalls play an important role for companies worldwide as well as our VPS hosting service. We believe strongly in our own firewalls and cloud hosting security at Atlantic.Net. In fact, we believe so much in our reliability that we guarantee a complete absence of downtime. Learn more about what makes us different and why our VPS hosting is world-class!


By Kent Roberts