What does a Web Application Firewall do? How is it different from traditional network devices?

What is a WAF?

WAF stands for Web Application Firewall.

The commonly accepted definition is that a Web application firewall is a product that protects Web applications specifically, by enforcing a set of security policies on HTTP/HTTPS traffic.

Common deployment method of WAF:

A WAF is generally deployed in front of the Web server, so that it sees client traffic before the Web application does.

So what can a WAF do?

  • Filter HTTP/HTTPS traffic and protect against Web attacks
  • Perform security audits of Web applications
  • Prevent CC attacks
  • Application delivery

CC (Challenge Collapsar) attack: the attacker sends a large number of requests to the pages that consume the most application resources, such as Web pages that query a database, until the server can no longer serve normal users. The Anti-CC section below describes this in more detail.

Application delivery: short for Application Delivery Networking (ADN), i.e. using network optimization/acceleration equipment so that business applications reach internal staff and external users quickly, securely and reliably. The Web delivery section below says more.

What can't a WAF do?

  • A WAF cannot filter traffic of other protocols, such as FTP or POP3
  • A WAF cannot replace a traditional firewall; for example, it does not do address mapping (NAT)
  • A WAF cannot stop network-layer DDoS attacks (volumetric attacks such as SYN floods)
  • A WAF is not an antivirus product

The difference between a WAF and traditional security devices:

Features of traditional security devices:

  • IPS: protects against worms, network viruses and backdoor Trojans, but has no protection capability at the Web application layer.
  • Traditional firewall: acts as the access control device between the intranet and the extranet and provides layer 3/4 (network and transport layer) protection, but has no protection capability at the Web application layer.

WAF features:

A WAF is a dedicated application-layer security product. It should:

  • Have threat awareness capability
  • Perform deep inspection of HTTP/HTTPS, with a high detection rate and low false positive and false negative rates
  • Offer high performance
  • Remain stable in complex network environments

Main functions of a WAF:

  • A WAF provides its defense mainly through a large set of built-in security rules.
  • It can protect against common OWASP Top 10 attacks such as SQL injection and XSS, as well as web page tampering and middleware vulnerabilities.
  • When an attack is detected, the source IP can be locked; a locked IP can no longer reach the website.
  • It also prevents CC attacks, using a dual detection algorithm based on request concentration and request rate.

Major WAF vendors:

  • Domestic (China): Anheng (DBAPPSecurity), NSFOCUS, Venustech
  • Foreign: Fortinet, Barracuda, Imperva

The development history of WAF

WAF architectures have mainly gone through four stages: IPS architecture, reverse proxy, transparent proxy and stream (flow) mode.

Features of the IPS architecture:

Advantages:

  • Built on the existing IPS architecture, so it is easy to deploy
  • Does not change packet content
  • Better performance

Disadvantages:

  • High false positive and false negative rates
  • Hard to handle HTTP slow attacks and fragmentation attacks (requests split across packets)
  • Hard to implement complex application functions, such as application delivery

Reverse proxy features:

Advantages:

  • Single-arm (off-path) deployment; no need to insert the device in series in the network
  • Can implement application delivery
  • Good protection capability

Disadvantages:

  • Changes packet content
  • Poor performance
  • The network configuration must be changed, and fault recovery is slow

Transparent proxy features:

Advantages:

  • Semi-transparent deployment; no change to network configuration
  • Can implement application delivery
  • Good protection capability
  • Fast fault recovery

Disadvantages:

  • Still changes some packet content (for example the TCP source port)
  • Average performance

Stream (flow) mode features:

Advantages:

  • Fully transparent deployment: no change to network configuration or packet content
  • Can implement application delivery
  • Good protection capability
  • Fast fault recovery
  • Good performance

Disadvantages:

  • Protection against specially constructed attacks depends on the WAF's cache (buffer) size, since the stream engine only holds a bounded part of the request for inspection

WAF Key Technologies

Principle of the WAF's transparent proxy technology:

Figure: WAF transparent proxy technology principle

Transparent proxy technology works at the application layer of the protocol stack, on top of TCP: the WAF establishes two independent TCP connections, one with the client and one with the server, so the client never has a direct TCP connection to the server. The communication process is as follows:

Figure: WAF communication process

Because the WAF terminates the client connection and opens its own connection to the server, it changes the following packet content:

  • Client TCP source port
  • Client source MAC / server source MAC address
  • Long/short (keep-alive vs. close) connection handling and protocol version
  • MIME type
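As an added, runnable illustration of the two-connection design (example code written for this page, not from the original article or any vendor's product), the Python program below runs a stand-in origin server and a stand-in WAF on the loopback interface. The WAF accepts the client's TCP connection, reads the whole request, and only then opens its own TCP connection to the server; a request that trips a toy rule (the `../` pattern is an assumption made for the example) is answered with 403 without the server ever seeing a connection. Because the upstream socket belongs to the WAF, the server observes the WAF's source port rather than the client's, which is the source-port change listed above. A real transparent proxy additionally preserves the client's source IP towards the server (on Linux via IP_TRANSPARENT); this loopback example does not.

```python
import socket
import threading
from typing import Dict, List

socket.setdefaulttimeout(5.0)      # never hang forever if something goes wrong
BLOCKED_PATTERN = b"../"           # toy inspection rule, assumed for this example


def recv_http_message(sock: socket.socket) -> bytes:
    """Read one HTTP/1.x message: headers, then Content-Length bytes of body (no chunked support)."""
    data = b""
    while b"\r\n\r\n" not in data:
        chunk = sock.recv(4096)
        if not chunk:
            return data
        data += chunk
    head, _, body = data.partition(b"\r\n\r\n")
    length = 0
    for line in head.split(b"\r\n")[1:]:
        if line.lower().startswith(b"content-length:"):
            length = int(line.split(b":", 1)[1].strip())
    while len(body) < length:
        chunk = sock.recv(4096)
        if not chunk:
            break
        body += chunk
    return head + b"\r\n\r\n" + body


class Backend(threading.Thread):
    """Origin server stand-in: records the source port of every connection it accepts."""
    def __init__(self):
        super().__init__(daemon=True)
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.peer_ports: List[int] = []

    def run(self):
        while True:
            try:
                conn, peer = self.sock.accept()
            except OSError:
                return
            self.peer_ports.append(peer[1])
            recv_http_message(conn)
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok")
            conn.close()


class TransparentProxy(threading.Thread):
    """WAF stand-in: one TCP connection with the client, a separate one with the server."""
    def __init__(self, backend_port: int):
        super().__init__(daemon=True)
        self.backend_port = backend_port
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.upstream_ports: List[int] = []

    def run(self):
        while True:
            try:
                client, _ = self.sock.accept()
            except OSError:
                return
            request = recv_http_message(client)        # buffer the full request before deciding
            if BLOCKED_PATTERN in request:
                # Blocked: the server never sees a SYN for this request.
                client.sendall(b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n")
                client.close()
                continue
            upstream = socket.create_connection(("127.0.0.1", self.backend_port))
            self.upstream_ports.append(upstream.getsockname()[1])   # the port the server will see
            upstream.sendall(request)
            client.sendall(recv_http_message(upstream))
            upstream.close()
            client.close()


def send(port: int, request: bytes) -> Dict[str, object]:
    """Client stand-in: returns its own source port and the status line it got back."""
    c = socket.create_connection(("127.0.0.1", port))
    c.sendall(request)
    reply = recv_http_message(c)
    local_port = c.getsockname()[1]
    c.close()
    return {"client_port": local_port, "status": reply.split(b"\r\n", 1)[0]}


def demo() -> Dict[str, object]:
    backend = Backend(); backend.start()
    proxy = TransparentProxy(backend.port); proxy.start()
    good = send(proxy.port, b"GET /index.html HTTP/1.1\r\nHost: www.test.com\r\n\r\n")
    bad = send(proxy.port, b"GET /../../etc/passwd HTTP/1.1\r\nHost: www.test.com\r\n\r\n")
    return {
        "good_status": good["status"],
        "bad_status": bad["status"],
        "client_port": good["client_port"],
        "waf_upstream_port": proxy.upstream_ports[0],
        "server_saw_port": backend.peer_ports[0],
        "backend_connections": len(backend.peer_ports),   # the blocked request never reached it
    }


if __name__ == "__main__":
    print(demo())
```

Buffering the whole request before forwarding is what lets the WAF see a request that was split across packets, and it is also why the reverse/transparent proxy generations cost more per request than the IPS architecture.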

Web application security protection strategy:

Regular-expression matching against a library of Web attack signatures. Policy rules are organized in a rule chain (linked list); the request headers, request body, response headers and response body are each inspected deeply and matched against the rules one by one.

The following attacks can be prevented:

  • HTTP protocol compliance checking
  • SQL injection blocking
  • Cross-site scripting (XSS) / CSRF protection
  • Form / cookie tampering protection
  • DoS attack protection
  • Sensitive information leakage prevention
  • Directory traversal blocking
  • Scanner detection
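As an added illustration of this rule-chain design (example code written for this page, not from the original article or from any vendor's product), the Python sketch below walks a small constructed signature list, in order, over the percent-decoded URI, body and User-Agent of a request and over the body of a response. The rule IDs, regexes and sample messages are invented for the example and only indicative; a real feature library has thousands of entries. The one design point worth taking from it is that matching runs on the normalized (decoded) request, so that encoded and double-encoded payloads cannot slip past the signatures.

```python
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import unquote_plus


@dataclass(frozen=True)
class Rule:
    rid: str
    category: str
    location: str           # message part the regex runs over: uri, body, user-agent, response_body
    pattern: "re.Pattern[str]"
    action: str = "block"   # "block", or "alert" (log only, let the message through)


@dataclass(frozen=True)
class Finding:
    rid: str
    category: str
    location: str
    action: str
    evidence: str


# Constructed, deliberately small signatures; a production feature library has thousands.
SQLI = r"(?i)(\bunion\b[\s/*]+(all[\s/*]+)?select\b|'\s*(or|and)\s+'?\w+'?\s*=\s*'?\w+|;\s*(drop|alter)\s+table\b)"
XSS = r"(?i)(<\s*script\b|javascript\s*:|\bon(error|load|mouseover|focus)\s*=)"
TRAVERSAL = r"(\.\./|\.\.\\)"                      # matched after percent-decoding
SCANNER_UA = r"(?i)\b(sqlmap|nikto|nessus|acunetix|wpscan)\b"
LEAK = r"(?i)(ORA-\d{5}|You have an error in your SQL syntax|Warning: mysql_|\bat [\w.$]+\(\w+\.java:\d+\))"

# The rule chain: walked in order, the first blocking match ends the walk.
RULES: List[Rule] = [
    Rule("R101", "sqli", "uri", re.compile(SQLI)),
    Rule("R102", "sqli", "body", re.compile(SQLI)),
    Rule("R201", "xss", "uri", re.compile(XSS)),
    Rule("R202", "xss", "body", re.compile(XSS)),
    Rule("R301", "traversal", "uri", re.compile(TRAVERSAL)),
    Rule("R401", "scanner", "user-agent", re.compile(SCANNER_UA)),
    Rule("R501", "info-leak", "response_body", re.compile(LEAK), "alert"),
]
ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE", "HEAD", "OPTIONS", "PATCH"}


def decode(s: str, rounds: int = 2) -> str:
    # Percent-decode repeatedly (bounded) so double-encoded payloads like %252e%252e%252f are seen.
    for _ in range(rounds):
        d = unquote_plus(s)
        if d == s:
            break
        s = d
    return s


def parse_http(raw: str):
    # Split a raw HTTP/1.x message into (start line, lower-cased header dict, body).
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def inspect_request(raw: str) -> List[Finding]:
    # Protocol-compliance check first, then the rule chain over the decoded request parts.
    start, headers, body = parse_http(raw)
    parts = start.split(" ")
    if len(parts) != 3 or parts[0] not in ALLOWED_METHODS or parts[2] not in ("HTTP/1.0", "HTTP/1.1"):
        return [Finding("R001", "protocol", "request_line", "block", start)]
    form = "x-www-form-urlencoded" in headers.get("content-type", "")
    views = {"uri": decode(parts[1]), "body": decode(body) if form else body,
             "user-agent": headers.get("user-agent", "")}
    findings: List[Finding] = []
    for rule in RULES:
        text = views.get(rule.location)
        m = rule.pattern.search(text) if text is not None else None
        if m:
            findings.append(Finding(rule.rid, rule.category, rule.location, rule.action, m.group(0)))
            if rule.action == "block":
                break
    return findings


def inspect_response(raw: str) -> List[Finding]:
    # Response side of the same chain: only rules aimed at the response body apply.
    _, _, body = parse_http(raw)
    hits = [(r, r.pattern.search(body)) for r in RULES if r.location == "response_body"]
    return [Finding(r.rid, r.category, r.location, r.action, m.group(0)) for r, m in hits if m]


def verdict(findings: List[Finding]) -> str:
    if any(f.action == "block" for f in findings):
        return "block"
    return "alert" if findings else "pass"


# Constructed sample messages (www.test.com is the host name the page itself uses).
SAMPLES = {
    "clean": "GET /search?q=waf+basics HTTP/1.1\r\nHost: www.test.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "sqli_uri": "GET /item?id=1'%20OR%20'1'='1 HTTP/1.1\r\nHost: www.test.com\r\n\r\n",
    "sqli_body": "POST /login HTTP/1.1\r\nHost: www.test.com\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\nuser=admin&pass=x'+union+select+1,2--",
    "xss": "GET /comment?text=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1\r\nHost: www.test.com\r\n\r\n",
    "traversal_double_encoded": "GET /static/%252e%252e/%252e%252e/etc/passwd HTTP/1.1\r\nHost: www.test.com\r\n\r\n",
    "scanner": "GET / HTTP/1.1\r\nHost: www.test.com\r\nUser-Agent: sqlmap/1.6\r\n\r\n",
    "malformed": "GET /index.html\r\nHost: www.test.com\r\n\r\n",
}
LEAKY_RESPONSE = "HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html\r\n\r\n<b>You have an error in your SQL syntax</b>"
```

Rule order matters twice over: cheap protocol checks run before any regex, and the first blocking hit stops the walk, so the chain should be ordered from the most common and cheapest signatures to the rarest.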

Web application security audit:

A WAF can audit all user access behavior and uncover latent threats by analyzing the access records in depth. The audit trail also helps track down requests that the attack protection missed.

Anti-CC:

In a CC attack, the attacker controls a number of hosts that continuously send requests to the target server until its resources are exhausted and it can no longer respond. CC is an application-layer attack that consumes server resources rather than bandwidth. Everyone knows the experience of a Web page taking a long time to open when many people visit it at once; a CC tool simulates many users (each thread standing in for one user) and continuously requests pages that require heavy data processing, that is, a lot of CPU time, so that the CPU stays at 100% and connections pile up endlessly until the network is congested and normal access is cut off.

Principles of CC attack prevention:

  • Multiple DoS policies can be defined
  • Multiple URL matching algorithms are supported
  • Application-layer IP matching is supported
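The three points above, together with the "concentration and rate dual detection" mentioned under the main functions, are illustrated by the following added Python example (written for this page, not the original article's code or any vendor's algorithm). It defines per-URL DoS policies with exact, prefix or regex URL matching, judges each source by both a rate threshold (matched requests per window) and a concentration threshold (the share of the source's requests that go to the matched URLs), and derives the application-layer client IP from X-Forwarded-For only when the TCP peer is a trusted proxy. The thresholds, the trusted proxy range 10.0.0.0/8 and the traffic scenarios are assumptions made for the example.

```python
import ipaddress
import re
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class DosPolicy:
    name: str
    url_match: str            # "exact", "prefix" or "regex": the URL matching algorithm
    url: str
    window: float             # seconds of history each source is judged over
    max_requests: int         # rate threshold: matched requests per source per window
    max_concentration: float  # share of a source's requests that may go to matched URLs
    min_samples: int = 20     # concentration is only judged once this many requests are seen


# Assumption: our own load balancers / CDN edge, the only peers allowed to set X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def client_ip(peer_ip: str, xff: Optional[str]) -> str:
    """Application-layer IP matching: take the client from X-Forwarded-For only when the TCP
    peer is a trusted proxy, walking from the right so a value the client itself prepended
    cannot spoof the result."""
    peer = ipaddress.ip_address(peer_ip)
    if xff and any(peer in net for net in TRUSTED_PROXIES):
        for item in reversed([c.strip() for c in xff.split(",")]):
            try:
                addr = ipaddress.ip_address(item)
            except ValueError:
                continue
            if not any(addr in net for net in TRUSTED_PROXIES):
                return str(addr)
    return peer_ip


class CcDetector:
    """Rate + concentration dual detection per source IP, over one or more DoS policies."""

    def __init__(self, policies: List[DosPolicy]):
        self.policies = policies
        self.max_window = max(p.window for p in policies)
        self._regex = {p.name: re.compile(p.url) for p in policies if p.url_match == "regex"}
        self.history: Dict[str, Deque[Tuple[float, str]]] = {}

    def _url_matches(self, p: DosPolicy, path: str) -> bool:
        if p.url_match == "exact":
            return path == p.url
        if p.url_match == "prefix":
            return path.startswith(p.url)
        return self._regex[p.name].search(path) is not None

    def observe(self, now: float, src: str, path: str) -> Optional[str]:
        """Record one request from src; return "<policy>:rate" or "<policy>:concentration"
        when a threshold is crossed, else None."""
        q = self.history.setdefault(src, deque())
        q.append((now, path))
        while q and now - q[0][0] > self.max_window:
            q.popleft()                          # drop history older than the longest window
        for p in self.policies:
            if not self._url_matches(p, path):
                continue
            recent = [u for t, u in q if now - t <= p.window]
            matched = sum(1 for u in recent if self._url_matches(p, u))
            if matched > p.max_requests:
                return f"{p.name}:rate"
            if len(recent) >= p.min_samples and matched / len(recent) > p.max_concentration:
                return f"{p.name}:concentration"
        return None


def first_violation(detector: CcDetector, requests: List[Tuple[float, str, str]]) -> Optional[Tuple[int, str]]:
    """Feed (timestamp, src, path) tuples in order; return (index, reason) of the first hit."""
    for i, (ts, src, path) in enumerate(requests):
        reason = detector.observe(ts, src, path)
        if reason:
            return i, reason
    return None


SEARCH_POLICY = DosPolicy("search", "prefix", "/search", window=10.0,
                          max_requests=30, max_concentration=0.8)

# Constructed traffic scenarios: a browsing user, a single-URL CC bot, a mixed-traffic flood.
NORMAL_USER = [(i * 0.4, "198.51.100.7", "/search?q=waf" if i % 5 == 0 else f"/static/{i}.css")
               for i in range(25)]
CC_BOT = [(i * 0.05, "203.0.113.9", f"/search?q={i}") for i in range(40)]
MIXED_FLOOD = [(i * 0.1, "203.0.113.10", "/search?q=x" if i % 2 == 0 else f"/static/{i}.js")
               for i in range(80)]
```

The two thresholds complement each other: the bot that hammers only the expensive search page is caught by concentration long before it reaches the rate limit, while a flood that pads its search requests with static-file requests to look like browsing is still caught by the rate threshold on the matched URL.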

Web delivery:

"Application delivery" refers to Application Delivery Networking (ADN): using network optimization/acceleration equipment to make sure that business applications are delivered to internal employees and external users quickly, securely and reliably.

From this definition, the purpose of application delivery is to guarantee the reliability, availability and security of an enterprise's key business. Like many other technologies, such as WAN acceleration, load balancing and Web application firewalls, application delivery comes in different products with different focuses for different application needs.

A WAF generally contributes to application delivery through:

  • Web acceleration and data compression, which offload work from the server and improve its performance.

Multiple deployment modes of WAF

A WAF generally supports four deployment modes: transparent proxy, reverse proxy, bypass monitoring and bridge mode.

Transparent proxy serial mode:

Figure: WAF deployment scenario - transparent proxy serial mode

Transparent proxy mode supports in-line (serial) transparent deployment: the WAF is inserted in series in the user's network and works plug-and-play, without any change to network equipment or server configuration. It is easy to deploy and fits most user networks.

Deployment features:

  • No change to the user's network structure; transparent to the user
  • Strong protection performance
  • Fast fault recovery, with hardware bypass support (the device fails open if it loses power or crashes)

Transparent proxy serial mode is the most commonly used deployment mode and gives good protection.

Reverse proxy mode:

Reverse proxy comes in two variants: reverse proxy (proxy mode) and reverse proxy (traction mode).

Proxy Mode:

Figure: WAF deployment scenario - reverse proxy (proxy mode)

In reverse proxy (proxy) mode the WAF is attached to the network off-path. The destination mapping table on the network firewall must be changed so that the firewall maps the public address to the WAF's business port address, which hides the real IP address of the server.

That is, in the figure, when an external client visits www.test.com the name resolves to 110.1.1.1. On the network firewall FW, the nat-server (static destination NAT) mapping translates the external address 110.1.1.1 to the internal address 192.168.1.1, which is the business port address of the WAF. The WAF then connects to the backend server 192.168.1.100; the server's response goes back to the WAF, which returns it to the user. The WAF thus acts as a proxy and hides the real Web server address.

Deployment features:

  • Can be deployed off-path; not transparent to the user network; strong protection capability
  • Slow fault recovery: hardware bypass is not supported, and the domain name or address mapping must be pointed back to the original server to recover
  • Used in complex environments, for example where the device cannot be inserted in series
  • Clients must address the business port address configured on the WAF
  • Supports VRRP active/standby

Traction Mode:

Figure: WAF deployment scenario - reverse proxy (traction mode)

In reverse proxy (traction) mode the WAF is likewise attached off-path. Policy-based routing (PBR) is configured on the core switch to steer traffic from clients to the server through the WAF; the PBR next hop is the WAF's business port address.

Deployment features:

  • Deployed off-path; not transparent to the user network
  • Slow fault recovery: hardware bypass is not supported, and the policy route must be removed from the switch to recover
  • Used in complex environments, for example where the device cannot be inserted in series
  • Clients still address the Web server's own IP; the PBR redirection through the WAF is invisible to them

Bypass monitoring mode:

Figure: WAF deployment scenario - bypass monitoring mode

In bypass monitoring mode, the server's switch port is mirrored (SPAN) and a copy of the traffic is sent to the WAF. The deployment does not affect online services, but in this mode the WAF only raises alerts; it cannot block.

Transparent bridge mode:

Figure: WAF deployment scenario - transparent bridge mode

Transparent bridge mode is truly transparent: it changes nothing in the packet, not even the TCP source port or sequence numbers. Bridge mode does not track TCP sessions and can therefore work in asymmetric routing environments, where the two directions of a flow take different paths.

WAF reliability deployment - HA active-standby mode under transparent proxy:

Figure: WAF deployment scenario - HA active-standby mode under transparent proxy

In dual-device HA mode the two WAFs work as active and standby: one is in detection-and-protection mode while the other stands by and does no inspection. When the active WAF fails, or the uplink or downlink connected to it fails, the standby WAF negotiates to take over detection and protection.

  • Traffic-based switching: the active role follows the traffic, i.e. the device that traffic actually arrives at takes over.
  • When traffic arrives on both devices at the same time, active-active mode must be used; it needs no heartbeat link.

WAF reliability deployment - HA active-standby mode under reverse proxy:

Figure: WAF deployment scenario - HA active-standby mode under reverse proxy

Under reverse proxy the two WAFs negotiate the master/backup relationship via the VRRP protocol. Normally only the master works and the backup is idle; when the master fails, the backup automatically becomes master and takes over.
