WAF is dead, long live WAF!

Web application firewall (WAF)

A web application firewall (WAF) is a security tool used to guard web applications against unwanted access. It is often a security appliance placed in front of a web server, beyond the network perimeter.

Unlike layer 3 (network) and layer 4 (transport) firewalls, which cannot identify malicious requests at the application level, a WAF is a layer 7 firewall that can see past encrypted packets. Using a WAF allows organizations to defend their online presence against a range of internet-based web attacks, including cross-site scripting (XSS), SQL injection, and cross-site request forgery (CSRF). These attacks can give attackers the ability to steal critical information, take control of web servers, or launch attacks against other systems, which can be devastating for web applications.

Challenges

1. Cloud-native microservices and WAFs

WAFs are not effective inside cloud-native web applications and cloud environments. One reason is that the security rules traditional web applications relied on in on-premises environments are not valid in the cloud.

In traditional data centers, web application firewalls are typically installed at the network edge to protect applications running within the perimeter of the internal network. In cloud environments, however, applications are often deployed on elastic virtual machines or containers that can be spun up and shut down as demand changes. This means the traditional perimeter-based approach to security may be less effective in cloud environments, where applications can be anywhere on the network and are harder to monitor and control.

Another challenge with cloud-native web applications is that they are often more distributed and complex than traditional web applications. Cloud-native applications are typically composed of microservices that communicate with each other via APIs and may use multiple data stores and third-party services. This can make identifying and mitigating security risks more difficult, as attacks can occur at any point in the application architecture.

2. WAF and API challenges

APIs (application programming interfaces) are the primary method of connectivity between microservices and are also used to enable communication between external services and applications. APIs use different communication protocols and traffic patterns than traditional web applications, which makes it more difficult for WAFs to accurately identify and protect API traffic. This can lead to false positives or false negatives, weakening security or blocking legitimate traffic unnecessarily.

One of the challenges with API traffic is that it can use different protocols such as HTTP, HTTPS, and WebSockets, which can carry different types of payloads and headers that make it difficult for the WAF to accurately identify the traffic. For example, some APIs use binary payloads or encryption, which is difficult for WAFs to interpret and parse.

Another challenge is that APIs can have different traffic patterns than traditional web applications. APIs typically have a high volume of traffic with many requests per second, making it difficult for the WAF to keep up with the pace of traffic. Additionally, compared to web applications, APIs often have more predictable and consistent traffic patterns, making it easier for attackers to identify vulnerabilities and launch attacks.

Recently, a security research group published a new method for bypassing multiple web application firewalls, including those of Palo Alto, F5, Amazon Web Services, Cloudflare, and Imperva. According to the researchers, the named vendors have acknowledged the publication and made changes to their products' SQL inspection processes to support JSON syntax.
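The two points above (JSON payloads that an inspection engine must parse, and SQL inspection that must also recognize JSON syntax) can be shown with a small inspection routine. This is an added example, not code from the post or from any vendor's product; the signature list, the JSON-operator patterns and the sample bodies are constructed for illustration.

```python
import json
import re

# Constructed, illustrative signature list (not any vendor's ruleset). The last two
# patterns cover JSON operators and functions (PostgreSQL ->, ->>, @>, <@, ?, #>;
# MySQL JSON_EXTRACT and friends), the syntax the post says SQL inspection had to learn.
SQL_SIGNATURES = [
    r"\bunion\b\s+(all\s+)?select\b",
    r"\bor\b\s+\d+\s*=\s*\d+",
    r"'\s*(--|#|/\*)",
    r"(->>?|@>|<@|\?[|&]?|#>>?)\s*'",
    r"\bjson_(extract|contains|value|search)\s*\(",
]
_COMPILED = [re.compile(p, re.IGNORECASE) for p in SQL_SIGNATURES]

def _iter_strings(node):
    """Yield every string leaf (and every object key) in a parsed JSON document."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield key
            yield from _iter_strings(value)
    elif isinstance(node, list):
        for item in node:
            yield from _iter_strings(item)

def inspect_body(content_type, body):
    """Return (value, pattern) pairs for every signature hit in a request body.

    JSON bodies are parsed and each string leaf is inspected separately, so a payload
    nested several levels down is still seen; other bodies are scanned as one string."""
    values = [body]
    if content_type.split(";", 1)[0].strip().lower() == "application/json":
        try:
            values = list(_iter_strings(json.loads(body)))
        except ValueError:
            return [(body, "malformed-json")]  # refuse rather than fail open on unparsable JSON
    return [(v, p.pattern) for v in values for p in _COMPILED if p.search(v)]
```

A real engine would also decode nested encodings and honour per-route rules; the point here is that inspection has to walk the JSON structure and know the JSON operators, not just scan for classic SQL keywords.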

Solutions

1. API-specific anomalies

To overcome the challenges mentioned above, a WAF should be designed specifically to handle API traffic. This can include identifying and protecting API traffic using various techniques, including signature-based analytics or machine learning algorithms that can detect anomalies in traffic patterns. A WAF should also integrate with other security tools, such as API gateways, to provide a more comprehensive security solution.

Overall, securing API traffic with a WAF requires several steps that differ from traditional web application security. A WAF must be specifically designed to correctly identify and defend the communication protocols and traffic patterns specific to APIs.
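As an added example of the anomaly-based side of the approach described above (not code from the post or any product), the following builds a per-client, per-route request baseline from access log lines and flags a window that exceeds it. The log format, the route normalisation rule and the synthetic traffic are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

# Constructed log format: "<iso-timestamp> <client-ip> <method> <path> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
ID_RE = re.compile(r"/\d+(?=/|$)")  # numeric segments: /users/123 -> /users/{id}

def route_of(path):
    """Collapse resource ids so every call to the same API route shares one key."""
    return ID_RE.sub("/{id}", path.split("?", 1)[0])

def bucket_counts(lines, window=timedelta(minutes=1)):
    """Requests per (client, route) for each fixed window, oldest window first."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip it rather than crash the detector
        slot = int(datetime.fromisoformat(m.group(1)).timestamp() // window.total_seconds())
        counts[(m.group(2), route_of(m.group(4)))][slot] += 1
    return {key: [n for _, n in sorted(slots.items())] for key, slots in counts.items()}

def flag_anomalies(series, sigma=3.0, min_history=3):
    """Flag series whose latest window exceeds mean + sigma * stddev of earlier windows."""
    alerts = []
    for (client, route), counts in series.items():
        history, latest = counts[:-1], counts[-1]
        if len(history) < min_history:
            continue  # not enough baseline yet; a brand-new client is not an anomaly by itself
        threshold = mean(history) + sigma * max(pstdev(history), 1.0)  # floor avoids a zero-variance baseline
        if latest > threshold:
            alerts.append((client, route, latest, round(threshold, 1)))
    return alerts

def constructed_log():
    """Synthetic traffic: 10.0.0.5 is steady; 10.0.0.9 bursts in the final minute."""
    start = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    lines = []
    for minute in range(5):
        for i in range(3):
            t = start + timedelta(minutes=minute, seconds=15 * i)
            lines.append(f"{t.isoformat()} 10.0.0.5 GET /api/v1/users/{100 + i} 200")
        for i in range(60 if minute == 4 else 2):
            t = start + timedelta(minutes=minute, microseconds=i)
            lines.append(f"{t.isoformat()} 10.0.0.9 GET /api/v1/orders/{i}/items 200")
    return lines
```

Keying the baseline on the normalised route rather than the raw path is what makes this API-aware: the steady client calling different user ids stays quiet, while the client that suddenly hammers one route is raised.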

2. Integrated WAFs

To address these challenges, a WAF should be built specifically for cloud-native web applications. This may involve deploying a WAF as part of your application architecture rather than as a perimeter solution. Additionally, WAFs may need to integrate with other cloud-native security tools, such as container security platforms and API gateways, to provide a more complete security solution.

WAFs can still play an important role in securing cloud-native web applications, but they may need to be adapted and enhanced to address the unique security challenges of cloud-native environments.

3. WAF and defense-in-depth

A WAF should be considered one layer of a multi-layered security approach, along with other security tools such as intrusion detection and prevention systems, secure API gateways, endpoint protection, network firewalls, and access controls. By implementing multiple layers of security controls, organizations can build a more robust security posture and better defend against various threats.

Using a WAF as part of a defense-in-depth strategy can help prevent a wide variety of web application attacks and reduce the risk of data breaches and other security incidents. A WAF helps provide visibility into web application traffic, enabling organizations to monitor and analyze traffic patterns and identify potential security threats. This is especially important in cloud environments where web applications and APIs can become more distributed and complex.

By integrating WAFs with other security tools such as API gateways and Security Information and Event Management (SIEM) systems, organizations can create a more comprehensive security solution that gives them greater visibility and control over their cloud environment.

4. Distributed WAFs

A distributed WAF (web application firewall) is the answer to the challenge of securing distributed cloud-based microservices. For traditional monolithic applications, a single WAF can be deployed at the network edge to protect the entire application. However, in cloud-based distributed microservices environments, applications are split into smaller, modular components, each with its own API and security requirements. This can make it difficult to protect all components with a single WAF, as each component may require different security policies and configurations.

A distributed WAF was developed to address this challenge by providing a distributed and scalable security solution for cloud-based micro-services. A distributed WAF consists of multiple instances of a WAF deployed in different locations such as data centers and cloud regions. Each WAF instance can be configured with its own security policy and configuration tailored to the specific needs of the micro-services it protects.

By deploying multiple instances of WAF in different locations, organizations can deploy a more comprehensive and scalable security solution that can adapt to the changing needs of micro-services environments. A distributed WAF can also improve resilience and availability, as it can continue to operate even if one or more instances fail.

Additionally, distributed WAFs can be integrated with other security tools such as API gateways and SIEM systems to provide a more comprehensive security solution for cloud-based microservices. For example, an API gateway can manage access to microservices, a distributed WAF can protect against web application attacks, and together they provide visibility into web application traffic.

Conclusion

Web application firewalls (WAFs) play a significant role in defending web applications from internet-originating attacks, including SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF). However, cloud-native web applications and APIs pose particular challenges for WAFs because of their complex and distributed nature, making it difficult for WAFs to properly detect and mitigate security risks.

To address these challenges, WAFs need to be specifically designed for cloud-native web applications and integrated with other cloud-native security tools, including container security platforms and API gateways. Additionally, WAFs should be considered as one layer of a multi-layered security approach, including other security tools such as intrusion detection and prevention systems, secured API gateways, endpoint protection, network firewalls, and access controls.

By integrating WAFs with other security tools and deploying multiple layers of security controls, organizations can create a more comprehensive security solution that provides more visibility and control over their cloud environment.

Disclaimer

The views, information, or opinions expressed are solely those of the author and do not necessarily represent those of his employer or any organization he is associated with.

The information contained in this post is for general information purposes only. The information is provided by Farhad Mofidi and, while he endeavours to keep the information up to date and correct, he makes no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability of the website, or of the information, products or related graphics contained in any post, for any purpose.

Likewise, an AI tool may be used to suggest improvements or wording for certain content or sentences. The ideas, thoughts, opinions, and final products are original and created by the human author.
