The web application firewall (WAF) is a security tool used to guard against unwanted access to web applications. It is often a security device that sits on top of a web server and guards against threats from the internet or from beyond the network perimeter.

Unlike Layer 3 (Network) and Layer 4 (Transport) firewalls, which are unable to identify malicious application layer queries, WAF is a Layer 7 firewall that can see past encrypted packets. Using a WAF enables organizations to defend their online presence against numerous internet-based web attacks, including cross-site scripting (XSS), SQL injections, and cross-site request forgery (CSRF). These attacks can give attackers the ability to steal critical information, take over web servers, or launch assaults against other systems, which can be disastrous to web applications.

Problems

1. Cloud-native micro-services and WAF

WAFs are less effective within cloud-native web applications and inside cloud environments. One reason is that the security rules that traditional web applications were bound by within on-premises environments are not applicable inside the cloud.

In traditional data centers, web application firewalls are typically installed at the edge of the network to protect applications running within the perimeter of the internal network. However, in cloud environments, applications are often deployed in virtual machines or containers that are flexible and can be turned on and off as demand changes. This means that traditional perimeter-based approaches to security can be less effective in cloud environments, where applications can reside anywhere on the network and are more difficult to monitor and control.

Another challenge with cloud-native web applications is that they are often more distributed and complex than traditional web applications. Cloud-native applications are typically composed of micro-services that communicate with each other via APIs and may use multiple data stores and third-party services. This can make identifying and mitigating security risks more difficult, as attacks can occur at any point in the application architecture.

2. WAF and API challenges

APIs (application programming interfaces) are the primary methods of connectivity between micro-services and are also used to enable communication between external services and applications. APIs use different communication protocols and traffic patterns than traditional web applications, which makes it more difficult for WAFs to accurately identify and protect API traffic. This can lead to false positives or false negatives, weaken security, or block legitimate traffic unnecessarily.

One of the challenges with API traffic is that it can use different protocols such as HTTP, HTTPS, and Web-Sockets, which can contain different types of payloads and headers that make it difficult for the WAF to accurately identify the traffic. For example, some APIs can use binary payloads or encryption, which is difficult for WAFs to interpret and parse.

Another challenge is that APIs can have different traffic patterns than traditional web applications. APIs typically have a high volume of traffic with many requests per second, making it difficult for the WAF to keep up with the pace of traffic. Additionally, compared to web applications, APIs often have more predictable and consistent traffic patterns, making it easier for attackers to identify vulnerabilities and launch attacks.

Recently, a security research group published a new method for bypassing multiple web application firewalls, including Palo Alto, F5, Amazon Web Services, Cloudflare, and Imperva. The specified vendors acknowledged (according to the researchers) the disclosure and made changes to their products’ SQL inspection processes to support JSON syntax.

Solutions

1. API Specified Anomalies

To overcome the challenges mentioned above, a WAF should be specifically designed to handle API traffic. This may include identifying and protecting API traffic using a variety of techniques, including signature-based analytics or machine learning algorithms that can detect anomalies in traffic patterns. A WAF may also need to integrate with other security tools such as API gateways to provide a more comprehensive security solution.

Overall, securing API traffic with a WAF requires a different approach than traditional web application security. A WAF must be specifically designed to handle API-specific communication protocols and traffic patterns to accurately identify and defend against security threats.

2. Integrated WAFs

To meet these challenges, a WAF should be built specifically for cloud-native web applications. This may involve deploying a WAF as part of your application architecture rather than as a perimeter-based solution. Additionally, WAFs may need to integrate with other cloud-native security tools such as container security platforms and API gateways to provide a more comprehensive security solution.

WAFs can still play an important role in securing cloud-native web applications, but they may need to be adapted and enhanced to address the unique security challenges of cloud-native environments.

3. WAF and defense-in-depth

A WAF should be considered one layer of a multi-layered security approach, along with other security tools such as intrusion detection and prevention systems, secure API gateways, endpoint protection, network firewalls, and access controls. By implementing multiple layers of security controls, organizations can build a more robust security posture and better defend against various threats.

Using a WAF as part of a defense-in-depth strategy can help prevent a wide variety of web application attacks and reduce the risk of data breaches and other security incidents. A WAF helps provide visibility into web application traffic, enabling organizations to monitor and analyze traffic patterns and identify potential security threats. This is especially important in cloud environments where web applications and APIs can become more distributed and complex.

By integrating WAFs with other security tools such as API gateways and Security Information and Event Management (SIEM) systems, organizations can create a more comprehensive security solution that gives them greater visibility and control over their cloud environment.

4. Distributed WAFs

A distributed WAF (web application firewall) is the answer to the challenge of securing distributed cloud-based micro-services. For traditional monolithic applications, a single WAF can be deployed at the network edge to protect the entire application. However, in cloud-based distributed microservices environments, applications are split into smaller, modular components, each with its own API and security requirements. This can make it difficult to protect all components with a single WAF, as each component may require different security policies and configurations.

A distributed WAF was developed to address this challenge by providing a distributed and scalable security solution for cloud-based micro-services. A distributed WAF consists of multiple instances of a WAF deployed in different locations such as data centers and cloud regions. Each WAF instance can be configured with its own security policy and configuration tailored to the specific needs of the micro-services it protects.

By deploying multiple instances of WAF in different locations, organizations can deploy a more comprehensive and scalable security solution that can adapt to the changing needs of micro-services environments. A distributed WAF can also improve resilience and availability, as it can continue to operate even if one or more instances fail.

Additionally, distributed WAFs can be integrated with other security tools such as API gateways and SIEM systems to provide a more comprehensive security solution for cloud-based micro-services. For example, an API gateway can be used to manage access to micro-services, a distributed WAF can be used to protect against web application attacks, and visibility into web application traffic can be achieved.

Conclusion

Web Application Firewalls (WAFs) play a significant role in defending web applications from internet-originating attacks, including SQL injections, cross-site scripting (XSS), and cross-site request forgery (CSRF). However, cloud-native web applications and APIs pose particular challenges for WAFs because of their complex and distributed nature, making it difficult for WAFs to properly detect and mitigate security risks.

To address these challenges, WAFs need to be specifically designed for cloud-native web applications and integrated with other cloud-native security tools, including container security platforms and API gateways. Additionally, WAFs should be considered as one layer of a multi-layered security approach, including other security tools such as intrusion detection and prevention systems, secured API gateways, endpoint protection, network firewalls, and access controls.

By integrating WAFs with other security tools and deploying multiple layers of security controls, organizations can create a more comprehensive security solution that provides more visibility and control over their cloud environment.