The WAF is up, stay WAF!


Web Application Firewall (WAF)

A web application firewall (WAF) is a security device used to keep unwanted input out of web applications. It usually sits in front of the web server and protects it against threats arriving from the internet or from beyond the network perimeter.

Unlike Layer 3 (network) and Layer 4 (transport) firewalls, which cannot recognise malicious application-level requests, a WAF is a Layer 7 firewall that can see into the application traffic it protects. Using a WAF lets organizations defend their internet presence against many internet-facing web vulnerabilities, including cross-site scripting (XSS), SQL injection, and cross-site request forgery (CSRF). These vulnerabilities can give attackers the opportunity to steal sensitive information, take over web servers, or launch attacks against other systems, which can be disastrous for web applications.

Challenges

1. Cloud microservices and the WAF

WAFs are less effective within cloud web applications and cloud environments. One reason is that the security rules written for traditional web applications hosted within a local, on-premises environment do not carry over to the cloud.

In traditional data centers, web application firewalls are usually deployed at the network perimeter to protect applications running inside the internal network. In cloud environments, however, applications are typically deployed on virtual machines or dynamic containers and can be spun up and torn down as demand changes. This means that traditional perimeter-based security approaches can be less effective in cloud environments, where applications may live anywhere on the network and are harder to monitor and control.

Another challenge with cloud-based web applications is that they are usually distributed and more complex than traditional web applications. Cloud-based applications are generally built from microservices that talk to each other over APIs and may use many data stores and external services. This can make it harder to identify and mitigate security risk, because threats can arise anywhere in the application architecture.

2. WAF and API challenges

APIs (application programming interfaces) are the primary channel of communication between microservices, and they are also used to enable communication between external services and applications. APIs use different communication protocols and traffic patterns than traditional web applications, which makes it more difficult for WAFs to accurately identify and protect API traffic. This can lead to false positives or false negatives, weakening security or blocking legitimate traffic unnecessarily.

One challenge with API traffic is that it can use different protocols such as HTTP, HTTPS, and WebSockets, which can carry different kinds of payloads and headers that make it difficult for the WAF to accurately identify the traffic. For example, some APIs use binary payloads or encryption, which are difficult for a WAF to interpret and parse.

Another challenge is that APIs can have different traffic patterns than traditional web applications. APIs often carry a high volume of traffic with many requests per second, which makes it hard for a WAF to keep up with the rate of traffic. In addition, compared with web applications, APIs often have more predictable and consistent traffic patterns, which makes it easier for attackers to identify weaknesses and launch attacks.

Recently, a security research team published a new technique for bypassing many web application firewalls, including those from Palo Alto, F5, Amazon Web Services, Cloudflare, and Imperva. According to the researchers, the named vendors agreed to the disclosure and made changes to their products' SQL inspection processes to support JSON syntax.
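As an added illustration (not code from the original post or from any of the vendors named above), the following Python sketch shows the structural gap that the JSON finding points at: a body inspector that only understands form parameters never sees strings nested inside a JSON document, whereas one that decodes the body according to its declared content type and walks every nested value applies the same rules to both encodings. The signature list, the location labels and the sample bodies are constructed for the example and stand in for a real rule set.

```python
import json
import re
from urllib.parse import parse_qsl

# Constructed, minimal SQL-injection signatures standing in for a WAF rule set.
# Real rule sets are far larger; these three are illustrative only.
SQLI_SIGNATURES = [
    re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.IGNORECASE),  # tautology after a quote
    re.compile(r"\bunion\s+(all\s+)?select\b", re.IGNORECASE),
    re.compile(r"--\s*$"),                                   # trailing SQL comment
]


def match_signatures(value):
    """Return the patterns from SQLI_SIGNATURES that match one string value."""
    return [sig.pattern for sig in SQLI_SIGNATURES if sig.search(value)]


def iter_strings(node, path="body"):
    """Yield (location, string) for every string nested anywhere in a decoded JSON document."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from iter_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_strings(value, f"{path}[{index}]")
    # numbers, booleans and null carry no injectable text


def inspect_form_only(content_type, body):
    """Naive inspector that only understands form parameters (the legacy behaviour)."""
    findings = []
    if content_type.startswith("application/x-www-form-urlencoded"):
        for key, value in parse_qsl(body):
            for hit in match_signatures(value):
                findings.append((key, hit))
    return findings


def inspect_request(content_type, body):
    """Decode the body according to its content type and check every string it contains."""
    if content_type.startswith("application/x-www-form-urlencoded"):
        pairs = list(parse_qsl(body))
    elif content_type.startswith("application/json"):
        try:
            pairs = list(iter_strings(json.loads(body)))
        except json.JSONDecodeError:
            # A JSON endpoint receiving undecodable JSON is worth reporting on its own.
            return [("body", "malformed-json")]
    else:
        # Unknown encodings: fall back to scanning the raw body as text.
        pairs = [("raw", body)]
    findings = []
    for location, value in pairs:
        for hit in match_signatures(value):
            findings.append((location, hit))
    return findings
```

The form-only inspector and the content-type-aware inspector agree on a classic form-encoded body, but only the latter reports a string buried under `body.filter.name` in a JSON body; that asymmetry, not any particular signature, is what the vendors' changes closed.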

Solutions

1. An API-specific WAF

To overcome the challenges described above, a WAF must be designed specifically to handle API traffic. This may involve identifying and protecting API traffic with a range of methods, including signature-based analysis or machine-learning algorithms that can detect anomalies in traffic patterns. The WAF may also need to integrate with other security tools, such as API gateways, to provide a more comprehensive security solution.

In summary, protecting API traffic with a WAF requires a different approach from traditional web application security. The WAF must be built specifically to handle the particular communication protocols and traffic patterns of APIs in order to accurately identify and protect against security threats.
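The anomaly-based detection mentioned above, which looks at traffic patterns rather than individual payloads, can be illustrated with a small Python example added here; it is not part of the original post. It builds a per-client baseline of requests per one-minute window from constructed API access log lines, then flags a client whose latest window is far above its own baseline, exceeds a hard rate limit, or suddenly calls endpoints it never called before. The log format, client names, paths and thresholds are all assumptions made for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed log line shape: "<ISO timestamp> client=<id> <METHOD> <path> <status>"
LINE_RE = re.compile(r"^(\S+) client=(\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, path, status = m.groups()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "client": client, "method": method, "path": path, "status": int(status),
    }


def bucket_by_window(records, window_seconds=60):
    """Count requests and collect paths per client per fixed time window."""
    counts = defaultdict(lambda: defaultdict(int))
    paths = defaultdict(lambda: defaultdict(set))
    for r in records:
        window = int(r["ts"].timestamp()) // window_seconds
        counts[r["client"]][window] += 1
        paths[r["client"]][window].add(r["path"])
    return counts, paths


def flag_anomalies(lines, window_seconds=60, hard_limit=100, z_threshold=3.0):
    """Return {client: [reasons]} for clients whose latest window looks abnormal."""
    records = [r for r in map(parse_line, lines) if r]
    counts, paths = bucket_by_window(records, window_seconds)
    alerts = defaultdict(list)
    for client, per_window in counts.items():
        windows = sorted(per_window)
        latest, current = windows[-1], per_window[windows[-1]]
        baseline = [per_window[w] for w in windows[:-1]]
        if current > hard_limit:
            alerts[client].append(f"rate {current}/window exceeds hard limit {hard_limit}")
        if len(baseline) >= 3:
            mean = statistics.mean(baseline)
            # Floor the spread at 1 request so a perfectly flat baseline does not
            # turn every one-request fluctuation into an alert.
            spread = max(statistics.pstdev(baseline), 1.0)
            deviation = (current - mean) / spread
            if deviation > z_threshold:
                alerts[client].append(
                    f"rate {current}/window is {deviation:.1f} spreads above baseline mean {mean:.1f}")
        seen_before = set().union(*(paths[client][w] for w in windows[:-1])) if baseline else set()
        new_paths = paths[client][latest] - seen_before
        if seen_before and new_paths:
            alerts[client].append(f"new endpoints in latest window: {sorted(new_paths)}")
    return dict(alerts)


def build_sample_log():
    """Construct a synthetic log: app-1 is steady for five minutes then bursts and touches
    a new endpoint; app-2 is steady throughout. Nothing here is real traffic."""
    base = datetime(2024, 1, 1, 10, 0, tzinfo=timezone.utc)
    lines = []

    def emit(client, minute, n, path):
        for i in range(n):
            ts = base + timedelta(minutes=minute, seconds=i % 60)
            lines.append(f"{ts.strftime('%Y-%m-%dT%H:%M:%SZ')} client={client} GET {path} 200")

    for minute, n in enumerate([10, 12, 9, 11, 10]):
        emit("app-1", minute, n, "/api/v1/orders")
    emit("app-1", 5, 80, "/api/v1/orders")
    emit("app-1", 5, 3, "/api/v1/admin/users")
    for minute in range(6):
        emit("app-2", minute, 5, "/api/v1/health")
    return lines


if __name__ == "__main__":
    for client, reasons in flag_anomalies(build_sample_log()).items():
        print(client, reasons)
```

Each client is compared only against its own history, which is what makes this useful for APIs whose normal volume differs by orders of magnitude between callers; the hard limit is the backstop for a client with no history yet.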

2. Integrated WAFs

To meet these challenges, a WAF must be built specifically for cloud-native web applications. This may involve deploying the WAF as part of your application architecture rather than as a perimeter-based solution. In addition, WAFs may need to integrate with other cloud-native security tools such as container security platforms and API gateways to provide a more comprehensive security solution.

WAFs can still play an important role in securing cloud-native web applications, but they may need to be adapted and enhanced to address the unique security challenges of cloud-native environments.

3. WAF and defense-in-depth

A WAF should be considered one layer of a multi-layered security approach, alongside other security tools such as intrusion detection and prevention systems, secure API gateways, endpoint protection, network firewalls, and access controls. By implementing multiple layers of security controls, organizations can build stronger security and protect themselves better against a range of threats.

Using a WAF as part of a defense-in-depth strategy can help prevent a wide range of web application attacks and reduce the risk of data breaches and other security incidents. A WAF also provides visibility into web application traffic, allowing organizations to monitor and analyze traffic patterns and identify potential security threats. This is especially important in cloud environments, where web applications and APIs can be more distributed and complex.

By combining WAFs with other security tools such as API gateways and Security Information and Event Management (SIEM) systems, teams can create a comprehensive security solution that gives them more visibility and control over their cloud environment.

4. Distributed WAFs

A distributed WAF (distributed web application firewall) is a response to the problem of protecting distributed, cloud-based services. In traditional applications, a single WAF can be deployed at the network perimeter to protect the whole application. In a distributed cloud microservices environment, however, the application is split into many small, separate components, each with its own API endpoint and security requirements. This makes it hard to protect every component with a single WAF, because each component may need different security rules and configurations.

A distributed WAF was developed to address this challenge by providing a distributed and scalable security solution for cloud-based microservices. A distributed WAF consists of multiple WAF instances deployed in different locations, such as data centers and cloud regions. Each WAF instance can be configured with its own security policy and configuration tailored to the specific needs of the microservices it protects.

By deploying multiple WAF instances in different locations, organizations can build a more comprehensive and scalable security solution that adapts to the changing needs of microservices environments. A distributed WAF can also improve resilience and availability, because it continues to operate even if one or more instances fail.

In addition, distributed WAFs can be integrated with other security tools such as API gateways and SIEM systems to provide a comprehensive security solution for cloud-based microservices. For example, an API gateway can be used to manage access to the microservices, the distributed WAF can be used to protect against web application attacks, and visibility into web traffic can be achieved.
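The distributed WAF described in this section, as an added Python model that is not code from the original post or from any product: each WAF instance lives in one region and carries per-service policies keyed by API path prefix; the dispatcher prefers a healthy instance in the request's region, falls back to another healthy instance when the local one fails, and denies traffic if none is left. The `Request`, `ServicePolicy`, `WafInstance` and `DistributedWaf` types, the regions, paths and limits are all hypothetical.

```python
from dataclasses import dataclass


@dataclass
class Request:
    """Hypothetical, already-parsed view of an HTTP request (a real WAF sees raw HTTP)."""
    region: str        # region where the client's traffic arrives
    method: str
    path: str
    body_bytes: int
    has_auth: bool     # whether an Authorization header was present


@dataclass
class ServicePolicy:
    """Security policy tailored to one microservice, selected by its API path prefix."""
    allowed_methods: frozenset
    max_body_bytes: int
    require_auth: bool


@dataclass
class WafInstance:
    """One WAF instance deployed in one location, carrying its own policies."""
    instance_id: str
    region: str
    policies: dict     # path prefix -> ServicePolicy
    healthy: bool = True

    def evaluate(self, req):
        # Longest-prefix match so /api/v1/orders/42 picks the orders policy.
        prefix = max((p for p in self.policies if req.path.startswith(p)), key=len, default=None)
        if prefix is None:
            return "deny", "no policy for path"     # fail closed for unknown services
        policy = self.policies[prefix]
        if req.method not in policy.allowed_methods:
            return "deny", f"method {req.method} not allowed for {prefix}"
        if req.body_bytes > policy.max_body_bytes:
            return "deny", f"body exceeds {policy.max_body_bytes} bytes"
        if policy.require_auth and not req.has_auth:
            return "deny", "missing authorization"
        return "allow", prefix


class DistributedWaf:
    def __init__(self, instances):
        self.instances = list(instances)

    def select_instance(self, region):
        """Prefer a healthy instance in the request's region; otherwise any healthy one."""
        local = [i for i in self.instances if i.healthy and i.region == region]
        if local:
            return local[0]
        remote = [i for i in self.instances if i.healthy]
        return remote[0] if remote else None

    def handle(self, req):
        """Return (instance_id, decision, reason); denies when no instance is available."""
        inst = self.select_instance(req.region)
        if inst is None:
            return None, "deny", "no healthy WAF instance"
        decision, reason = inst.evaluate(req)
        return inst.instance_id, decision, reason


def build_example_waf():
    """Constructed deployment: the same per-service policies replicated into two regions."""
    policies = {
        "/api/v1/orders": ServicePolicy(frozenset({"GET", "POST"}), 64 * 1024, True),
        "/api/v1/health": ServicePolicy(frozenset({"GET"}), 0, False),
    }
    return DistributedWaf([
        WafInstance("waf-eu-1", "eu-west", dict(policies)),
        WafInstance("waf-us-1", "us-east", dict(policies)),
    ])


if __name__ == "__main__":
    waf = build_example_waf()
    print(waf.handle(Request("eu-west", "GET", "/api/v1/orders/42", 0, True)))
    waf.instances[0].healthy = False   # simulate the local instance failing
    print(waf.handle(Request("eu-west", "GET", "/api/v1/health", 0, False)))
```

Two design choices carry the security meaning: unknown paths and a total outage both resolve to "deny" rather than "allow", so losing an instance degrades availability instead of silently removing inspection, and policies are replicated rather than shared, so a region can keep enforcing them while isolated.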

Conclusion

Web Application Firewalls (WAFs) play an important role in protecting web applications against internet-borne attacks, including SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF). However, cloud-native web applications and APIs present particular challenges for WAFs because of their complexity and distributed nature, which make it harder for WAFs to accurately identify and mitigate security risks.

To address these challenges, WAFs need to be specifically designed for cloud-native web applications and integrated with other cloud-native security tools, including container security platforms and API gateways. In addition, WAFs should be considered one layer of a multi-layered security approach that includes other security tools such as intrusion detection and prevention systems, secured API gateways, endpoint protection, network firewalls, and access controls.

By integrating WAFs with other security tools and deploying multiple layers of security controls, organizations can create a more comprehensive security solution that provides more visibility and control over their cloud environment.

Final Notice

The views, information, or opinions expressed are solely those of the author and do not represent those of his employer or of any programs he may take part in.

The information in this post is intended for general information only. The information is provided by Farhad Mofidi and, while he tries to keep it up to date and accurate, he makes no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability of the website. Farhad makes no representations or warranties about any information, graphics or products related to any post, for any purpose or for any user.

That said, AI may be used as a tool to provide suggestions and to improve some content or sentences. The ideas, views, personal opinions, and final product are original work produced by the author himself.

 
