WAF Is Dead, Long Live WAF!

A web application firewall (WAF) is a security tool used to prevent unwanted access to web applications. It is typically a security appliance that sits in front of a web server to protect against threats coming from the internet or from outside the network perimeter.
Unlike Layer 3 (network) and Layer 4 (transport) firewalls, which cannot recognise malicious application-layer requests, a WAF operates at Layer 7: it inspects the HTTP requests and responses themselves and, when it terminates TLS, sees the decrypted payload that a packet filter never does. Using a WAF lets organizations defend their online presence against many internet-based web attacks, including cross-site scripting (XSS), SQL injection, and cross-site request forgery (CSRF); for CSRF a WAF can only check request provenance (Origin and Referer headers, presence of a token), so the application's own anti-CSRF tokens remain the primary control. These attacks can give attackers the ability to steal critical information, take over web servers, or launch attacks against other systems, which can be disastrous for web applications.
Problems
1. Cloud-native micro-services and WAF
WAFs are less effective in front of cloud-native web applications and inside cloud environments. One reason is that the rules written for traditional on-premises web applications assume a fixed set of hosts behind a single ingress point with stable URLs and parameters, and those assumptions do not hold in the cloud.
In traditional data centers, web application firewalls are typically installed at the edge of the network to protect applications running within the perimeter of the internal network. However, in cloud environments, applications are often deployed in virtual machines or containers that are flexible and can be turned on and off as demand changes. This means that traditional perimeter-based approaches to security can be less effective in cloud environments, where applications can reside anywhere on the network and are more difficult to monitor and control.
Another challenge with cloud-native web applications is that they are often more distributed and complex than traditional web applications. Cloud-native applications are typically composed of micro-services that communicate with each other via APIs and may use multiple data stores and third-party services. This can make identifying and mitigating security risks more difficult, as attacks can occur at any point in the application architecture.
2. WAF and API challenges
APIs (application programming interfaces) are the primary means of connectivity between micro-services and are also used for communication between external services and applications. APIs use different communication protocols and traffic patterns than traditional web applications, which makes it harder for WAFs to accurately identify and protect API traffic. The result is false negatives that weaken security and false positives that block legitimate traffic.
One challenge with API traffic is that it can travel over different protocols such as HTTP, HTTPS, and WebSockets, carrying different types of payloads and headers that make it difficult for the WAF to identify the traffic accurately. For example, some APIs use binary payloads (such as Protocol Buffers over gRPC) or payload-level encryption, which a WAF built around HTML forms and query strings cannot interpret or parse.
Another challenge is that APIs have different traffic patterns than traditional web applications. APIs typically carry a high volume of traffic with many requests per second, making it difficult for the WAF to keep up without adding latency. At the same time, because APIs are consumed by machines against documented schemas, their traffic is more predictable and consistent than browser traffic, which makes it easier for attackers to enumerate endpoints, identify vulnerabilities, and launch attacks.
Recently, a security research group published a new method for bypassing multiple web application firewalls, including those of Palo Alto Networks, F5, Amazon Web Services, Cloudflare, and Imperva: the method relied on JSON syntax inside SQL injection payloads that the products' SQL inspection engines did not parse. According to the researchers, the vendors acknowledged the disclosure and updated their products' SQL inspection processes to support JSON syntax.
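The following is an added illustration of the gap described above, not the researchers' payloads and not any vendor's real signatures: a simplified keyword-based SQL injection inspector decodes a query string the way a Layer 7 WAF must, matches each parameter against a "legacy" rule set, and then against the same rule set extended with JSON syntax. The rule sets, the sample requests and the parameter names are constructed for this example.

```python
import re
from urllib.parse import parse_qsl, urlencode

# Constructed, simplified rule sets; they are NOT any vendor's real signatures.
# Legacy rules: the classic keywords and operators a SQLi signature set looks for.
LEGACY_SQLI_RULES = [
    r"(?i)\bunion\s+(all\s+)?select\b",
    r"(?i)\b(or|and)\s+\d+\s*=\s*\d+",            # ' OR 1=1
    r"(?i)\b(or|and)\s+'[^']*'\s*=\s*'[^']*'",     # ' OR 'a'='a'
    r"(?i)\b(sleep|benchmark|pg_sleep)\s*\(",      # time-based probes
    r"(?i)\bwaitfor\s+delay\b",
    r"--\s|/\*",                                   # comment terminators
]

# Rules added to cover JSON syntax inside SQL expressions, the class of
# payload the researchers reported as slipping past keyword-based inspection.
JSON_SQLI_RULES = [
    r"(?i)\bjson_(extract|value|query|contains|keys|type)\s*\(",  # MySQL / SQLite / MSSQL
    r"(?i)\bjson(b)?_build_(object|array)\s*\(",                  # PostgreSQL
    r"(?i)::\s*jsonb?\b",                                          # PostgreSQL casts
    r"@>|<@|->>?|#>>?|\?\||\?&",                                   # PostgreSQL JSON operators
]

def inspect_query(query_string, rules):
    """Decode a URL query string the way a Layer 7 WAF must (percent-decoding,
    '+' to space) and return {param: [rules matched]} for every flagged parameter."""
    findings = {}
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        hits = [r for r in rules if re.search(r, value)]
        if hits:
            findings[name] = hits
    return findings

# Constructed sample requests, encoded as a WAF would receive them on the wire.
SAMPLES = {
    "benign":     urlencode({"id": "42", "sort": "name"}),
    "classic":    urlencode({"id": "1' OR 1=1 -- "}),
    # PostgreSQL: JSONB containment is always true; no '=', no comment, no UNION.
    "json_pg":    urlencode({"id": "1' OR '{\"a\":1}'::jsonb @> '{\"a\":1}"}),
    # MySQL: JSON_EXTRACT returns 1, so the OR branch is true.
    "json_mysql": urlencode({"id": "1' OR JSON_EXTRACT('{\"a\":1}','$.a')=1 OR '"}),
}

def evaluate(rules):
    """Return the set of sample names the given rule set would block."""
    return {name for name, qs in SAMPLES.items() if inspect_query(qs, rules)}

if __name__ == "__main__":
    print("legacy rules block: ", sorted(evaluate(LEGACY_SQLI_RULES)))
    print("updated rules block:", sorted(evaluate(LEGACY_SQLI_RULES + JSON_SQLI_RULES)))
```

The legacy set blocks only the textbook payload; both JSON-syntax payloads pass because they contain no `=`-comparison, comment or `UNION` that the old rules key on. The point for a practitioner is that a negative (signature) model is only as good as the grammar it was written against, and every SQL dialect feature the engine does not know is a bypass waiting to be found.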
Solutions
1. API-Specific Anomaly Detection
To overcome the challenges above, a WAF should be specifically designed to handle API traffic. This may include identifying and protecting API traffic using a variety of techniques, including signature-based analysis or machine learning algorithms that detect anomalies in traffic patterns. A WAF may also need to integrate with other security tools such as API gateways, which already know each endpoint's expected methods, schemas and authentication requirements, to provide a more comprehensive security solution.
Overall, protecting API traffic with a WAF requires a different approach than traditional web application security. The WAF must be designed specifically to handle the communication protocols and traffic patterns particular to APIs in order to identify and defend against security threats accurately.
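One way to realise an API-aware WAF, as an added example rather than any product's implementation: instead of matching attack signatures, the inspector uses the endpoint knowledge an API gateway or OpenAPI document provides (allowed methods, content type, exact JSON field set and types) and treats anything outside it as an anomaly, while a per-client sliding window flags the request-rate anomalies that machine traffic produces. The orders API, its routes, the rate-limit values and the sample traffic are all constructed for this example.

```python
import json
import re
from collections import defaultdict, deque

# Constructed endpoint allowlist for a hypothetical orders API: the kind of
# schema an API gateway or OpenAPI document provides. Anything outside it is
# treated as anomalous instead of being matched against attack signatures.
ROUTES = [
    ("POST", re.compile(r"^/api/v1/orders$"),
     {"content_type": "application/json",
      "schema": {"sku": str, "quantity": int}}),
    ("GET", re.compile(r"^/api/v1/orders/[0-9a-f]{8}$"), {}),
]
RATE_LIMIT = 20        # requests per client per window (assumed values)
WINDOW_SECONDS = 10.0

class ApiInspector:
    def __init__(self):
        self._seen = defaultdict(deque)   # client -> request timestamps in window

    def _rate_exceeded(self, client, ts):
        q = self._seen[client]
        q.append(ts)
        while q and ts - q[0] > WINDOW_SECONDS:
            q.popleft()
        return len(q) > RATE_LIMIT

    def inspect(self, req):
        """Return a list of violations for one request; an empty list means allow."""
        violations = []
        if self._rate_exceeded(req["client"], req["ts"]):
            violations.append("rate_anomaly")
        route = next((spec for m, pat, spec in ROUTES
                      if m == req["method"] and pat.match(req["path"])), None)
        if route is None:                      # positive model: unknown endpoint is anomalous
            return violations + ["unknown_endpoint"]
        if "schema" in route:
            ct = req["headers"].get("content-type", "").split(";")[0].strip()
            if ct != route["content_type"]:
                violations.append("bad_content_type")
            try:
                body = json.loads(req["body"])
            except (ValueError, TypeError):
                return violations + ["unparseable_body"]
            if not isinstance(body, dict):
                return violations + ["body_not_object"]
            schema = route["schema"]
            extra = set(body) - set(schema)        # mass-assignment style extras
            missing = set(schema) - set(body)
            if extra:
                violations.append("unexpected_fields:" + ",".join(sorted(extra)))
            if missing:
                violations.append("missing_fields:" + ",".join(sorted(missing)))
            for key, typ in schema.items():
                # exact type check: bool must not pass as int, str must not pass as int
                if key in body and type(body[key]) is not typ:
                    violations.append(f"wrong_type:{key}")
        return violations

def make(method, path, client, ts, body=None, content_type="application/json"):
    return {"method": method, "path": path, "client": client, "ts": ts,
            "headers": {"content-type": content_type}, "body": body}

# Constructed traffic: one well-formed order, three malformed requests from the
# same client, then a burst of GETs from a second client that exceeds the window.
SAMPLE_TRAFFIC = [
    make("POST", "/api/v1/orders", "10.0.0.5", 0.0, '{"sku": "A-100", "quantity": 2}'),
    make("POST", "/api/v1/orders", "10.0.0.5", 0.5, '{"sku": "A-100", "quantity": 2, "is_admin": true}'),
    make("POST", "/api/v1/orders", "10.0.0.5", 1.0, '{"sku": "A-100", "quantity": "2 OR 1=1"}'),
    make("GET", "/api/v1/admin/users", "10.0.0.5", 1.5),
    make("GET", "/api/v1/orders/deadbeef", "10.0.0.9", 2.0),
] + [make("GET", f"/api/v1/orders/{i:08x}", "10.0.0.9", 2.0 + i * 0.05) for i in range(25)]

def run(traffic):
    """Inspect a list of requests in order; returns (method, path, violations) per request."""
    insp = ApiInspector()
    return [(r["method"], r["path"], insp.inspect(r)) for r in traffic]

if __name__ == "__main__":
    for method, path, violations in run(SAMPLE_TRAFFIC):
        print("BLOCK" if violations else "ALLOW", method, path, violations)
```

Note that the string `"2 OR 1=1"` is rejected as a type violation without any SQL signature being involved: the schema says `quantity` is an integer, so the payload never reaches the database layer regardless of what it contains. In the burst, the twenty-first request within the window and everything after it carries `rate_anomaly`.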
2. Integrated WAF
To address these challenges, WAFs should be built for cloud-native web applications. This may involve deploying the WAF as part of the application architecture (for example as a sidecar or ingress filter alongside each service) rather than as a perimeter-based solution. Additionally, the WAF may need to integrate with other cloud-native security tools, such as container security platforms and API gateways, to provide a more comprehensive security solution.
WAFs can still play an important role in protecting cloud-native web applications, but they may need to be adapted and enhanced to address the unique security challenges of cloud-native environments.
3. WAF and Defense in Depth
A WAF should be treated as one layer of a multi-layered security approach, alongside other security tools such as intrusion detection and prevention systems, secured API gateways, endpoint protection, network firewalls, and access control. By implementing multiple layers of security controls, organizations can build a more robust security posture that defends better against a range of threats.
Using a WAF as part of a defense-in-depth strategy can help prevent a variety of web application attacks and reduce the risk of data breaches and other security incidents. A WAF also provides visibility into web application traffic, enabling organizations to monitor and analyze traffic patterns and identify potential security threats. This is especially important in cloud environments, where web applications and APIs are more distributed and complex.
By integrating WAFs with other security tools such as API gateways and Security Information and Event Management (SIEM) systems, organizations can create a more comprehensive security solution that gives them greater visibility and control over their cloud environment.
4. Distributed WAFs
A distributed WAF (web application firewall) is one answer to the challenge of securing distributed cloud-based micro-services. For traditional monolithic applications, a single WAF can be deployed at the network edge to protect the entire application. In cloud-based distributed micro-services environments, however, applications are split into smaller, modular components, each with its own API and security requirements. This makes it difficult to protect all components with a single WAF, as each component may require different security policies and configurations.
A distributed WAF was developed to address this challenge by providing a distributed and scalable security solution for cloud-based micro-services. A distributed WAF consists of multiple instances of a WAF deployed in different locations such as data centers and cloud regions. Each WAF instance can be configured with its own security policy and configuration tailored to the specific needs of the micro-services it protects.
By deploying multiple instances of WAF in different locations, organizations can deploy a more comprehensive and scalable security solution that can adapt to the changing needs of micro-services environments. A distributed WAF can also improve resilience and availability, as it can continue to operate even if one or more instances fail.
Additionally, distributed WAFs can be integrated with other security tools such as API gateways and SIEM systems to provide a more comprehensive security solution for cloud-based micro-services. For example, an API gateway can manage access to micro-services, a distributed WAF can protect against web application attacks, and the events from both can be forwarded to the SIEM to give visibility into web application traffic across all services.
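The integrated, per-service deployment of section 2, the SIEM integration of section 3 and the distributed WAF of this section, shown together as an added example that is not the page's or any vendor's code: each WAF instance is pinned to one micro-service and one region and loads only that service's policy, every decision is emitted as a structured event a SIEM can ingest, and a correlation over the events from all instances finds clients that are blocked on more than one service, which no single instance could see on its own. The service names, regions, policies and traffic are constructed for this example.

```python
import json
import re
from collections import defaultdict

# Constructed per-service policies. Each WAF instance loads only the policy of
# the micro-service it fronts; service names, regions and rules are hypothetical.
POLICIES = {
    "catalog":  {"methods": {"GET"},
                 "deny": [r"(?i)<script\b", r"(?i)\bunion\s+select\b"]},
    "checkout": {"methods": {"GET", "POST"},
                 "deny": [r"(?i)<script\b", r"(?i)\bunion\s+select\b", r"\.\./"],
                 "require_headers": {"x-api-key"}},
}

class WafInstance:
    """One WAF instance of a distributed deployment, pinned to a service and region."""
    def __init__(self, service, region):
        self.service, self.region = service, region
        self.policy = POLICIES[service]
        self.events = []               # structured records a SIEM would ingest

    def _violation(self, req):
        if req["method"] not in self.policy["methods"]:
            return "method_not_allowed"
        missing = self.policy.get("require_headers", set()) - set(req["headers"])
        if missing:
            return "missing_header:" + ",".join(sorted(missing))
        for field in (req["path"], req["body"] or ""):
            for pattern in self.policy["deny"]:
                if re.search(pattern, field):
                    return "deny_rule:" + pattern
        return None

    def handle(self, req):
        """Decide allow/block for one request and record a structured event."""
        reason = self._violation(req)
        event = {
            "instance": f"{self.service}-{self.region}",
            "service": self.service, "region": self.region,
            "client": req["client"], "method": req["method"], "path": req["path"],
            "action": "block" if reason else "allow", "reason": reason,
        }
        self.events.append(event)
        return event["action"]

def correlate(events, min_services=2):
    """SIEM-style correlation over events from every instance: a client blocked
    on several services is probing the architecture, not one application."""
    blocked = defaultdict(set)
    for e in events:
        if e["action"] == "block":
            blocked[e["client"]].add(e["service"])
    return sorted(c for c, svcs in blocked.items() if len(svcs) >= min_services)

def make(method, path, client, headers=None, body=None):
    return {"method": method, "path": path, "client": client,
            "headers": headers or {}, "body": body}

def run_sample():
    """Constructed traffic hitting three instances across two regions."""
    instances = {
        "catalog-eu":  WafInstance("catalog", "eu"),
        "catalog-us":  WafInstance("catalog", "us"),
        "checkout-eu": WafInstance("checkout", "eu"),
    }
    traffic = [
        ("catalog-eu",  make("GET",  "/items?q=shoes", "203.0.113.7")),
        ("catalog-eu",  make("GET",  "/items?q=<script>alert(1)</script>", "198.51.100.4")),
        ("catalog-us",  make("POST", "/items", "198.51.100.4")),            # POST not allowed on catalog
        ("checkout-eu", make("POST", "/pay", "203.0.113.7", {"x-api-key": "k"}, '{"amount": 10}')),
        ("checkout-eu", make("POST", "/pay", "198.51.100.4", {"x-api-key": "k"}, '{"note": "\' UNION SELECT 1--"}')),
        ("checkout-eu", make("GET",  "/receipt/../../etc/passwd", "192.0.2.9", {"x-api-key": "k"})),
    ]
    decisions = [instances[name].handle(req) for name, req in traffic]
    all_events = [e for inst in instances.values() for e in inst.events]
    return decisions, all_events

if __name__ == "__main__":
    decisions, events = run_sample()
    print(json.dumps(events, indent=1))
    print("clients blocked on multiple services:", correlate(events))
```

Each instance enforces only its own policy (the catalog instance never accepts a POST, the checkout instance requires an API key), so a policy change for one service does not touch the others, and an instance that fails takes down only its own service rather than the whole edge. The correlation step is what the SIEM adds: the client `198.51.100.4` is blocked once in each region and on two different services, a pattern that is invisible to any single instance.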
Conclusion
Web Application Firewalls (WAFs) play a significant role in defending web applications from internet-originating attacks, including SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF). However, cloud-native web applications and APIs pose particular challenges for WAFs because of their complex and distributed nature, making it difficult for WAFs to properly detect and mitigate security risks.
To address these challenges, WAFs need to be designed specifically for cloud-native web applications and integrated with other cloud-native security tools, including container security platforms and API gateways. Additionally, WAFs should be treated as one layer of a multi-layered security approach that includes other security tools such as intrusion detection and prevention systems, secured API gateways, endpoint protection, network firewalls, and access control.
By integrating WAFs with other security tools and deploying multiple layers of security controls, organizations can create a more comprehensive security solution that provides more visibility and control over their cloud environment.
Article Disclaimer
The views, information, or opinions expressed are solely those of the author and do not necessarily represent those of his employer or the organizations with which he is affiliated.
The information contained in this post is for general information purposes only. The information is provided by Farhad Mofidi and, while he strives to keep the information current and accurate, he makes no representations or warranties of any kind, express or implied, regarding the completeness, accuracy, reliability, suitability or availability of the website or of any information, products or related graphics contained in any post, for any purpose.
Also, AI may be employed as a tool to provide suggestions and improve some of the contents or sentences. The ideas, thoughts, opinions, and final product are original and produced by the author personally.