In my previous articles, I mentioned firewalls, so I decided to dedicate this entire article to that topic. First, I want to give a basic explanation of firewalls and then more information about web application firewalls, so you can make a more informed decision. I have mainly mentioned web application firewalls as a way to prevent attacks such as SQL Injection, XSS (cross-site scripting), cookie poisoning, etc.
What is a firewall?
A firewall is software or hardware used to monitor network data (traffic) and compare it against a set of rules. Depending on the rules, traffic will be passed or blocked. On the Internet, you might hear this analogy: a firewall is a guard or gatekeeper at the entrance of an event. This gatekeeper can check the ID of individuals against a set of rules before letting them enter (or leave).
But before I explain more, I need to cover some basics – OSI layers and TCP/IP.
Layers of the OSI model and TCP/IP
The OSI Model (Open Systems Interconnection Model) is used to describe how a network system functions. This model is split into seven abstraction layers:
- Physical – the lowest layer, responsible for the physical connection between devices and for transmitting bits from one node to the next. It handles the raw 0s and 1s and hands them to the Data Link layer above it.
- Data Link – this layer is responsible for checking that data transfer is error-free (error checking/formatting) from one node to another over the physical layer. Its primary purpose is to help the sender deliver a set of meaningful bits to the receiver.
- Network – this layer is responsible for defining which path the data will take. It takes care of transmitting data from one host to another when they are on different networks.
- Transport – transmits data using transport protocols (TCP and UDP). It tracks whether the data transmission was successful; if an error is found, the data is re-transmitted.
- Session – this layer maintains connections and is responsible for controlling ports and sessions.
- Presentation – this layer ensures that data is in a usable format. It is also where encryption occurs.
- Application – this layer interacts with the user and displays the received information to them.
*The OSI model was published in 1984 by the International Organization for Standardization (ISO). For more information on the layers (and their functions), you can check out this site.
Keep in mind that today’s Internet is based on the TCP/IP stack. The OSI model is an abstraction, something we use to learn about the Internet protocols. The implementation is based on the TCP/IP stack, not the OSI model.
The TCP/IP model has four layers: link, network, transport, and application. Data passes through them in a particular order, from the bottom layer to the top layer and back.
If you want to read about TCP/IP layers, check out this site
Classifications of firewalls
There are a few classifications for firewalls.
The first one is hardware versus software firewalls. A hardware firewall is a separate appliance through which the network traffic passes (such as Cisco ASA). A software firewall is software that comes with the OS, such as Windows Defender Firewall – also called a host firewall. On Linux, you usually get a built-in host firewall called ufw (uncomplicated firewall). You can also install a third-party solution (Comodo, Norton, etc.).
The second one is the classification by personal or commercial use. Personal is mainly for use at home and it is designed for small networks. The commercial firewall is designed to protect medium to large networks.
However, the most important classification is by the layers on which the firewall operates. Firewalls mainly focus on layers 3 and 4 (sometimes even 2). Next-generation firewalls cover layers 5, 6, and 7.
The third classification is based on firewall abilities:
- Packet-Filtering Firewall
- Circuit-Level Gateway
- Stateful Inspection Firewall
- Proxy Firewall – all traffic goes through the proxy firewall (for example a WAF) on its way to the server
- Next-Generation Firewall (NGFW)
- Cloud Firewall or Firewall as a Service (FWaaS)
I will focus on the Web Application Firewall, an example of a Proxy Firewall and of Firewall as a Service (FWaaS).
Web Application Firewall
Definition of WAF by OWASP on their site: “A web application firewall (WAF) is an application firewall for HTTP applications. It applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection. While proxies generally protect clients, WAFs protect servers. A WAF is deployed to protect a specific web application or set of web applications.”
The proxy firewall inspects the content of the payload (packets). Unlike the packet-filtering firewall from the third classification above, it is not limited to packet headers.
FWaaS is a hardware firewall in a cloud environment. Its features depend on the service provider, and it benefits from the scalability of cloud architecture.
Types of Web application firewalls
There are three types of web application firewalls: hardware, software, and cloud-based. All of them have advantages and disadvantages, and it is very important to know them before choosing the right one for your web application.
Hardware-based WAF – this hardware solution is installed locally in the LAN, close to the application and web servers. It is a good choice because it can be modified, and it supports configuration and updates. It is very fast and has high performance. This type is perfect for big organizations whose application receives many visits on a daily basis. For small organizations it is not cost-efficient because it can be costly.
List of hardware WAFs: WAPPLES, Imperva SecureSphere, Barracuda Web Application Firewall, Citrix Netscaler Application Firewall, Fortinet FortiWeb, F5 BIG-IP Application Security Manager (ASM).
Software-based WAF – this one differs from a hardware firewall in that it needs a virtual machine instead of dedicated hardware. As you can guess, this solution is usually cheaper than hardware. The advantage is that it can be used in your on-prem systems, while you can also deploy it in the cloud. A disadvantage is that it is slower because it runs on a VM. This solution is suitable for small and medium organizations.
Cloud-based WAF – this firewall is provided and managed in the form of software as a service (SaaS). This solution is entirely in the cloud. It is good because the service provider handles optimizations and updates, so you would not need to manage anything. On the other hand, that is also a disadvantage: if you require some customization, you simply cannot do it, or if such an option exists, it will probably be more complex in some way. This solution is good for small and medium organizations which don’t have enough resources to focus on the management of a WAF.
*The list of software and cloud-based WAFs will be covered in the next part of the article.
How is WAF configured?
A WAF can be configured in three different ways: whitelisting, blacklisting, or a hybrid of the two.
If you choose the whitelisting model, you would usually start by blocking everything (no Internet at all!), and then gradually go on from there, allowing only what’s necessary for your application.
On the other hand, the blacklisting model is the opposite of whitelisting. You would need to create a list of criteria by which traffic will be blocked; everything else is allowed through.
The third model is hybrid. If you decide to use this model, you will probably have an application with some specific criteria where you combine whitelisting and blacklisting. Ideally, you get the best of both worlds, so to speak.
To choose a model, you would first need to define the needs for your application. (You might also want to consider your infrastructure.)
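To make the three models concrete, here is an added example (not code from the article) of a minimal WAF rule engine in Python that evaluates a few constructed HTTP requests under the whitelisting, blacklisting and hybrid models; it also shows the point from the OWASP definition above, that rules are applied to the HTTP conversation (paths and parameters) rather than to packet headers. The allowed paths, the parameter shapes and the signature patterns are assumptions chosen for illustration, not a production rule set.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample request URLs standing in for real traffic (not captured data).
SAMPLE_REQUESTS = [
    "/search?q=firewall",                                 # ordinary search
    "/search?q=%27%20OR%201%3D1--",                       # SQL-injection-like probe
    "/search?q=%3Cscript%3Ealert(1)%3C/script%3E",        # XSS-like probe
    "/admin/export?format=csv",                           # benign but not on the allowlist
]

# Whitelisting (positive model): only known paths, parameter names and value shapes pass.
ALLOWLIST = {
    "/search": {"q": re.compile(r"[\w\s-]{1,64}")},
    "/health": {},
}

# Blacklisting (negative model): generic attack signatures, as a WAF rule set would carry.
DENYLIST = [
    ("sqli", re.compile(r"(?i)\b(or|and)\b\s+\d+\s*=\s*\d+|;\s*drop\b")),
    ("xss", re.compile(r"(?i)<\s*script\b|javascript:|\bon\w+\s*=")),
]

def check_allowlist(path, params):
    """Return None if the request fits the positive model, else the reason it does not."""
    rules = ALLOWLIST.get(path)
    if rules is None:
        return "path not allowed"
    for name, values in params.items():
        if name not in rules:
            return f"parameter {name} not allowed"
        if not all(rules[name].fullmatch(v) for v in values):
            return f"parameter {name} has unexpected shape"
    return None

def check_denylist(params):
    """Return the name of the first signature that matches any parameter value, or None."""
    for values in params.values():
        for rule_name, pattern in DENYLIST:
            if any(pattern.search(v) for v in values):
                return rule_name
    return None

def evaluate(url, mode):
    """Return 'pass' or 'block:<reason>' for one request under the chosen model."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query, keep_blank_values=True)
    # Hybrid: known endpoints get the strict positive model, everything else the signatures.
    use_allowlist = mode == "whitelist" or (mode == "hybrid" and parsed.path in ALLOWLIST)
    reason = check_allowlist(parsed.path, params) if use_allowlist else check_denylist(params)
    return "pass" if reason is None else "block:" + reason

def run_all(mode):
    """Evaluate every sample request under one model and return the list of verdicts."""
    return [evaluate(url, mode) for url in SAMPLE_REQUESTS]
```

Running `run_all` for each mode shows the trade-off the article describes: whitelisting also blocks the benign but unlisted `/admin/export` request, blacklisting lets it through while catching only the signatures it knows, and hybrid applies the strict model where it is defined and falls back to signatures elsewhere.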