Proxies, Application Layer Firewalls and WAF

The original motivation of this page was the simple question of what constitutes a good WAF. This is actually difficult to answer, as there is no official WAF definition to base it on. There are some efforts to define standard WAF services (e.g. WAFEC); however, the answer will differ considerably depending on a person's technology background and understanding, on the product in focus, on the purpose of a solution and of course on the concrete project requirements.

A useful way to start answering this question is to differentiate between proxies, application layer firewalls and possible WAF scenarios. However, an objective answer will always depend on the individual project requirements for a security solution, which usually include a long list of requirements far beyond basic WAF filtering.

What is a proxy?

A proxy is a standalone entity doing something on behalf of someone else over the network. It is an intermediary between a client and a server, so a proxy must provide connection capabilities. In the http world, different terms are used for outbound (forward proxy) and inbound (reverse proxy) scenarios. This distinction is rarely made for other protocol families, where mainly the word proxy is used.

A further distinction needs to be made regarding the degree to which the proxy is aware of both parties (client/server). The absolute minimum is to provide services on a particular connection protocol layer. Any additional functionality on a higher protocol layer also means implementing at least parts of that protocol stack.

A proxy that can fully simulate the client, the server or both needs to implement all required protocols including their behavior. The term full proxy is also sometimes used for this. In that sense, a product like the Airlock WAF is a full proxy.

What is an application layer firewall?

Application layer firewall is a neutral term for providing filtering capabilities on the application layer (i.e. layers 5 and 6). In order to do so it must be able to “understand” application specifics on the session layer and content specifics on the application layer.

An application layer firewall can be implemented as a standalone entity or as built-in functionality of the application server (e.g. as a web server plugin). This functionality is also part of next generation firewalls if specific protocols are covered; there it is sometimes known under the label of deep packet inspection.

The degree of required application awareness becomes a key issue if the application layer is complex. This is the case for securing web applications. It is a lot of effort, not only because it requires a large number of protocols to be fully implemented: it may also require understanding correct application workflows, and catching technology differences between implementations, e.g. between web servers or browsers of different vendors.

WAF (Web Application Firewall)

A WAF is a special version of an application layer firewall for http and https, because it would simply be too much to implement such vast functionality on a standard firewall or a similar generic security device. However, there is a trend to enrich generic security devices with simplified WAF functionality. Nevertheless, dedicated WAF solutions would not be so popular if web application security were easy to implement and to operate.

Other reverse or forward proxies which are not http based can also be considered application layer firewalls if they provide filtering capabilities on layer 5 or 6. However, many such proxy solutions do not provide such filtering because they are merely used as connection proxies. It always makes sense to consider the filtering and connection capabilities of such proxy solutions separately.

In this sense, a networked WAF like the Airlock can also be considered an http router with WAF filtering capabilities.
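As an added illustration of the distinction drawn above (the connection capability of a reverse proxy versus the application layer filtering that makes it a WAF), here is a minimal http reverse proxy in Python. It is example code written for this page, not Airlock or ACROSEC code: the upstream address, the listening port and the small positive-model policy (allowed methods, paths and parameter patterns) are constructed assumptions. The filter_request function only sees the parsed request and never touches the network, while the handler class terminates the client connection and opens its own connection to the upstream, so the two capabilities can be judged separately.

```python
"""Minimal http reverse proxy with a separate application-layer filter.

Added example for this page (not Airlock or ACROSEC code).
Assumptions: the upstream web application listens on UPSTREAM_HOST:UPSTREAM_PORT
(constructed values) and POLICY is a toy white list for the example.
"""
import http.client
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qsl, urlsplit

UPSTREAM_HOST, UPSTREAM_PORT = "127.0.0.1", 8080   # constructed upstream address
LISTEN_PORT = 8000                                  # constructed proxy port

# Positive security model: only what is listed here is forwarded.
POLICY = {
    "methods": {"GET", "POST"},
    "paths": {                                       # path pattern -> allowed query parameters
        re.compile(r"^/$"): {},
        re.compile(r"^/search$"): {"q": re.compile(r"^[\w ]{1,40}$")},
        re.compile(r"^/items/\d{1,6}$"): {},
    },
}


def filter_request(method, target, policy=POLICY):
    """Application-layer decision: returns (allowed, reason).

    Knows nothing about sockets; it only inspects the parsed request line.
    """
    if method not in policy["methods"]:
        return False, f"method {method} not allowed"
    parts = urlsplit(target)
    for path_re, params in policy["paths"].items():
        if path_re.match(parts.path):
            break
    else:
        return False, f"path {parts.path} not allowed"
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        pattern = params.get(name)
        if pattern is None:
            return False, f"parameter {name} not allowed"
        if not pattern.match(value):
            return False, f"value of {name} rejected"
    return True, "ok"


class ReverseProxyHandler(BaseHTTPRequestHandler):
    """Connection layer: terminates the client connection, opens its own
    upstream connection, and forwards only what the filter allowed."""

    def _handle(self):
        allowed, reason = filter_request(self.command, self.path)
        if not allowed:
            # Log the reason; a production deployment would not echo it to the client.
            self.send_error(403, reason)
            return
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else None
        headers = {k: v for k, v in self.headers.items() if k.lower() != "host"}
        headers["Host"] = f"{UPSTREAM_HOST}:{UPSTREAM_PORT}"
        conn = http.client.HTTPConnection(UPSTREAM_HOST, UPSTREAM_PORT, timeout=10)
        conn.request(self.command, self.path, body=body, headers=headers)
        resp = conn.getresponse()
        data = resp.read()
        self.send_response(resp.status)
        for k, v in resp.getheaders():
            # Hop-by-hop headers and the length are set by this proxy, not copied.
            if k.lower() not in ("transfer-encoding", "connection", "content-length"):
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)
        conn.close()

    do_GET = do_POST = _handle


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", LISTEN_PORT), ReverseProxyHandler).serve_forever()
```

Run it and point a client at 127.0.0.1:8000: a request to /admin, a PUT, or a /search query whose value contains characters outside the pattern is answered with 403 before anything reaches the upstream. The filter understands http methods, paths and parameters, not TCP segments; that is the application awareness the page describes, and a plain connection proxy without it would forward everything.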

WAF for inbound scenarios

The name WAF implies an application layer firewall whose major purpose happens to be web applications. A web application waits for incoming client requests; a WAF therefore secures inbound connection scenarios to a web application.

This can be realized on the technology layer as part of the application server, as a network based WAF (a reverse proxy on a different IP address) or as a network transparent filtering service on the same IP address as the application. A network transparent WAF is very simple to deploy as it has no network footprint; however, it does not act as a proxy, which seriously limits its flexibility as security infrastructure. The combination of dedicated networked reverse proxies which communicate with agents on the application server is also possible.

The Airlock is a standalone networked WAF, and therefore a dedicated reverse proxy when it covers inbound scenarios. No proxy agent is required on the web application server for integrating an Airlock WAF with an application server. Specific agents are, however, available as modules offering extended functionality.

WAF for outbound scenarios

A well-known outbound use case is protecting a user who is browsing the Internet. Such a solution protects the user from downloading malicious code or prevents data leakage. This is known as a forward proxy, which, however, has nothing to do with a WAF.

Nevertheless, there are particular forward proxy scenarios where a WAF approach also makes sense, e.g. securing internal business applications when they integrate SOA web services from external partners. Such a solution using the Airlock WAF with the SOAP/XML Validator can filter web services based on the expected, known behavior of a SOA service (white list approach). The white list needs to be implemented only once, and anything in the data payload beyond that normal behavior is discarded.
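To make the white list approach concrete, the following added example (written for this page, not the Airlock SOAP/XML Validator) validates a SOAP request against a small service contract in Python. The service namespace urn:example:orders, the operation GetOrderStatus, the element patterns and the sample messages are all constructed for the example. The rule is the one stated above: only what the contract describes is accepted; unknown operations, extra elements, attributes, nesting, repeated elements, oversize messages and out-of-pattern values are discarded.

```python
"""White list (positive model) validation of a SOAP request body.

Added example for this page, not the Airlock SOAP/XML Validator.
The contract below (operation, allowed elements, value patterns) and the
sample messages are constructed for the example.
"""
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "urn:example:orders"          # constructed partner service namespace

# The contract: exactly what a normal request to this partner service looks like.
CONTRACT = {
    "operation": f"{{{SVC_NS}}}GetOrderStatus",
    "elements": {                       # child element -> (required, value pattern)
        f"{{{SVC_NS}}}OrderId": (True, re.compile(r"^[0-9]{1,12}$")),
        f"{{{SVC_NS}}}Locale": (False, re.compile(r"^[a-z]{2}(-[A-Z]{2})?$")),
    },
    "max_bytes": 4096,
}


def validate_soap(raw: bytes, contract=CONTRACT):
    """Return (accepted, reason). Anything not explicitly described by the
    contract is rejected; there is no list of "bad" patterns to maintain."""
    if len(raw) > contract["max_bytes"]:
        return False, "message too large"
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    if root.tag != f"{{{SOAP_NS}}}Envelope":
        return False, "not a SOAP envelope"
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) != 1:
        return False, "expected exactly one body element"
    op = body[0]
    if op.tag != contract["operation"]:
        return False, f"operation {op.tag} not allowed"
    if op.attrib:
        return False, "attributes on operation not allowed"
    seen = set()
    for child in op:
        spec = contract["elements"].get(child.tag)
        if spec is None:
            return False, f"element {child.tag} not allowed"
        if child.tag in seen:
            return False, f"element {child.tag} repeated"
        if len(child) or child.attrib:
            return False, f"element {child.tag} must be a simple value"
        if not spec[1].match((child.text or "").strip()):
            return False, f"value of {child.tag} rejected"
        seen.add(child.tag)
    missing = [t for t, (req, _) in contract["elements"].items() if req and t not in seen]
    if missing:
        return False, f"missing required element(s): {missing}"
    return True, "ok"


def envelope(inner: str) -> bytes:
    """Wrap constructed operation XML in a SOAP 1.1 envelope."""
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:o="{SVC_NS}">'
            f"<soap:Body>{inner}</soap:Body></soap:Envelope>").encode()


# Constructed sample messages: one normal request and three deviations from the contract.
GOOD = envelope("<o:GetOrderStatus><o:OrderId>123456</o:OrderId>"
                "<o:Locale>de-CH</o:Locale></o:GetOrderStatus>")
EXTRA = envelope("<o:GetOrderStatus><o:OrderId>1</o:OrderId>"
                 "<o:Debug>true</o:Debug></o:GetOrderStatus>")
BAD_OP = envelope("<o:CancelOrder><o:OrderId>1</o:OrderId></o:CancelOrder>")
BAD_VAL = envelope("<o:GetOrderStatus><o:OrderId>ABC-123</o:OrderId></o:GetOrderStatus>")

if __name__ == "__main__":
    for name, msg in (("GOOD", GOOD), ("EXTRA", EXTRA), ("BAD_OP", BAD_OP), ("BAD_VAL", BAD_VAL)):
        print(name, validate_soap(msg))
```

Unlike a black list of known bad patterns, the contract does not need updating when a new attack technique appears, only when the partner service legitimately changes. One caveat for production use: xml.etree.ElementTree does not resolve external entities by default but does expand internal ones, so the parsing step should use a hardened parser such as defusedxml; the size check before parsing exists for the same reason.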

2016/02/05, last update 2018/07/11 ©ACROSEC Inc.