Background of WAF solutions

What is a good WAF? This is actually a difficult question to answer, as there is no official WAF definition. There are some efforts to define standard WAF services; however, the answer will differ depending on technology background, understanding, the product in focus, the purpose of a solution and of course its requirements.

The best approach to start answering this question is to differentiate between WAF, proxy and application level firewall functionality and the possible solution scenarios. However, an objective answer will always depend on the individual project requirements of a security solution, which will include a long list of requirements far beyond basic WAF filtering.

Typical requirements:

  • Ease of operation
  • Update support
  • etc. etc. etc.

What is a proxy?

A proxy is a standalone entity doing something on behalf of someone else over the network. It is an intermediary function between a client and a server; thus a proxy must provide connection capabilities. In the http world, different terms are used for the outbound (forward proxy) and inbound (reverse proxy) scenarios. Such a distinction is rarely made for other protocol families, where mainly the word proxy is used.

A further distinction needs to be made regarding the degree to which the proxy is aware of both parties (client/server). The absolute minimum is to provide services on a particular connection protocol layer. Any additional functionality on a higher protocol layer also means implementing at least parts of that protocol stack.

A proxy able to fully simulate the client, the server or both would need to implement all required protocols including their behavior. The term full proxy is sometimes used for this. In that sense, a product like the Airlock WAF is a full proxy.

What is an application layer firewall?

An application layer firewall is a neutral term for providing filtering capabilities on the application layer (i.e. layers 5 and 6). In order to do so, it must be able to understand application specifics on the session layer and content specifics on the application layer.

An application layer firewall can be implemented as a standalone entity, or as built-in functionality on the application server (e.g. as a web server plugin). This functionality is also part of next generation firewalls, sometimes under the label of deep packet inspection.

The degree of required application awareness becomes a key issue if the application layer is complex. This is the case for securing web applications. It is a lot of effort, not only because it requires a large number of protocols to be fully implemented; it may also require understanding correct application workflows and catching technology differences between implementations, e.g. of web servers or browsers from different vendors.

A WAF is a special version of an application layer firewall, because it would simply be too much to implement on a standard firewall or similar generic security device. However, there is a trend to enrich generic security devices with simplified WAF functionality. Nevertheless, dedicated WAF solutions would not be so popular if web application security were easy to implement and operate.

Other reverse or forward proxies which are not http based can also be considered application layer firewalls if they provide filtering capabilities on layer 5 or 6. However, many such proxy solutions do not provide such filtering because they are merely used as connection proxies. It always makes sense to consider the filtering and connection capabilities of such proxy solutions separately.

In this sense, a networked WAF like the Airlock can also be considered an http router with WAF filtering capabilities.

WAF for inbound scenarios

The name WAF implies an application layer firewall whose major purpose is the protection of web applications. A web application waits for incoming client requests; a WAF therefore secures inbound connection scenarios to a web application.

This can be realized technically as part of the application server or as a network based WAF (a reverse proxy on a different IP address). A combination of a separate reverse proxy which communicates with agents on the application server is also possible.

The Airlock is a standalone network WAF and therefore a dedicated reverse proxy when covering inbound scenarios. No proxy agent is required on the web application server to integrate an Airlock WAF with an application server. Specific agents are, however, available as modules offering extended functionality.

WAF for outbound scenarios

A well-known outbound use case is protecting a user who is browsing the Internet. Such a solution prevents the user from downloading malicious code or prevents data leakage. This is known as a forward proxy, which, however, has nothing to do with a WAF.

Nevertheless, there are particular forward proxy scenarios where a WAF approach also makes sense, i.e. securing internal business applications that integrate SOA web services from external partners. Such a solution can filter web services based on the expected, known behavior of a SOA service (white list approach). The white list needs to be implemented only once, and everything in the data payload beyond the normal behavior is discarded.
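The white list approach described above, as an added example that is not part of the original paper or of any ACROSEC product: a small Python filter for a hypothetical partner web service (the operation name, element names and value patterns are constructed) that declares the expected response once and discards every payload that deviates from it.

```python
import re
import xml.etree.ElementTree as ET

# Constructed white list for one hypothetical partner service, "OrderStatus":
# the only operation allowed and, per element, the only value shape allowed.
# Anything not declared here is discarded (positive security model).
WHITELIST = {
    "OrderStatusResponse": {
        "orderId": re.compile(r"[A-Z]{2}[0-9]{6}"),
        "status": re.compile(r"PENDING|SHIPPED|DELIVERED"),
        "eta": re.compile(r"[0-9]{4}-[0-9]{2}-[0-9]{2}"),
    }
}
MAX_BODY = 4096  # bytes; oversized payloads are discarded before parsing


def filter_payload(body: bytes):
    """Return (True, 'ok') if the payload matches the white list, else (False, reason)."""
    if len(body) > MAX_BODY:
        return False, "payload too large"
    try:
        # Stdlib parser keeps the example dependency-free; use defusedxml in production.
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return False, f"malformed xml: {exc}"
    if root.tag not in WHITELIST or root.attrib:
        return False, f"unknown operation or unexpected attributes: {root.tag!r}"
    expected = WHITELIST[root.tag]
    seen = set()
    for child in root:
        if child.tag not in expected:
            return False, f"unexpected element {child.tag!r}"
        if len(child) or child.attrib:
            return False, f"nested content or attributes in {child.tag!r}"
        # fullmatch: the whole value must fit the pattern, no partial matches
        if not expected[child.tag].fullmatch((child.text or "").strip()):
            return False, f"value of {child.tag!r} does not match the whitelist"
        seen.add(child.tag)
    missing = sorted(set(expected) - seen)
    if missing:
        return False, f"missing elements {missing}"
    return True, "ok"


# Constructed sample responses from the partner service.
GOOD_RESPONSE = (b"<OrderStatusResponse><orderId>CH123456</orderId>"
                 b"<status>SHIPPED</status><eta>2016-02-10</eta></OrderStatusResponse>")
EXTRA_ELEMENT = (b"<OrderStatusResponse><orderId>CH123456</orderId><status>SHIPPED</status>"
                 b"<eta>2016-02-10</eta><debug>internal</debug></OrderStatusResponse>")
BAD_VALUE = (b"<OrderStatusResponse><orderId>CH123456</orderId>"
             b"<status>SHIPPED; see attachment</status><eta>2016-02-10</eta></OrderStatusResponse>")
```

Only the three declared elements with their declared value shapes pass; an extra element, a value outside its pattern, a missing element, an unknown operation, malformed XML or an oversized body is discarded with a reason that can be logged.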

2016/02/05 © ACROSEC Inc.