WAF and Web Entry Server Technology

A WAF security solution is normally used for securing web applications in order to protect against attacks on the application layer. It filters requests that exploit application programming errors and application weaknesses or related vulnerabilities on the underlying application platform or system.

An enterprise WAF solution like Airlock is typically deployed in front of web applications (as a network- or service-based solution). However, a WAF is just one important element in an orchestrated security setup. The following high-level picture shows the main elements for securing external-facing web applications:

Security measures for web applications

  • WAF: Protects against application layer attacks
  • Failover/Hardening: Deploy specially hardened and failsafe applications, platforms and systems in such environments
  • DoS/DDoS measures: Have countermeasures ready in case of massive connection-based attacks
  • Firewall: Only the few necessary network ports are open on the firewall
  • IDS/IPS: Use intrusion detection and prevention systems on the internal side in order to catch real threats – and to limit the number of false alerts
  • DMZ: “Demilitarized zone” network with restrictive setup for hosting web applications

A WAF is a great tool for securing web applications against existing and future threats. Virtual patching gives the application owner more room to maneuver when handling upcoming security threats, allowing security issues in applications to be fixed within the normal application development cycle rather than in panic mode.

However, there is another good argument for having a WAF: A WAF can be far more than just a WAF. It can be an enabler for many enterprise scenarios at the boundary.

Web Entry Server: A WAF can be far more than just a WAF

Looking at the picture above, it is fairly obvious that a networked WAF (reverse proxy) is the perfect place for value-added services to applications. Unifying portal services, user authentication, access authorization, handling of security sessions, identity management, and high availability and failover scenarios are typical services that are useful to the business; however, they are difficult to implement. Giving your developers a 500-page best-practice security guide and providing training is fine, but don’t expect all applications to reach the same security level overnight.

The Web Entry Server approach leverages the security infrastructure of a WAF-based security gateway, creating a unique breed of framework that can be reused by all applications, reducing development cost and time to market while at the same time raising the security level. This approach is known in the Swiss financial industry as the “Swiss Style Web Entry Server” and is used to protect important applications such as Internet banking.

Advantages:

  • All applications are protected at the same security level
  • All users are protected on the same security level
  • Security changes can be applied centrally
  • Developers leverage an existing security framework
  • Operators can leverage an existing security framework
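As an added illustration (not Airlock’s or ACROSEC’s code), the following Python sketch shows the central policy a Web Entry Server applies to every request before it reaches any application: virtual-patch filtering, session-based authentication and per-application authorization, so that every application behind the gateway gets the same treatment. Backend names, patch rules, users and session values are constructed placeholders.

```python
"""Web Entry Server style gateway policy: one central check for all backends."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed: applications behind the gateway, keyed by URL prefix.
BACKENDS = {"/banking/": "app-banking", "/portal/": "app-portal"}

# Constructed: virtual patches. Each blocks a request pattern for a known
# application weakness until the application itself has been fixed.
VIRTUAL_PATCHES = [
    ("path-traversal", re.compile(r"\.\./")),
    ("script-in-query", re.compile(r"<script", re.IGNORECASE)),
]

# Constructed: session store and entitlements held centrally by the gateway,
# not by each application.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}
ENTITLEMENTS = {"alice": {"/banking/", "/portal/"}, "bob": {"/portal/"}}

@dataclass
class Request:
    path: str
    query: str = ""
    session: Optional[str] = None   # value of the gateway's session cookie

@dataclass
class Decision:
    action: str                     # "forward" or "deny"
    backend: Optional[str] = None
    reason: Optional[str] = None

def route(req: Request) -> Decision:
    # 1. WAF filtering: apply virtual patches before anything reaches an app.
    for name, pattern in VIRTUAL_PATCHES:
        if pattern.search(req.path) or pattern.search(req.query):
            return Decision("deny", reason=f"virtual-patch:{name}")
    # 2. Central authentication: missing or unknown session -> login required.
    user = SESSIONS.get(req.session or "")
    if user is None:
        return Decision("deny", reason="authentication-required")
    # 3. Central authorization: map the URL prefix to an application and
    #    check the user's entitlement for that application.
    for prefix, backend in BACKENDS.items():
        if req.path.startswith(prefix):
            if prefix in ENTITLEMENTS.get(user, set()):
                return Decision("forward", backend=backend)
            return Decision("deny", reason="not-entitled")
    return Decision("deny", reason="unknown-application")
```

Adding a new application only means registering its prefix and entitlements; authentication, session handling and virtual patches apply to it automatically.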

Many firms with sensitive applications, like Swiss banks, combine a Web Entry Server with an appropriately designed DMZ network and identity management solutions. Such a Web Entry design bundle is not only focused on security, but also on fostering reuse and integration.

Web Entry Server, WAF based security infrastructure

The Web Entry scenario is very flexible and supports a vast range of enterprise solutions, e.g. customer portals, Intranet remote access for employees or partner portals. Identity management is a key driver in enabling such approaches.

The WAF and Web Entry scenarios described so far are inbound only (reverse-proxy scenarios). However, a WAF can also be used for outbound scenarios. An outbound WAF with SOAP/XML filtering capabilities would act as a (forward-proxy) security infrastructure for consuming external SOA web services, e.g. those of business partners.

2016/02/05 © ACROSEC Inc.