August Blog: Why you Probably Need a Web Application Firewall
by Brad Rudisail, MCITP, MCSE, Virtualization Administrator, Network Engineer
While ransomware stole most of the cybersecurity headlines in 2016, data breaches continued to plague companies and institutions at a record-setting rate. 4,149 data breaches resulted in the compromise of more than 4.2 billion records, shattering the 2013 record of just over 1 billion. According to a global study compiled by IBM and the Ponemon Institute entitled The 2017 Cost of Data Breach, the total cost of a data breach is $3.62 million on average. The average cost per data record is $141. The United States is the most expensive country, with an overall cost of $7.35 million due to the aftermath costs of litigation and lost business. What’s more, according to the study, there is a 26 percent probability that a company will have a data breach involving a minimum of 10,000 lost or stolen records over a 24-month period. Those are not very good odds.
So how are hackers pulling off these attacks so frequently? According to the annual Verizon Data Breach Investigations Report, the most popular method of conducting a data breach is a web application attack. This may seem surprising considering that every enterprise has some type of perimeter firewall in place. Oftentimes, web application servers are correctly isolated in a DMZ for additional protection behind the walled perimeter, and the firewall is correctly configured with unnecessary inbound and outbound ports closed. UTM firewall appliances provide additional security components such as web filtering gateways and intrusion prevention systems (IPS). All of this, to no avail. How is this possible?
The unfortunate reality is that a traditional perimeter firewall is not designed to protect against web application attacks. Its purpose is to secure the enterprise at large, not an individual asset, and its protection is primarily geared towards layers 3 and 4 of the OSI model. Port-level protection is useless here because hackers simply use ports 80, 443 or other standard ports that must stay open for the web application itself to function. Although modern-day firewalls do use some degree of application-layer inspection to classify traffic types such as peer-to-peer sharing and media streaming, these processes are often not intelligent enough to discern the complicated exchanges between users and the application. Just as an online retail customer can interact with an online retail site, hackers can conduct malicious interactions as well. These attacks predominantly take the form of SQL injection, cross-site scripting and malicious file execution.
Whether you host your web applications on premises or in the cloud, you need a security solution designed with the exclusive purpose of preventing unauthorized access to your web application systems. That solution is a Web Application Firewall (WAF), a highly specialized security tool built to protect web applications, not the servers. A WAF resides at the outer edge of your network, in front of the public side of a web application, and analyzes incoming traffic. That is all it does, and it does it very well.
A modern-day WAF is designed to protect against these and other OWASP Top Ten application risks. WAFs are able to discern fraudulent interactions from legitimate traffic. This is a highly complex task, as hackers today weave their attack code into safe-looking website traffic. A WAF accomplishes this by intercepting and analyzing every HTTP request before it reaches the web application.
WAFs are also designed to perform SSL termination. Much of today’s web traffic is encrypted to protect the data transferred within the web session. HTTPS works both ways, however: it also shields malicious hacking code from scrutiny. Many hackers take advantage of this, using HTTPS as camouflage to avoid detection. Because a WAF stands between the public and the web application, it is able to decouple the traffic between the web server and the internet. SSL certificates are hosted on the WAF, which terminates the encrypted connection. The decrypted traffic is analyzed and then forwarded to the web application over HTTP. In a sense, the WAF works as an inbound or reverse proxy. Response traffic is sent back to the WAF, where it is encrypted and forwarded to the user over HTTPS.
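The inspection step the two preceding paragraphs describe, reduced to its essentials, as an added example that is not code from the article or from any WAF vendor: a small Python module that takes a raw HTTP request (the plaintext the WAF holds after terminating TLS), decodes the places an attacker can put input (path, query parameters, form body, a few headers), scores each against a constructed rule set, and returns an allow/block verdict. The rule set, the anomaly-score threshold and the three sample requests are all constructed for illustration; real products ship far larger rule sets plus heuristic engines. The TLS termination itself is not modelled; the module starts where the decrypted request would be handed to the inspection engine.

```python
"""Minimal WAF-style request inspection (added example, not vendor code)."""
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed signature set: (rule id, pattern, anomaly weight). Deliberately
# tiny; its purpose is to show the flow, not to be a complete rule set.
RULES = [
    ("sqli-union", re.compile(r"\bunion\b[\s/*]+(all\s+)?\bselect\b", re.I), 5),
    ("sqli-tautology",
     re.compile(r"(\bor\b|\band\b)\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I), 5),
    ("sqli-trailing-comment", re.compile(r"(--|#|/\*)\s*$"), 2),
    ("xss-script-tag", re.compile(r"<\s*script\b", re.I), 5),
    ("xss-event-handler", re.compile(r"\bon\w+\s*=", re.I), 3),
    ("xss-js-uri", re.compile(r"javascript\s*:", re.I), 4),
    ("path-traversal", re.compile(r"(\.\./|\.\.\\)"), 4),
]
BLOCK_THRESHOLD = 5  # total anomaly score at which the request is rejected


@dataclass
class Request:
    method: str
    target: str
    headers: dict
    body: str


@dataclass
class Verdict:
    score: int = 0
    matches: list = field(default_factory=list)  # (rule id, location) pairs

    @property
    def blocked(self) -> bool:
        return self.score >= BLOCK_THRESHOLD


def parse_request(raw: str) -> Request:
    """Split a raw HTTP/1.1 request into request line, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, target, headers, body)


def normalize(value: str) -> str:
    """Percent-decode up to twice so a double-encoded payload is inspected
    in the form the application would eventually see."""
    for _ in range(2):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspection_points(req: Request):
    """Yield (location, value) pairs: every place user-controlled data lands."""
    parts = urlsplit(req.target)
    yield "path", parts.path
    for key, val in parse_qsl(parts.query, keep_blank_values=True):
        yield f"query:{key}", val
    ctype = req.headers.get("content-type", "")
    if req.body and ctype.startswith("application/x-www-form-urlencoded"):
        for key, val in parse_qsl(req.body, keep_blank_values=True):
            yield f"body:{key}", val
    elif req.body:
        yield "body", req.body
    for name in ("user-agent", "referer", "cookie"):
        if name in req.headers:
            yield f"header:{name}", req.headers[name]


def inspect(raw: str) -> Verdict:
    """Score a raw request; the caller forwards it only if not blocked."""
    verdict = Verdict()
    for location, value in inspection_points(parse_request(raw)):
        text = normalize(value)
        for rule_id, pattern, weight in RULES:
            if pattern.search(text):
                verdict.score += weight
                verdict.matches.append((rule_id, location))
    return verdict


# Constructed sample requests: one ordinary, one form-based SQL injection,
# one double-encoded cross-site scripting attempt in a query parameter.
LEGIT = ("GET /products?category=shoes&page=2 HTTP/1.1\r\n"
         "Host: shop.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n")
SQLI = ("POST /login HTTP/1.1\r\nHost: shop.example\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
        "user=admin%27+OR+%271%27%3D%271&pass=x")
XSS_DOUBLE_ENCODED = ("GET /search?q=%253Cscript%253Ealert(1)%253C/script%253E"
                      " HTTP/1.1\r\nHost: shop.example\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("sqli", SQLI), ("xss", XSS_DOUBLE_ENCODED)):
        v = inspect(raw)
        print(f"{label}: {'BLOCK' if v.blocked else 'ALLOW'} score={v.score} {v.matches}")
```

Two design points carry over to real deployments. Decoding is done on the WAF before matching, because a rule that only sees the wire form of a request misses anything the application will decode later. And the verdict is a score rather than a single pattern hit, so that weak indicators (a trailing comment marker, an `on...=` fragment in a product description) do not block legitimate traffic on their own; tuning that threshold against your own traffic is most of the operational work of running a WAF.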
Two highly recommended WAF products are offered by Barracuda and Fortinet. Both companies offer their WAF solutions as a physical or virtual appliance as well as a cloud-based service. Pricing and licensing options depend on the format you require. Both protect your web application sessions based on the latest application vulnerabilities, bots, suspicious URL and data patterns, as well as specialized heuristic detection engines.
Because hackers today specialize their attacks, your enterprise needs specialized tools to combat them. A WAF should be a standard tool in the security arsenal of any company that depends on web applications to interact with its customers.