Case study

CategoryArticles
Updated: 8/14/2024Published: 7/11/2022

What is a Web Application Firewall (WAF) and Why Use it?

In this article you will learn:

Understanding the difference between a traditional firewall and a Web Application Firewall (WAF) is essential for modern cybersecurity. As businesses increasingly rely on web applications, WAFs have become crucial for defending against sophisticated DDoS attacks targeting the application layer. This article delves into the specifics of WAF, what they protect against, and how AWS WAF can offer comprehensive protection for your web applications.

The difference between a firewall and web application firewall

The main difference between a firewall and a web application firewall (WAF) definition is that a firewall usually protects network and transport layers (layers 3 and 4). A WAF offers protection on the application layer (layer 7).

What is a web application firewall (WAF)?

A WAF monitors HTTP/HTTPS requests and protects these web applications from malicious activities on layer 7 of the OSI model. Hence, a WAF is a necessary protection against a growing number of web security threats.

Types of WAF

  • Network-based (NWAF): Traditionally hardware-based in an on-premises environment.
  • Host-based: WAF is implemented as an additional application or plugin on a web server.
  • Cloud-based: WAF protection is transferred to an external cloud supplier. WAF is provided as part of the access network (DNS, CDN, or Load Balancer).

In this article, you will mainly learn information about cloud-based WAFs.

What does WAF protect against?

A WAF should protect against the most common malicious web attacks, such as:

the most common malicious web attacks

Common web application attacks and code injection techniques:

  • SQL injection (SQLi): This can be done by entering a malicious code in SQL statements, via web page input (e.g. the user gives you an SQL statement that you will unknowingly run on your database). This malicious code can alter, steal or delete database data.
  • Cross-site scripting (XSS): A malicious script is injected into the code (e.g. HTTP, JavaScript, etc.) of a trusted website, allowing potentially sensitive user data such as cookies to be accessed. The code modified by this attack is not executed on the server but on the user's side.
  • Remote file inclusion (RFI): RFI is the process of embedding external files through vulnerabilities implemented in the web application. If the process allows modification of the path to a processed file (for example, if the path is included as a parameter), the attacker can use this path to input an external malicious file.
  • And more web application attacks and threats from the OWASP Top 10 publication.

DDoS attacks on layer 7 (HTTP Flood):

These are composed of requests (HTTP GETs and DNS queries are popular) that are designed to consume application resources (memory, CPU, bandwidth). An example is an attacker who continuously uses a website functionality (submitting a contact form or any API requests) that they know causes database and application processing so that the underlying web service is busy with malicious requests and can’t deliver to other users anymore. Read more in our article about DDoS protection.

Bad Bots:

Bad bots are often programmed to do a variety of malicious jobs. They can try to break into user accounts, steal data, submit meaningless data through online forms, and perform other malicious activities. Bad bot activity is most often manifested by an abnormal increase or decrease in visits in unusual periods with a high rate of immediate leave (bounce).

StormiTIP

Growing number of attacks

We've seen a rise in DDoS attacks targeting layer 7. To protect our customers' infrastructure, we leverage AWS WAF, which effectively mitigates these threats while ensuring legitimate traffic remains unaffected.

Adam

Benefits of WAF

  • Completes other protective systems such as firewalls and intrusion prevention systems.
  • Lower costs for cloud security by avoiding the need for expensive dedicated hardware or IT security staff.
  • Filters and monitors traffic on the application layer (layer 7) which is not possible with any other type of firewall.
  • Prevents unauthorized transfer of sensitive data away from the application.
  • Reduce the risk of downtime, data theft and security breaches.
  • WAF can be scaled to protect against the largest DDoS attacks on layer 7.

How does a WAF work?

A WAF is usually placed logically between users and web servers and analyzes and compares network traffic with the vulnerability database. A WAF creates a set of rules designed to protect your website and detects unwanted traffic. It usually blocks this traffic but can be set up to only monitor it.

How does a WAF work infographic

Want to find out how a WAF can help your particular use case?

Talk to a waf specialist

AWS Web Application Firewall(AWS WAF)

The AWS WAF is a cloud-based solution that helps prevent attacks on the application layer 7 and a great web application firewall example. Due to the specific nature of these attacks, with an AWS WAF you can easily create customized rules against malicious requests which could have characteristics like being disguised as good traffic or coming from bad IPs, unexpected geographies, etc.

AWS WAF protection is tightly integrated with AWS services that AWS customers use to deliver content such as Amazon CloudFront CDN, the Application Load Balancer (ALB), and the Amazon API Gateway. But AWS WAF can be also used for the protection of services from other providers, but your content has to be served through the CloudFront distribution network.

How does an AWS WAF work?

You use an AWS WAF to control how an Amazon CloudFront distribution, an Amazon API Gateway, an Application Load Balancer or an AWS AppSync GraphQL API responds to web requests.

AWS WAF infographic

What can an AWS WAF do?

  • Blocking of malicious traffic: SQL injection (SQLi), Cross-site scripting (XSS), Remote file inclusion (RFI), DDoS attacks on layer 7, Bad bots based on applied rules.
  • Traffic filtering: Rate-based rules, Ip and geographical filtering, Actions on HTTP/HTTPS traffic (allow/block), Regex and String match support.
  • Monitoring: Amazon CloudWatch metrics/alarms and sampled logs.

Types of rules

Before choosing the right type of security rules, you should understand what vulnerabilities your web application has. If you need help finding this out, contact us for a consultation.

Talk to a waf specialist

1. AWS Managed rules

You can select from a variety of AWS managed rule groups to protect your application from multiple threats. These rules are written by security experts who have extensive and up-to-date knowledge of threats and vulnerabilities.

These managed rules include:

  • Use case specific rules for protection based on your web application characteristics, such as the application OS or database type.
  • Rule groups that can help you mitigate some of the common threats in the OWASP Top 10 publication.
  • An IP reputation list acquired from the Amazon threat intelligence team to block known malicious IPs.

2. Custom rules

You can write custom rules specific to your web application/database to block undesired patterns in parts of the HTTP/HTTPS request, such as headers, method, query string, URI, body and IP address. These custom rules can be used together with AWS Managed Rules.

3. AWS Marketplace Rules

You can also find rules created by security vendors that have built their own rule sets on an AWS WAF on the AWS Marketplace.

4. Advanced Automated Mitigations

AWS provides the AWS WAF Security Automations Solution which automatically deploys a set of AWS WAF rules that filter common web-based attacks, but also provide advanced log analysis. This automated solution leverages AWS WAFs APIs to react to threats detected from logs, honeypot URLs, and more to automatically update rules and block malicious IP addresses. An example of this is shown below.

Benefits of AWS WAF

Easy to deploy:

If you are already using services like Amazon CloudFront or Application Load Balancer, you can be up and running with an AWS WAF within a few minutes. And you don’t have to re-architect your whole network infrastructure when starting with an AWS WAF, which is sometimes necessary for WAFs from other providers. There is also no additional software to deploy, any DNS configuration or SSL/TLS certificate to manage.

Affordable:

Like other AWS services, you pay only for what you use, based on the number of rules you deploy and the volume of web requests your application receives. To optimize costs, it's crucial to limit AWS WAF monitoring to only the parts of your application or website where it's truly needed.

Managed service and rules:

The AWS WAF is a fully managed service, so you don’t have to worry about scaling and updates/patches. With Managed Rules for your AWS WAF, you can quickly get started and protect your web application or APIs against common threats. Managed rules are automatically updated so you can spend more time building applications.

Comprehensive security with Well-Architected review

StormIT team helps organizations protect their websites and applications against all commonly known attacks and exploits by leveraging the protection of AWS Services, such as AWS WAF and AWS Shield. Thanks to the free AWS Well-Architected review, it's easy to understand how to integrate these services into your architecture.

This reference architecture below includes several AWS Edge Services that the StormIT team recommends using because it can help you improve your web application’s resiliency against known web application attacks, but also secure your application and infrastructure in other ways. This architecture is intended for those who use only AWS services.

Here is an example of StormIT's recommended architecture for those who use servers outside of the AWS Cloud.

We offer a free AWS Well-Architected review to evaluate your architecture and guide you in following AWS best practices. Our consultation includes AWS Edge Services like Amazon CloudFront, AWS WAF, Amazon Route 53, and AWS Shield to enhance your application's security.

Book a first session

Similar blog posts

See all posts
CategoryNews

Introducing FlashEdge: CDN from StormIT

Let’s look into some features of this new CDN created and recently launched by the StormIT team.

Find out more
CategoryCase Studies

AWS Well-Architected Review Series: Renewable Energy Industry Client

See how StormIT optimized a renewable energy client's AWS infrastructure through the Well-Architected Framework. Explore now...

Find out more
CategoryCase Studies

Microsoft Windows in AWS - Enhancing Kemper Technology Client Solutions with StormIT

StormIT helped Kemper Technology Consulting enhance its technical capabilities in AWS.

Find out more
CategoryCase Studies

Enhancing Betegy's AWS Infrastructure: Performance Boost and Cost Optimization

Discover how Betegy optimized its AWS infrastructure with StormIT to achieve significant cost savings and enhanced performance. Learn about the challenges faced, solutions implemented, and the resulting business outcomes.

Find out more
CategoryArticles

Amazon RDS vs. EC2: Key Differences and When to Use Each

Discover the key differences between Amazon RDS and EC2! Explore the basics, AWS RDS vs EC2, and which one to choose.

Find out more
CategoryArticles

StormIT Achieves AWS Service Delivery Designation for Amazon DynamoDB

StormIT achieved the AWS Service Delivery designation for Amazon DynamoDB, showcasing our expertise in designing scalable, efficient database solutions, validated through rigorous AWS technical reviews.

Find out more