O'Reilly Modern Defense in Depth

Web Application Firewalls (WAFs) are among the few technologies specifically designed to eliminate malicious web requests from attackers, because they have a better framework in place to understand the underlying web application. Believing that the other lines of defense can detect and block a malicious web request is imprudent, and the case for must-have WAF technology as the next line of defense is nearly irrefutable.

After incoming traffic originating from malicious bots has been removed from the traffic streams (by way of the bot management solution), the next line of defense comes into play. Cloud-based WAFs are imperative to identify attacks targeting web applications. Operating differently from network firewalls, WAFs are tasked with blocking attacks that take advantage of known vulnerabilities in commonly used web applications, in addition to attacks targeting poor coding practices. Operating as a sort of plug-in within the reverse proxies themselves, WAFs are a critical layer of defense to protect public-facing web applications. Because WAFs have knowledge only of traffic that traverses TCP ports 80 and 443, all other incoming traffic is most often simply discarded by the other upstream lines of defense.

Traffic on ports 80 and 443 is inspected by the WAFs and compared against a long list of rules that most often dictate what an incoming web request should look like. There are many malicious examples of web requests that can inject code into web applications, allow an attacker to gain privileged access, or manipulate applications to expose sensitive data, so incoming requests need to be deeply scrutinized. This is performed by comparing all incoming web requests against a long list of rules commonly bundled into rulesets. Today, most WAF vendors have implemented the OWASP ModSecurity Core Rule Set (CRS), which contains generic attack detection rules for use with ModSecurity or compatible WAFs.
The whole point of having WAF technology deployed is to eliminate malicious web requests that easily pass through all previous lines of defense. Some WAF vendors have limited or no ability to create "custom rules" outside of the CRS, whereas other WAF vendors completely support customization. The ability to write custom rules allows for more flexibility and provides surgical detection and mitigation of very specific web requests and their associated attacks. When

22 | Chapter 3: Cloud-Based Lines of Defense for Web Application Security
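To make the rule-matching described above concrete, here is a small, self-contained model of a WAF inspection pass. It is example code written for this page, not code from the O'Reilly report, from ModSecurity, or from any WAF vendor. It shows the three ideas the text raises: only traffic on TCP ports 80 and 443 is inspected at all; each request is compared against a ruleset and scored (the scoring scheme is constructed, loosely modelled on the CRS anomaly-scoring idea where each matching rule adds points by severity and the request is blocked once a threshold is reached); and a site-specific custom rule sits alongside the generic ruleset for surgical detection. The rule IDs, patterns, severities, threshold and sample requests are all constructed for illustration and are not CRS rules.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlsplit

# Constructed scoring scheme (assumption, loosely modelled on CRS anomaly scoring):
# each matching rule adds points by severity; at or above the threshold the
# request is blocked, below it the match is only logged.
SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}
INBOUND_THRESHOLD = 5
INSPECTED_PORTS = (80, 443)


@dataclass
class Rule:
    rule_id: int
    targets: tuple          # which parts of the request to inspect, e.g. ("ARGS", "REQUEST_URI")
    pattern: str            # regular expression describing what should NOT appear
    severity: str
    msg: str
    _rx: re.Pattern = field(init=False, repr=False)

    def __post_init__(self):
        self._rx = re.compile(self.pattern, re.IGNORECASE)


@dataclass
class Request:
    port: int
    method: str
    path: str               # request path including query string
    headers: dict
    body: str = ""


# Constructed ruleset: generic rules (900xxx) plus one site-specific custom rule (100001).
RULES = [
    Rule(900001, ("ARGS", "REQUEST_URI"), r"(?:union\s+(?:all\s+)?select|'\s*or\s+\d+\s*=\s*\d+)",
         "CRITICAL", "SQL injection pattern in parameter"),
    Rule(900002, ("REQUEST_URI",), r"\.\./", "CRITICAL", "Path traversal sequence in URI"),
    Rule(900003, ("ARGS",), r"<script", "CRITICAL", "Script tag in parameter (XSS)"),
    Rule(900004, ("ARGS",), r".{257,}", "WARNING", "Unusually long parameter value"),
    # Custom rule: a hypothetical legacy export endpoint this site never exposes publicly.
    Rule(100001, ("REQUEST_URI",), r"^/internal/export", "CRITICAL", "Request to internal-only endpoint"),
]


def collect_targets(req: Request) -> dict:
    """Break a request into the named collections the rules inspect."""
    parts = urlsplit(req.path)
    args = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    ctype = req.headers.get("Content-Type", "")
    if req.method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        args += [v for _, v in parse_qsl(req.body, keep_blank_values=True)]
    return {
        "REQUEST_URI": [req.path],
        "ARGS": args,
        "REQUEST_HEADERS": list(req.headers.values()),
    }


def evaluate(req: Request, rules=RULES):
    """Return (decision, anomaly_score, matched_rule_ids) for one request."""
    # The WAF only sees web ports; anything else is left to upstream layers.
    if req.port not in INSPECTED_PORTS:
        return ("NOT_INSPECTED", 0, [])
    targets = collect_targets(req)
    score, matched = 0, []
    for rule in rules:
        # A rule counts once per request even if several targets match.
        if any(rule._rx.search(v) for t in rule.targets for v in targets.get(t, [])):
            score += SEVERITY_SCORE[rule.severity]
            matched.append(rule.rule_id)
    decision = "BLOCK" if score >= INBOUND_THRESHOLD else "ALLOW"
    return (decision, score, matched)


if __name__ == "__main__":
    ua = {"User-Agent": "Mozilla/5.0"}
    samples = [  # constructed sample requests
        Request(443, "GET", "/products?id=1", ua),
        Request(443, "GET", "/products?id=1' OR 1=1", ua),
        Request(80, "GET", "/static/../../etc/passwd", ua),
        Request(80, "GET", "/search?q=" + "a" * 300, ua),
        Request(443, "GET", "/internal/export?format=csv", ua),
        Request(22, "SSH", "-", {}),
    ]
    for r in samples:
        print(r.port, r.path[:40], "->", evaluate(r))
```

The long-parameter request is the instructive case: a single WARNING match scores 3, below the threshold, so the request is allowed but logged, which is how anomaly scoring keeps one weak indicator from producing a false positive while still letting several weak indicators add up to a block. The custom rule 100001 shows the "surgical" case the text describes: it matches one exact path that this particular site never serves publicly, something a generic ruleset cannot know.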
