In this age of rogue hackers, government red teams, and everyone else under the sun with computer access, a few books, and an MO, what do you count on to keep them out? I tell you, many organizations have blurred lines with security products, to the point that incidents are reported and brought to light by the web server! Why wait to get hacked? My purpose in this article is to shed some light on the least drafted player and what it offers to the defense of your network: I am talking about the Web Application Firewall.
Web Application Firewalls (WAFs) have become extremely sophisticated over recent years, maintaining security at layer 7 while keeping business impact (for example, latency) low. A WAF can do several things at once:
- Inspect HTTP traffic on any port, whether you are using HTTPS (I hope) or plain HTTP, and even inspect other protocols (depending on the vendor).
- Stop malicious traffic from reaching your web server and web applications, whether by signature-based or custom rules.
- Serve as an investigation tool: you don't always want to block the bad guy; maybe watch him for a while, study the enemy, become one with him/her!
There are three different ways (to date) to deploy your best friend on premise, and different vendors have different methods of usage as well. You have to ensure you know what you want your all-star to accomplish. The better the position the WAF is in and the better it is administered, the better your defensive posture will be and the more you will get out of it. The deployment models are bridge, sniff, and reverse proxy, each with its own pros and cons:
1. Bridge
- Pros: Invisible to the network devices around it; quietly inspects all traffic. An attacker will have an extremely difficult time determining what kind of WAF it is (vendor-wise). Easy to set up; does prevent an active response to malicious traffic. Can set it and forget it.
- Cons: To date cannot support TLS 1.2 ECDHE ciphers or MSSL connections. Can set it and forget it.
2. Sniff
- Pros: Same as Bridge, except it provides a reactive approach to malicious traffic: since it is not in-line with the network, this WAF receives a copy of the traffic after it has made it to the server.
- Cons: Same as the Bridge model.
3. Reverse Proxy
- Pros: Provides an active response to malicious traffic. Supports TLS 1.2 and MSSL.
- Cons: Huge administrative overhead; cannot set it and forget it. It is an endpoint on the network and can be probed for identification.
This is just a quick summary of how the WAF can be deployed. You can go down a complex road, with or without hands-on support; basically, putting the all-star in a position to stop the pass but not the run and hoping that the running back doesn't hit the hole. APTs never sleep, and even when they know you have the money to spend on that all-star, they will not shy away from drawing up a play and executing it.
You may think that getting this all-star alone solves all your problems. Wrong. Think about it: if the WAF is not managed by skilled workers, you lose. If BAU activities are not performed on the WAF, you lose. If you get DoS/DDoS while it is deployed as model A or B, you lose, and if the WAF is deployed as model C... you lose it all, including the ability to come back.
The WAF is a key player in defending your network; you must know how you want to use it, the deployment model you desire, and how it is to be managed. Most importantly, it should never be a one-man show. Add the WAF but leave some cap space for other all-stars.
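To make the deployment-model trade-offs above concrete, here is an added example (not code from the original post or any vendor) that runs one set of signature-based and custom rules under two of the models described: a sniff WAF that only sees a copy of the request and can alert, and a reverse proxy that sits in-line and can block. The rule patterns, the `Request` model, the `/login` and `/order` paths and the `ecdhe` flag are all constructed assumptions for the demonstration; the ECDHE case models the point that a passive deployment without the session key has nothing to inspect.

```python
import re
from dataclasses import dataclass

@dataclass
class Request:
    """Constructed model of one HTTP request as the WAF would see it (not real traffic)."""
    method: str
    path: str
    body: str = ""
    ecdhe: bool = False  # TLS session used an ephemeral (ECDHE) key exchange

# Signature-based rules: simplified, constructed patterns, not a vendor rule set.
SIGNATURES = {
    "sqli": re.compile(r"('|%27)\s*(or|and)\s+\d+\s*=\s*\d+", re.I),
    "traversal": re.compile(r"(\.\./|%2e%2e%2f)", re.I),
}

# Custom rule for a hypothetical application: POST bodies are only valid on these paths.
POST_ALLOWED = {"/login", "/order"}

def detect(req: Request) -> list[str]:
    """Return the names of every rule the request trips (empty list means clean)."""
    haystack = f"{req.path} {req.body}"
    hits = [name for name, rx in SIGNATURES.items() if rx.search(haystack)]
    if req.method == "POST" and req.path not in POST_ALLOWED:
        hits.append("custom:post-not-allowed")
    return hits

def waf(req: Request, model: str) -> tuple[str, list[str]]:
    """Run the same detection logic under a deployment model ('sniff' or 'proxy').

    Returns (action, hits): 'forward' (clean), 'alert' (sniff only reports, since
    the server already received the request), 'block' (proxy drops it in-line) or
    'opaque' (a passive sniffer has no session key for an ECDHE session).
    """
    if model not in ("sniff", "proxy"):
        raise ValueError(f"unknown deployment model: {model}")
    if model == "sniff" and req.ecdhe:
        return "opaque", []          # cannot decrypt: nothing to inspect
    hits = detect(req)
    if not hits:
        return "forward", hits
    return ("alert" if model == "sniff" else "block"), hits

if __name__ == "__main__":
    probe = Request("GET", "/item?id=1' OR 1=1")
    for model in ("sniff", "proxy"):
        print(model, waf(probe, model))
    print("sniff+ecdhe", waf(Request("GET", "/item?id=1' OR 1=1", ecdhe=True), "sniff"))
```

The same `detect` result produces an alert in sniff mode and a block in proxy mode, and the ECDHE case shows why the passive models above list TLS 1.2 ECDHE as a con.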
Guest Author: Johnny
Hello world, my name is Johnny (aka j_madeyoulook). I love information technology and how it works. Most importantly, I love the journey it takes to obtain results. Something about clicking on a button and boom, your order is on the way, intrigues me. After spending a few years in the IT service world (Help Desk and installing network infrastructures), I began to teach myself how to hack, obtained my CEH, got my first CyberSec gig and underwent what seemed like a boot camp in application vulnerability testing. As a result, I learned that to know what to defend is to know your enemy. Cyberspace is so massive, random and at times secretive.
Currently, I am in my happy place where I practice the techniques used and try to discover new ones, as well as come up with ways to stop those techniques from succeeding when being exercised by the wrong hands. I am here to share my thoughts on both worlds of CyberSec, defense/offense, and learn from the Hack-ed community. It is a pleasure to be here.