Enhancing Web Application Security with WAF Technologies
Web applications have become prime targets for hackers, leading to a rise in attacks that exploit security weaknesses. Traditional firewalls focus on network-level protection, leaving web applications vulnerable. This gap has given rise to Web Application Firewalls (WAFs), which are specialized firewalls dedicated to safeguarding web applications. In recent years, WAFs have evolved into standalone products tailored for web security.
This article will delve into the distinctions between WAFs and conventional firewalls and examine how WAFs defend against various web-based attack vectors.
WAF Operating Modes
WAFs function primarily as firewalls targeting web security, focusing on HTTP requests at the application layer. Their policies and analyses are performed at this layer, allowing for more effective protection.
To understand how WAFs enhance web security compared to traditional firewalls, we can explore their three operational modes: transparent proxy, reverse proxy, and plugin mode.
Transparent Proxy Mode: This mode operates similarly to conventional firewalls, intercepting and forwarding HTTP traffic without altering the communication between the client and server. To inspect HTTPS traffic, the WAF must be given the server's HTTPS (TLS) key material so that it can decrypt the traffic it forwards.
The primary advantage of transparent proxy mode is its straightforward deployment, requiring no modifications to client or server systems. However, it has limitations. Since it does not function as a web service, it cannot modify or respond to HTTP requests, which restricts its capabilities in areas like authentication and content filtering.
In contrast, reverse proxy mode requires clients to send requests to the WAF instead of the server. Here, the WAF acts as a web service, forwarding all HTTP requests to the server.
In this mode, HTTPS certificates can be deployed directly on the WAF, allowing it to decrypt HTTPS traffic and then proxy requests to the server using HTTP. This capability enables the WAF to provide additional features, such as front-end authentication and comprehensive isolation between client and server communications.
However, reverse proxy WAFs come with their own challenges. They require more robust hardware due to their added functionalities, and if a reverse proxy WAF fails, client requests cannot be fulfilled, even if the server is operational. In contrast, a transparent proxy WAF failure only affects web protection, while communication between client and server remains intact.
Lastly, plugin mode integrates the WAF directly into the web server as a plugin, rather than functioning as a separate security product. A common method for embedding a WAF into server logic is through Aspect-Oriented Programming (AOP).
While AOP is widely supported and simplifies WAF deployment in plugin mode, it does have drawbacks. Running a WAF alongside the server consumes additional resources, potentially impacting web service performance. Additionally, changes to the WAF necessitate corresponding adjustments to the server, complicating upgrades compared to proxy-mode WAFs.
In summary, WAFs excel at handling HTTP protocols, offering greater expertise and flexibility than traditional firewalls. Depending on requirements, costs, and hardware environments, organizations can choose the most suitable deployment mode.
WAF Functions
Understanding WAF operational modes reveals its flexibility in deployment compared to traditional firewalls. WAFs can provide various forms of web service protection, implementing features tailored to HTTP requests, such as HTTP data parsing and HTTPS decryption.
- HTTP Parsing Capabilities: WAFs must parse HTTP requests, which include vital components like request URLs, parameters, HTTP headers, and POST body content. They also need to identify attack signatures that may be concealed within structured data formats like JSON or XML.
- Web Security Protection: After decrypting and parsing HTTP requests, WAFs can provide robust security protection by utilizing three primary methods of analysis:
  - Signature Matching: WAFs maintain a database of known attack signatures. If an HTTP request matches an entry, an attack is indicated.
  - Regular Expression Matching: This method matches patterns rather than exact strings, so it can identify variants of known threats, such as SQL injection attempts.
  - Behavior Analysis: WAFs analyze patterns in request behavior (for example, request rates or sequences from one client) to detect unusual activity indicative of an attack.

  When an attack is detected, WAFs can intercept malicious requests to safeguard web services.
- Auditing and Alerting: WAFs also play a crucial role in auditing web security. They log valuable information regarding attack attempts, which helps developers enhance security measures. Furthermore, WAFs can provide comprehensive logs detailing user behavior and system performance, serving as useful tools for statistical analysis.
- Data Protection and Virtual Patching: Reverse proxy or plugin mode WAFs can also process data in HTTP requests to deliver added data protection. For instance, they can encrypt cookie content to ensure secure storage in browsers, while still allowing the server to receive plaintext data.

  Moreover, WAFs can offer virtual patching to mitigate known vulnerabilities in application plugins and other components. By blocking exploit paths or analyzing request data, WAFs can temporarily shield web applications until proper upgrades and patches can be applied.
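To make the parsing step and the three analysis methods concrete, here is an added example (not code from the article) of a minimal inspection pipeline in Python: it parses a raw HTTP request, including a JSON body, then applies signature matching, regular expression matching and a per-client rate check as a simple form of behavior analysis. The signature list, regex, rate limit and sample requests are all constructed for illustration.

```python
import json
import re
from collections import defaultdict, deque
from urllib.parse import urlsplit, parse_qsl

# Constructed rule set; a real WAF ships far larger signature and pattern databases.
SIGNATURES = {"<script>", "../../etc/passwd", "UNION SELECT"}
SQLI_RE = re.compile(r"(\bor\b\s+\d+\s*=\s*\d+|'\s*--|\bunion\b\s+\bselect\b)", re.I)
RATE_LIMIT, WINDOW = 5, 60.0          # max requests per client per window (seconds)
_history = defaultdict(deque)         # client -> timestamps of recent requests


def flatten(obj) -> list:
    """Walk nested JSON so signatures hidden inside objects or arrays are still seen."""
    if isinstance(obj, dict):
        return [s for v in obj.values() for s in flatten(v)]
    if isinstance(obj, list):
        return [s for v in obj for s in flatten(v)]
    return [str(obj)]


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into method, path, headers and all inspectable values."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    values = [v for _, v in parse_qsl(url.query, keep_blank_values=True)]
    values += list(headers.values())
    if headers.get("content-type", "").startswith("application/json") and body:
        values += flatten(json.loads(body))          # look inside JSON structures
    else:
        values += [v for _, v in parse_qsl(body.decode("latin-1"), keep_blank_values=True)]
    return {"method": method, "path": url.path, "headers": headers, "values": values}


def inspect(raw: bytes, client: str, now: float) -> str:
    """Return 'allow' or 'block:<method>' naming which analysis method flagged the request."""
    req = parse_request(raw)
    for v in req["values"]:
        if any(sig.lower() in v.lower() for sig in SIGNATURES):
            return "block:signature"                 # exact known-attack string
        if SQLI_RE.search(v):
            return "block:regex"                     # pattern-based variant
    hist = _history[client]
    while hist and now - hist[0] > WINDOW:           # drop requests outside the window
        hist.popleft()
    hist.append(now)
    if len(hist) > RATE_LIMIT:
        return "block:behavior"                      # abnormal request rate for one client
    return "allow"
```

In a reverse proxy or plugin deployment the same `inspect` call would run before the request is forwarded, with a "block" verdict turned into an error response and an audit log entry.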
Conclusion
This article has examined the operational modes and key functions of Web Application Firewalls (WAFs). To summarize, WAFs are specialized firewalls designed for web security, operating in various modes—transparent proxy, reverse proxy, and plugin—across different network and system layers. They address numerous web security challenges, analyzing and intercepting attacks while also providing auditing, alerting, and data protection features.
When selecting a WAF, it's essential to consider feature completeness and usability. An effective WAF should be deployable at a manageable cost while addressing critical web security issues. Furthermore, ease of configuration and ongoing maintenance are vital. A quality WAF should facilitate handling missed attack requests and reducing false positives, providing user-friendly interfaces for developers and operations teams to manage security rules effectively.