What’s a “WAF?”

One of my first jobs in Cybersecurity was working for an Industrial Control System (ICS)/critical infrastructure device manufacturing company. We had a tiny team that supported a large organization, so I was exposed to, and required to maintain several different security products, and one of them included something called a “WAF” or “Web Application Firewall,” (which is what I would pick as the system to protect a web server in addition to an IPS). Here’s a great quote that explains very simple what a WAF is in better terms than I can from a security vendor called Lanner Electronics Canada, Ltd. (2021):

"Web Application Firewall (WAF) is a solution (hardware or software) that works as an intermediary between external users and web applications. This means all HTTP communication (request-response) is analyzed by the WAF before reaching the web apps or users.

In order to perform the HTTP traffic monitoring and analysis, the WAF applies a set of previously defined rules that make possible the detection of malicious HTTP requests such as Cross-Site Scripting (XSS), SQL Injection, Dos or DDoS attacks, cookie manipulation, and many others."

WAFs act as an intermediary between the web user’s browser and the content and information returned from the webserver/web application over ports 80 and 443 (HTTP and HTTPS, respectively). They are limited to the application layer, but typically only web technologies as the application in question. They are extremely valuable in that they help prevent, detect, block, log, etc. common web attacks and most of what you would see in the OWASP Top 10 (Open Web Application Security Project, 2017), which is an excellent resource to measure your web protection technology stack against since these are considered an industry standard for most crucial web security threats to protect against/focus on.

What’s an “IPS?” and is it an “IDS?”

According to the well-known security firm Check Point Software (2021), an IPS is a device that can detect and/or prevent certain network-based attacks. These could include a specific technique such as Denial of Service or Distributed Denial of Service or attempts to exploit a specific vulnerability. In addition, Check Point Software (2021) notes that the modern IPS evolved out of the IDS (Intrusion Detection System), which performs just the detection of the same types of activities as an IPS but cannot perform the “protection” or blocking piece. Modern IPS is essentially an IDS but with the option to block instead of monitor and alert. Check Point Software (2021) also mentions that many of these technologies are now being included in Unified Threat Management (UTM) platforms as well as what are being referred to as “next-gen firewalls.”

Choices, choices, choices…

With everything I’ve described above, if I were planning to protect a web server (and had a large budget), I would utilize a WAF for the actual website/application itself, an IPS to detect attempted attacks and vulnerabilities outside of the HTTP/HTTPS protocol suite, and if the WAF product didn’t include the IPS with a “next-gen”/application layer firewall, I’d also include one as an independent device. This should provide maximum attack surface protection against the most known threats for the webserver and site/application itself and other DMZ devices. If I could only pick one technology to protect the web-server (not big budget), I would choose a WAF and rely on open source technologies and protection methods like built-in IP-Tables or Windows Firewall, Windows Server Hardening (which you should be doing anyway), and if Linux were the chosen operating system, I would leverage the commonly forgotten about SELinux which provides exceptional control and granularity about how the Linux Operating system interacts within itself and what is/isn’t allowed between applications and the OS kernel (Red Hat Inc., 2019). A combination of these open-source/built-in tools, in addition to an enterprise WAF which typically costs, should provide a level of protection suitable for most organizational risk profiles based on previous experience in this space.


References: