The market for cybersecurity solutions never declines; there are always new and more malicious threats around the next corner. The market has never seen as much demand as during the recent COVID-19 crisis.
With COVID-19 as a backdrop, the types of attacks hitting web applications and API gateways have grown in frequency, sophistication and severity, meaning that the demand for WAF (and DDoS) capabilities has never been greater. With attacks becoming more advanced, the need to protect at multiple levels becomes critical. A robust security-by-design strategy that takes a 360-view of cybersecurity is the best way to reach a certain level of safety. This, of course, means everything from basic security measures, such as TLS encryption, to educating employees within an organization about the kinds of threats out there, from careful access control to constant monitoring.
End-to-end security solutions and threat intelligence are never off the agenda. No one piece of software or hardware can protect you from everything; one key piece is the web application firewall (WAF).
What is a web application firewall (WAF)?
A web application firewall is a common security measure used to protect web applications, websites and systems from a number of security threats and vulnerabilities, such as malware infection, SQL injections and other malicious requests.
A WAF lets you protect your backend from a traffic overload; that is, whether the traffic is a legitimate attack or an automated threat trying to exploit your site vulnerabilities.
How does a WAF work?
At its most basic, a WAF inspects incoming traffic to your web application. Because Varnish is a reverse proxy (origin shield, load balancer, etc.), Varnish already sees everything your backend receives and sends. Varnish is thus well-positioned to grab suspicious traffic and ‘sanitize’ it.
A WAF lets you apply rules/policies to restrict or filter traffic that a piece of software or hardware can send or receive. For WAFs, we refer to HTTP traffic. The firewall will be able to inspect both requests and responses to detect potential threats or anomalies.
More broadly, WAFs can be hardware, software or cloud based, and what type you need will depend to some extent on the type of traffic you get and how much control you want to have over the rulesets and policies that govern how your WAF inspects and filters incoming HTTP requests.
A cloud-based WAF lives at the edge of your network, inspecting traffic as requests arrive. The WAF detects malicious requests and prevents them from ever reaching your web application. The WAF is programmed to monitor, inspect, and filter incoming HTTP traffic and identify threats. These kinds of WAFs are simpler to manage: they offer greater control while requiring less maintenance.
A hardware-based WAF is a physical appliance installed on your local LAN; the on-premise WAF offers low latency but higher operating costs. A VM-based WAF runs on a virtual machine: less resource-intensive but higher latency.
When should a WAF be used?
A WAF is always a good idea. A barrier between the free flow of incoming, and possibly malicious, traffic, is useful when you have a service with security vulnerabilities. And most services have a vulnerability of one kind or another. A good example here is a content management system (CMS), which will be vulnerable to an SQL injection. When you know there is a vulnerability but can’t wait for the next release for a fix, you could make a WAF your middleman. The Varnish WAF can add a policy to block suspicious requests that look like potential attacks. The WAF can prevent these requests from ever reaching your backend.
What comes in must go out, right? A configuration issue could expose PHP code, or credit card information. A WAF can block responses that look like unprocessed PHP code or that contain sensitive information.
All businesses can be more secure with a WAF in place. This is especially true in a number of cases:
- When using legacy web applications, a WAF can provide that extra layer of security.
- Businesses using big-target content management systems, such as WordPress, Joomla, and Drupal, can be particularly vulnerable; a WAF can mitigate risk.
- Security-aware organizations should adopt a WAF layer in their architecture. With cloud WAFs, you can set your own web application security rules using flexible programming, such as with Varnish WAF and its Varnish Configuration Language (VCL).
With the Varnish WAF, you get out-of-the-box protection for your traffic, as well as the flexibility of VCL for setting and adjusting your own WAF security logic as part of your comprehensive cybersecurity profile.