Distributed Web Application Firewall

A Distributed Web Application Firewall (also called a dWAF) is a software-based Web Application Firewall that is designed specifically for a virtualized or cloud-based environment. A dWAF is built as independent components that can reside in different locations throughout a company's infrastructure or be embedded in other software. By breaking down the traditional WAF functions into separate components that handle HTTP traffic, black/white/gray listing, business logic, and administration and reporting, a dWAF reduces the resource load on any one device and spreads the footprint across several locations. The segmented design of a dWAF improves scalability by allowing any component to be replicated without having to match that replication across all the other components, which prevents a user from having to buy and install several full WAFs. In a virtual, SaaS or cloud environment, the resource-intensive functions of a dWAF can be located on the provider's system, leaving a very small footprint on the user's network or on the Web application itself. The concept was coined by the Web application security provider art of defence in 2006.
A dWAF is able to live in a wide variety of environments while eliminating complexity for cloud service providers. An ideal dWAF accommodates this mixed environment through virtual software appliances, plug-ins, software as a service (SaaS) or integration with existing hardware.
Application layer firewall
History
Cloud computing was not designed with security in mind; however, organizations such as the Cloud Security Alliance (CSA) and the Open Web Application Security Project (OWASP) are making great strides in helping the industry solve the myriad security problems confronting cloud computing. Benchmark guidelines have been established by the CSA in its most recent document, Guidance for Critical Areas of Focus in Cloud Computing, version II.
Characteristics
Web application security in a cloud needs to be scalable, flexible, virtual and easy to manage. It needs to escape hardware limitations and be able to scale dynamically across CPU, computer, server-rack and datacenter boundaries, customized to the demands of individual customers. Resource consumption of a dWAF is minimal and remains tied to actual detection/prevention use rather than consuming ever-higher levels of CPU resources. Since clouds come in all shapes and sizes, dWAFs must as well.
dWAFs are able to live in a wide variety of components without adding undue complexity for cloud service providers (e.g. Amazon Web Services). Today's providers use a variety of traditional and virtual technologies to operate their clouds, so the ideal dWAF needs to accommodate this mixed environment and be available as a virtual software appliance, a plug-in or SaaS, or be able to integrate with existing hardware. Flexibility with minimal disruption to the existing network is central.
A dWAF has a web-based user interface that allows customers to easily administer their applications. Configuration is based on the applications under protection, not on a single host, allowing far more granular settings for each application. Ruleset configuration is also supported by setup wizards. Statistics, logging and reporting ought to be intuitive and easy to use, and must also integrate seamlessly into other systems. Most importantly for a dWAF, multi-administrator privileges should be available and flexible enough to manage widely divergent policy-enforcement schemes effectively. Cloud providers should look for a set of core protections.
Foundational security using black, white and gray listing for application requests and responses is made possible with dWAFs. To make sure pre-set policy enforcements are not activated or deactivated without approval from an administrator, deployment and refinement of rulesets should be possible in a shadow-monitoring (detection-only) mode. Only once the shadow-monitored ruleset is stable should it be deployed in enforcement mode on the dWAF. This gives the administrator complete transparency into the real-world effect of the ruleset, while allowing layered rulesets to be tested without compromising existing policy enforcement. Avoiding false positives, and avoiding the relaxation of established defenses, are essential for a real-world, usable dWAF in a cloud.
Automated learning and ruleset suggestions based on intelligent algorithms, or on recommendations from a static source code analyzer or web vulnerability scanner, are also desirable from a manageability standpoint. Again, this only holds true if the administrator retains full control over activation/deactivation of each ruleset. Without this control, wanted traffic may be blocked and policy settings would be compromised.
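As an added illustration of the shadow-to-enforcement workflow and the administrator gate described above (this is example code written for this page, not from the original article or any vendor's product), the following Python model assumes a hypothetical Ruleset/Policy API and uses constructed sample request lines: a candidate ruleset starts in shadow mode, its hits are reviewed for false positives, and it can only be promoted to enforcement by an approver after a clean shadow run.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Ruleset:                     # hypothetical model, not a real dWAF API
    name: str
    patterns: list                 # regexes applied to the request line
    mode: str = "shadow"           # "shadow" = detect only, "enforce" = block
    hits: list = field(default_factory=list)  # (request, was_legit) recorded on match

class Policy:
    def __init__(self, rulesets):
        self.rulesets = {r.name: r for r in rulesets}
    def handle(self, req, legit):
        """Run every ruleset; only an enforced ruleset may block, shadow ones just record."""
        verdict = "allow"
        for rs in self.rulesets.values():
            if any(re.search(p, req) for p in rs.patterns):
                rs.hits.append((req, legit))
                if rs.mode == "enforce":
                    verdict = "block"
        return verdict
    def promote(self, name, approved_by=None, max_false_positives=0):
        """Move a ruleset to enforce mode only with an approver and a clean shadow run."""
        rs = self.rulesets[name]
        false_positives = sum(1 for _, legit in rs.hits if legit)
        if approved_by is None or false_positives > max_false_positives:
            return False
        rs.mode = "enforce"
        return True

def run_demo():
    baseline = Ruleset("traversal", [r"\.\./"], mode="enforce")
    candidate = Ruleset("sqli-candidate", [r"(?i)select"])  # deliberately over-broad
    policy = Policy([baseline, candidate])
    traffic = [  # constructed sample request lines, labelled legit=True/False
        ("GET /search?q=select+tv", True),
        ("GET /download?file=../../config", False),
        ("GET /report?id=1' OR '1'='1", False),
    ]
    run = lambda: [policy.handle(req, legit) for req, legit in traffic]
    shadow = run()                                          # candidate never blocks
    unapproved = policy.promote("sqli-candidate")           # no approver: refused
    first = policy.promote("sqli-candidate", "admin")       # refused: legit search flagged
    candidate.patterns = [r"(?i)'\s*or\s*'"]                # refined after reviewing hits
    candidate.hits.clear(); run()                           # second shadow run is clean
    second = policy.promote("sqli-candidate", "admin")
    return {"shadow": shadow, "unapproved": unapproved, "first": first,
            "second": second, "enforced": run()}
```

The over-broad candidate flags a legitimate search in shadow mode without blocking it; only after refinement and an approved promotion does the same request stream see the third request blocked.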
Pro-active security functions are highly recommended to reinforce any application in a cloud. Detection alone is not enough for today's web application security. Features like transparent secure session management, URL encryption and form-field virtualization provide strong deterrence to attack while saving application development and deployment time. These features are effective because session management, URL encryption and form-field virtualization are done at the dWAF level and not in the application itself.
Support for an authentication framework that enables businesses to consolidate their applications under one management schema is also desirable for a dWAF. This lets users handle authentication in front of their applications rather than behind them, which adds another security perimeter. Consolidation of all applications with dedicated rights management is also a strong usability feature that makes an administrator's life easier.
Integration with existing technology and avoiding vendor lock-in is a common best practice for both network and application security. Any technology added to an infrastructure, platform or application must connect as seamlessly as possible with existing technology. Security is all about layering technologies to create the best possible protection, so a dWAF must be able to communicate freely with security information and event management (SIEM) systems.