Web-based applications provide businesses with a great deal of flexibility by giving users anytime, anywhere access to internal systems and data. But because they circumvent the organization’s security perimeter, web-based applications can also expose sensitive data to hackers.
Organizations unwittingly leave themselves open to attack because they don’t understand that perimeter defenses cannot protect web-based applications. Traditional firewalls are designed to restrict access to certain ports or services from unauthorized access. Intrusion detection and prevention systems operate at the network layer rather than the application layer and rely upon attack signatures and other patterns of behavior to keep out “bad traffic.” These techniques are simply not effective at preventing attacks on web-based applications.
Web application firewalls, on the other hand, are based upon the web application’s logic rather than on generic traffic patterns. Sometimes called “deep packet inspection firewalls” because they look at every request and response within the web service layers, web application firewalls apply rules and policies to identify known “good traffic.”
Using these policies, web application firewalls block all application traffic that doesn’t appear to be coming from legitimate sources. This makes web application firewalls particularly effective against hackers scanning ports looking for vulnerable web servers to use in denial-of-service attacks. They also protect e-commerce sites from the theft of sensitive customer information through application logic attacks.
Web application firewalls can detect and mitigate patternless exploits in real time, adding accurate, complementary protection to existing firewalls and intrusion detection and prevention systems. In addition, application layer packet inspection and behavioral logic protect against counterfeit application activity.
This simply means that the web application firewall verifies that data flowing through the web server does not vary from accepted norms. It can prevent a web page from automatically running a script or installing code on the user’s machine. This capability offers strong protection from SQL injection, buffer overflows, form-field manipulation, session hijacking and other known exploits.
Some web application firewalls are also configurable to scrub any identifiable information such as Social Security numbers, credit card numbers, account numbers and patient health data. This provides an added measure of protection and aids in regulatory compliance.
For example, Payment Card Industry (PCI) data security standards are intended to protect credit card numbers and other personal information transferred during online transactions. PCI standards recommend web application firewalls as one of two options for protecting against unknown attacks on web applications. The other option is to review the security of individual web applications and fix flaws.
Naturally, it is important to have web applications that are inherently secure. But in today’s ever-changing threat landscape, a web application firewall adds a critical extra layer of protection.
Web-based applications connect back-end systems to the Internet — and potentially expose a company’s critical data to external attacks. While web application firewalls don’t eliminate the need for rigorous testing, patching and securing of web applications, they are impressive in their ability to identify, isolate and eliminate many of the most common types of web application attacks.