This article from our per secteam provides insight into what a Web Application Firewall (WAF) / Application Layer Gateway (ALG) is, how it works, how it differs from a regular firewall, why it is needed and what benefits it offers.
Essentially, a visible proxy server differs from a transparent proxy server in the network infrastructure. With a transparent proxy server, it is not obvious to at least one communication partner that an additional instance (proxy) is available as a central communication bridge. The communication partners assume that they are communicating directly. The proxy server is therefore “invisible”. The network infrastructure is configured so that all requests are automatically routed through a proxy instance. The proxy then acts as a representative communication partner.
A visible proxy server, on the other hand, appears as a visible, independent instance and is addressed via its own public IP address
Interfaces that are offered to the outside world are always the target of attacks, be it services to gain access to the devices themselves, such as SSH and/or FTP, or limiting the availability of the application, for example through denial of service Attacks (see also Distributed Reflective Denial of Service attacks). Such attacks can easily be carried out from the script kiddie level.
Applications are often developed by humans and in one way or another have bugs or vulnerabilities that cannot be discovered even after unit testing. Therefore, they are constantly exposed to attacks that exploit their vulnerabilities. Such attacks require advanced skills, which also means attackers are after expensive assets. A web application firewall can help you with this.
In order to be able to protect applications, web application firewalls/application layer gateways offer a number of mechanisms. These are:
These create normal requirement profiles of applications and servers and then differentiate anomalous requirements from the normal requirement profiles that have already been created.
This is a feature that identifies attacks by matching attack patterns with the database of signatures of known malware.
eg allowing connections to a single IP
Web application firewalls are capable of working in two modes: passive mode and active mode.
Web application firewalls operating in this mode examine the data content of network traffic flowing through them and actively protect against threats by blocking or removing them. This ensures that such threats do not reach the application servers.
There is usually a misunderstanding about what the difference is between one Firewall and a web application firewall. Here are some explanations based on the layers they work on (OSI layers), their functions (what they do) and the locations where they are deployed (network location).
The firewall works at layers 3 and 4. Web application firewalls work up to layer 7.
A firewall serves as a security boundary between a trusted network and an untrusted network, where it determines what traffic should be allowed, while web application firewalls control the data content of the protocols at Layer 7 and detect protocol violations and malicious content.
Firewalls are most often placed at the edge of networks and between internal and DMZ networks, while web application firewalls are also placed in front of applications and servers, providing protection against threats that target those servers or the entire network.
As mentioned earlier, web application firewalls protect against attacks that are generally focused on applications and servers. Examples of such threats include:
• Infected or unauthorized file attachments
• Layer 7 DDOS attacks
• SQL injection
• Cross-site scripting attacks
• Zero-day attacks
• HTTP verb tampering
Web Application Firewalls/Application Layer Gateways Although similar in definition to the traditional firewall, they are different and have a unique role in defending a network. It is important to understand this difference to ensure an adequate line of defense to prevent serious cyberattacks.
