Podcast: What is a WAF and How Are They Different from Firewalls
Web application firewalls (WAFs) have become ubiquitous in our always-connected, cloud-driven world. Any device exposed to the internet is exposed to attack, and a well-built WAF can keep entire classes of attacks and vulnerabilities from ever reaching the applications behind it. However, not all WAFs and configurations are created equal. A good WAF blocks what you do not want to let in while still allowing what you do. A bad WAF either lets the bad traffic through or inadvertently blocks legitimate traffic. In the latter case, business users complain, and the usual response is to make the WAF configuration more permissive or to turn it off altogether. That leaves the organization in a worse position than having no WAF at all, because everyone assumes some protection is in place when in fact the defenses have been neutered.
WAFs and ModSecurity Rules
In this week’s Linux Security Podcast, Atomicorp CEO Mike Shinn discusses the origin of WAFs, how they have evolved and what makes them effective or ineffective. Mike is also one of the earliest contributors to the open source ModSecurity WAF framework and has built over 10,000 rules for it. WAFs are driven by rules, and Mike goes into detail about ModSecurity as well as open source rule sets such as the OWASP Core Rule Set and other options for more advanced protection. He also outlines the differences between WAFs and traditional firewalls.
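The tuning problem described above (a rule that fires on legitimate traffic, and the temptation to loosen or disable the whole WAF in response) is easiest to see in an actual rule set. The following ModSecurity v2 configuration is an added example written for this page; it is not code from the podcast, from Atomicorp or from any shipped rule set. The rule IDs, the /blog/comment path and the comment_body parameter are made up for the illustration, and the IP collection in the last part assumes SecDataDir is configured.

```apache
# Added example (not from the podcast or any shipped rule set).
# ModSecurity v2 syntax as loaded by Apache httpd (mod_security2).
# Rule IDs 100001-100012, the /blog/comment path and the comment_body
# parameter are assumptions made for this illustration.

# 1. Run the engine. While tuning, DetectionOnly logs what *would* be
#    blocked without blocking it; switch to On once the false positives
#    below are handled. Never "fix" a noisy rule set with SecRuleEngine Off.
SecRuleEngine On
SecRequestBodyAccess On

# 2. A blocking rule: look inside request arguments (query string and
#    POST body), which a port-level firewall never sees, for a UNION SELECT
#    sequence typical of SQL injection.
SecRule ARGS "@rx (?i)union[\s/*]+select" \
    "id:100001,phase:2,deny,status:403,log,\
    msg:'SQL injection: UNION SELECT in request argument',\
    logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"

# 3. A false positive: the blog's comment form legitimately accepts text
#    such as "use UNION SELECT to merge result sets", so rule 100001 blocks
#    real users. The wrong fix is to delete the rule or loosen its regex
#    for every endpoint. The right fix is a narrow exclusion: on that one
#    URI, stop rule 100001 from inspecting that one parameter, nothing else.
#    (Phase 1 runs before phase 2, so the ctl action is in effect when
#    rule 100001 is evaluated for this transaction.)
SecRule REQUEST_URI "@beginsWith /blog/comment" \
    "id:100002,phase:1,pass,nolog,\
    ctl:ruleRemoveTargetById=100001;ARGS:comment_body"

# 4. Counting, the kind of stateful logic a plain packet filter cannot do:
#    keep a per-client counter of blocked requests and shut the client out
#    once it crosses a threshold within a ten-minute window.
#    initcol needs SecDataDir set so the collection persists across requests.
SecAction "id:100010,phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR}"
SecRule RESPONSE_STATUS "@streq 403" \
    "id:100011,phase:5,pass,nolog,\
    setvar:ip.blocked_count=+1,expirevar:ip.blocked_count=600"
SecRule IP:blocked_count "@gt 10" \
    "id:100012,phase:1,deny,status:403,log,\
    msg:'Client exceeded 10 blocked requests in 10 minutes'"
```

Test the exclusion before trusting it: send the same UNION SELECT payload in comment_body to /blog/comment (expected: the request is served and no alert is logged) and then in any other parameter or on any other path (expected: a 403 with rule 100001 in the audit log). If the second case also gets through, the exclusion is wider than intended and the WAF has been quietly weakened in exactly the way the paragraph above warns about.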
Atomicorp provides unified workload security for cloud, data center or hybrid platforms. Built on OSSEC, the World’s Leading Open Source Server Protection Platform. See our products.
Podcast Transcript: What is a WAF and How Are They Different from Firewalls
Bret Kinsella: [00:00:00] This is Episode 5 of the Linux Security Podcast. Today’s topic — What is a web application firewall?
Bret Kinsella: [00:00:16] Welcome to the Linux Security Podcast. I’m Bret Kinsella. I’ll be your host today, and we are speaking with Mike Shinn, CEO of Atomicorp, author of Troubleshooting Linux Firewalls and a noted contributor to the ModSecurity open source project. He’s also been a Linux user since the early 1990s. Today we will be talking about web application firewalls. Mike, welcome.
Mike Shinn: [00:00:37] Thanks, Bret. Glad to be here.
Bret Kinsella: [00:00:38] Great. So why don’t we start with telling people what a web application firewall is and who needs one.
Mike Shinn: [00:00:46] So a web application firewall, by its name, is a type of firewall that’s specifically designed to protect web applications. Where it’s different from typical firewalls is that it’s really a special kind of web server, and what it does is broker the connections to whatever web servers you’re protecting. And the answer to who needs it is: anybody that has a web server is going to need a web application firewall. If you don’t have one, bad things are going to happen to you.
Bret Kinsella: [00:01:19] So how is this different from a regular firewall?
Mike Shinn: [00:01:19] It’s a good question. So most firewalls are fairly lightweight. That is to say that the purpose of a firewall, sort of paradoxically, is to make it possible for people to get on the Internet. And that’s an important distinction, because firewalls are typically deployed at the edge of networks. They need to be very fast, they need to be lightweight, and they need to not get in the way, which sounds like it’s not a firewall’s job but that is in fact practically what a firewall’s job is. And everyone has one of these in their home, and if that thing was not allowing you to get to the Internet, you would be upset. Really, the purpose of a web application firewall is to make it more difficult for an adversary to attack a web server. Web servers don’t need to be able to connect to the Internet in the same way that you do from your laptop or your phone. A web server needs a lot more protection than a typical network does as well, because web servers run highly complex software that is exposed to the Internet. So a good way to think about that would be: if you allowed everyone in the world to connect to your phone, your laptop, your iPad, your TV, any intelligent device that you have, and allowed every single person in the world to connect into it and interact with it, a typical firewall wouldn’t be well equipped to defend you against attacks from that. So things like web application firewalls are highly advanced firewalls that are designed to protect things from the whole world in cases where the whole world needs to be able to communicate with that device. So these are much more sophisticated firewalls than what we typically consider to be a firewall.
Bret Kinsella: [00:03:09] Give me some examples of elements of a web application firewall that make it more sophisticated than a traditional firewall.
Mike Shinn: [00:03:15] Well, the one thing that I discussed earlier was they’re basically web servers. They’re highly sophisticated web servers, so a web application firewall has to be able to do much of the same things that a web server does. It needs to be able to accept the requests from the user, it needs to be able to interact with them, and it needs to be able to set up encrypted connections. But it also needs to be able to interact with the data that is coming from the actual web server as well as the data that’s coming from the user. It needs to be able to analyze it in ways that a typical firewall wouldn’t. So it needs to be able to operate as a web application itself. It needs to be able to understand what’s going on with the web application, so they tend to be much more sophisticated devices. The other thing that’s different, too, is that web application firewalls are also available as software. And that’s important, because more often than not web application firewalls are installed directly on the web servers these days. People are typically not using appliances to protect their web servers, and really that’s largely driven by movement into cloud environments like Amazon (AWS) and Microsoft Azure and Google and IBM’s Cloud and others, where it’s bring your own security, and deploying the web application firewall on each of those web server instances makes more sense. It’s more flexible, it’s more scalable. So that’s another key difference between web application firewalls and traditional firewalls: web application firewalls can be installed on the devices that they’re protecting.
Bret Kinsella: [00:04:55] Yeah that’s great. Well, tell me some things that you in your experience define as making a good Web Application Firewall versus things that maybe are bad for the Web Application Firewall.
Mike Shinn: [00:05:09] Yeah. Pretty much the biggest one is false positives. Counterintuitively… although if you’re an end user this probably doesn’t sound counterintuitive to you… a false positive, that is, when a piece of security software believes something is an attack when it’s not, typically that software will block that action. That can certainly be very frustrating to the end user, and it may cause significant disruption to the organization or the business when it’s doing that. So the first thing about a web application firewall is it needs to not generate false positives. It has to be smart enough to understand what is normal and acceptable behavior for that web application. It’s great if it can detect attacks, but if it’s generating false positives it’s gonna get turned off, which defeats the whole purpose of having a web application firewall.
Bret Kinsella: [00:06:06] Makes a lot of sense. So how is ModSecurity different from a proprietary WAF? And maybe you could just tell the listeners what ModSecurity is, in case they’re not familiar with it.
Mike Shinn: [00:06:16] So ModSecurity is this neat little project that came out… jeez… way back in 2005. So it’s 12 years, going on 13 years old now. It is an open source web application firewall. If you’re familiar with other open source security tools like Snort or OpenVAS or OSSEC, it’s just like that: it’s an open source web application firewall. It’s a framework for creating web application firewalls. What’s nice about it is it’s open source; you have all the source code. The way that the rules and the logic in it are structured is relatively easy to understand. There’s a vibrant community for it, and a number of vendors, including major cybersecurity vendors, now use ModSecurity as their WAF. When they sell you a WAF, it’s actually just ModSecurity under the covers, so it’s really the Snort of web application firewalls.
Bret Kinsella: [00:07:14] Tell me about rules and ModSecurity. So ModSecurity is a web application firewall which essentially is defanged because it doesn’t ship with rules, and there are several sources for rules. So tell me how that’s set up architecturally, and then what the ModSecurity rules are designed to do and how you think about the different types of rules.
Mike Shinn: [00:07:34] Yeah. That’s a good point to bring up. So ModSecurity is a bit like Microsoft Word. Having Microsoft Word does not make you Shakespeare. You still have to write your plays. So ModSecurity is a framework. It allows you to construct whatever it is that you need to be able to protect your web application, in the form of a web application firewall. So like any firewall that hasn’t been configured, it doesn’t do anything until you configure it that way. So the way the ModSecurity architecture works is that you plug it into your web server, or plug it into some software that you’re using as a proxy to your web server, and then you add in what ModSecurity calls rules, and those rules can be used to define things that are allowed, things that are not allowed, things that maybe are just suspicious, and they can do some more complex things too. You can count things, so for example you could look at how many times a particular event occurs and then maybe take some action based on that or generate an alert. So it’s only as good as the ruleset that it has, and it’s important to go back to what I talked about earlier about how web application firewalls are different from traditional firewalls. A web application firewall is a really advanced piece of software. It’s not just looking at “do you allow people to connect to a particular port on a system?”, which is what a traditional firewall does. A web application firewall is looking at the content. It’s looking inside those packets and it’s saying, you know, “Is this or is this not an acceptable thing that this user is doing? Or is this or is this not an acceptable thing that the web server is doing?” And then it’s taking some set of actions based on that.
Mike Shinn: [00:09:20] So the rule sets can be fairly sophisticated, and may need to be depending on what your needs are. There are some open source rule sets out there that you need to tune for your purposes, and there are some commercial rule sets out there that are pre-tuned that generally meet the security requirements of most users, and they shouldn’t need to do anything to make the web application firewall work. But either way, you have to have rules for a web application firewall to do anything.
Bret Kinsella: [00:09:50] Well that’s great Mike. So where can listeners find more information about a WAF or where can they download a WAF?
Mike Shinn: [00:09:57] Yeah. They can just go to our website. We, of course, host all of the ModSecurity builds for all the major Linux platforms… Ubuntu, CentOS, Red Hat, Amazon environments, source code as well. And then we also make rules available… free rules available for your ModSecurity environment. And of course if you have any questions you can go to our forums or you can reach out to us, and we’d be happy to help you out with any issues you might have with ModSecurity.
Bret Kinsella: [00:10:23] Well, thank you very much Mike. Appreciate you giving your insight to the Linux security community.
Mike Shinn: [00:10:29] Thanks, Bret. This was fun.