What is Web Application Firewall?
Web Application Firewall is subscription-based software that runs on the SMA appliance and protects Web applications running on servers behind the appliance. Web Application Firewall also provides real-time protection for resources such as HTTP(S) bookmarks, Citrix bookmarks, offloaded Web applications, and the Secure Mobile Access management interface and user portal that run on the SMA appliance itself.
Web Application Firewall provides real-time protection against a whole suite of Web attacks such as Cross-site scripting, SQL Injection, OS Command Injection, and many more. The top ten vulnerabilities for Web applications are tracked by OWASP, an open source community that focuses its efforts on improving the security of Web applications. Secure Mobile Access Web Application Firewall protects against these top ten, defined as follows:
|A1 - Cross Site Scripting (XSS)||XSS flaws occur whenever an application takes user supplied data and
sends it to a Web browser without first validating or encoding that content. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface Web sites, and possibly introduce worms.|
|A2 - Injection Flaws||Injection flaws, particularly SQL injection, are common in Web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data.|
|A3 - Malicious File Execution||Code vulnerable to remote file inclusion (RFI) allows attackers to
include hostile code and data, resulting in devastating attacks, such as total server compromise. Malicious file execution attacks affect PHP, XML and any framework which accepts filenames or files from users.|
|A4 - Insecure Direct Object Reference||A direct object reference occurs when a developer exposes a
reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.|
|A5 - Cross Site Request Forgery (CSRF)||A CSRF attack forces a logged-on victim's browser to send a
pre-authenticated request to a vulnerable Web application that then forces the victim's browser to do a hostile action to the benefit of the attacker. CSRF can be as powerful as the Web application that it attacks.|
|A6 - Information Leakage and Improper Error Handling||Applications can unintentionally leak information about their configuration, internal workings, or violate privacy through a variety of application problems. Attackers use this weakness to steal sensitive data or conduct more serious attacks.|
|A7 - Broken Authentication and Session Management||Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users' identities.|
|A8 - Insecure Cryptographic Storage||Web applications rarely use cryptographic functions properly to
protect data and credentials. Attackers use weakly protected data to conduct identity theft and other crimes, such as credit card fraud.|
|A9 - Insecure Communications||Applications frequently fail to encrypt network traffic when it is
necessary to protect sensitive communications.|
|A10 - Failure to Restrict URL Access||Frequently, an application only protects sensitive functionality by
preventing the display of links or URLs to unauthorized users. Attackers can use this weakness to access and complete unauthorized operations by accessing those URLs directly.|
In addition to the top ten threats listed previously, Web Application Firewall protects against Slowloris HTTP Denial of Service attacks. This means that Web Application Firewall also protects all the backend Web servers against this attack. Many Web servers, including Apache, are vulnerable to Slowloris. Slowloris is especially effective against Web servers that use threaded processes and limit the amount of threading allowed.
Slowloris is a stealthy, slow-acting attack that sends partial HTTP requests at regular intervals to hold connections open to the Web server. It gradually ties up all the sockets, consuming sockets as they are freed up when other connections are closed. Slowloris can send different host headers, and can send GET, HEAD, and POST requests. The string of partial requests makes Slowloris comparable to a SYN flood, except that it uses HTTP rather than TCP. Only the targeted Web server is affected, while other services and ports on the same server are still available. When the attack is terminated, the Web server can return to normal within as little as 5 seconds, making Slowloris useful for causing a brief downtime or distraction while other attacks are initiated. After the attack stops or the session is closed, the Web server logs can show several hundred 400 errors.
Offloaded Web Application Protection
Web Application Firewall can also protect an offloaded Web application that is a special purpose portal created to provide seamless access to a Web application running on a server behind the SMA appliance. The portal must be configured as a virtual host. It is possible to disable authentication and access policy enforcement for such an offloaded host. If authentication is enabled, a suitable domain needs to be associated with this portal and all SonicWall Inc. advanced authentication features such as One Time Password, Two-factor Authentication, and Single Sign-On apply to the offloaded host.
Application Profiling (Phase 1) allows the administrator to generate custom rules in an automated manner based on a trusted set of inputs. This is a highly effective method of providing security to Web applications because it develops a profile of what inputs are acceptable by the application. Everything else is denied, providing positive security enforcement. This results in fewer false positives than generic signatures that adopt a negative security model. When the administrator places the device in learning mode in a staging environment, the SMA appliance learns valid inputs for each URL accessed by the trusted users. At any point during or after the learning process, the custom rules can be generated based on the “learned” profiles.
Rate Limiting for Custom Rules
You can track the rate at which a custom rule, or rule chain, is being matched. This is extremely useful to block dictionary attacks or brute force attacks. The action for the rule chain is triggered only if the rule chain is matched as many times as configured.
Cookie Tampering Protection
Cookie Tampering Protection is an important item in the Payment Card Industry Data Security Standard (PCI DSS) section 6.6 requirements and part of the Web Application Firewall evaluation criteria that offers strict security for cookies set by the back end Web servers. Various techniques such as encryption and message digest are used to prevent cookie tampering.
Credit Card and Social Security Number Protection
Credit Card/SSN protection is a Data Loss Prevention technique that ensures that sensitive information, such as credit card numbers and Social Security numbers are not leaked within Web pages. After such leakage is detected, the administrator can choose to mask these numbers partially or wholly, present a configurable error page, or simply log the event.
Web Site Cloaking
Web Site Cloaking prevents guessing the Web server implementation and exploiting its vulnerabilities.
PDF Reporting for WAF Monitoring and PCI DSS 6.5 and 6.6 Compliance
PDF reporting is introduced for Web Application Firewall Monitoring and PCI DSS 6.5 and 6.6 Compliance. You can generate the reports on the Web Application Firewall > Status page. The timeline for generating the data published in the reports is configurable on the Web Application Firewall > Monitoring page.
Was This Article Helpful?
Help us to improve our support portal