Web Application Firewalls – CompTIA Security+ SY0-401: 1.1


Firewalls now examine port numbers and applications as they traverse the network, but what’s protecting our servers from malicious user input? In this video, you’ll learn how a web application firewall (WAF) can protect from attacks that take advantage of unexpected application use.



A newer type of security technology that we’ve seen over the last few years is something called a web application firewall. You’ll hear this referred to as a WAF. A web application firewall is looking at web conversations, and it’s trying to determine based on that web conversation if the information within your packets, within that conversation, is legitimate.

You’ll often see this used to make sure that when people are inputting information into a web form, that information is correct. If you’re trying to put in a serial number, or the date, or a ZIP code, this particular web application firewall technology is looking to see, is that really a ZIP code you’re adding in there? Is that really a serial number?

The reason that’s important is that if you try to put unexpected information into one of these fields and you’re able to manipulate the application, you can often find exploits that might give you direct access to the database that’s contained behind it, or direct access to the web server on which this particular application is running.

So by having this additional check of that input data, you’re hopefully protecting against things like database injections and things like buffer overflows. And those are very bad things, because often that does allow somebody some very detailed access to some very sensitive data. You want to try to avoid that.

Because of these web application firewalls’ ability to look at and validate this input, they can prevent things like SQL injections. The very crafty hackers will go into a field that is supposed to be for a ZIP code and they’ll, instead, add special characters and their own SQL commands to try to gain access to the raw data in the database. Now the only way they’d be able to do that is if the application wasn’t written well, and it’s allowing some of these types of input.

But even if the application isn’t written well, having this web application firewall gives you another line of defense. You may not be able to check all the different ways to validate data inside of your application, but your web application firewall certainly can. And it can check and make sure that if somebody’s trying to do a SQL injection right there at your ZIP code field, it will prevent that data from blowing through and on to your database.
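As an added illustration of the kind of check described above (example code written for this page, not from the video or any WAF product), here is a small positive-validation filter: each known form field must match the shape it is supposed to have, so a ZIP code field carrying quote characters or SQL keywords is rejected for not looking like a ZIP code, rather than by matching a list of known attack strings. The field names and the serial-number format are assumptions made for the example.

```python
import re
from datetime import datetime

# Allow-list patterns for the fields the transcript mentions. The serial-number
# format is a hypothetical one chosen for this example; a real deployment would
# use whatever shape the application actually issues.
FIELD_RULES = {
    "zip": re.compile(r"\d{5}(-\d{4})?"),                       # US ZIP or ZIP+4
    "serial": re.compile(r"[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}"),  # assumed format
}


def valid_date(value):
    """A date field must parse as a real calendar date, not just look like one."""
    try:
        datetime.strptime(value, "%Y-%m-%d")
        return True
    except ValueError:
        return False


def inspect_form(fields):
    """WAF-style check on submitted form fields.

    Returns (allowed, reasons). Every field must be one the application expects
    and must match its expected shape; anything else is reported and the
    request is blocked before it reaches the application or its database.
    """
    reasons = []
    for name, value in fields.items():
        if name == "date":
            ok = valid_date(value)
        elif name in FIELD_RULES:
            ok = FIELD_RULES[name].fullmatch(value) is not None
        else:
            reasons.append("unexpected field %r" % name)
            continue
        if not ok:
            reasons.append("field %r does not look like a %s: %r" % (name, name, value))
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample submissions: one legitimate, one with special
    # characters stuffed into the ZIP code field.
    print(inspect_form({"zip": "90210", "serial": "AB12-CD34-EF56", "date": "2014-06-30"}))
    print(inspect_form({"zip": "90210'--", "serial": "AB12-CD34-EF56", "date": "2014-06-30"}))
```

Because the check is an allow-list on the expected format, it also catches plain mistakes (a six-digit ZIP, February 30th) that a signature-based filter would never flag.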

You see this a lot in things like the Payment Card Industry Data Security Standard, the PCI DSS. If you do a Google search for that, you’ll see a lot of information about it, because you don’t want people to have access to credit cards, and so the payment card industry came up with a series of standards that you have to follow if you store credit card information on your servers.

One aspect of the PCI DSS standard is that you have to have web application firewalls, because if somebody is going to that ZIP code field and they are typing in something that would give them access to the SQL database, then they would also have access to, potentially, credit card numbers that might be in that database. So you can start to see why having something at the application level, to be able to validate input into those web fields, becomes critically important, especially when sensitive data is involved.