
04) Does your organisation have web application firewalls (WAFs) implemented to protect web applications?

August 30, 2022
Network and Cloud Security
Web Application Firewalls
WAFs

Answer yes if all web applications hosted by your organisation are protected with WAFs (web application firewalls). If your organisation does not host any web applications, answer 'No' and state this in the notes section.

What is the control?

The term web application firewall (or WAF) refers to a type of gateway that specialises in filtering traffic for web applications. Rather than focusing on network addresses and ports like conventional firewalls, they typically perform a deeper level of inspection and look at requests to web servers. This allows them to detect and drop potentially malicious requests.

Why should I have it?

Since most web servers are intended to serve public content to the wider internet, access to them (or, more specifically, to their web service) cannot be firewalled in a conventional way, as that would deny the service itself. WAFs instead inspect the web traffic at a deeper level to detect potentially malicious requests. Such requests could be trying to exploit possible vulnerabilities, or to request or submit data that is outside the scope of what the web service is expected to provide or accept.

This places a level of protection around an otherwise exposed service, which can hopefully prevent the exploitation of any vulnerabilities in your web application. It can also buy precious time when a new vulnerability is discovered on your web server (or web application), as the WAF can likely be configured to block traffic matching the profile of a potential attack until you can patch the server or application itself against the vulnerability.

How to implement the control

Web application firewalls can be hardware appliances, which should be placed on your network in front of your web servers/applications in such a way that all web traffic runs through them.

Alternatively, some WAF providers host the WAF themselves as part of a managed service. In these cases your web servers would typically be configured to accept connections only from the provider’s WAF, and your DNS servers should route all people trying to reach your web service to the provider’s WAF.
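One way to check the "accept connections only from the provider's WAF" requirement is to audit the origin server's inbound rules against the provider's published address ranges. The following is an added example, not part of the original article; the rule format, rule names and address ranges are constructed for illustration (RFC 5737 documentation ranges stand in for a real provider's list).

```python
import ipaddress

# Constructed sample data: RFC 5737 documentation ranges stand in for the
# address ranges a managed WAF provider publishes for its own traffic.
WAF_PROVIDER_RANGES = ["198.51.100.0/24", "203.0.113.0/25"]

# Constructed inbound firewall rules for an origin web server (hypothetical format).
ORIGIN_INBOUND_RULES = [
    {"name": "waf-https", "port": 443, "source": "198.51.100.0/24"},
    {"name": "waf-http", "port": 80, "source": "203.0.113.0/26"},
    {"name": "legacy-any", "port": 443, "source": "0.0.0.0/0"},
    {"name": "partner", "port": 443, "source": "203.0.113.128/25"},
    {"name": "admin-ssh", "port": 22, "source": "192.0.2.10/32"},
]

WEB_PORTS = {80, 443}


def find_waf_bypass_rules(rules, waf_ranges, web_ports=WEB_PORTS):
    """Return names of web-port rules that admit sources outside the WAF ranges.

    A rule passes only if its whole source network sits inside a single
    provider range, so a source that merely overlaps a range is flagged.
    """
    allowed = [ipaddress.ip_network(r) for r in waf_ranges]
    bypass = []
    for rule in rules:
        if rule["port"] not in web_ports:
            continue  # only web traffic has to pass through the WAF
        source = ipaddress.ip_network(rule["source"], strict=False)
        covered = any(
            source.version == net.version and source.subnet_of(net)
            for net in allowed
        )
        if not covered:
            bypass.append(rule["name"])
    return bypass


if __name__ == "__main__":
    for name in find_waf_bypass_rules(ORIGIN_INBOUND_RULES, WAF_PROVIDER_RANGES):
        print(f"rule '{name}' lets web traffic reach the origin without the WAF")
```

Any rule it reports is a path by which requests can reach the web server directly, without being inspected by the WAF.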

Most WAF vendors maintain threat intelligence and provide an extensive number of rules against known attacks. It’s therefore important, if you manage your own WAF device, to update its attack signatures or components regularly, and immediately in the case of a vulnerability known to affect your web infrastructure.

WAFs typically also allow the creation of bespoke rules which can be tailored to your specific application. These can be used to respond to a threat for which there is no fix yet, or even to temporarily protect out-of-support systems.

Your network security policy should prescribe the use of WAFs as above where applicable.

There are numerous consultancies or individual consultants that will be able to assist in crafting the correct security architecture in a way that meets your business and technical requirements. Please message us if you would like a recommendation.

If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.
