What is a WAF? – Website Application Security Explained
If a cyber attack targeting your web applications never reaches your website… Did the attack even happen? The answer is YES, and it was most likely a WAF that stopped it. In this article learn more about this intuitive firewall and why your site could benefit from having one.
Today could be the day you meet your brand new head of web security.
And best believe this cyber security guard isn’t your typical “fall asleep on the job” type.
Because he doesn’t just check people’s I.D’s at the door… he checks their address, their height, their eye color, their card expiry date, what they have in their pockets, who they last texted…
You get the point. This fierce protector is ensuring only trustworthy door knockers make it inside your WP doors.
But enough with the small talk, you’ve read the title of this article, and you know the head of security I’m talking about is a Web Application Firewall (WAF).
And today we’ll be covering all things WAF and web application security.
More specifically, we’ll be talking about:
- Why WAFs are important for WordPress site security.
- How they can help you protect your web applications from malicious attacks.
- How they assist you in adhering to various security standards/requirements (e.g. the PSI).
We’ve been hard at work testing and fine tuning this puppy – ensuring it’s giving you the best web application protection possible.
Unlike most in-built security plugin WAFs, ours also forms a protective wall OUTSIDE of your WP borders.
We’ll get into why this is super important later… but first let’s start with the basics:
What is a WAF?
A Web Application Firewall (WAF) is a specific type of firewall that protects your web applications from malicious application-based attacks.
In layman’s terms, WAFs act as the middle person, or security guard for your WordPress site.
Standing guard between the internet and your web applications, all the while monitoring and filtering the HTTP traffic that wants to join your bumping party.
Of course, like any raging WP party there are always gate-crashers to worry about.
The good news is, WAFs use a set of rules (or policies) to help identify who’s actually on your guest list, and who’s just looking to cause trouble.
Not To Be Confused With a Network Firewall…
WAFs should also not be confused with your standard Network Firewall (Packet filtering), which assesses incoming data based on a set of criteria including: IP addresses, packet type, port numbers, and more.
There are a number of other firewall types, but for the sake of brevity, we’ll stay WAF focused in this article.
If you’re interested, here’s a great read detailing the different types of firewalls.
Anyway, back to Network Firewalls…
These types of firewalls are fine, and great at what they do. The only downside is they don’t understand HTTP, and as a result cannot detect specific attacks that target security flaws in web applications.
That’s where WAFs save the day and can help bolster your web security in ways a Network Firewall cannot.
You see, a network is kind of like an onion – there’s layers to it.
And employing different security measures can help you further protect the individual layers.
Peeling Back a Network’s Layers: The “OSI Model”
In order to understand these layers, you need to understand the OSI model.
The OSI model is a framework that divides the overall architecture of a network into seven different sections.
Every layer has its own security postures and mechanisms, and anyone overly concerned with security should know how to detect and establish appropriate security methods for each.
The 7 network layers are as follows:
When analyzing the layers above… your typical Network Firewall helps to secure layers 3 – 4, and a WAF assists with the protection of layer 7.
This should also serve as a reminder that WAFs are NOT a one-size-fits-all solution. And they’re best paired with other effective security measures – such as a quality Network Firewall.
Alrighty, now that we have a basic idea of what a WAF is, let’s dive a little deeper into HOW it actually protects your precious web apps.
How WAFs Protect Your Web Applications From Malicious Attacks
According to a 2019 web applications report by Positive technologies, on average, hackers can attack users in 9 out of 10 web applications.
The report also found that breaches of sensitive data were a threat in 68% of web applications.
Statistics like these reinforce the need for more effective web app protection.
As touched on earlier, WAFs protect your server by analyzing the HTTP traffic passing through – detecting and blocking anything malicious BEFORE it reaches your web applications (see below).
WAFs can also be network (hardware) based, software based, or cloud based – meaning they are virtual or physical in their nature.
When it comes to how WAFs filter, detect, and block malicious traffic – they achieve this in a couple of different ways:
WAF Security Models: Blacklist, Whitelist, Or Both
A WAF typically follows either a “Blacklist” (negative) or “Whitelist” (positive) security model, or sometimes both.
When employing a Blacklist security model, basically you can assemble a list of unwanted IP addresses or user agents that your WAF will automatically block.
The Whitelist model does the opposite, and allows you to create an exclusive list of IP addresses and user agents that are allowed. Everything else is denied.
Both models have their pros and cons, so often modern WAFs will offer a hybrid security model which gives you access to both.
How WAFs Guard Your Web Apps Against The “The OWASP Top 10”
As well as performing based on one of the three security models mentioned above, WAFs come automatically armed with a specific set of rules (or policies).
These policies combine rule-based logic, parsing, and signatures to help detect and prevent a number of different web application attacks.
In particular, WAFs are well known for protecting against a number of the top 10 web application security risks, which are listed every year by OWASP.
This includes malicious attacks such as cross-site request forgeries, cross-site-scripting (XSS), file inclusions, and SQL injections.
Another effective safeguard you’ll hear many WAF providers talk about is something called a “virtual patch.”
A VP is essentially a rule (or often a set of rules) that can help resolve a vulnerability in your software without needing to adjust the code itself.
Many WAFs (including our own!) can deploy virtual patches to repair WordPress core, plugin, and theme vulnerabilities when required.
WAFs Also Help You Meet Legal Security Standards
If your organization works with, processes, or stores sensitive information (credit card details etc.), it’s important you comply with security requirements and standards.
WAFs can help businesses of all sizes comply with regulatory standards like the PCI, HIPAA, and GDPR – making the firewall valuable from both a compliance and a security perspective.
For example, the number one requirement for organizations under the Payment Card Industry Data Security Standard (PCI) is: “Installing and maintaining a firewall configuration to protect cardholder data.”
WAF Security Plugins… The Good and The Ugly
There are plenty of great WAF plugins out there to choose from.
Some follow a “SAAS” model, offering an easy and stress-free introduction to the world of application firewalls.
On the other side of the coin…
Some Security Plugins Get WAFs Oh So WRONG!
It’s all dependent on the level at which your WAF sits.
For example, some plugin WAFs sit at the DNS Level, which usually means the firewall monitors and filters HTTP traffic before it reaches their cloud proxy servers.
This is the recommended level for these kinds of firewall plugins.
Then you have other WordPress security plugins with built-in WAFs that sit at the application level.
Meaning the firewall examines incoming traffic after it has already reached your server – but prior to loading WordPress scripts.
According to our in-house firewall/hosting expert and CTO Aaron Edwards, there are a few big problems with this.
Here’s what he had to say on the matter during the security episode of our HelloWP podcast:
“In my opinion, a firewall has no business being in a plugin. First of all, they’re already inside of your application before the firewall starts working on it.
So, it’s technically possible that an exploit or something that happened to your system can disable that firewall.
Another problem is it’s much slower, because every request has to go through PHP and it has to do all these filters and more at the PHP-level.
It’s like putting a fence inside of your house.” – Aaron Edwards, CTO at WPMU DEV.
Introducing WPMU DEV’s Brand New WAF!
Unlike the naughty plugins above, our WAF builds a fence on the OUTSIDE of your house as it analyzes all traffic before it hits WordPress.
We’ve done extensive testing and fine tuning to ensure it will not slow your site down. And we keep it updated with the latest rules, and add any new known vulnerability footprints nightly.
It also couldn’t be easier to manage!
To access and activate our WAF (if you’re a member) simply navigate to our Website Hub and click on the website you’d like to set up, or manage your firewall on.
You can then access the firewall through either the “Hosting” or the “Security” tabs. For this example let’s go through Hosting.
Next select the “tools” toolbar, and then you should see the “Web Application Firewall” option.
Once you’ve clicked through, you’ll be given the option to protect your site with our firewall.
After you elect to do so, the firewall will activate and begin protecting your site.
You’ll also now see the “Whitelist” and “Blacklist” fields that appear below.
We already maintain a set of rules that will identify unsafe traffic – but as mentioned above, admins can Whitelist (allow) or Blacklist (block) IP addresses and user agents as they see fit by filling out these fields.
Scroll past the whitelisting and blacklisting rules and you’ll find our final WAF feature: The ability to disable specific WAF rule Ids.
This feature can come in handy if specific WAF rules are not compatible with your site, and are causing false alarms.
Simply enter the rule Id that’s causing problems, and it’ll be immediately disabled.
Rule Ids and errors can be found in your “WAF Log.”
The WAF log itself can be found under the “Logs” tab, which is in the same toolbar as “Tools” was above.
Logs can come in handy when you want to see where attacks are coming from, which requests have been blocked, and what rules those requests triggered.
For example, let’s say you’re performing a valid action on your site, and for some reason you get blocked.
The logs allows you to understand exactly why this happened, so you can whitelist a particular IP, or disable a specific WAF rule.
After all, you wouldn’t want your security guard kicking your best friends out of the club!
And don’t worry, if this sounds at all complicated, our members get access to 24/7 round the clock support, and someone will always be on hand to help out with any difficulties.
You Can Never Have Too Much WordPress Security
As I touched on earlier, WAFs aren’t the answer to ALL of your security problems.
Doing simple things like installing a Network Firewall, keeping WordPress up to date, ensuring your PHP is up to date, and making sure your sites are constantly backed up – can all go a long way to protecting your sites.
And although we don’t think a WAF belongs inside of a plugin, security plugins still have their place, and can be a handy last line of defense.
Speaking of WordPress security plugins, you can’t go past our own Defender.
Yep, this guy’s as mean as he looks when it comes to fighting off hackers and bots (although he’s a teddy bear outside of the cyber-security ring).
In short, Defender can also help protect you from: Brute force attacks, SQL injections, Cross-site scripting XSS, and more!
He also handles operations like: malware scans, and two-factor authentication login security.
Choose Your Own WAF Path
Don’t you just love it when the conclusion of an article ends with “it depends”?
Well, sorry to be a bummer, but when answering the question of: “Do I need a WAF?”
It does indeed depend on your personal situation!
Do you need one? No. Should you have one? Of course!
The more security layers you can cover, the safer yours and your client’s data will be.
Speaking of client data, if your website does collect client data it’s vital that you have extra security measures like WAFs and Network Firewalls in place.
Not just for protection, but to protect your reputation, and to adhere to website security regulations and standards.
This is especially important for eCommerce sites, and sites that handle a ton of monetary transactions every day.
We’re Not Ones To Toot Our Own Horn, But…
Finally, if you’re already a WPMU DEV member and you don’t currently host any sites with us, be sure to migrate a site over, or whip up a test site if you want to give our new WAF a no-hassle whirl.
Other than that, stay cyber-safe out there folks!