Web Application Firewalls – CompTIA Security+ SY0-401: 1.1

A newer type of security technology that we’ve seen over the last few years is something called a web application firewall. You’ll hear this referred to as a WAF. A web application firewall looks at web conversations, and it tries to determine, based on that conversation, whether the information within your packets is legitimate. You’ll often see this used to make sure that when people are inputting information into a web form, that information is correct. If you’re trying to put in a serial number, or a date, or a ZIP code, the web application firewall is looking to see: is that really a ZIP code you’re adding in there? Is that really a serial number?

The reason that’s important is that if you try to put unexpected information into one of these fields and you’re able to manipulate the application, you can often find exploits that might give you direct access to the database behind it, or direct access to the web server on which the application is running. So by having this additional check of the input data, you’re hopefully protecting against things like database injections and buffer overflows. Those are very bad things, because they often allow somebody very detailed access to some very sensitive data. You want to try to avoid that.

Because of a web application firewall’s ability to look at and validate this input, it can prevent things like SQL injections. The very crafty hackers will go into a field that is supposed to be for a ZIP code and, instead, add special characters and their own SQL commands to try to gain access to the raw data in the database. Now, the only way they’d be able to do that is if the application wasn’t written well and is allowing some of these types of input. But even if the application isn’t written well, having this web application firewall gives you another line of defense. You may not be able to check all the different ways to validate data inside of your application, but your web application firewall certainly can. It can check and make sure that if somebody’s trying to do a SQL injection right there at your ZIP code field, it will prevent that data from blowing through to your database.

You see this a lot in things called the Payment Card Industry Data Security Standard, the PCI DSS. If you do a Google search for that, you’ll see a lot of information about it, because you don’t want people to have access to credit cards, and so the payment card industry came up with a series of standards that people have to follow if they store credit card information on their servers. One aspect of the PCI DSS standard is that you have to have web application firewalls, because if somebody is going to that ZIP code field and typing in something that would give them access to the SQL database, then they would also potentially have access to credit card numbers that might be in that database. So you can start to see why having something at the application level, to validate input into those web fields, becomes critically important, especially when sensitive data is involved.

Danny Hutson

3 thoughts on “Web Application Firewalls – CompTIA Security+ SY0-401: 1.1”

  1. I didn't understand – is it about the usual field validation, or is it about some content-aware firewalls that filter out things like SQL code bits from HTTP/HTTPS?

  2. Professor Messer, is there any specific WAF that you can recommend? I'm currently working on a project to implement a couple of these. Thanks!
