

How cloud WAF implementations can improve application security

Having to secure applications that are not locally hosted is possible with a cloud WAF. Expert Matt Pascucci explains how they work, and what enterprises need to understand.

Web application vulnerabilities and exploits are a constant risk to those running applications in their environment.

This becomes even more of a risk to organizations that have applications publicly accessible on the internet. It's well known that web application firewalls (WAFs) are needed to mitigate many of these threats, but historically this meant hosting expensive hardware on-premises to defend public applications from malicious use.

Why cloud WAFs?

In modern networks, acquisitions, applications or sites hosted off-site, and companies moving their operations to the cloud can all leave certain applications unprotected, because those applications are not on the same premises as the physical WAF. The concern from an application protection perspective is that these apps are not within the boundaries of the physical WAF's protection. If an enterprise has a site hosted somewhere in the cloud or by an acquired company, these applications are still the enterprise's responsibility to protect, and that's not possible with a physical WAF architecture. A cloud web application firewall helps when enterprises have assets under their responsibility, but outside their physical jurisdiction. Many times it's not financially feasible, nor is it even technologically possible, to have the same physical hardware installed in all these locations. A cloud WAF enables an organization to defend its applications across a broad spectrum of hosting locations and protects it from the majority of application layer attacks with similar policies.

Implementing a cloud web application firewall ultimately means having a third party be responsible for filtering an organization's web application traffic before it's delivered to its origin servers. The applications running on these servers are the responsibility of the organization to protect, but the cloud WAF vendor performs the filtering before the traffic arrives at the application. In all cases, the applications or websites being protected by the cloud WAF have their public DNS records directed toward an address owned by the cloud WAF provider. As a result, all traffic is diverted to the cloud WAF provider, filtered and sent directly to the origin servers. Any public site can be filtered quickly and with the same or a similar policy as other applications under protection of the cloud WAF. This won't leave a gap in protection, and a site can be quickly activated with a simple DNS change. This decentralization of protection with cloud WAF allows for complete coverage of public applications.

Benefits of cloud WAF


Certain cloud WAF providers aim for a more "black box" approach to application filtering and don't give users as detailed an understanding of the signatures that are currently filtering their application as they would have with on-premises software. A cloud WAF allows for basic OWASP Top 10 filtering, plus additional vendor rule sets the provider has combined and created, country blocking, rate control, threat intelligence the provider gathers from other malicious traffic on its network and the ability to have custom rules created and applied. The benefit of having all of these policies and custom changes in the cloud is that they can be easily applied to other sites with a DNS change, giving users flexibility and agility. If an organization is running heavily customized code on its current on-premises WAF or relies on pushing changes to the WAF quickly, a cloud WAF install could have some challenges. A custom change being pushed to a cloud WAF needs to be vetted by the vendor before it can be propagated to the vendor's service. This is because vendors don't want a misconfigured change to be pushed to their service and cause performance issues for other clients.

Since cloud web application firewalls aren't on their local premises, enterprises will have to determine how they'll receive the logs from the cloud provider into their current logging infrastructure for additional correlation. The logs in a WAF are very valuable to SIEMs and even more important if an enterprise is subject to compliance requirements. Many times these logs will need to be held for a certain retention period for both purposes. Most providers offer either SFTP or an API to transfer logs to a site for retention and correlation as needed. The ability to log is important, but the capability to have reporting and alerting set up on corporate traffic is also imperative. Speak with all available cloud WAF providers, become familiar with their reporting and alerting capabilities, and determine whether they'll meet expectations.

Implementation steps

During implementation of a cloud WAF, an enterprise should have a firm understanding of how to integrate a new application, create new WAF policies and determine how to whitelist a signature in the event of false positives. This will include researching how SSL certificates are imported into the cloud provider's software and how filtering will occur within the cloud WAF. Most solutions have been vetted for compliance, but it's still a risk having certificates in the cloud hosted by a third party. The cloud providers will also give users an IP listing of all systems on their network that will forward the proxy requests from the WAF back to the origin address. Here, an enterprise can limit what source addresses can send data to its public-facing application, with firewall rules configured on its perimeter. Also, an enterprise should determine if a staging area in its cloud WAF is needed and speak with the vendors on how they accomplish this requirement.
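
An added example, not from the original article, of the origin lockdown described above: it turns a provider's IP listing into perimeter allow rules and audits origin access-log lines for requests that did not come through the WAF. The egress ranges, the log format, the INPUT chain, port 443 and all function names are assumptions made for illustration.

```python
import ipaddress

# Constructed provider egress listing (documentation ranges, not a real vendor's).
WAF_EGRESS = ["198.51.100.0/24", "203.0.113.64/26", "2001:db8:77::/48"]

# Constructed origin access-log lines: "<source> <method> <path> <status>".
ORIGIN_LOG = """\
203.0.113.70 POST /api/order 201
192.0.2.44 GET /admin 200
203.0.113.10 GET /login 200
2001:db8:77::9 GET / 200
2001:db8:99::1 GET /admin 403
not-an-ip GET / 400
"""

def parse_ranges(cidrs):
    """Parse the provider's listing; strict=True rejects entries with host bits set."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]

def from_waf(source, networks):
    """True only if source parses as an IP address inside a provider range."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return False  # an unparseable source is never treated as the WAF
    return any(addr in net for net in networks)  # v4/v6 mismatch is simply False

def audit_origin_log(log_text, cidrs):
    """Return (source, path) for each request that reached the origin without the WAF."""
    networks = parse_ranges(cidrs)
    bypass = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) == 4 and not from_waf(fields[0], networks):
            bypass.append((fields[0], fields[2]))
    return bypass

def perimeter_rules(cidrs, port=443):
    """Allow the listed ranges to the port, then drop everything else (INPUT chain assumed)."""
    rules = []
    for net in parse_ranges(cidrs):
        tool = "iptables" if net.version == 4 else "ip6tables"
        rules.append(f"{tool} -A INPUT -p tcp --dport {port} -s {net} -j ACCEPT")
    for tool in ("iptables", "ip6tables"):
        rules.append(f"{tool} -A INPUT -p tcp --dport {port} -j DROP")
    return rules

if __name__ == "__main__":
    print(*perimeter_rules(WAF_EGRESS), *audit_origin_log(ORIGIN_LOG, WAF_EGRESS), sep="\n")
```

Any entry returned by the audit is traffic that reached the origin directly, which means the perimeter rules are missing, incomplete or being bypassed.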

Lastly, billing by cloud WAF providers can depend on traffic, the number of SSL-protected sites and the number of policies the enterprise wants configured. This might be a large expense upfront, but it's cheaper in the long run than having physical WAFs installed at each location, if that is possible at all. These solutions are all billed annually and as an operating expense. Many of these providers also offer CDN services and protection against distributed denial-of-service and domain name system attacks, which could benefit cloud WAF implementations.
