Web Application Firewall (WAF) is a new feature from AWS which sits in front of your public website and protects it from malicious traffic. It works like a reverse proxy which inspects incoming HTTP requests looking for patterns that indicate suspicious activity. Good requests are passed on to your web application to handle, and bad requests are blocked. It’s a tool which can potentially add a layer of security to an existing application without changing the app.
WAF’s behavior is configurable with policies for identifying and managing suspect traffic. Amazon has published a whitepaper [PDF] explaining how WAF can be used to mitigate the OWASP Top 10, the most prevalent security flaws in web applications. Many of the recommendations use string matching to check the body or headers of incoming requests, for input which is required – like security tokens, or restricted – like SQL keywords. Others suggest combining WAF with Lambda or CloudFront for richer threat detection.
WAF is a generic tool and it has a much greater chance of success with some categories of attack than others. Injection attacks are relatively straightforward to mitigate just by analyzing the request, without knowing the application context. You can configure WAF to block suspicious activity by checking for SQL keywords in request query strings. Attacks which rely on subverting security inside the application context are harder to mitigate. If your app uses unique cross-site request forgery (CSRF) tokens, you can’t configure WAF to reject requests that replay a used token; you would need to build a custom integration between WAF and your application.
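The contrast described above, as an added example (not from the article or from AWS): a stateless keyword rule catches an injection attempt from the request alone, while a replayed CSRF token passes that rule and is only rejected by application-side state. The keyword list, function names and sample requests are constructed assumptions and do not reflect actual AWS WAF rule syntax.

```python
import re
import secrets
from urllib.parse import parse_qsl

# Illustrative keyword list (assumption); real WAF SQL-injection conditions are richer.
SQL_PATTERN = re.compile(r"\b(union|select|insert|update|delete|drop)\b|--|;", re.I)

def stateless_rule_blocks(query_string: str) -> bool:
    """WAF-style check: decide from the request alone, with no application state."""
    # parse_qsl URL-decodes values, so percent-encoded keywords are inspected too.
    return any(SQL_PATTERN.search(value)
               for _, value in parse_qsl(query_string, keep_blank_values=True))

class OneTimeCsrfTokens:
    """Application-side state that a string-matching rule cannot see."""
    def __init__(self):
        self._unused = set()

    def issue(self) -> str:
        token = secrets.token_hex(16)  # hex only, so it never trips the keyword rule
        self._unused.add(token)
        return token

    def redeem(self, token: str) -> bool:
        # Accept a token once; a replay finds it already removed.
        if token in self._unused:
            self._unused.remove(token)
            return True
        return False

def handle(query_string: str, tokens: OneTimeCsrfTokens) -> str:
    if stateless_rule_blocks(query_string):
        return "blocked by stateless rule"
    params = dict(parse_qsl(query_string))
    if not tokens.redeem(params.get("csrf", "")):
        return "rejected by application (token missing, unknown or replayed)"
    return "accepted"

def demo():
    tokens = OneTimeCsrfTokens()
    # Constructed sample requests.
    injected = "id=1%20UNION%20SELECT%20name%20FROM%20users"
    legit = f"id=42&csrf={tokens.issue()}"
    # The third call replays the second request byte for byte.
    return [handle(injected, tokens), handle(legit, tokens), handle(legit, tokens)]

if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The replayed request is identical to the accepted one, which is why no pattern over the request text can tell them apart.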
InfoQ spoke with Mark Nunnikhoven to ask whether generic tools like WAF can be used to successfully bolt security onto an insecure app. Mark is Vice President of Cloud Research at Trend Micro, and an AWS Community Hero.
InfoQ: Do you think any of the recent high-profile breaches could have been prevented with a tool like WAF?