
Page 302

Web Application Firewall (WAF)

Not simply another type or generation of general-purpose network firewall, the Web Application Firewall (WAF) serves as an entirely separate and distinct control. Given the name, it should come as little surprise that the sole focus of the WAF is to improve an organization’s security posture with respect to web applications, most commonly the organization’s custom-developed web applications. The WAF will be deployed such that it can scrutinize application layer traffic to an organization-controlled web application. "Firewall" in the name makes clear that WAFs are typically intended for use as a preventive control. However, they can also provide substantial detective benefits even if configured not to actually block anything at all.

Organizations most commonly employ WAFs for public-facing applications, but they can also be used to bolster the security of internal-facing web applications. WAFs can be deployed in various ways including cloud-hosted, on-premises as a reverse proxy in front of web servers hosting the applications, or even as services running on web servers hosting the target application. These layer 7 controls must simply be deployed inline, so that the web application traffic flows through the WAF such that it can block overtly malicious traffic or alert on suspicious activity.
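The following is an added illustration, not code from the page or from any WAF product: a minimal inline request filter in Python that applies a handful of layer 7 rules to constructed sample requests and can run in either a preventive mode (block on match) or a detect-only mode (forward the request but raise an alert). The rule names, thresholds, and sample requests are all assumptions made for the example. It also shows one check a practitioner expects of any WAF: inspecting the percent-decoded form of the request, since rules applied only to the raw bytes miss the same content when it is encoded.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample requests (method, path with query string, body); not real traffic.
SAMPLE_REQUESTS = [
    {"id": 1, "method": "GET", "path": "/search?q=laptops", "body": ""},
    {"id": 2, "method": "GET", "path": "/search?q=' OR 1=1 --", "body": ""},
    {"id": 3, "method": "POST", "path": "/comment", "body": "text=<script>alert(1)</script>"},
    {"id": 4, "method": "GET", "path": "/static/app.js", "body": ""},
    {"id": 5, "method": "GET", "path": "/download?file=../../etc/passwd", "body": ""},
    # Same content as request 2, but percent-encoded; a naive filter would miss it.
    {"id": 6, "method": "GET", "path": "/search?q=%27%20OR%201%3D1", "body": ""},
]

# Hypothetical rule set: (rule name, compiled pattern). Real WAF rule sets are far larger.
RULES = [
    ("sqli-tautology", re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE)),
    ("xss-script-tag", re.compile(r"<\s*script\b", re.IGNORECASE)),
    ("path-traversal", re.compile(r"(\.\./){2,}")),
]


def normalize(text):
    """Decode percent-encoding and '+' so rules see the same form the application will."""
    return unquote_plus(text)


def inspect(request):
    """Return the names of every rule that matches the normalized path or body."""
    subject = normalize(request["path"]) + "\n" + normalize(request["body"])
    return [name for name, pattern in RULES if pattern.search(subject)]


def process(request, mode):
    """Decide what to do with one request.

    mode == "prevent": matching requests are blocked (preventive control).
    mode == "detect":  matching requests are forwarded but an alert is raised
                       (detective value even though nothing is blocked).
    """
    hits = inspect(request)
    if not hits:
        action = "allow"
    elif mode == "prevent":
        action = "block"
    else:
        action = "alert"
    return {"id": request["id"], "action": action, "rules": hits}


def run(requests, mode):
    """Apply the filter to a batch of requests and return the decisions in order."""
    return [process(r, mode) for r in requests]


if __name__ == "__main__":
    for mode in ("prevent", "detect"):
        print(f"--- mode={mode} ---")
        for decision in run(SAMPLE_REQUESTS, mode):
            print(decision)
```

In detect mode the output is the alert stream a SOC would consume; switching the same rule set to prevent mode is the usual path once false-positive rates on real traffic are understood.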

Sandboxing

Signature-based approaches to prevention of malicious content have a major inherent weakness; the signatures fundamentally depend on prior knowledge for their creation. If your organization were the first to encounter a novel exploit or technique, signature-based approaches will necessarily fall short. Sandboxing attempts to help fill this gap by focusing on identification of suspicious behaviors rather than primarily depending on signatures.

The general idea employed by sandboxing involves rendering or executing potentially malicious content and analyzing changes that occur on a well-understood, tightly controlled, sacrificial system that exists solely for this purpose. By measuring changes in behavior and state that occur on this virtual system, the sandboxing tool can determine whether it deems the tested file in question malicious, suspicious, or benign. Though neither perfect nor sufficient, sandboxing proves particularly useful with client-side exploitation associated with malicious content retrieved via web-based downloads or email.

The intent is for malware sandboxing to be deployed inline so that it can prevent the delivery of content determined to be malicious or overly suspicious. However, particularly with web-based content, the latency introduced by the sandboxing tool's behavior analysis might preclude it from being configured to prevent content delivery. Even in such cases, the sandboxing tool would allow for rapid detection of suspicious content, but would require automated or manual corrective actions to be taken in response to the alert.
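As an added example (not the page's own material and not any vendor's engine), the following Python sketch shows the core of the approach described above: take a snapshot of a sacrificial system's state before and after the tested file is opened, diff the two to obtain the observed behaviors, weight those behaviors, and map the total to a benign, suspicious, or malicious verdict. The snapshot fields, weights, thresholds, file paths, registry key, and the 203.0.113.10 address are all constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    """State of the sacrificial system at one point in time (constructed fields)."""
    files: frozenset
    autoruns: frozenset
    processes: frozenset
    connections: frozenset


def diff_snapshots(before, after):
    """Return the state changes observed between two snapshots as (kind, detail) events."""
    events = []
    for path in sorted(after.files - before.files):
        events.append(("file_created", path))
    for key in sorted(after.autoruns - before.autoruns):
        events.append(("autorun_added", key))
    for proc in sorted(after.processes - before.processes):
        events.append(("process_spawned", proc))
    for conn in sorted(after.connections - before.connections):
        events.append(("network_connect", conn))
    return events


# Hypothetical weights: persistence and outbound connections matter more than a temp file.
WEIGHTS = {
    "file_created": 1,
    "autorun_added": 5,
    "process_spawned": 2,
    "network_connect": 3,
}


def score(events):
    """Sum the weights of the observed behaviors."""
    total = 0
    for kind, detail in events:
        weight = WEIGHTS[kind]
        # A dropped executable is weighted above an ordinary file write.
        if kind == "file_created" and detail.lower().endswith(".exe"):
            weight = 4
        total += weight
    return total


def verdict(total, suspicious_at=3, malicious_at=8):
    """Map a score to the three-way verdict used in the text (thresholds are assumptions)."""
    if total >= malicious_at:
        return "malicious"
    if total >= suspicious_at:
        return "suspicious"
    return "benign"


def analyze(before, after):
    """Full pipeline: diff, score, classify."""
    events = diff_snapshots(before, after)
    total = score(events)
    return {"events": events, "score": total, "verdict": verdict(total)}


# Constructed baseline of the clean sandbox VM.
BASELINE = Snapshot(
    files=frozenset({"C:\\Windows\\explorer.exe"}),
    autoruns=frozenset(),
    processes=frozenset({"explorer.exe", "winword.exe"}),
    connections=frozenset(),
)

# Constructed "after" states for three tested documents.
BENIGN_AFTER = Snapshot(
    files=BASELINE.files | {"C:\\Users\\analyst\\AppData\\Local\\Temp\\~WRD0001.tmp"},
    autoruns=frozenset(),
    processes=BASELINE.processes,
    connections=frozenset(),
)
SUSPICIOUS_AFTER = Snapshot(
    files=BENIGN_AFTER.files,
    autoruns=frozenset(),
    processes=BASELINE.processes | {"cmd.exe"},
    connections=frozenset(),
)
MALICIOUS_AFTER = Snapshot(
    files=BASELINE.files | {"C:\\Users\\analyst\\AppData\\Roaming\\updater.exe"},
    autoruns=frozenset({"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"}),
    processes=BASELINE.processes | {"updater.exe"},
    connections=frozenset({"203.0.113.10:443"}),  # documentation-range address, constructed
)

if __name__ == "__main__":
    for label, after in (("benign", BENIGN_AFTER), ("suspicious", SUSPICIOUS_AFTER), ("malicious", MALICIOUS_AFTER)):
        print(label, analyze(BASELINE, after))
```

The diff step is where the latency mentioned in the text comes from: the tested file has to be opened and allowed to run long enough for meaningful state changes to appear before any verdict is possible, which is why many deployments settle for detect-and-respond rather than holding web downloads until the analysis completes.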