What is WAF? WAF is expanded as Web Application Firewall. WAF is server side application that controls the input and output(filter the HTTP communication). It controls network traffic on any OSI Layer up to Application Layer. The main purpose of WAF is to provide better protection over the top Wep Application vulnerability such as XSS(Cross Site Scripting), SQL Injection,RFI. Daily lot of websites h*cked because of these vulnerability. Read Our Security News Section to know about the Security Risks in Interent. Standard firewall blocks Non-HTTP attacks(restriction of ports,access..). This WAF blocks HTTP attack.
The Most common Web Application Vulnerabilities:
Cross-Site Scripting (XSS)
Broken Authentication and Session Management
Insecure Direct Object References
Cross-Site Request Forgery (CSRF)
Insecure Cryptographic Storage
Failure to Restrict URL Access
Insufficient Transport Layer Protection
Unvalidated Redirects and Forwards
The Wep Application Firewall(WAF) must meat the following features:
Protection Against Top Vulnerability(XSS,SQLi,..etc)
Very Few False Positives (i.e., should NEVER disallow an authorized request)
Strength of Default (Out of the Box) Defenses
Power and Ease of Learn Mode
Types of Vulnerabilities it can prevent.
Detects disclosure and unauthorized content in outbound reply messages, such as credit-card and Social Security numbers.
Both Positive and Negative Security model support.
Simplified and Intuitive User Interface.
Cluster mode support.
High Performance (milliseconds latency).
Complete Alerting, Forensics, Reporting capabilities.
Web Services\XML support.
Brute Force protection.
Ability to Active (block and log), Passive (log only) and bypass the web trafic.
Ability to keep individual users constrained to exactly what they have seen in the current session
Ability to be configured to prevent ANY specific problem (i.e., Emergency Patches)
Form Factor: Software vs. Hardware (Hardware generally preferred)Top 10 Open Source Web Application Firefwall(WAF):ModSecurity (Trustwave SpiderLabs) AQTRONIX WebKnight ESAPI WAF WebCastellum BinarySec [email protected] OpenWAF Ironbee Profense Smoothwall