The Graylog blog

Application Monitoring with a Web Application Firewall (WAF) for Network Security

 Nearly every business today uses some Software-as-a-Service (SaaS) application. From streamlined productivity to team communication, web applications drive business revenue outcomes. Simultaneously, these applications expand your company’s attack surface since every connection creates new access points that threat actors can use to compromise systems and networks. By using a web application firewall (WAF) for monitoring network traffic, you can protect against attacks at the application layer for enhanced security. 


What is a web application firewall (WAF)?

A web application firewall (WAF) filters, monitors, and blocks malicious traffic by applying rules to HTTP/HTTPS web traffic. A WAF provides visibility into encrypted and unencrypted traffic transmitted between the application and the public internet, augmenting the monitoring that a traditional firewall performs.


The WAF’s policies are rules that can detect known malicious request activity and block outgoing traffic by analyzing user, session, and application activity. A WAF’s primary function is to monitor:

  • Inbound traffic: inspecting incoming requests for abnormal activity, suspicious payloads, and vulnerabilities
  • Outbound traffic: intercepting, masking, or blocking sensitive data to prevent accidental or malicious leakage


Historically, a WAF took one of two approaches to protecting applications:

  • Blocklist: Identifying and blocking known malicious activity
  • Allowlist: Permitting only traffic that matches known, safe patterns or behaviors


Since both offer benefits, many WAFs now take a hybrid blocklist-allowlist approach.


WAF service components

The components of a WAF can include any of the following:

  • Web application firewall policy: configurations that include origin management, protection rules, and bot detection
  • Origin: the origin host server for which rules and features are configured
  • Protection rules: criteria for allowing, blocking, and logging network requests
  • Bot management: features for detecting, blocking, or allowing bot traffic, like IP rate limiting, CAPTCHA, device fingerprinting


WAF features

Some features to look for when choosing a WAF may include any of the following:

  • Dynamic traffic routing: algorithms that leverage the domain name system (DNS) to reduce latency
  • Availability: settings allowing high availability to reduce risks arising from problems with the origin server
  • Policy management: configurations and features that enable a flexible deployment focused on the organization’s needs
  • Monitoring and reporting: reporting used for compliance and analysis


What does a WAF protect against?

While traditional firewalls monitor all network traffic, WAFs provide more detailed visibility into attacks targeting your SaaS ecosystem. 


Application layer (L7) Denial of Service (DoS) attacks

In an L7 DoS attack, threat actors target the application layer protocols, like HTTP and DNS, seeking to disrupt services or hijack application protocols. Typical attack techniques include:

  • Request floods
  • Application vulnerability exploitation
  • Application-specific attacks, like XML-RPC floods


WAFs mitigate risks by managing and filtering traffic through an IP reputation database, giving organizations a way to test whether the requests are legitimate or coming from bots. 


Cross-Site Scripting (XSS) attacks

During an XSS attack, malicious actors exploit a vulnerability in a web application to insert malicious code that executes in a user’s browser. Although usually associated with JavaScript, the vulnerabilities that lead to an XSS attack can exist in any programming language, including:

  • ActiveX
  • Flash
  • Java
  • VBScript
  • HTML


A WAF can mitigate an XSS attack risk by scanning requests to identify keywords, special characters, or external links in:

  • HTML script tags
  • Event handler attributes
  • Script protocols
  • Styles


Structured Query Language (SQL) Injection

In a SQL injection attack, threat actors insert malicious commands into database query strings. When the query executes, attackers can steal, modify, or tamper with the SQL database’s content, including activities like:

  • Gaining access to sensitive information
  • Adding users
  • Exporting files
  • Escalating privileges

A WAF mitigates risk by scanning incoming requests for keywords, special characters, operators, and comment symbols. 
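The following Python sketch is an added example, not code from the Graylog post. It ties together three passages above: the hybrid allowlist-then-blocklist policy, the XSS rule categories (script tags, event handler attributes, script protocols, styles), and the SQL injection rule categories (keywords, operators, comment symbols). The allowlist entries, the signature patterns, and the sample requests are all constructed for the illustration; the rule set is deliberately tiny compared with a real WAF's.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import unquote_plus

# Allowlist: (method, path pattern) pairs treated as known-safe and exempt from
# payload inspection. These entries are constructed for this example.
ALLOWLIST = [
    ("GET", re.compile(r"^/static/[\w./-]+$")),
    ("GET", re.compile(r"^/healthz$")),
]

# Blocklist signatures grouped by the rule families the post describes.
# Constructed and intentionally small; a production WAF ships far larger, tuned sets.
SIGNATURES = {
    "xss_script_tag": re.compile(r"<\s*script\b", re.I),
    "xss_event_handler": re.compile(r"\bon(load|error|click|mouseover|focus|blur)\s*=", re.I),
    "xss_script_protocol": re.compile(r"\b(javascript|vbscript)\s*:", re.I),
    "xss_style": re.compile(r"<\s*style\b|expression\s*\(", re.I),
    "sqli_keyword": re.compile(
        r"\b(union\s+select|select\s+.+\bfrom\b|insert\s+into|drop\s+table|information_schema)\b", re.I),
    "sqli_operator": re.compile(r"\b(or|and)\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I),
    "sqli_comment": re.compile(r"(--|/\*|#)\s*$|['\"]\s*(--|/\*|#)"),
}


@dataclass
class Request:
    src_ip: str
    method: str
    path: str
    query: str = ""                 # raw, still URL-encoded
    body: str = ""                  # raw form body
    headers: dict = field(default_factory=dict)


@dataclass
class Verdict:
    action: str                     # "allow" or "block"
    reason: str
    matched: list = field(default_factory=list)   # (rule name, field name) pairs


def _decode(value):
    """Undo up to two rounds of URL encoding so encoded payloads are inspected too."""
    for _ in range(2):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(req):
    """Hybrid policy: allowlisted requests skip inspection; everything else is
    matched against every blocklist signature on every inspectable field."""
    for method, pattern in ALLOWLIST:
        if req.method == method and pattern.match(req.path):
            return Verdict("allow", "allowlist")
    fields = {"path": req.path, "query": req.query, "body": req.body}
    fields.update({f"header:{k.lower()}": v for k, v in req.headers.items()})
    hits = []
    for field_name, value in fields.items():
        decoded = _decode(value)
        for rule, rx in SIGNATURES.items():
            if rx.search(decoded):
                hits.append((rule, field_name))
    if hits:
        return Verdict("block", "blocklist", hits)
    return Verdict("allow", "no rule matched")


# Constructed sample traffic (documentation IP ranges, not real hosts).
SAMPLE_REQUESTS = [
    Request("203.0.113.5", "GET", "/static/app.css"),
    Request("203.0.113.5", "GET", "/search", query="q=graylog+waf"),
    Request("198.51.100.7", "GET", "/search", query="q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
    Request("198.51.100.7", "POST", "/login", body="user=admin'+OR+'1'%3D'1'--&pass=x"),
    Request("198.51.100.9", "GET", "/profile", query="name=%3Cimg+onerror%3Dalert(1)%3E"),
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        v = inspect_request(r)
        print(f"{r.src_ip:14} {r.method:4} {r.path:16} {v.action:5} {v.reason} {v.matched}")
```

Two design points worth noticing: the decoding step exists because a rule engine that matches only the raw, URL-encoded value misses payloads encoded once or twice, which is why real WAFs normalize a request before applying rules; and a pattern set this small will also flag legitimate text that happens to contain `--` or `or x=y`, which is the false-positive pressure that drives vendors toward tuned rule sets and, as the post later argues, toward correlation with other sources.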


Enumeration attacks

In an enumeration attack, threat actors send requests, usually through the login and password reset pages, to the application’s web server and its backing database, hoping to elicit responses that reveal sensitive information like:

  • Usernames
  • Passwords
  • Hostnames
  • Simple Network Management Protocol (SNMP) data
  • DNS details

Since a WAF filters incoming HTTP/HTTPS traffic, it can detect abnormal requests indicating a potential enumeration attack. 
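As an added example (not code from the Graylog post), the Python below runs two of the detections described above over constructed access-log lines: the L7 request-flood check from the DoS section, implemented as the per-IP rate limiting listed under bot management, and the enumeration check from this section, which counts how many distinct accounts one source probes on the login and password-reset pages within a window. The log format, the thresholds, and every log line are assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed log format: "<ISO timestamp> <src ip> <method> <path> <status> [user=<name>]".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})"
    r"(?: user=(?P<user>\S+))?$"
)

FLOOD_LIMIT = 20          # requests per window from one source before it counts as a flood
FLOOD_WINDOW = 10         # seconds
ENUM_LIMIT = 5            # distinct accounts probed per window before it counts as enumeration
ENUM_WINDOW = 60          # seconds
ENUM_PATHS = {"/login", "/password-reset"}
ENUM_STATUSES = {401, 403, 404}   # responses that typically distinguish "no such account"


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["status"] = int(rec["status"])
    return rec


def detect_abuse(lines):
    """Sliding-window detection per source IP. Lines must be time-ordered per IP
    (the usual case for a single log stream). Each source is alerted once per type."""
    alerts = []
    recent = defaultdict(deque)        # ip -> timestamps inside FLOOD_WINDOW
    probed = defaultdict(deque)        # ip -> (timestamp, user) inside ENUM_WINDOW
    flagged = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts = rec["ip"], rec["ts"]

        # Request-flood check: trim timestamps older than the window, then count.
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > FLOOD_WINDOW:
            q.popleft()
        if len(q) > FLOOD_LIMIT and ("flood", ip) not in flagged:
            flagged.add(("flood", ip))
            alerts.append({"type": "l7_request_flood", "ip": ip, "count": len(q), "at": ts.isoformat()})

        # Enumeration check: distinct usernames that drew a "no such account" style response.
        if rec["path"] in ENUM_PATHS and rec["status"] in ENUM_STATUSES and rec["user"]:
            p = probed[ip]
            p.append((ts, rec["user"]))
            while (ts - p[0][0]).total_seconds() > ENUM_WINDOW:
                p.popleft()
            users = {u for _, u in p}
            if len(users) >= ENUM_LIMIT and ("enum", ip) not in flagged:
                flagged.add(("enum", ip))
                alerts.append({"type": "account_enumeration", "ip": ip,
                               "distinct_users": len(users), "at": ts.isoformat()})
    return alerts


# Constructed sample log: one flooding source, one enumerating source, one normal user.
SAMPLE_LOG = (
    [f"2024-05-01T10:00:{i // 5:02d}Z 203.0.113.9 GET /search 200" for i in range(25)]
    + [f"2024-05-01T10:00:{10 + i * 4:02d}Z 198.51.100.7 POST /password-reset 404 user={u}"
       for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    + ["2024-05-01T10:00:15Z 192.0.2.3 POST /login 401 user=alice",
       "2024-05-01T10:00:20Z 192.0.2.3 POST /login 200 user=alice",
       "2024-05-01T10:00:25Z 192.0.2.3 GET /dashboard 200"]
)

if __name__ == "__main__":
    for a in detect_abuse(SAMPLE_LOG):
        print(a)
```

The normal user who mistypes a password once is not flagged because the enumeration rule keys on the number of distinct accounts, not on failures; that distinction is what keeps the rule's false-positive rate tolerable on a real login page.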


Correlating WAF and API security data for holistic network and application security

As you connect more applications to and within your environment, your network security becomes increasingly intertwined with your application security. To protect both, you need a holistic monitoring approach that provides insight into both external public internet connections and internal application-to-application communications.


While using a WAF is critical to your organization’s security, it focuses on monitoring inbound and outbound HTTP/HTTPS requests, meaning that it focuses on communication with the public internet. However, applications use application programming interfaces (APIs) to share data with each other, and malicious actors increasingly target APIs as an attack vector.


For comprehensive application security, organizations should aggregate and correlate their WAF and API gateway log data with data generated by an API security tool.


Discovery

As your organization adds more applications to its environment, you can easily lose track of external internet and internal application connections. While your WAF enables you to discover malicious traffic by monitoring your inbound and outbound application network traffic, your API security tool enables you to discover all APIs across:

  • Multiple technology platforms, like legacy, Kubernetes, and virtual machines (VMs)
  • Distributed infrastructures, like on-premises data centers or multiple public clouds

With this visibility you can uncover risky APIs like:

  • Zombie APIs: exposed APIs or abandoned, outdated, or forgotten API endpoints
  • Shadow APIs: exposed APIs or API endpoints whose creation and deployment happened without official governance


With your WAF, you’re monitoring the network traffic associated with your applications and identifying potentially intrusive activity. Meanwhile, by correlating this data with your API security tool, you gain visibility into risky network access points.


Detection

Combining WAF and API security monitoring enables you to create high fidelity detection rules that reduce false alerts and improve key cybersecurity KPIs, like mean time to detect (MTTD) and mean time to investigate (MTTI).


For example, with your WAF you may create a detection rule that blocks requests originating from a specific IP address to mitigate risks arising from malicious actors attempting to gain access to or insert malicious code in applications. With your API security tool, you can create detections for the same IP address if it makes calls to the API gateway or applications. By correlating this data, you can create high fidelity alerts that provide greater visibility into your network and application security postures.
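The correlation the example describes, written out as an added Python illustration rather than a Graylog rule or any of Graylog's own code: a source IP that the WAF blocked is joined against API gateway events from the same IP within a time window, and the alert is raised to high severity when any of those API calls succeeded, because that means a source already identified as hostile reached the internal layer. A second helper serves the Discovery passage above by listing sources that reached the API gateway with no WAF record at all, a hint that some API traffic bypasses the WAF. Both event lists, their field names, and the 15-minute window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed WAF events: what the edge WAF decided about each request.
WAF_EVENTS = [
    {"ts": "2024-05-01T10:02:11Z", "src_ip": "198.51.100.7", "action": "block", "rule": "sqli_operator", "path": "/login"},
    {"ts": "2024-05-01T10:05:40Z", "src_ip": "198.51.100.7", "action": "block", "rule": "xss_script_tag", "path": "/search"},
    {"ts": "2024-05-01T09:00:03Z", "src_ip": "203.0.113.5", "action": "block", "rule": "sqli_comment", "path": "/login"},
    {"ts": "2024-05-01T10:03:00Z", "src_ip": "192.0.2.8", "action": "allow", "rule": None, "path": "/dashboard"},
]

# Constructed API gateway events: calls that reached the internal API layer.
API_EVENTS = [
    {"ts": "2024-05-01T10:07:02Z", "src_ip": "198.51.100.7", "route": "/api/v1/users", "status": 200},
    {"ts": "2024-05-01T10:08:15Z", "src_ip": "198.51.100.7", "route": "/api/v1/export", "status": 403},
    {"ts": "2024-05-01T14:00:00Z", "src_ip": "203.0.113.5", "route": "/api/v1/users", "status": 200},
    {"ts": "2024-05-01T10:03:30Z", "src_ip": "192.0.2.8", "route": "/api/v1/users/me", "status": 200},
    {"ts": "2024-05-01T10:09:00Z", "src_ip": "192.0.2.44", "route": "/api/v2/legacy-export", "status": 200},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def correlate(waf_events, api_events, window=timedelta(minutes=15)):
    """One alert per source IP that the WAF blocked and that also reached the
    API gateway within `window` of any of its blocked requests."""
    blocked = defaultdict(list)
    for e in waf_events:
        if e["action"] == "block":
            blocked[e["src_ip"]].append(e)

    alerts = []
    for ip, blocks in blocked.items():
        block_times = [parse_ts(b["ts"]) for b in blocks]
        calls = [
            a for a in api_events
            if a["src_ip"] == ip
            and any(abs(parse_ts(a["ts"]) - t) <= window for t in block_times)
        ]
        if not calls:
            continue
        successes = [c for c in calls if 200 <= c["status"] < 300]
        alerts.append({
            "src_ip": ip,
            # A blocked source that still got a 2xx from the API is the case worth paging on.
            "severity": "high" if successes else "medium",
            "waf_rules": sorted({b["rule"] for b in blocks}),
            "api_calls": len(calls),
            "successful_routes": sorted({c["route"] for c in successes}),
        })
    return alerts


def api_sources_unseen_by_waf(waf_events, api_events):
    """Source IPs present at the API gateway but absent from every WAF record:
    a discovery signal for API paths that do not pass through the WAF."""
    seen = {e["src_ip"] for e in waf_events}
    return sorted({a["src_ip"] for a in api_events} - seen)


if __name__ == "__main__":
    for alert in correlate(WAF_EVENTS, API_EVENTS):
        print(alert)
    print("API sources with no WAF record:", api_sources_unseen_by_waf(WAF_EVENTS, API_EVENTS))
```

The time window is what turns two noisy streams into a high-fidelity rule: the 203.0.113.5 source was blocked hours before its API call and is left for the lower-priority review queue, while 198.51.100.7 was blocked twice and then successfully read an API route minutes later, which is the combination a single WAF or API log cannot show on its own.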


Graylog API Security: Holistic Application and Network Monitoring

With Graylog API Security, you aggregate and correlate all application, API, and network monitoring in a single location for enhanced visibility into activities in your environment. Our API security solution maps to the OWASP Top 10, enabling you to create high fidelity alerts on threats with complete data security patterns and behaviors. 


With Graylog Security and Graylog API Security, you gain the security platform functionality you need without the time-consuming complexity and costs associated with a traditional security information and event management (SIEM) tool. Further, Graylog enables security, IT operations, and development teams to collaborate more efficiently and effectively, giving them a way to address both security issues and bugs by using a single source of data.


To see how Graylog can enable your technology teams, contact us today. 
