Before diving into WAF security, it's important to note the difference between web servers and application servers. A web server is internet-facing on the front end, while an application server is where the code resides and is not internet-facing. By the time traffic passes between the web server and the application server, the HTTPS-encrypted data has already been decrypted. A WAF, or Web Application Firewall, inserted between the web server and the application server can therefore see all of the decrypted data and use it to help detect an attack.
What are the challenges of using WAF?
One major issue with a WAF is that it can track everything, including passwords and credit card numbers, which creates an insider-threat risk. However, there are free and open source tools, like OWASP ModSecurity, that you can install and configure to limit what information is visible even to your own security engineers. Another thing to remember with a WAF, as with other automated security tools, is that it doesn't recognize every attacker's exploitation scheme. If you rely solely on automated tools, you will be in trouble. Automated security tools implement rules for well-known attack patterns, but there are many complicated cases they can't detect. A WAF is not a solution that will solve everything, but, on the other hand, with security you want to have many kinds of tools to protect yourself from many kinds of attacks.
How can you get started using WAF?
OWASP ModSecurity is free and provides very good features, including many different kinds of rules, so you can enable or disable individual rules based on your application's security needs. You don't have to just turn it on and let it run.
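The two points above, tuning individual rules rather than running the WAF as-is and limiting what sensitive data the WAF itself retains, can both be expressed in a ModSecurity 2.x configuration for Apache. The following is an added example written for this page, not configuration from the original article or from the OWASP project; the file paths, rule IDs and the form-field names password and card_number are assumptions.

```apacheconf
# Added example: hypothetical Apache + ModSecurity 2.x fragment.
# All paths, rule IDs and parameter names below are assumptions.

# Enable the engine and keep an audit log of transactions that matched a rule.
SecRuleEngine On
SecAuditEngine RelevantOnly
SecAuditLog /var/log/modsec_audit.log
# Log request headers (B), request body (C) and response headers (F),
# but not the response body (E), which often carries user data.
SecAuditLogParts ABCFHZ

# Load the OWASP Core Rule Set (paths are assumptions).
Include /etc/modsecurity/crs/crs-setup.conf
Include /etc/modsecurity/crs/rules/*.conf

# Tune instead of "turn it on and let it run":
# globally disable one CRS rule that false-positives on this app
# (999999 is a placeholder rule ID) ...
SecRuleRemoveById 999999
# ... and disable another rule (placeholder 999998) only for one upload path,
# keeping it active everywhere else.
SecRule REQUEST_URI "@beginsWith /api/upload" \
    "id:1000001,phase:1,pass,nolog,ctl:ruleRemoveById=999998"

# Limit what insiders can read from the audit log: mask the named
# form fields before the transaction is written.
SecAction "id:1000010,phase:1,pass,nolog,sanitiseArg:password,sanitiseArg:card_number"

# Mask anything in the request arguments that verifies as a credit card
# number, whatever the field is called, but still record that it was seen.
SecRule ARGS "@verifyCC \d{13,16}" \
    "id:1000011,phase:2,pass,log,auditlog,msg:'Card number in request',sanitiseMatched"
```

With this in place a reviewer reading the audit log sees the sanitised fields as asterisks while the matched rule and URI are still recorded, so detection value is kept without exposing the secret itself.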