Why are web application firewalls needed

What actually is a web application firewall?

"How do you protect your web-based applications?" "Well, we have a firewall!" Why a web application firewall plays an important role alongside classic firewalls.
  • Which threats are web-based applications exposed to today?
  • Which challenges need to be considered?
  • Which typical protective measures are there?
  • What is the difference from classic firewalls?
  • Why can a web application firewall help effectively?
  • When do I need to deploy a web application firewall?

Threats to web-based applications

Nowadays, products such as vehicles, refrigerators and other goods are merely assembled by the manufacturer. Their individual parts are manufactured by different suppliers and are often delivered just-in-time to the production chain. To make this possible, systems are networked with one another via the Internet using web services. This means that processes can run across companies.

Other companies use the Internet to simplify their ordering processes or to provide product information for customers and suppliers. They expose portals from their network directly to the Internet.

The growth in the trade of products on the Internet is enormous. Both non-food and, increasingly, food products are traded, ordered and shipped over the Internet. Shop systems with integrated payment transactions and attached logistics are operated for this purpose.

All of the scenarios mentioned are popular targets for hackers with a variety of motivations, be it data theft, sabotage or espionage. Cybercrime is a lucrative business with which a lot of money can be made.

Since important, business-relevant and sensitive information is exchanged, it must be protected from attacks. Three essential characteristics need attention:

  • confidentiality
  • integrity
  • security

To implement the application scenarios mentioned, web-based applications with underlying databases are usually used.

Attacks on such applications are much more targeted these days than a few years ago. Why? The attacker may want to paralyze your system (sabotage), or he may want to access the data (espionage and data theft). Or he wants to abuse the system in order to deliver code (for example via drive-by download) to the application's users and thus initiate further attacks. These forms of attack and their motivations are mentioned here only as examples.

What is notable is that today's targeted attacks in most cases aim directly at weak points in the application. And this is exactly what you should protect the application from.

Cyber security challenges

The greatest challenge for web-based applications is the pace at which requirements, and thus applications, change today. Software release cycles are often so short that extensive audits or penetration tests for web-based applications would have to take place much more frequently.

However, since time-to-market and innovation as well as user-friendliness are in the foreground, additional measures must close the resulting security gaps.

A customer's development department once said: “We'll program the application! Colleagues from the network team should take care of security.”

And that is exactly where the crux lies: If appropriate security measures are taken during development, this massively increases the security of the application.

Protective measures for web-based applications

So what can be done to increase protection? The following is a list of measures that contribute to increasing the security of web-based applications:

  • Creation of programming and coding guidelines to build security into the architecture and code
  • Regular code reviews as well as reviews of the architecture
  • Use of code obfuscation to obscure and/or encrypt the program code
  • Introduction of database encryption for sensitive data (especially for personal data)
  • Use of vulnerability management for the rapid and automated finding of newly known vulnerabilities at hardware, operating system, network, server and application level
  • Securing authentication and authorization in a separate protected area (Identity and Access Management, IAM for short)
  • Securing the connection through strong encryption algorithms (above all, switch off weak algorithms in SSL)
  • Division of the systems into segments separated by firewalls (several DMZs)

And, of course, the introduction of a web application firewall (WAF). How it differs from other firewalls and what makes it special is explained below.

Differentiation between the web application firewall and other firewalls

If you take the currently most common and most successful types of attack, the so-called OWASP Top 10 (www.owasp.org), you can quickly see that the attacks are aimed primarily at layer 7, that is, at the applications.

A classic firewall works on the network level (usually layers 2 to 6) and can provide good basic security there in the TCP/IP protocols. A WAF, on the other hand, operates at the application level (layer 7) and “knows” the application. A WAF can decide whether an HTTP request is benign or malicious for the application and thus constitutes an attack. It knows typical attack patterns such as SQL injection, cross-site scripting or buffer overflows and can react accordingly.

The following diagram makes it easy to see where the differences between classic firewalls and web application firewalls lie in relation to defense against attacks:

Modern next-generation firewalls (firewall NG) offer additional added value for web-based applications through application detection on layer 7, but this applies more to the detection of standard applications than to defending against targeted attacks that cause the application to transfer data unintentionally. Even an intrusion detection (IDS) and prevention system (IPS) usually cannot detect and fend off a specialized attack such as a disguised XSS attack (see diagram).
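As an added illustration (not part of the original article and not the logic of any particular WAF product), the following sketch shows why layer-7 inspection decodes a request parameter before matching attack patterns: the same signature misses an encoded ("disguised") value when applied to the raw string. The signatures, parameter names and sample requests are constructed for this example.

```python
import html
import re
from urllib.parse import unquote_plus

# Illustrative signatures only; production WAF rule sets are far larger.
SIGNATURES = {
    "sqli": re.compile(r"\bunion\s+select\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I),
    "xss": re.compile(r"<\s*script\b|\bon\w+\s*=|javascript\s*:", re.I),
}
MAX_DECODE_ROUNDS = 5  # bound the work spent on deeply nested encodings


def normalize(value: str) -> str:
    """URL-decode and HTML-unescape repeatedly until the value is stable."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = html.unescape(unquote_plus(value))
        if decoded == value:
            break
        value = decoded
    # Drop NUL bytes and collapse whitespace so spacing tricks do not split a pattern.
    return re.sub(r"\s+", " ", value.replace("\x00", ""))


def match(value: str) -> list:
    """Names of all signatures that match the value exactly as given."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(value))


def inspect(params: dict) -> dict:
    """Layer-7 view: normalize each parameter, then match signatures."""
    findings = {}
    for name, value in params.items():
        hits = match(normalize(value))
        if hits:
            findings[name] = hits
    return findings


# Constructed sample query parameters (not taken from real traffic).
BENIGN = {"q": "garden script writing course", "page": "2"}
DISGUISED_XSS = {"q": "%253Cscript%253Ealert(1)%253C%2Fscript%253E"}
ENCODED_SQLI = {"id": "1%27%20OR%20%271%27%3D%271"}

if __name__ == "__main__":
    for label, req in [("benign", BENIGN), ("xss", DISGUISED_XSS), ("sqli", ENCODED_SQLI)]:
        raw = {k: match(v) for k, v in req.items() if match(v)}
        print(f"{label}: raw={raw} normalized={inspect(req)}")
```

Matching the raw strings finds nothing in either encoded sample, while the normalized view flags both and leaves the benign request alone.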

Why can a web application firewall help effectively?

The web application firewall is dedicated to protecting web-based applications that are usually exposed to the Internet, i.e. applications in your network that are used by other users (from the Internet). It is not protection for clients in your network who use applications provided by others on the Internet. It ensures that your web-based application is protected against attacks at the application level (layer 7).

The web application firewall focuses on the following properties:

  • Control of access at the application and infrastructure level
  • Filtering of unwanted access to web applications (also HTTPS)
  • Formation of a protection layer between the Internet and web applications
  • Safeguarding operations from failures

A "good" web application firewall

  • "knows" the web application to be protected
  • performs in-depth inspection of data traffic on layer 7
  • is able to differentiate between "good" and "bad" HTTP requests
  • offers effective protection against typical attacks such as the OWASP Top 10

Today's web application firewalls have a number of technical functions that go far beyond the mere protection of web-based applications. For example, there are modern solutions that provide additional modules to manage identities and their authorizations.

Which of these functions has which effect, and what is important when choosing a WAF, will be presented in the next article in this series.

When do I have to use a web application firewall?

The advantages of securing web-based applications with a web application firewall become a mandatory requirement when you come into contact with electronic payments.

The PCI Security Standards Council (https://de.pcisecuritystandards.org/) is an international, open forum for security standards to protect payment and account data. The organization was founded by credit card companies, the motivation of which is self-explanatory.

In its PCI DSS standard (current version 3.2), requirement 6.6 demands the following:

The continuous consideration of new threats and security risks in public web applications as well as protection of these applications from known attacks by one of the following methods:
  • Checking public web applications through manual or automated tools or methods to assess application security at least annually and after changes
  • Installation of an automatic technical solution for the detection and prevention of web-based attacks (e.g. a web application firewall) for public web applications to continuously check the data traffic

Here you have the choice of fulfilling the requirement through regular penetration tests. However, since this is also required after every change, the effort and the costs behind it are often high. Automated vulnerability management tools are important and good and should also be used. However, they do not replace the active protection of a web application firewall.

The recommendation is therefore:

  1. Introduction of a web application firewall for proactive protection
  2. Regular penetration tests with manual check (at least once a year)
  3. Use of automated tools to identify newly discovered vulnerabilities (Vulnerability Management)
