A web application firewall (WAF) sits between web applications and the internet. It monitors inbound traffic and filters malicious requests before they reach the potentially vulnerable application. This article explores WAFs, how they work, the most popular and effective examples, and why you should consider using a WAF to protect your site or app from cybercriminals.

Does Your Web App Need a WAF?

Sooner or later, every website, app, and API is targeted by malicious bots or their cybercriminal operators. If it’s online, it’ll be attacked. Vulnerabilities will be exploited, data will be stolen, web pages will be defaced, and malware will be injected. A web application firewall (WAF) works alongside other security measures to defeat bad actors and keep sites and apps safe. 

If you don’t use a WAF, you rely on the web app to repel attacks. That may work in the short term, but a WAF provides an additional layer of defense that can be dynamically updated to protect against emerging threats. WAFs are an effective and valuable defense against the most common attacks against web apps and APIs.

How Does a Web Application Firewall Work?

Most WAFs are deployed as a reverse proxy: the WAF intercepts inbound HTTP requests and inspects them for patterns that indicate an attack. If an attack is detected, the request is blocked before it reaches the web app. Legitimate requests are passed through to the app, which responds as usual. Host-based WAFs such as web-server modules perform the same inspection inside the server process rather than in front of it.

You can think of a WAF as a filter. It absorbs all incoming web traffic and removes any that could be harmful, providing the app with a stream of pre-vetted, legitimate requests. This only holds if the WAF is the sole path to the app: an origin server that can also be reached directly, bypassing the WAF, gets no protection from it, so restrict the origin to accept connections only from the WAF.

One of the main advantages of a WAF is that it can be updated quickly in response to new threats. Consider what happens when a challenging zero-day vulnerability is discovered in a web app. It might not be possible to release a patch immediately, and even if it were, there is a delay between patch release and updating, especially for apps with many instances. 

WAF users can, however, quickly add a rule that blocks inbound requests matching the exploit, a practice known as virtual patching. It buys time to patch properly: the rule protects every instance behind the WAF immediately, while the application fix is developed, released, and rolled out.

Does a WAF Replace a Network Layer Firewall?

WAFs complement network firewalls and provide additional protection but do not replace traditional network layer firewalls. A web application firewall works at the application layer, Layer 7 in the OSI model. It intercepts HTTP data but cannot monitor and filter data protocols used at lower levels. 

In contrast, firewalls such as iptables typically operate at the network and transport layers (Layers 3 and 4). They work with low-level protocols such as IP, TCP, and UDP, but not with higher-level protocols such as HTTP.

Some modern firewalls cover a broader range. For example, AWS Network Firewall inspects traffic from Layer 3 up through parts of Layer 7, including domain-name filtering and Suricata-compatible intrusion-prevention rules, so it overlaps with some of what a WAF does. It is not, however, an HTTP-aware WAF, and users should verify the specific capabilities of each product before relying on it to protect their web applications.

Threats Web Application Firewalls Prevent

Web application firewalls protect against many different types of attacks commonly used against web apps. These include attacks that traditional network firewalls cannot intercept, including:

  • Cross-site scripting (XSS): malicious code injection into web pages.
  • Cross-site request forgery (CSRF): an attack that forces an authenticated user’s browser to carry out unwanted actions.
  • SQL injection: the injection of SQL code, which is then executed by the site’s database.
  • Cookie poisoning: session hijacking using forged or intercepted cookies.

Many WAFs also provide some protection against distributed denial of service (DDoS) attacks. Because all traffic goes through the WAF first, it can be rate-limited and malicious floods of traffic can be filtered. However, a WAF is unlikely to protect a web app against a large-scale volumetric attack as effectively as a dedicated DDoS mitigation service. 

Additionally, some WAFs can be used to implement protections usually carried out at the network layer. Many WAFs allow users to upload lists of IP addresses to block. They can also be used to block traffic sources that are considered likely to cause issues. For example, AWS WAF curates a managed rule group for blocking traffic from Tor exit nodes, VPNs, and other anonymizing proxies, and other WAFs offer similar functionality.

What Are the Types of Web Application Firewall?

All web application firewalls serve the same fundamental role, but there are alternative hosting and operational models. These can be divided into three broad categories:

  • Network-based WAFs are usually hosted on dedicated hardware in data centers close to the application they protect. Network-based WAFs are often used to protect large, high-traffic applications where low-latency connectivity is a priority. They are the most expensive WAF type and the most complex to manage and maintain.
  • Host-based WAFs are integrated into the software they protect and may be hosted on the same hardware. For example, many WordPress plugins integrate a host-based web application firewall with the CMS. This approach has the benefit of flexibility and ease of use, but it can result in reduced performance if the host lacks the resources to run the WAF and the app at peak load times.
  • Cloud WAFs are managed services hosted on cloud platforms. They are the easiest to use and manage. The cloud provider manages the software and underlying hardware. They are also responsible for deploying rules and policies for filtering threats, including updates for emerging threats. Cloud WAFs provide a reasonable level of customization, performance, and uptime, but they may not be the best option for businesses that need more control over their firewall.

WAFs may also be categorized by whether they operate on a blocklist or allowlist model. A blocklist selectively disallows connections that match an undesirable pattern, whereas an allowlist permits connections that conform to a desirable pattern. 

There are advantages to both approaches. Blocklists let security teams target known attack patterns and can be deployed quickly in front of an application they know little about, but they cannot catch what they have no signature for. Allowlists refuse everything that does not match the expected profile, which also defeats novel attacks, but they require an accurate model of the application’s interface and must be kept in step with every change to it, so they are harder to maintain and may be unsuitable for applications that must accept a very wide range of input or users.
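The inspection loop described under How Does a Web Application Firewall Work? and the two rule models above, as an added Python example that is not code from the original article or from any WAF product. It parses a raw HTTP request, percent-decodes argument values until they are stable (so double-encoded payloads are seen the way the application would see them), then evaluates either a blocklist with anomaly scoring (each matched signature adds to a score and the request is blocked when the total reaches a threshold, the approach the OWASP CRS uses) or an allowlist profile of the application’s endpoints and parameter shapes. The host shop.example, the endpoints, the sample requests, and the vpatch-001 rule for an imagined unpatched /api/export endpoint are all constructed for illustration.

```python
"""Minimal WAF-style request inspection: blocklist with anomaly scoring
versus allowlist profile. Added illustration; not code from any WAF product."""
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, unquote, urlsplit


@dataclass(frozen=True)
class Rule:
    rid: str
    pattern: re.Pattern      # searched against every decoded argument value
    score: int
    path_prefix: str = ""    # when set, the rule only applies under this path


# Negative security model: signatures for known-bad input. A hit adds a score
# rather than blocking outright, so one weak signal does not block a legitimate
# request but several do (anomaly scoring, as the OWASP CRS does).
BLOCKLIST_RULES = [
    Rule("sqli-001", re.compile(r"\bor\b\s+\d+\s*=\s*\d+|\bunion\b\s+select\b|--|/\*", re.I), 5),
    Rule("xss-001", re.compile(r"<\s*script|\bon\w+\s*=|javascript:", re.I), 5),
    Rule("lfi-001", re.compile(r"\.\./|\.\.\\|/etc/passwd", re.I), 5),
    # Hypothetical virtual patch: an imagined unpatched /api/export endpoint
    # mishandles template braces, so reject them there until the fix ships.
    Rule("vpatch-001", re.compile(r"[{}]"), 5, path_prefix="/api/export"),
]
BLOCK_THRESHOLD = 5


def normalize(value: str) -> str:
    """Percent-decode until stable (max three rounds) so double-encoded
    payloads are inspected in the form the application would finally see."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, decoded path, arguments
    (query string plus form body) and headers."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    args = parse_qsl(parts.query, keep_blank_values=True)
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        args += parse_qsl(body, keep_blank_values=True)
    return {"method": method, "path": unquote(parts.path), "args": args, "headers": headers}


def evaluate_blocklist(req: dict, threshold: int = BLOCK_THRESHOLD) -> dict:
    score, matched = 0, []
    values = [normalize(v) for _, v in req["args"]]
    for rule in BLOCKLIST_RULES:
        if rule.path_prefix and not req["path"].startswith(rule.path_prefix):
            continue
        if any(rule.pattern.search(v) for v in values):
            score += rule.score
            matched.append(rule.rid)
    return {"allowed": score < threshold, "score": score, "matched": matched}


# Positive security model: the application's documented interface. Anything not
# listed (endpoint, parameter name, or value shape) is refused. Values are not
# decoded here: an encoded payload still contains '%' and fails the pattern.
ALLOWLIST_PROFILE = {
    ("GET", "/search"): {"q": re.compile(r"[\w .-]{1,100}")},
    ("POST", "/login"): {"user": re.compile(r"[\w.@-]{1,64}"), "password": re.compile(r".{8,128}")},
}


def evaluate_allowlist(req: dict) -> dict:
    schema = ALLOWLIST_PROFILE.get((req["method"], req["path"]))
    if schema is None:
        return {"allowed": False, "reason": "endpoint not in profile"}
    for name, value in req["args"]:
        pattern = schema.get(name)
        if pattern is None:
            return {"allowed": False, "reason": f"parameter {name!r} not in profile"}
        if not pattern.fullmatch(value):
            return {"allowed": False, "reason": f"parameter {name!r} fails value check"}
    return {"allowed": True, "reason": "matches profile"}


def inspect_request(raw: str, mode: str = "blocklist") -> dict:
    req = parse_request(raw)
    return evaluate_blocklist(req) if mode == "blocklist" else evaluate_allowlist(req)


# Constructed sample requests; the host and endpoints are made up.
SAMPLE_REQUESTS = {
    "legit_search": "GET /search?q=blue+widgets HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "sqli": "GET /search?q=1%27%20OR%201%3D1%20-- HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "double_encoded_xss": "GET /search?q=%253Cscript%253Ealert(1)%253C/script%253E HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "traversal": "GET /files?name=..%2F..%2Fetc%2Fpasswd HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "virtual_patch_hit": "GET /api/export?template=%7B%7Buser.secret%7D%7D HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "post_login": ("POST /login HTTP/1.1\r\nHost: shop.example\r\n"
                   "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                   "user=alice&password=correct-horse-battery"),
    "unknown_endpoint": "GET /admin/debug?x=1 HTTP/1.1\r\nHost: shop.example\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLE_REQUESTS.items():
        block = inspect_request(raw)
        allow = inspect_request(raw, "allowlist")
        print(f"{name:20} blocklist={block['allowed']!s:5} {block['matched']} allowlist={allow['allowed']!s:5} {allow['reason']}")
```

Running the script shows the difference between the two models on the same traffic: the blocklist passes the unknown /admin/debug request because nothing in it matches a signature, while the allowlist refuses it; the double-encoded script tag is only caught by the blocklist because the values are decoded before matching. The virtual-patch rule is the pattern from the zero-day discussion above: a narrowly scoped rule, tied to one path, that can be shipped in minutes and removed once the application is fixed.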

Popular Web Application Firewalls

There are dozens of WAFs to choose from. Although they offer similar core functionality, they differ in focus and features. To conclude this article, we’ll look at four widely used WAFs.

ModSecurity

ModSecurity, or ModSec, is an open-source WAF initially developed as a module for the Apache web server. It subsequently evolved into a cross-platform WAF for Apache, Nginx, and Microsoft Internet Information Services (IIS). 

ModSecurity secures web apps using rules that determine which requests to accept and which to block. Users can write their own, but there are many pre-made rule sets. The most widely used is the OWASP ModSecurity Core Rule Set (CRS), which provides generic protection against the attack classes in the OWASP Top Ten, including SQL injection, cross-site scripting, and local file inclusion. CRS uses anomaly scoring: each matched rule adds to a per-request score, and the request is blocked when the total crosses a configurable threshold rather than on any single match, which keeps false positives manageable. 

AWS WAF

AWS WAF is a managed cloud WAF provided by Amazon Web Services. It is easy to configure and deploy, and pricing is based on the web ACLs and rules you deploy and the number of requests inspected rather than on provisioned capacity. Users can create their own rules, and AWS also provides Managed Rules, pre-configured rule groups that each cover a specific range of threats. AWS’s own managed rule groups are available at no additional charge, and more specialized sets are sold on the AWS Marketplace, including OWASP Top Ten sets. 

In addition to standard WAF features, AWS WAF provides bot control functionality, which lets users monitor bot traffic and block or rate-limit bots that generate excessive traffic. 

Watch Introduction to AWS WAF and Shield and Protecting API Gateways with WAF Rules to learn more about AWS WAF. 

Azure Web Application Firewall

Azure Web Application Firewall is a cloud WAF offered by Microsoft’s Azure cloud platform. It provides much the same functionality as AWS WAF, including managed rulesets that protect against the OWASP Top Ten and other common threats. 

Cloudflare WAF

Cloudflare WAF is part of Cloudflare’s range of CDN and security services. It is a cloud WAF integrated with Cloudflare’s global network, providing managed and custom rules, protections based on machine learning, and rapid deployment of rules to protect from emerging zero-day vulnerability threats. 

Web Application Security and Compliance with KirkpatrickPrice

A web application firewall is one component of an effective security and compliance program. KirkpatrickPrice provides a range of services to help businesses secure their infrastructure and comply with regulatory frameworks and standards, including compliance audits, penetration testing, and remote access security testing.

Information security regulations and standards often require businesses to perform regular maintenance tasks to ensure compliance. For example, PCI DSS Requirement 6 says merchants must deploy critical patches within a month of release. Failure to complete these tasks on time risks non-compliance. 

Unfortunately, many security-related tasks are disruptive—updating a server operating system can take the server offline. Therefore, businesses prefer to carry out patching and other potentially disruptive activities during scheduled maintenance windows. These typically occur during low traffic periods or when redundant infrastructure is available.

AWS Systems Manager Maintenance Windows is a cloud service capability that helps businesses manage and automate maintenance windows. In this article, we’ll explore what AWS Systems Manager Maintenance Windows is and how you can use it to automate compliance tasks. 

What is AWS Systems Manager Maintenance Windows?

AWS Systems Manager Maintenance Windows is a capability of AWS Systems Manager, a cloud service that allows IT administrators to automate repetitive operations and management tasks. We discussed Systems Manager in depth in How to Get Started Using AWS Systems Manager, so in this article, we’ll focus exclusively on its Maintenance Windows capability. 

The Maintenance Windows capability schedules actions to be carried out at a specified time on a subset of your AWS infrastructure. It can automate actions on managed EC2 instances and on other resources, such as S3 buckets and Amazon DynamoDB tables, that can be grouped with AWS Resource Groups and Tag Editor.

Each maintenance window consists of:

  • A schedule that determines when to carry out tasks.
  • A maximum duration to limit the length of each maintenance window. 
  • A cutoff: the number of hours before the end of the window after which no new tasks are started, so that a task started late is not interrupted when the window closes.
  • Registered targets: the cloud resources that actions will impact. 
  • Registered tasks: the actions the system will take within the scheduled period.

What Actions Does Maintenance Windows Support?

Maintenance Windows supports various task types that are part of other Systems Manager capabilities. These include:

  • Run Command for executing configuration commands and tasks on managed instances, including EC2 nodes and on-premises servers and VMs.
  • Workflows from AWS Systems Manager’s Automation capability. 
  • Serverless AWS Lambda functions.
  • AWS Step Functions state machines. 

Together, these task types can schedule and automate a wide range of compliance activities, including application updating, OS patching, executing shell scripts, launching serverless functions that carry out further compliance tasks, altering node configurations, and much more. 

Setting Up an AWS Maintenance Window

Maintenance Windows is a powerful automation tool with many options. We can’t cover all of its features here, but to give you an idea of what’s involved, let’s walk through the setup of a simple maintenance window that updates the SSM Agent installed on an EC2 instance.  

Assuming you have already configured Systems Manager to work with your EC2 instance, as described in the Systems Manager documentation, the setup process is as follows: 

  1. Navigate to AWS Systems Manager and select Maintenance Windows from the sidebar menu.
  2. Click “Create Maintenance Window.” Provide a name and set up a schedule. The console provides a graphical schedule builder, but you can also enter rate expressions or cron expressions directly. 
  3. Once the maintenance window is scheduled, select it from the list. You’ll be presented with a tabbed interface where you can register tasks and designate targets. 
  4. On the Tasks tab, select Register tasks and choose Register Run Command task from the dropdown menu. 
  5. Select AWS-UpdateSSMAgent from the Command Document section and choose your instance in the Targets section. 
  6. Click Register Run Command at the bottom of the page.
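The six console steps above expressed as an added Python example using boto3; this is not code from AWS or the original article. The pure functions build and validate the parameters for the three API calls behind the console (create_maintenance_window, register_target_with_maintenance_window, and register_task_with_maintenance_window) and check the schedule expression and duration/cutoff relationship before anything is sent; apply() makes the calls and needs AWS credentials with Systems Manager permissions. The instance ID, the service role ARN, and the window name are placeholders.

```python
"""Create a Systems Manager maintenance window that runs AWS-UpdateSSMAgent
on one instance. Added example; not code from AWS or the original article.
The instance ID and service role ARN below are placeholders."""
import re

INSTANCE_ID = "i-0123456789abcdef0"                                        # placeholder
SERVICE_ROLE_ARN = "arn:aws:iam::123456789012:role/MaintenanceWindowRole"  # placeholder

CRON_RE = re.compile(r"^cron\(([^)]+)\)$")
RATE_RE = re.compile(r"^rate\((\d+) (minute|minutes|hour|hours|day|days)\)$")


def validate_schedule(expr: str) -> str:
    """Accept the two formats Maintenance Windows supports: a six-field
    cron(...) expression or a rate(...) expression. Raise ValueError otherwise."""
    m = CRON_RE.match(expr)
    if m:
        fields = m.group(1).split()
        if len(fields) != 6:
            raise ValueError("cron() takes six fields: minutes hours day-of-month month day-of-week year")
        day_of_month, day_of_week = fields[2], fields[4]
        if (day_of_month == "?") == (day_of_week == "?"):
            raise ValueError("exactly one of day-of-month and day-of-week must be '?'")
        return expr
    m = RATE_RE.match(expr)
    if m:
        value, unit = int(m.group(1)), m.group(2)
        if value < 1 or (value == 1) != (not unit.endswith("s")):
            raise ValueError("rate() uses a singular unit for 1 and a plural unit otherwise")
        return expr
    raise ValueError(f"unsupported schedule expression: {expr!r}")


def is_valid_schedule(expr: str) -> bool:
    try:
        validate_schedule(expr)
        return True
    except ValueError:
        return False


def maintenance_window_params(name, schedule, duration_hours, cutoff_hours, timezone="UTC") -> dict:
    """Parameters for create_maintenance_window. Cutoff is the number of hours
    before the window ends at which no new tasks are started, so a task that
    begins late is not interrupted when the window closes."""
    if not 1 <= duration_hours <= 24:
        raise ValueError("duration must be between 1 and 24 hours")
    if not 0 <= cutoff_hours < duration_hours:
        raise ValueError("cutoff must be shorter than the duration")
    return {
        "Name": name,
        "Schedule": validate_schedule(schedule),
        "ScheduleTimezone": timezone,          # IANA name, e.g. "America/New_York"
        "Duration": duration_hours,
        "Cutoff": cutoff_hours,
        "AllowUnassociatedTargets": False,     # tasks may only run on registered targets
    }


def target_params(window_id: str, instance_ids: list) -> dict:
    """Parameters for register_target_with_maintenance_window."""
    return {"WindowId": window_id, "ResourceType": "INSTANCE",
            "Targets": [{"Key": "InstanceIds", "Values": list(instance_ids)}]}


def update_agent_task_params(window_id: str, window_target_id: str, service_role_arn: str) -> dict:
    """Parameters for register_task_with_maintenance_window: a Run Command
    task executing the AWS-UpdateSSMAgent document on the registered target."""
    return {
        "WindowId": window_id,
        "TaskType": "RUN_COMMAND",
        "TaskArn": "AWS-UpdateSSMAgent",
        "ServiceRoleArn": service_role_arn,
        "Targets": [{"Key": "WindowTargetIds", "Values": [window_target_id]}],
        "MaxConcurrency": "1",   # one instance at a time, so a bad update is contained
        "MaxErrors": "1",        # and the run stops after the first failure
        "Priority": 1,
        "Name": "update-ssm-agent",
    }


def apply(instance_ids: list, service_role_arn: str) -> tuple:
    """Make the three API calls (requires AWS credentials with SSM permissions)."""
    import boto3
    ssm = boto3.client("ssm")
    window_id = ssm.create_maintenance_window(**maintenance_window_params(
        "sunday-0200-agent-update", "cron(0 2 ? * SUN *)", 3, 1))["WindowId"]
    target_id = ssm.register_target_with_maintenance_window(
        **target_params(window_id, instance_ids))["WindowTargetId"]
    task_id = ssm.register_task_with_maintenance_window(
        **update_agent_task_params(window_id, target_id, service_role_arn))["WindowTaskId"]
    return window_id, target_id, task_id


if __name__ == "__main__":
    print(apply([INSTANCE_ID], SERVICE_ROLE_ARN))
```

Two points worth noting when you adapt this: the service role the window assumes must trust ssm.amazonaws.com and carry the permissions Run Command needs (AWS publishes a managed policy for this purpose), and MaxConcurrency/MaxErrors are deliberately set to one so that an agent update that breaks connectivity stops after a single instance instead of rolling across the fleet.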

As you can see, setting up scheduled automations to take care of repetitive compliance tasks is straightforward. We’ve only scratched the surface of what you can do with Maintenance Windows, so be sure to check out the Guidebook for more information. 

State Manager vs. Maintenance Windows

AWS Systems Manager also has a capability called State Manager. There is some overlap between State Manager and Maintenance Windows: both can be used to automate tasks. However, State Manager may be a better choice for compliance tasks where the goal is to keep managed node configurations in a consistent state and for compliance reporting. Before choosing a compliance automation service, read Choosing between State Manager and Maintenance Windows. 

Learn About AWS Compliance with KirkpatrickPrice

To learn more about AWS compliance, visit our cloud security and compliance resources, which provide expert guidance for cloud audits, regulatory compliance, and information security, or connect with an expert today. 

Everyday system management tasks can be time-consuming and get in the way of efficient business operations. These tasks include OS and software patching, script execution, and service maintenance windows. Failure to complete them can lead to non-compliance with information security regulations and standards. 

AWS Systems Manager is a cloud service that allows businesses to automate many everyday system management tasks. Automating these tasks is a great way to ensure your organization remains secure and compliant without spending extra staff time. 

Using AWS Systems Manager, businesses can:

  • Automate time-consuming compliance activities.
  • Improve control over and visibility of IT assets.
  • Reduce the cost of compliance.
  • Ensure that compliance tasks are completed on schedule.
  • Run tasks automatically in response to CloudWatch events and other triggers.

AWS Systems Manager can automate tasks on EC2, AWS’s native virtual server platform, and on servers hosted on other cloud platforms and in on-premises data centers, saving your organization time and helping you achieve your compliance goals. Let’s discuss what AWS Systems Manager is, how it can help your organization, and how you can start using it today. 

What Is the AWS Systems Manager?

AWS Systems Manager provides capabilities that can be configured to carry out actions on remote servers. Capabilities are divided into several categories, including:

  • Application management
  • Change management
  • Node management
  • Operations management

Each of these categories contains several capabilities. To take one category, node management includes Compliance, which scans nodes for configuration that does not match policy; Patch Manager, which automates security patching and updating; and Run Command, which executes scripts and commands on managed nodes. 

How Does AWS Systems Manager Work?

AWS Systems Manager is primarily an agent-based service. It depends on a software agent, the AWS Systems Manager Agent (SSM Agent), which runs on managed nodes: EC2 instances, edge and IoT devices, and on-premises physical servers and virtual machines. 

The user configures Systems Manager capabilities via the console, the AWS CLI, or the API. The service then communicates with the SSM Agent installed on each node, which carries out the intended action, whether that is applying OS patches, verifying configurations, or running a script. 

Once an action has been performed, AWS Systems Manager can send operations data to other configured AWS services for logging, monitoring, and alerting, including CloudWatch, S3, EventBridge, and CloudTrail. 

As you can see, AWS Systems Manager can be a valuable compliance tool, allowing AWS users to schedule, automate, and enforce essential compliance tasks that might otherwise be missed. It gives businesses confidence that compliance actions are carried out in line with security and compliance policies, as well as helping them to identify potential compliance gaps and challenges.

Setting Up AWS Systems Manager for Your Cloud Environment

The set-up process for AWS Systems Manager differs depending on the capabilities you would like to use and the resources you would like to manage.  However, let’s take a high-level look at setting up AWS Systems Manager for EC2 instances.

  1. Create IAM users and groups for use with Systems Manager. Users and groups with the AmazonSSMFullAccess policy have complete access to Systems Manager capabilities, but you should scope users, groups, and roles to the specific needs of your organization. We strongly advise against using the AWS root user or members of an administrators group for day-to-day Systems Manager work. 
  2. Create an IAM instance profile to permit AWS Systems Manager to perform actions on your EC2 instances. 
  3. Attach the IAM instance profile to the EC2 instances you would like to manage.
  4. Verify that SSM Agent is installed on your EC2 instance. Amazon-provided AMIs such as Amazon Linux and Windows Server include SSM Agent by default; on other images and servers you may have to install it manually. 
  5. Create a VPC endpoint for AWS Systems Manager to use. This is an essential security step, as we explain in Using VPC Endpoints to Access Systems Manager. 
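The five setup steps above as an added Python/boto3 example; this is not code from AWS or the original article. It creates the instance role with an EC2-only trust policy and the AmazonSSMManagedInstanceCore managed policy (the minimum the agent needs, rather than full Systems Manager access), wraps it in an instance profile, attaches that to the instance, lists the interface endpoint service names step 5 refers to, and then checks through DescribeInstanceInformation whether the agent has actually registered. The region, instance IDs, and role name are placeholders, and the sample DescribeInstanceInformation output is constructed; onboard() needs AWS credentials.

```python
"""Onboard an EC2 instance to Systems Manager with a least-privilege instance
role and verify that SSM Agent has registered. Added example; not code from
AWS or the original article. Identifiers below are placeholders."""
import json

REGION = "us-east-1"                      # placeholder
INSTANCE_ID = "i-0123456789abcdef0"       # placeholder
ROLE_NAME = "SSMManagedInstanceRole"      # placeholder
# AWS managed policy with just what the agent needs (not AmazonSSMFullAccess)
MANAGED_POLICY_ARN = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"


def ec2_trust_policy() -> dict:
    """Trust policy allowing only the EC2 service to assume the instance role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole"}]}


def ssm_endpoint_services(region: str) -> list:
    """Interface endpoint service names an instance needs to reach Systems
    Manager privately: the SSM API, the Session Manager/Run Command message
    channel, and the EC2 messages channel. Pass each to ec2.create_vpc_endpoint
    with VpcEndpointType="Interface"."""
    return [f"com.amazonaws.{region}.{svc}" for svc in ("ssm", "ssmmessages", "ec2messages")]


def agent_status(instance_information: list) -> dict:
    """Reduce DescribeInstanceInformation output to instance -> PingStatus."""
    return {item["InstanceId"]: item.get("PingStatus", "Unknown") for item in instance_information}


def not_reporting(instance_information: list, expected_ids: list) -> list:
    """Instances that should be managed but are not Online: either the agent
    has lost contact, or it never registered (no role, or no network path)."""
    status = agent_status(instance_information)
    return [i for i in expected_ids if status.get(i) != "Online"]


# Constructed sample of what describe_instance_information returns.
SAMPLE_INSTANCE_INFORMATION = [
    {"InstanceId": "i-0123456789abcdef0", "PingStatus": "Online", "AgentVersion": "3.2.0.0"},
    {"InstanceId": "i-0fedcba9876543210", "PingStatus": "ConnectionLost", "AgentVersion": "3.1.0.0"},
]


def onboard(instance_id: str, role_name: str, region: str) -> dict:
    """Create role and instance profile, attach it, then check agent status
    (requires AWS credentials with IAM, EC2 and SSM permissions)."""
    import boto3
    iam = boto3.client("iam")
    ec2 = boto3.client("ec2", region_name=region)
    ssm = boto3.client("ssm", region_name=region)
    iam.create_role(RoleName=role_name, AssumeRolePolicyDocument=json.dumps(ec2_trust_policy()))
    iam.attach_role_policy(RoleName=role_name, PolicyArn=MANAGED_POLICY_ARN)
    iam.create_instance_profile(InstanceProfileName=role_name)
    iam.add_role_to_instance_profile(InstanceProfileName=role_name, RoleName=role_name)
    # IAM is eventually consistent: a brand-new profile may not be visible to
    # EC2 for a few seconds, so retry this call if it fails immediately.
    ec2.associate_iam_instance_profile(IamInstanceProfile={"Name": role_name}, InstanceId=instance_id)
    info = ssm.describe_instance_information(
        Filters=[{"Key": "InstanceIds", "Values": [instance_id]}])
    return agent_status(info["InstanceInformationList"])


if __name__ == "__main__":
    print("endpoints:", ssm_endpoint_services(REGION))
    print("agent status:", onboard(INSTANCE_ID, ROLE_NAME, REGION))
```

The check at the end is the one that matters for compliance evidence: an instance that never appears in DescribeInstanceInformation has no working agent, role, or network path, and no patch baseline or maintenance window will ever touch it. Running not_reporting() against your full inventory on a schedule turns that silent gap into a finding.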

Be Sure Your AWS Environment is Secure

Automation is a great tool for increasing efficiency in your organization, but it is also wise to check these automation configurations regularly to ensure they are working like you intended. Let KirkpatrickPrice run a free scan of your AWS environment today so you can be sure it is secure and effective. 

You can learn more about configuring and using AWS Systems Manager and SSM Agent from Amazon’s AWS Systems Manager documentation. For more information about using Systems Manager and other AWS services to improve your company’s security and compliance, visit our comprehensive cloud security resources.

Last year, tens of billions of records were breached and tens of thousands of businesses suffered ransomware attacks. Every company operating in this dangerous environment should have a cybersecurity plan for keeping company and customer data safe—especially data within the scope of information security regulations and standards.  

A cybersecurity plan outlines the policies and procedures a business considers essential to maintaining security and regulatory compliance. It is a written document that results from a comprehensive survey of the company’s risks and the actions it intends to take to mitigate them. 

For example, a business that relies on third-party software tools and libraries may be at risk from code vulnerabilities if they allow software to become outdated. One component of a cybersecurity and security compliance plan would outline how the business intends to mitigate that risk with patch management or update procedures. 

In this article, we’ll detail the five most important questions you should ask when developing a cybersecurity and compliance plan so you can make sure your business is prepared to face today’s threats confidently. 

1. Which Data and Infrastructure Assets Does the Plan Cover?

A cybersecurity plan can only be effective if it accounts for all the business’s security risks. But a business can’t understand those risks unless it knows which data it stores, how sensitive it is, how it is stored and processed, and potential breach scenarios. 

Information gathering is often one of the most challenging steps in preparing a cybersecurity plan. Many businesses do not have complete insight into data storage and processing, especially if these have previously been managed on an ad hoc basis. IT professionals often find it helpful to follow a templated discovery procedure such as the Data Protection Impact Assessment (DPIA) that the GDPR requires for high-risk processing.

2. Do We Need a Professional Security Risk Assessment?

One of the first questions you should ask before creating a cybersecurity plan is: Do we have adequate internal security and compliance expertise? If the answer is no, you may want to consider hiring an expert third party to carry out a comprehensive information security  risk assessment. 

A professional risk assessor examines your IT environment and practices to identify potential risks. A risk assessment is typically conducted under the guidance of a recognized framework such as NIST Special Publication 800-30. It results in a report with the information you need to create an effective cybersecurity plan. To receive guidance on the effectiveness of your business’s risk assessment, upload it here for a free analysis by a KirkpatrickPrice risk expert. 

3. What Are the Relevant Information Security Laws, Regulations, and Standards?

Many businesses that handle sensitive data are required to comply with regulatory frameworks and may choose to comply with information security standards. These regulations and standards should shape their cybersecurity plans. 

Regulatory frameworks may include:

  • PCI DSS for businesses handling credit card data
  • HIPAA for businesses handling sensitive healthcare data
  • GDPR for businesses that operate in the EU
  • FERPA for educational information and records
  • FISMA for businesses interacting with government information and assets

Information security  standards may include:

  • SOC 1 and SOC 2
  • ISO 27001
  • Cloud security standards

Businesses should also consider a compliance audit to ensure they comply with relevant frameworks and standards. 

4. Who Is Responsible for Implementation, Monitoring and Incident Response?

Assigning security responsibilities is a crucial aspect of developing a cybersecurity plan. Security policies must be implemented as procedures and processes that are the responsibility of managers and employees. If no one is responsible, then a cybersecurity plan is a worthless piece of paper. 

For a plan to be implemented, it must have executive support from the company’s leadership. In larger companies, that often takes the form of a Chief Security Officer (CSO) or Chief Information Security Officer (CISO). They ensure that plans and policies are turned into procedures and controls overseen by competent managers and employees throughout the business. 

5. Do Employees Have the Knowledge They Need to Comply?

A cybersecurity plan is a great starting point, but information security is more than policies and procedures. People play a critical role—over 85% of security incidents involve a human element. To successfully implement a security plan, you must ensure employees have the information and the security awareness training they need to do the right thing. 

Check out our recent article on building a positive security culture for your business to learn more about how you can set your employees up for cybersecurity success. 

KirkpatrickPrice Helps Businesses to Create and Audit Their Cybersecurity Plan

KirkpatrickPrice’s team of cybersecurity and risk experts can help your business to achieve its security and compliance goals. We offer a comprehensive range of security services that include:

Contact an information security specialist today to learn more about how we can help you. 

Amazon Web Services (AWS)  and its peers in the cloud market have transformed infrastructure hosting for companies of all sizes.  However, making the move to the cloud can be intimidating and overwhelming, and it may seem more work than it’s worth.  So why has AWS cloud hosting proven to be so successful?  

Having the first-mover advantage played a substantial role: Amazon entered the cloud infrastructure market before its competitors. AWS kicked off the cloud revolution two decades ago.  But being first wasn’t enough—the platform’s success stems from real-world AWS benefits that help businesses to build profitable products and services. 

The following years saw the introduction of EC2, S3, RDS, and a host of other storage and compute services. Today, AWS offers over 100 services in domains as diverse as database hosting, virtual networking, cloud security, and machine learning. AWS is by far the biggest cloud platform globally, with a 33% market share, compared to Microsoft Azure’s 21% and Google Cloud’s 10%. 

We believe AWS cloud hosting can benefit your business in five distinct ways. Let’s take a look at each: 

1. Reduced Infrastructure Cost with On-Demand Pricing

On-demand pricing is a significant benefit of AWS and other cloud services—you pay only for the resources you use. If you need a server, you can deploy one in minutes and only pay for the compute, storage, and network resources it consumes. AWS allows users to share the underlying hardware, reducing lead times and costs compared to bought or leased IT infrastructure.

2. Scalable Compute and Storage

In the pre-cloud era, businesses bought infrastructure to accommodate peak loads, which meant they paid for resources that were idle most of the time. In contrast, the cloud’s scalability allows businesses to scale up and down as demand changes. In a well-managed cloud environment, businesses make significant savings by not paying for idle infrastructure. 

3. Outsourced Infrastructure Management

Cloud platforms like AWS take care of the physical infrastructure and much of the virtual infrastructure. Cloud users are free to focus their IT resources where they generate the most value. Instead of monitoring and managing physical servers and their components, they can spin up virtual machines or take advantage of higher-level Platform-as-a-Service and Software-as-a-Service tools. Users don’t have to worry about the implementation details because they are outsourced to the cloud provider. 

4. A Diverse Array of Enterprise-Grade Services

The variety of enterprise-grade services AWS provides would be extremely costly for a business to build independently. For example, AWS makes it straightforward to build highly available cloud environments with redundant infrastructure distributed across availability zones, data centers, and even continents. These redundancy and availability features are baked into the platform, and they are available to all businesses, from sole traders to giant corporations. 

5. Best-in-Class AWS Security

AWS offers many services and tools to help businesses improve security and compliance. We’ve written extensively about AWS security services and best practices in previous articles, including:

In the early days of cloud computing, businesses worried that moving to the cloud would increase security risk: giving up control of infrastructure and software, they assumed, would lead to more vulnerabilities. In practice, most cloud security and compliance issues are the result of user error and misconfiguration rather than weaknesses in the platform. 

AWS provides tools and services to help improve security, but it’s up to businesses to use them correctly. Another way of putting it is that businesses and AWS share responsibility for cloud security. The dividing line between the user’s responsibility and the platform’s responsibility is not always clear, and it can be challenging for businesses without cloud expertise to make the right decisions. 

KirkpatrickPrice is here to help make sure your transition to the cloud is smooth and secure. We provide a comprehensive array of cloud security services to empower businesses to make the most of AWS while maintaining excellent security and compliance, including:

To learn more about cloud security and compliance, check out our cloud security resources or contact a KirkpatrickPrice information security specialist.