For many of us 2020 was among the most impactful years of our lives. A year ago, I wouldn’t have believed that I would still be working from home today. But here we are.

Now, one year later, we see that many companies decided to allow their employees to work remotely regardless of the Covid-19 situation. One often mentioned reason for this is that companies identified potential cost savings on facilities and infrastructure management, which is correct but not entirely true. The truth is that we were unknowingly a part of a global experiment in the last year. Companies didn’t learn in 2020 that they can save costs by letting their workforce work remotely. They validated that the work efficiency can stay the same while saving those costs.

Studies from Forbes, Stanford and Harvard independently came to similar conclusions although also mentioning concerns of longtime efficiency and the mental health of completely isolated individuals. Even so, remote work environments will likely remain popular, and this can lead to challenges for the IT security staff.

Personally, I will remember 2020 as the year where we not only validated the tools, the services, the platforms, the technologies, but also the vision of our digital transformation efforts.

Web application development has been at the core of business’ digital transformation for a long time now. The Covid-19 restrictions forced companies to offer more services remotely and researchers (like those at ITPro and Thesafetymag) found, that in 2020 the attacks on web applications increased by up to 800%.

When it comes to securing those remote services and web applications, one important component is a Web Application Firewall (WAF).

In the next, more technical part, I will go deeper into some of the security controls for web applications and explain the differences and architectural purposes of a Next Generation Firewall (NGFW) and a WAF before showcasing a product from VMware in the last section.

Differences between NGFW and WAF

A NGFW is called the Next Generation Firewall because it goes beyond the traditional traffic filtering and offers increased security controls with capabilities like deep-packet filtering, application recognition, sandboxing and intrusion prevention system (IPS). However, a NGFW is not a replacement or in direct competition to a WAF.

A WAF is designed to protect the application (Layer 7 of the OSI model) and furthermore is focused on the top-10 OWASP attacks (owasp.org), while a NGFW’s focus is to protect the network. So far, so good, although you could ask yourself: “Why would we need two different solutions?” or more specifically: “Why do we not simply combine all the features in one firewall”?
Short answer: Technically, it would work but it’s likely going to perform poorly.
Long answer: The traditional L3/L4 rules (filtering on IP, source, destination, and port) of a firewall are extremely efficient but combining those rules with WAF policies that are tightly designed to protect an application would lead to a performance hit on the entire traffic.

Additionally to WAFs and NGFWs, web applications can be secured by:

  • Doing application security testing (SASTDAST and IAST)
  • Runtime application self-protection (RASP)
  • Implementing MFA (Multi factor authentication)
  • Implementing a ZTA (Zero trust architecture)

Depending on the type of application, the business case and exposure to the internet a WAF might not always be needed.

The graphic below shows different security controls and how they complement each other to form a security in depth architecture for web applications:

Securing Applications with VMware AVI

AVI Networks was acquired by VMware in 2019 and is a load balancer solution with WAF capabilities. AVI offers a fully virtualized solution with very strong automation features. AVI WAF can be provisioned wherever web applications are running (AWS, Azure, GCP or on-prem).

The Swisscom Outpost validated the latest versions of AVI load balancer and WAF. Some feature tests included:

  • Redundancy, active/active, active/passive deployment
  • Auto scale in/out
  • Certificate handling (server-side and client-side can be checked)
  • Traffic logging for debugging
  • Functional capabilities of WAF
  • Health monitoring (app health)
  • Configurations over GUI, CLI or API
  • Zero-downtime upgrades
  • Blocking OWASP top-10 attacks

AVI has a broad feature set to secure applications and supports API management for automated deployments.

The screenshots below show the detailed log information that AVI provides. It shows how AVI blocked an SQL injection attack. The log details can also be very useful to further debug application issues as it shows the latency between each step from the client to the service and the reason a request was successful or not.

Based on our Proof-of-concept, AVI proved to be a fantastic solution to deploy a WAF on any cloud environment. One of the biggest selling points in my opinion is the flexibility between fast and easy deployment without having to understand a lot about WAFs, and the custom modifications more sophisticated security teams can do with the AVI WAF profiles.

Conclusion

Web applications will continue to be one of the main reasons for data breaches and DevOps teams will continue to develop and deploy in a fast manner. With that, the security teams are challenged to find the best suited security controls, architecture, and practices to build up a defense in depth strategy for web applications.

Don’t forget to secure your home office as well since many attacks on web applications directly target a user of an application:

  • Use VPN if possible
  • Secure/harden the network and devices at home
  • Update browser, operation system and firmware regularly

Please do not hesitate to reach out if you have any questions.
Beni Eugster, Cloud Operation Engineer @ Swisscom Outpost, Palo Alto, California, US, beni.eugster@swisscom.com

May 24, 2021