Photo by Gaurav Sehara on Unsplash

Hardening Online Services

Fortress

Article from ADMIN 93/2026
By
The BunkerWeb web application firewall provides a low-threshold entry point for hardening virtually any application with meaningful, application-independent safeguards.

A web application firewall (WAF) operates at the application layer and analyzes HTTP/HTTPS traffic there. Unlike traditional network firewalls, which primarily filter IP addresses, ports, and protocols at the TCP/IP level, WAFs understand the semantics of web server requests and can therefore detect and block application-specific attacks. A WAF typically acts as a reverse proxy, sitting between the requesting client and the web server running the application. Before being forwarded, incoming HTTP requests pass through several analysis phases:

  • Request parsing: Breaks down the HTTP request into headers, parameters, body, and cookies.
  • Rule set evaluation: Compares values, such as the user agent or specific cookies, against defined security rules.
  • Anomaly assessment: Evaluates suspicious patterns and scores requests for decision making.
  • Decision: Forwards (allows) or rejects (blocks) the request, with the possibility of enforcing additional challenges (e.g., captchas) on the basis of the evaluation.
  • Response filtering: Optionally analyzes outgoing responses depending on the WAF.

Various techniques are used to detect anomalies. They can be signature-based (like virus scanners) or anomaly-based (measured against typical requests; think behavior, such as the frequency of individual queries).
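The analysis phases and both detection styles described above can be sketched as a small scoring pipeline. This is an added example, not BunkerWeb or ModSecurity code: the rules, weights, thresholds, and sample requests are constructed assumptions, and response filtering is left out.

```python
import re
from collections import defaultdict, deque
from urllib.parse import urlsplit, parse_qsl

# Constructed signature rules (pattern, score); production rule sets are far larger.
SIGNATURES = [
    (re.compile(r"(?i)\bunion\b.+\bselect\b"), 5),  # SQL injection pattern
    (re.compile(r"(?i)<script\b"), 5),              # script tag in user input
    (re.compile(r"\.\./"), 4),                      # path traversal sequence
]
BLOCK_AT, CHALLENGE_AT = 5, 3       # assumed score thresholds
RATE_WINDOW, RATE_LIMIT = 10.0, 3   # assumed: max 3 requests per 10 s per client
_history = defaultdict(deque)       # client IP -> timestamps of recent requests

# Constructed sample requests (documentation host and paths, not real traffic).
BENIGN = "GET /search?q=firewall HTTP/1.1\r\nHost: shop.example\r\nUser-Agent: demo/1.0\r\n\r\n"
SUSPICIOUS = "GET /search?q=1+union+select+name+from+users HTTP/1.1\r\nHost: shop.example\r\nUser-Agent: demo/1.0\r\n\r\n"

def parse_request(raw):
    """Request parsing: break raw HTTP text into headers, parameters, body, cookies."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {k.strip().lower(): v.strip()
               for k, v in (l.split(":", 1) for l in lines[1:] if ":" in l)}
    cookies = dict(c.strip().split("=", 1)
                   for c in headers.get("cookie", "").split(";") if "=" in c)
    return {"method": method, "headers": headers, "body": body, "cookies": cookies,
            "params": dict(parse_qsl(urlsplit(target).query))}

def score_request(req, client_ip, now):
    """Rule set evaluation and anomaly assessment: return the request's score."""
    values = [*req["params"].values(), *req["cookies"].values(), req["body"]]
    score = sum(w for p, w in SIGNATURES if any(p.search(v) for v in values))
    if not req["headers"].get("user-agent"):   # rule on a header value
        score += 2
    seen = _history[client_ip]                 # anomaly: request frequency
    while seen and now - seen[0] > RATE_WINDOW:
        seen.popleft()
    seen.append(now)
    return score + (3 if len(seen) > RATE_LIMIT else 0)

def decide(raw, client_ip, now):
    """Decision: allow, challenge (e.g., captcha), or block, based on the score."""
    score = score_request(parse_request(raw), client_ip, now)
    if score >= BLOCK_AT:
        return "block"
    return "challenge" if score >= CHALLENGE_AT else "allow"
```

A request that matches no signature can still be challenged once the same client exceeds the rate limit, which is the behavior-based case the paragraph mentions.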

If you are looking to harden your server, BunkerWeb [1] is a well-designed, comprehensive, and modern alternative open source WAF. Based on the NGINX high-performance proxy web server, it extends traditional ModSecurity integration to include additional security modules.

Typical Attacks

Today, attack patterns against web applications primarily home in on vulnerabilities in the web application itself rather than targeting the web server, the programming language, or the database management system. In


...
