While conventional firewalls provide access control and block unauthorized network-level requests, a new generation of this type of device operates at Level 7, specifically protecting communications to and from Web applications and all the resources associated with them.
Application firewalls protect against attacks via HTTP and browsers aimed at manipulating the behavior of applications for malicious purposes. This category includes data attacks, which use special characters or wildcards to change the data; logical content attacks, which target command strings or logical statements; and attacks directed at accounts, files or hosts.
Application firewalls follow two different approaches: a positive security model, which enforces positive behaviour, and a negative security model, which blocks recognized attacks. The positive model learns the logic of the application and builds a security policy that validates known requests as users interact with that application. This approach works as follows:
- The initial policy contains a list of valid start pages. The user's initial request must match one of these start pages before a session policy is created.
- The application firewall examines the page being downloaded, including its links, menus and form fields, and then builds a policy of all requests allowed during the user's session.
- The user’s requests are verified as valid before they are passed to the server. Requests not recognized by the policy are blocked and invalidated.
- The session policy is destroyed when the user session ends. A new one is created for each session.
The negative model blocks detected attacks based on a database of known attack signatures. The approach is as follows:
- The policy is created with a set of known attack signatures.
- The pages served to the user are not analyzed to update the policy.
- Recognized attacks are blocked, while unknown requests (good or bad) are treated as valid and passed to the server for processing.
- All users share the same policy.
Application firewalls are installed between the firewall and the application server, and they operate at Level 7 of the OSI model, controlling all session information that moves both to the server and to the user. Working in real time, they channel the traffic sent to the client through the firewall and, when following a positive model, analyze it to build the policy accordingly. This requires that the application firewall be installed in front of the cache server to ensure that requests are validated.
The client's requests are also channelled through the firewall, which allows only the valid ones through and prevents the rest from reaching the server.
This type of firewall handles both incoming and outgoing session requests, offers inline integration with existing applications and is compatible with Web application technologies.
Application firewalls listen on TCP ports 80 and 443 and accept incoming HTTP / Secure HTTP requests from the client. They analyze each request, associate it with a session (or create one if that is what has been requested), and then match the request against the policy of that session.
If the request (that is, the link) is validated, it is passed to the Web server; otherwise, it is rejected. The response from the Web server arrives at the application firewall, where it is associated with the same session as the request and analyzed, and the policy of that session is updated accordingly. If this is the response to the first request, a cryptographic session cookie is added to the response to identify the client's session in future communications.
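The positive model and the request/response flow described above can be sketched in a few lines. This is an added example, not code from any product; the class and function names, the start pages, the cookie format (session id plus HMAC) and the sample page are assumptions made for illustration, and the cookie is issued when the first request is accepted rather than attached to the first response.

```python
import hashlib, hmac, secrets
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

START_PAGES = {"/", "/login"}      # constructed initial policy (valid start pages)
KEY = secrets.token_bytes(32)      # firewall-side key for the session cookie MAC
LOGIN_PAGE = '<a href="/account">A</a><form action="/login/submit"></form><a href="https://other.example/x">X</a>'  # constructed sample page

class LinkCollector(HTMLParser):
    """Collects same-site link and form targets from a page the server returned."""
    def __init__(self, base):
        super().__init__()
        self.base, self.paths = base, set()
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        target = a.get("href") if tag == "a" else a.get("action") if tag == "form" else None
        if target is not None:
            url = urlsplit(urljoin(self.base, target))
            if not url.netloc:     # links to other hosts never enter the policy
                self.paths.add(url.path)

class PositiveModelFirewall:
    def __init__(self):
        self.sessions = {}         # session id -> paths allowed in that session

    def _mac(self, sid):
        return hmac.new(KEY, sid.encode(), hashlib.sha256).hexdigest()

    def handle_request(self, path, cookie=None):
        """Return (allowed, cookie); a session starts only on a valid start page."""
        if cookie is None:
            if path not in START_PAGES:
                return False, None
            sid = secrets.token_hex(16)
            self.sessions[sid] = set(START_PAGES)
            return True, f"{sid}.{self._mac(sid)}"
        sid, _, mac = cookie.partition(".")
        if sid not in self.sessions or not hmac.compare_digest(mac.encode(), self._mac(sid).encode()):
            return False, None
        return path in self.sessions[sid], cookie

    def handle_response(self, cookie, path, html):
        """Extend the session policy with the links and forms of the served page."""
        collector = LinkCollector(path)
        collector.feed(html)
        self.sessions[cookie.partition(".")[0]] |= collector.paths

    def end_session(self, cookie):
        self.sessions.pop(cookie.partition(".")[0], None)   # policy is per session
```

A request for a path the session has never been shown is rejected even though it matches no attack signature, which is the practical difference from the negative model.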
How it works
Application firewalls block an attack via HTTP or browser by matching incoming requests with known attack signatures or policies.
1- The end user opens an HTTP session and begins making requests to the Web application.
2- The application firewall examines each request and compares it against the database of known attack signatures.
3- The recognized attacks are blocked by the firewall.
4- Valid requests are passed to the application server to be processed.