If you’re planning on taking the Security+ exam, you should have a good understanding of firewalls that protect web servers. For example, can you answer this question?
Q. Which of the following operates on the HIGHEST layer of the OSI model, and is the most effective at blocking application attacks?
A. IDS
B. Router
C. WAF
D. Stateless firewall
Beyond that, do you know why the correct answer is correct and why the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Web Application Firewall
A web application firewall (WAF) is a firewall specifically designed to protect a web application, which is commonly hosted on a web server. In other words, it’s placed between a server hosting a web application and a client. It can be a stand-alone appliance, or software added to another device.
As an example, an organization may host an e-commerce web site to generate revenue. The web server will be placed within a demilitarized zone (DMZ), but due to the data that the web server handles, it needs more protection. A successful buffer overflow attack may be able to take the web server down, allow an attacker to access data, or manipulate data.
Chapter 7 of the CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide, “Identifying Advanced Attacks,” covers different types of attacks, including buffer overflow and cross-site scripting attacks. As an example, many buffer overflow attacks start with a series of no operation (NOOP) commands called a NOOP sled or a NOOP ramp. The WAF inspects the contents of traffic to the web server, can detect this malicious content, and blocks it. Similarly, it can detect malicious code in a cross-site scripting attack.
Note that you wouldn’t use a WAF in place of a network-based firewall. Instead, it provides an added layer of protection for the web application in addition to the network-based firewall.
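To make the two inspections described above concrete, here is a small WAF-style inspector written for this post as an added illustration; it is not code from the study guide or from any WAF product. It parses a raw HTTP request, URL-decodes the query string and form body, and then applies two checks: a NOOP sled (a long run of the x86 NOP byte 0x90) in the request body, and a handful of cross-site scripting patterns. The 32-byte sled threshold, the pattern list, the host name shop.example and the sample requests are all constructed for the example.

```python
# Added illustration: a minimal WAF-style inspector, not a product's code.
import re
from urllib.parse import unquote_plus

# A long run of the x86 NOP byte (0x90) is the classic NOOP sled signature.
# The 32-byte threshold is an assumption made for this example.
NOP_SLED_RE = re.compile(rb"\x90{32,}")

# Small, constructed set of cross-site scripting (XSS) signatures. Real WAF
# rule sets are much larger and normalize far more encodings than this does.
XSS_PATTERNS = [
    re.compile(r"<\s*script\b", re.IGNORECASE),
    re.compile(r"javascript\s*:", re.IGNORECASE),
    re.compile(r"\bon(error|load|click|mouseover)\s*=", re.IGNORECASE),
]


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return method.decode(), target.decode(), headers, body


def normalize(text: str) -> str:
    """URL-decode twice so a double-encoded '<' (%253C) is seen as '<'."""
    return unquote_plus(unquote_plus(text))


def inspect(raw: bytes):
    """Return ('block', reason) or ('allow', None) for one HTTP request."""
    _method, target, headers, body = parse_request(raw)
    # Layer 7 check 1: NOOP sled in the request body (buffer overflow attempt).
    if NOP_SLED_RE.search(body):
        return "block", "NOOP sled in request body"
    # Layer 7 check 2: XSS patterns in the query string and any form body.
    _path, _, query = target.partition("?")
    candidates = [normalize(query)]
    ctype = headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        candidates.append(normalize(body.decode("utf-8", errors="replace")))
    for text in candidates:
        for pattern in XSS_PATTERNS:
            if pattern.search(text):
                return "block", f"XSS pattern {pattern.pattern!r}"
    return "allow", None


# Constructed sample requests (not captured traffic).
BENIGN = b"GET /search?q=blue+widgets HTTP/1.1\r\nHost: shop.example\r\n\r\n"
XSS_QUERY = (b"GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1\r\n"
             b"Host: shop.example\r\n\r\n")
XSS_DOUBLE = (b"GET /search?q=%253Cscript%253E HTTP/1.1\r\n"
              b"Host: shop.example\r\n\r\n")
SLED_BODY = (b"POST /upload HTTP/1.1\r\nHost: shop.example\r\n"
             b"Content-Type: application/octet-stream\r\n\r\n"
             + b"\x90" * 64 + b"AAAA")

if __name__ == "__main__":
    for name, req in [("benign", BENIGN), ("xss", XSS_QUERY),
                      ("double-encoded xss", XSS_DOUBLE), ("sled", SLED_BODY)]:
        print(f"{name:>20}: {inspect(req)}")
```

The point to take from the example is where the decision is made: a packet filter would see only a TCP connection to port 80 or 443 and pass all four requests, while the WAF reads the HTTP content itself. The double-decoding step is the kind of normalization a real WAF performs so that encoding tricks do not slip past a signature.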
Remember this
Web application firewalls provide strong protection for web servers. They protect against several different types of attacks, with a focus on web application attacks such as cross-site scripting attacks.
Advanced Firewalls
Firewall capabilities have advanced significantly over the years and are frequently identified as separate generations. Each new generation includes the capabilities of the previous generation, but adds newer capabilities. The four generations most commonly mentioned are:
- First generation. Packet-filtering rules such as those in the previous section were the first generation of firewalls. First-generation firewalls are stateless. In other words, the firewall examines each packet individually and allows or blocks it based on the set of rules in the ACL.
- Second generation. Second-generation firewalls added in stateful inspection. In other words, the firewall keeps track of established sessions and inspects traffic based on its state within a session. It blocks traffic that isn’t part of an established session.
- Third generation. The third generation added application-level firewalls. An application-level firewall is aware of specific commands used in different applications or protocols. For example, a WAF is an application-level firewall that can inspect HTTP traffic and block malicious HTTP traffic.
- Next generation. Current network-based firewalls integrate multiple capabilities into a single firewall. As new threats emerge, vendors update the firewalls to adapt. Many firewalls integrated into unified threat management appliances (discussed later in this chapter) are next-generation firewalls.
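The difference between the first two generations is easiest to see side by side. The following script, added here as an illustration and not taken from the study guide or any vendor, runs the same three packets through a stateless ACL and through a stateful filter. The addresses, ports, the 10.0.0.0/24 "inside" assumption and the ACL rules are all constructed for the example.

```python
# Added illustration of first- versus second-generation filtering; constructed
# addresses, ports and rules, not any vendor's implementation.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False   # TCP SYN flag
    ack: bool = False   # TCP ACK flag


INTERNAL_PREFIX = "10.0.0."      # assumption: the protected network


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


# First generation: an ordered ACL. Each packet is judged on its own fields.
# Rule shape: (direction, source port or None for any, action).
STATELESS_ACL = [
    ("out", None, "allow"),   # anything leaving the network
    ("in", 443, "allow"),     # return traffic from HTTPS servers
    ("in", None, "deny"),     # everything else inbound
]


def stateless_filter(pkt: Packet) -> str:
    direction = "out" if is_internal(pkt.src) else "in"
    for rule_dir, sport, action in STATELESS_ACL:
        if rule_dir == direction and (sport is None or sport == pkt.sport):
            return action
    return "deny"   # implicit deny when no rule matches


# Second generation: remember sessions opened from inside and admit only
# inbound packets that belong to one of them.
class StatefulFilter:
    def __init__(self):
        self.sessions = set()  # (client, server, client_port, server_port)

    def filter(self, pkt: Packet) -> str:
        if is_internal(pkt.src):
            if pkt.syn and not pkt.ack:   # new outbound connection
                self.sessions.add((pkt.src, pkt.dst, pkt.sport, pkt.dport))
            return "allow"
        # Inbound: must be the reverse of a recorded session.
        key = (pkt.dst, pkt.src, pkt.dport, pkt.sport)
        return "allow" if key in self.sessions else "deny"


# Constructed traffic: a client opens HTTPS, the server replies, then an
# unrelated outside host sends a packet that merely uses source port 443.
OUTBOUND_SYN = Packet("10.0.0.5", "203.0.113.10", 51000, 443, syn=True)
SERVER_REPLY = Packet("203.0.113.10", "10.0.0.5", 443, 51000, syn=True, ack=True)
UNSOLICITED = Packet("198.51.100.7", "10.0.0.5", 443, 51000, ack=True)


def run_scenario() -> dict:
    """Apply both filters to the same packets; returns name -> (stateless, stateful)."""
    stateful = StatefulFilter()
    results = {}
    for name, pkt in [("outbound_syn", OUTBOUND_SYN),
                      ("server_reply", SERVER_REPLY),
                      ("unsolicited", UNSOLICITED)]:
        results[name] = (stateless_filter(pkt), stateful.filter(pkt))
    return results


if __name__ == "__main__":
    for name, (s1, s2) in run_scenario().items():
        print(f"{name:>13}: stateless={s1:<5} stateful={s2}")
```

The stateless ACL has to admit inbound packets from source port 443 so that legitimate replies get back to the client, and it therefore also admits the unsolicited packet, because it has no way to know the packet is not part of any conversation. The stateful filter admits the same reply but denies the unsolicited packet, since no session matching it was ever opened from inside. That is exactly the "blocks traffic that isn't part of an established session" behaviour of the second generation.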
Q. Which of the following operates on the HIGHEST layer of the OSI model, and is the most effective at blocking application attacks?
A. IDS
B. Router
C. WAF
D. Stateless firewall
Answer is C. A web application firewall (WAF) operates on multiple layers up to Layer 7 of the OSI reference model and blocks attacks against a web server.
An intrusion detection system (IDS) also operates on multiple layers up to Layer 7 of the OSI model; however, it is more effective at detecting attacks than blocking them.
A router operates on Layer 3 of the OSI model and it can perform packet filtering.
A stateless firewall only performs packet filtering and isn’t effective against Application layer attacks.