Finding a managed web application firewall that works with your stack and website is a task that requires a lot of research. There are two important technical approaches of which you should be aware before you start.
There are different types of firewalls. In this article, we explain the differences, what a managed web application firewall really is, and how it helps to protect your websites while saving time and money.
But first, let's go over the different types of firewalls – cloud-based and endpoint firewalls.
What is a cloud-based firewall?
One of the easiest ways to understand a cloud-based web application firewall (WAF) is to think of it as a ‘reverse proxy’. A proxy server acts as a go-between for you and the web server you’re trying to access. A reverse proxy does the same on behalf of the web server.
A cloud-based WAF analyzes all HTTP traffic that goes to a web server and filters out any traffic it thinks is malicious. When a visitor tries to access your website, the connection is first made with the firewall’s servers.
It is analyzed there, and if the visitor passes as legitimate, the traffic is forwarded to your website’s server. A good example of a cloud-based firewall is Cloudflare.
A cloud-based firewall has its advantages:
- Your website is protected from DDoS attacks.
- Since a cloud-based WAF analyzes traffic on its own server, it saves your server resources and users will not feel the impact of a failed attack.
What is a DDoS attack? A distributed denial-of-service attack is an attempt to flood your website’s server with so much (false) traffic that it crashes. A cloud-based firewall should detect a DDoS attack and will not forward it to your website.
Like all security measures, cloud-based firewalls are not foolproof. Since one doesn’t run within your website, it has no insight into how your site is built. The checks a cloud-based WAF does on web traffic are based on the most common use cases.
For example, it will not have the rules to identify an attack aimed at a specific plugin vulnerability, nor can it know which user has what permissions on your website. In addition, when a cloud-based firewall is down, so is your site, since no traffic is being forwarded.
What is an endpoint web application firewall?
An endpoint WAF runs within an application. It has access to all the software — plugins, themes — you’ve installed. It can differentiate users based on the permissions you’ve given them and on whether they have been authenticated. Most next-gen firewalls available today have endpoint capabilities.
An endpoint WAF offers a different set of advantages:
- These tend to have fewer false positives, meaning they are less likely to identify real traffic as an attack.
- Endpoint WAFs know the software you’ve installed and so are more prepared to block targeted attacks.
- Your website will not be affected if an endpoint WAF’s server is down. While it won’t update new rules, it will continue to function within your website.
An endpoint WAF is also not without disadvantages. Since it’s installed within your website, it uses the same resources as your website. This could be a problem if your traffic grows and your server is not prepared for it. An endpoint WAF also usually doesn’t have DDoS protection.
Cloud-based WAF vs an endpoint WAF?
Web security is about layers, so the answer is that a combination of the two will always be better than having just one. This is especially true if you’re looking to grow a business or your website is an important business asset.
A cloud-based WAF can help reduce bot traffic and prevent DDoS attacks, while an endpoint WAF is better at identifying and stopping more complicated hacking attempts.
We always recommend a combination of Cloudflare free (cloud-based WAF) and Patchstack (endpoint WAF).
What is a managed web application firewall?
A managed web application firewall is, put simply, a firewall that is managed and updated by someone else. You don’t have to research new vulnerabilities and update the firewall accordingly yourself; the research and updates are done by the company responsible for the service.
A user-friendly managed WAF can do a number of things to ensure your website is protected. Here are some benefits:
- A managed WAF keeps up with the latest software releases and bug fixes. Vulnerabilities in WordPress plugins and themes are the number one reason why websites get hacked. For example, Patchstack’s managed web application firewall receives daily updates to prevent plugin and theme vulnerabilities.
- A managed service is tailored to your needs. Apart from being protected from the OWASP Top 10 vulnerabilities, you can also write your own rules. If you notice something suspicious about your website’s traffic, you can try to address it with custom rules.
- Round-the-clock monitoring means you will be alerted any time there’s something critical for you to look into. With Patchstack, for example, you can get alerts on Slack or email.
- Regular security scans and reports will give you a better understanding of web security. Even if you start as an amateur web designer, you can gain actionable insights into cybersecurity.
- To a certain extent, you can avoid having to hire a cybersecurity expert to look into your website. Not all businesses operate at the scale that allows for such an expense.
Why do you need a managed web application firewall?
There’s a lot of work needed to keep your website safe. You can’t just install a web application firewall and forget about it. It’s necessary to have round-the-clock monitoring and management.
Why? Well, hackers always find new and improved ways to target websites, often through content management systems like WordPress and its plugins.
What’s more troubling is that hackers are targeting small businesses just as much as larger companies. Nearly half (47%) of the small firms they surveyed had suffered a cyberattack in 2019, and the survey authors say this reflects industry data showing a sharp rise in ransom demands.
You need both Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) capabilities in your WAF. An IDS analyzes traffic and alerts you when it detects an attempted cyberattack. An IPS also analyzes traffic coming to your server, but it additionally has the authority to stop data from being sent or delivered if it detects an attack.
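To make the reverse-proxy flow and the IDS/IPS distinction concrete, here is an added example (not Cloudflare or Patchstack code) of a toy request inspector: it normalizes the request, runs a small constructed rule set over it, and then either only records alerts while still forwarding (IDS mode) or blocks with a 403 (IPS mode). The `Request` shape, the three rules and the sample requests are all assumptions made for the example.

```python
"""Toy reverse-proxy inspector showing IDS (alert only) and IPS (block) modes.
Added example; not Cloudflare or Patchstack code. The rule set, request
shape and sample requests are constructed for illustration."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple
from urllib.parse import unquote

# (rule name, request part it inspects, pattern). A real WAF ships hundreds
# of signatures plus anomaly scoring; three are enough to show the flow.
RULES: List[Tuple[str, str, re.Pattern]] = [
    ("path-traversal", "path", re.compile(r"\.\./")),
    ("xss-like", "query", re.compile(r"<\s*script\b", re.I)),
    ("sqli-like", "query", re.compile(r"'\s*or\s+\S+\s*=\s*\S+", re.I)),
]


@dataclass
class Request:
    method: str
    path: str        # URL path without the query string
    query: str       # raw query string ("" if none)
    client_ip: str


@dataclass
class Decision:
    forwarded: bool                  # did the proxy pass the request upstream?
    status: int                      # HTTP status the client ends up seeing
    alerts: List[str] = field(default_factory=list)


def normalize(value: str) -> str:
    """Percent-decode twice so double-encoded payloads hit the same rules.
    Skipping normalization is the classic way a WAF rule gets bypassed."""
    return unquote(unquote(value))


def match_rules(req: Request) -> List[str]:
    """Names of every rule whose pattern matches the normalized request."""
    parts = {"path": normalize(req.path), "query": normalize(req.query)}
    return [name for name, part, pat in RULES if pat.search(parts[part])]


def origin(req: Request) -> int:
    """Stand-in for the protected web server; always answers 200 here."""
    return 200


def handle(req: Request, mode: str = "ips") -> Decision:
    """IDS mode: record alerts but forward anyway. IPS mode: block on any match."""
    alerts = match_rules(req)
    if alerts and mode == "ips":
        return Decision(forwarded=False, status=403, alerts=alerts)
    return Decision(forwarded=True, status=origin(req), alerts=alerts)


if __name__ == "__main__":
    # Constructed sample traffic: one benign page view, one encoded traversal
    # attempt, one script tag in a search parameter.
    samples = [
        Request("GET", "/blog/hello-world", "page=2", "203.0.113.5"),
        Request("GET", "/static/%2e%2e/%2e%2e/config.txt", "", "198.51.100.7"),
        Request("GET", "/search", "q=%3Cscript%3Etest%3C/script%3E", "198.51.100.7"),
    ]
    for mode in ("ids", "ips"):
        for r in samples:
            d = handle(r, mode)
            print(f"[{mode}] {r.client_ip} {r.path}?{r.query} -> {d.status} alerts={d.alerts}")
```

Run it once in each mode and compare: in IDS mode the traversal request still reaches `origin()` and only leaves an alert behind, which is why the article insists on having both capabilities. The double `unquote` is the caveat a practitioner would want to keep: a rule that inspects the raw, still-encoded path never sees `../` at all.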
Of course, inadequate maintenance or configuration of a web application firewall can result in anything from spam content on your website to network access that results in data theft.
Top 10 web application security risks
If you’re looking to learn about web application firewalls and website security and don’t know what to look for, the Open Web Application Security Project (OWASP) is a good place to start your research. OWASP is an online community that has become a trusted source of content on application security.
It does this through open-source projects, and the OWASP “Top 10” has become a standard guide to what your web application security needs to protect you from. It is updated regularly.
The OWASP Top 10 lists the vulnerability types seen most often on the web.
Here’s the current list, to give you an idea of what vulnerabilities make the “Top 10”:
- Injection: This is a flaw that comes from how you accept user input. If the user inputs code (or part of code), like HTML or SQL, and your web server runs it without realizing it’s code, you can give the user unintended access to your website.
- Broken authentication: Your website and the software (plugins, themes) it uses need to authenticate the access each user gets. If this is not implemented properly, a hacker can use broken authentication to get access while pretending to be a genuine user.
- Sensitive data exposure: This is pretty straightforward, and is a development flaw. Web applications and APIs sometimes fail to protect sensitive data, such as financial information. If hackers know of a popular application, like a WordPress plugin, that is vulnerable, they could steal or modify weakly protected data. This can lead to credit card fraud or identity theft.
- XML External Entities (XXE): This is a form of injection, but using XML. A hacker adds or modifies the XML so that it interferes with how an application processes it. It’s about access again, allowing the attacker to see files on the application server. It can also be used to interact with back-end systems that the application can access.
- Broken access control: Even authenticated users have restricted access. However, if access control is broken and not enforced properly, hackers can use such flaws to do damage. They can gain unauthorized rights, or mess around with data like stealing details of user accounts, modifying user data, or changing access rights.
- Security misconfiguration: OWASP says this is the most common issue. Applications come with default configurations, which could be insecure. Or misconfigured, overly detailed error messages give attackers the information needed to compromise your website. Your web application firewall can run scans and audits periodically to detect misconfigurations or missing security patches.
- Cross-Site Scripting (XSS): XSS is different from injection because it targets your users rather than your website’s applications. A vulnerability in a web application allows hackers to run scripts in the victim’s browser, putting the user at risk of being redirected to malicious sites and having their data stolen.
- Insecure deserialization: Once again, it’s about giving hackers a way to run malicious code on your website, this time by tampering with serialized data that your web server processes. You can use a WAF that can detect such attempts to gain back-door access.
- Using components with known vulnerabilities: All the components of a web application, such as libraries, have the same privileges as the application itself. So even if one component of the application has a vulnerability, it can lead to devastating attacks. Always uninstall plugins, themes, and other applications that are known to have vulnerabilities or are not being actively developed anymore.
- Insufficient logging and monitoring: OWASP reports that the time to detect a security breach is over 200 days, and breaches are often found by external researchers. But if you’re diligent in logging and monitoring activity on your website, you might be able to notice an attack before it becomes a problem. A managed WAF often provides regular and automated security reports. You should take the time to go through them.
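The “Injection” item above is easiest to understand with the flaw and its fix side by side. The following is an added example, not code from the article or from Patchstack; it uses Python with an in-memory SQLite database as a stand-in for a WordPress/PHP stack, and the `users` table and its rows are constructed for the demonstration. The point is the one the list item makes: in the vulnerable version the database cannot tell where the query ends and the user’s data begins, in the parameterized version it always can.

```python
"""SQL injection: vulnerable string-built query beside its parameterized fix.
Added example, not the article's or Patchstack's code. SQLite stands in for
the site's real database; the table and rows are constructed."""
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Build a small in-memory users table to query against."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email, role) VALUES (?, ?, ?)",
        [
            ("alice", "alice@example.com", "admin"),
            ("bob", "bob@example.com", "subscriber"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """BAD: the user-supplied value is pasted straight into the SQL text.
    A value containing a quote changes the query's structure, so a lookup
    for one user can turn into a query that returns every user."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """GOOD: the query text is fixed and the value travels separately as a
    bound parameter, so whatever the user typed is compared as plain data."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Constructed input: a quote followed by an always-true condition.
    crafted = "x' OR '1'='1"
    print("vulnerable, normal input :", lookup_vulnerable(db, "alice"))
    print("vulnerable, crafted input:", lookup_vulnerable(db, crafted))
    print("safe, normal input       :", lookup_safe(db, "alice"))
    print("safe, crafted input      :", lookup_safe(db, crafted))
```

Run it and compare the two “crafted input” lines: the string-built query hands back both accounts, the parameterized one hands back nothing, because no user is literally named `x' OR '1'='1`. A WAF rule can catch the common shapes of such input at the edge, but the parameterized query is the fix that holds regardless of what the rule set knows.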
Is a web application firewall all you need?
A WAF, or a combination of WAFs, does a lot, but only so much; other parts are important as well. Even the best security systems will not be useful if you do not follow best practices.
These are things anyone can keep in mind, even if you’re not a security expert:
- Weak passwords are a big problem: As with every digital service, passwords are the first line of defense for your WordPress website. A weak password can give someone admin privileges. It might seem silly, but far too many people use weak passwords. Read how to make sure your passwords are safe here.
- Two-factor authentication: Try a plugin to set up WordPress two-factor authentication. It adds a second layer of security, usually a text (SMS) message, a phone call, or a one-time password (OTP).
- Keep a WordPress activity log: It’s a simple but useful practice. An activity log records all major changes on your website. Take a quick look at it every time you log in. With activity logs, you can see how many failed login attempts your site has had and where they are coming from. It comes in especially handy when your website has more than one admin, so you can easily monitor their activity. The activity log is one of the multiple monitoring options that Patchstack offers.
- Back up your website: Backups allow you to restore your site in case something happens.
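The activity-log item above says you can see how many failed logins you get and where they come from; the added example below (not Patchstack code) shows what a practitioner actually does with that log. The line format and the sample lines are constructed for the example. Two checks are run over the log: a sliding-window count of failures per IP, and the quieter signal of a successful login that immediately follows a run of failures from the same address.

```python
"""Failed-login detection over a WordPress-style activity log.
Added example, not Patchstack code; the log format and lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterator, List, Optional, Tuple

# Assumed line format: "<ISO timestamp> <event> user=<name> ip=<address>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>login_failed|login_success) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample: one IP hammering the admin account and then getting in,
# a legitimate user mistyping once, and a lone failure hours later.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z login_failed user=admin ip=198.51.100.7
2024-03-01T10:00:08Z login_failed user=admin ip=198.51.100.7
2024-03-01T10:00:15Z login_failed user=admin ip=198.51.100.7
2024-03-01T10:00:22Z login_failed user=admin ip=198.51.100.7
2024-03-01T10:00:30Z login_failed user=admin ip=198.51.100.7
2024-03-01T10:00:37Z login_success user=admin ip=198.51.100.7
2024-03-01T10:03:00Z login_failed user=alice ip=203.0.113.5
2024-03-01T10:03:12Z login_success user=alice ip=203.0.113.5
2024-03-01T15:00:00Z login_failed user=bob ip=192.0.2.9
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict, or None for lines that don't match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def events(text: str) -> Iterator[dict]:
    for line in text.splitlines():
        ev = parse_line(line)
        if ev:
            yield ev


def failures_per_ip(text: str, threshold: int = 5,
                    window: timedelta = timedelta(minutes=5)) -> Dict[str, int]:
    """IPs that produced at least `threshold` failed logins inside any `window`,
    mapped to the largest burst seen. Old timestamps fall out of the deque."""
    recent: Dict[str, deque] = defaultdict(deque)
    flagged: Dict[str, int] = {}
    for ev in events(text):
        if ev["event"] != "login_failed":
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[ev["ip"]] = max(flagged.get(ev["ip"], 0), len(q))
    return flagged


def success_after_failures(text: str, min_failures: int = 3) -> List[Tuple[str, str]]:
    """(user, ip) pairs where a successful login came right after a streak of
    at least `min_failures` failures from the same IP: the case worth a look."""
    streak: Dict[str, int] = defaultdict(int)
    hits: List[Tuple[str, str]] = []
    for ev in events(text):
        if ev["event"] == "login_failed":
            streak[ev["ip"]] += 1
        else:
            if streak[ev["ip"]] >= min_failures:
                hits.append((ev["user"], ev["ip"]))
            streak[ev["ip"]] = 0
    return hits


if __name__ == "__main__":
    print("bursts of failures  :", failures_per_ip(SAMPLE_LOG))
    print("success after streak:", success_after_failures(SAMPLE_LOG))
```

The thresholds are the tuning knobs: a single mistyped password from `203.0.113.5` is never flagged, while the burst from `198.51.100.7` trips both checks. Whichever plugin or service writes your activity log, the two questions are the same ones the article asks of the log: how many failures, from where, and did any of them end in a login.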
If you want your websites to be secured, find a managed web application firewall for your website. Patchstack is known for its managed WAF, with a number of features that make it ideal irrespective of your technical skills.