What is a Web Application Firewall (WAF)


A WAF is a network security system that protects web applications from various types of attacks by filtering traffic and allowing only trusted requests through to your web server.

A firewall, by contrast, is a system that monitors and controls the traffic entering and leaving a network. It acts as a barrier between the network and the open internet.

A web application firewall is a specific type of firewall that focuses on the traffic going to and leaving web applications. Standard firewalls act as the first level of security, but today's websites and web services need more. This is where WAFs provide specialized capabilities and thwart attacks aimed specifically at the applications themselves.

Looking for a WAF solution? Check out CDNetworks' Application Shield/WAF.

How does a WAF work?

A WAF works by filtering, monitoring, and blocking suspicious HTTP/HTTPS traffic between a web application and the internet.

Deploying a general-purpose firewall is still a fundamental part of cybersecurity today. Such a firewall sits at the network perimeter and operates at Layers 3 and 4 of the Open Systems Interconnection (OSI) model. Its role is limited to inspecting packets at the IP and TCP/UDP protocol level and filtering traffic based on IP address, protocol type, and port number.

A WAF, on the other hand, operates at Layer 7 (L7) of the OSI model and understands web application protocols. It is essential for analyzing the traffic going to and from a web application and for preventing attacks that would otherwise pass undetected through a traditional network firewall, and it can be used as part of a positive (allowlist) or negative (blocklist) security model.

When deployed, a WAF acts as a reverse-proxy shield between an application and the internet. A forward proxy is an intermediary that protects a client machine; a reverse proxy, by contrast, ensures that clients pass through it before reaching a server. Crucially, a single WAF can protect multiple applications that it is placed in front of.

A WAF uses a set of rules called policies to filter out malicious traffic that attempts to exploit application vulnerabilities, including those in the OWASP Top 10. These security policies are often based on known web attack signatures applied to scan points such as the HTTP headers, the HTTP request body, and the HTTP response body. Rules can also be written to detect patterns in the URL or file extension, to restrict URI, header, and body length, to detect SQL injection and cross-site scripting (XSS), zero-day exploits, and even bots based on their signatures and behavior.
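As an added illustration of the rule types just described (example code written for this page, not CDNetworks' product or any real WAF's rule set), here is a minimal policy evaluator: a positive-model URI allowlist, length limits on URI, headers and body, and negative-model signatures run over the HTTP scan points. The allowed prefixes, limits, and patterns are assumed sample values.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import unquote_plus

@dataclass
class Request:
    method: str
    path: str                      # URI including query string
    headers: dict = field(default_factory=dict)
    body: str = ""

# Negative-model rules: (rule id, signature, scan points it applies to). Illustrative only.
SIGNATURES = [
    ("sqli-union", re.compile(r"(?i)\bunion\b[\s/*]+\bselect\b"), ("path", "body")),
    ("sqli-tautology", re.compile(r"(?i)'\s*or\s+'?\d+'?\s*=\s*'?\d+"), ("path", "body")),
    ("xss-script-tag", re.compile(r"(?i)<\s*script\b"), ("path", "body", "headers")),
    ("path-traversal", re.compile(r"\.\./"), ("path",)),
]

# Length limits and a positive-model allowlist of URI prefixes (assumed values).
MAX_URI_LEN, MAX_HEADER_LEN, MAX_BODY_LEN = 2048, 4096, 65536
ALLOWED_PREFIXES = ("/index.html", "/login", "/api/", "/static/")

def scan_points(req):
    """Yield (scan point, normalized text); decode once so %27 and '+' forms match too."""
    yield "path", unquote_plus(req.path)
    yield "body", unquote_plus(req.body)
    for name, value in req.headers.items():
        yield "headers", f"{name}: {value}"

def evaluate(req):
    """Return ('allow' | 'block', sorted list of matched rule ids)."""
    hits = set()
    # Positive model: anything outside the known application surface is rejected.
    if not req.path.startswith(ALLOWED_PREFIXES):
        hits.add("positive-model-uri")
    # Length restrictions on URI, headers and body.
    if len(req.path) > MAX_URI_LEN:
        hits.add("uri-length")
    if any(len(v) > MAX_HEADER_LEN for v in req.headers.values()):
        hits.add("header-length")
    if len(req.body) > MAX_BODY_LEN:
        hits.add("body-length")
    # Negative model: signature matching over each scan point.
    for point, text in scan_points(req):
        for rule_id, pattern, points in SIGNATURES:
            if point in points and pattern.search(text):
                hits.add(rule_id)
    return ("block" if hits else "allow"), sorted(hits)
```

A real deployment would log every hit with the rule id so that false positives can be tuned per application, which is the "quickly modified policies" benefit the next paragraph describes.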

The main benefit of using a WAF is that these policies can be modified and implemented quickly and easily. Some WAF providers also offer load balancing, SSL offloading, and intelligent automation of these policy modifications using machine learning to optimize your cloud security. This makes it easy to adapt and respond to varying attack vectors and supports Distributed Denial of Service (DDoS) protection.

A WAF cannot protect against every cyber attack, but it strengthens the security of web applications and protects them from the wide range of attacks aimed at them.

Cross-Site Request Forgery

These are attacks that force authenticated users of a web application to take actions that compromise the security of the app. Usually, an attacker tricks the user into clicking a link sent via email. Once the user is authenticated and logged in, they can be forced to perform requests such as transferring funds or changing their profile details and email address. If the attack targets an admin account and succeeds, it could compromise the entire web application.

Cross-Site Scripting

Cross-site scripting attacks are those in which an attacker injects malicious script into a client's browser to steal data, including session cookies, or to alter the content to show false information. This usually happens when a dynamic website built with JavaScript, PHP, or .NET is injected with malicious code. When a user loads the web page, the attacker's script is executed. For example, the user's cookie may be sent to the attacker, who can use it for impersonation.

SQL Injection

This is an attack in which an attacker inserts malicious SQL commands into a website or web application that has user-input data fields, such as a contact form. The injected code executes commands that gain unauthorized access to the database and steal or modify the personal information it contains.

Need DDoS protection and high-performance security solutions? CDNetworks' Flood Shield/DDoS Protection is ideal for mitigating DDoS attacks.

What Are The Different Types of WAFs?

A WAF protects web applications by using threat intelligence to block requests that meet certain preset criteria while allowing approved traffic. It helps protect against cross-site request forgery, cross-site scripting, SQL injection, and file inclusion, attacks in which adversaries try to gain unauthorized access to an application to steal sensitive data or compromise the application itself.

WAFs fall into three types based on how they are implemented.

Network-Based WAF

This is usually a hardware-based WAF installed locally, meaning it is placed close to the server and is therefore easier to access. As is typical of hardware-based deployments, it helps minimize latency but can be expensive to house and maintain.

Host-Based WAF

A host-based WAF is fully integrated into the web application's software; it exists as a module within the application server. This type of WAF is less expensive than a network-based WAF and easier to customize. The drawback is that it consumes local server resources, which can degrade web application performance, and implementation and maintenance can be complex.

Cloud-Based WAF

A cloud-based WAF is more affordable and requires fewer on-premises resources to manage. It is easier to implement and is often delivered as SaaS by a vendor, offering a turnkey installation as simple as changing DNS records to redirect web traffic. Because of the cloud service model, it also has minimal upfront cost and can be continuously updated to keep up with the latest attacks in the threat landscape. CDNetworks offers a cloud-based WAF that is integrated with our global data centers and content delivery network (CDN) and prevents web application-layer attacks in real time.
