As an enabling technology for quick, easy and cost-effective dissemination of information, the Internet is an incredible tool for an IT person to have at their fingertips. We can connect a server to the Internet, load it with documents and images, databases and web pages, or carefully-written applications, and instantly make its contents available to the world. We can allow the world to send us information back. Forms, social media postings, bookings and payments, email messages, and more.
It’s hard to believe that in the early days of the Internet, computer magazines aimed at enterprise IT users would carry articles with titles such as “Does Your Company Really Need a Firewall?”. Amazingly, the answer was not necessarily a foregone conclusion.
Data travels over the Internet in chunks known as packets, typically around 500 bytes long, using a system or protocol called TCP/IP. To send more than 500 bytes you simply send multiple packets. And because each packet also contains details of the destination IP address and a sequence number, everything will get to the right place eventually.
TCP/IP uses the concept of ports, or port numbers, to differentiate different types of traffic. Think of it as a TV receiving sports on channel 9 and documentaries on channel 3. On the Internet, a web server communicates with a visitor’s browser using port 80. Email messages travel between senders, email servers and receivers via port 25. Windows Remote Desktop uses port 3389. In reality, all the data goes down the same cables, but the packets also contain the port number so that the receiving computer knows what to do with the data when it arrives.
A web browser sends a request on port 80 to the server that holds the page it wants. The server, which knows to listen for requests on port 80, receives the request and sends back the required page. All is in harmony. If the browser were to have requested the page via port 90, the web server would never see it.
A firewall, at the simplest level, is a system (hardware or software, or both) that logically sits between one or more computers and their connection to the Internet. It improves security by allowing you to specify rules about which packets are allowed in or out, based on the IP address they came from, their destination IP address, and the port number. Or any combination thereof.
Without a firewall, everyone in the world could access your servers on every possible port (of which there are 65,535). But a firewall ensures, for example, that someone can access your website but can’t use Remote Desktop to log into your web server, because port 80 is open and port 3389 is not.
There is hardly a business on the planet that doesn’t have a firewall nowadays. And for a while, the conventional firewall ruled the security roost and was the first — and often only — line of defense for most companies’ servers. To be fair, it worked pretty well. End users’ PCs were protected by antivirus software, and frequently by a firewall too. Before Windows included one as standard, software firewalls were available from third-party vendors, and many of the best-known examples were available for free.
Internet-facing servers, too, were placed behind firewalls to ensure that they were protected from hackers, whose starting point was (and largely still is) to probe IP addresses on the Internet at random, scanning every port in search of a program on the server that had inadvertently been allowed through the firewall.
But while simply blocking ports worked for a decade or so, it ultimately became insufficient. The Internet, and specifically the web, began to allow companies to operate online in ways that had never been done before. This required the rapid (sometimes too rapid) development of application software, running on servers, which were vulnerable to attacks more sophisticated than a hacker randomly scanning ports.
All software has bugs, as the saying goes. And web applications are no exception. With so many of us buying goods and services online nowadays, rather than merely reading information as we did in the early days of the web, the stakes have never been higher. Criminals are constantly trying to exploit those bugs using a variety of techniques based on common errors made by application programmers, or admins who don’t quite configure things as per the documentation.
In order to understand just what sort of errors application programmers typically make, one need look no further than the OWASP Top 10. OWASP is the Open Web Application Security Project, which aims to inform, educate and research about, well, security in web applications. And it helpfully publishes an annual top 10 list of vulnerabilities causing the most problems among web-based businesses around the world.
If you now find yourself wondering what type of programming error could allow hackers into a server in a way that a conventional firewall cannot stop, let’s look at one of the most common vulnerabilities. It’s known as a SQL injection attack and has been in the OWASP top 10 charts since they started.
To log into a website, you’ll typically see a form on-screen that asks for your username and your password. Behind the scenes, on the server, is a database containing information about every registered user on the site, including their username and password. If you attempt to log in with a username of “Donald” and a password of “smith”, those entries will be passed to the server, which will interrogate the database using a command which effectively says:
“Tell me how many entries in the database contain a username of Donald and a password of smith”.
A result of 1 means that Donald gets logged in. Zero means he doesn’t.
But if a hacker attempts to log into the site with a username of Donald and a password of “smith or 2+2=4”, then the username and password get passed to the application as before, and the database now gets asked how many entries have a username of Donald and a password of smith, or where 2+2=4. The result will be 1 and the hacker is now logged in. The score so far? Hacker: 1. System security: 0.
Techniques such as this, and many others, are used millions of times a day by hackers attempting to break into any web-facing application they can find. And there’s no port number that a conventional firewall can block which would stop them. While blocking access from the hacker’s IP address would work for a short while, the hackers simply move to operate from somewhere else. Or use a solution such as a VPN to hide their IP address. Or use a botnet (a collection of millions of compromised computers) to do the work.
Enter The WAF
To prevent such attacks, the Web Application Firewall was born. Companies which run in-house servers can buy and install one to help prevent literally thousands of attacks, such as the SQL Injection one mentioned, from affecting their system. Organizations that use cloud-based servers, such as those on Alibaba Cloud, have an easier time, as they simply need to purchase the WAF service and enable it. It’s just a few clicks on the account console, and a payment that starts at less than USD $300 a month. There’s nothing to install, no new server to commission, and it’s up and running in 15 minutes. And although it can be specifically configured, tuned and tweaked for specific circumstances, it provides a huge amount of protection straight out of the virtual box, automatically protecting from all the major OWASP threats and thousands more.
A WAF does more than simply scrutinizing port numbers and IP addresses. If a data packet is destined for a database, for example, and contains characters that resemble those used in SQL injection attacks, the WAF will spring into action. The application will never know that someone was trying to hack it. The system administrators, of course, will find out as soon as they make some time to review the logs and reports that the WAF keeps. And yes, it’s good practice to do so.
If a hacker is attempting to bring down a website via a distributed denial-of-service (DDoS) attack, then the huge network of powerful servers which run the WAF will detect it, and the traffic will never get near enough to the target system in order to slow it down.
While conventional firewalls were all the rage in the 1990s, and indeed are still essential, they are no longer sufficient to protect the business which operates online, regardless of whether server-based software was purchased from a vendor or developed in-house. A web application firewall adds another layer of protection, and of peace of mind. If WAF is available from your cloud services provider with just a few clicks and a simple monthly fee, surely there’s no reason not to enable it.