Web Application Firewall (WAF)

It is a firewall that operates at the application layer (Layer 7 of the OSI model) and is designed to monitor, filter and block HTTP/HTTPS traffic to and from a web application.

This type of firewall can be deployed in two different modes:

  • Proxy Mode: it sits inline and receives all traffic destined for the web server before it reaches the server.
  • Monitor Mode: it observes the traffic passively (out of band) and acts only when needed.

Types of attacks mitigated

  • SQL Injection
  • Cross-site Scripting (XSS)
  • Cross-site Request Forgery (CSRF)
  • File Inclusion Attacks
  • Security Misconfigurations
  • DDoS Attacks
  • Data Exfiltration

How this firewall identifies threats

It employs both heuristic (behavioural) analysis, to detect unusual request patterns, and signature-based detection, to find known attack vectors.

Some advanced WAFs are also able to analyse responses from the web server to detect and mitigate attacks like data leakage, where sensitive information might inadvertently be sent in response to a malicious request.

WAFs utilize a set of customizable rules that define which traffic patterns are considered safe and which represent threats.

When a request is classified as malicious or suspicious, the WAF can block it, allow it but log the event, or require extra verification such as a CAPTCHA. When a WAF is in place and a threat actor attacks the website, they will typically see generic error pages that do not reveal that a WAF is in use or that the action was blocked for security reasons, and they may also see delayed responses that cause timeouts on their side.
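The detection and response logic described above, as an added example that is not part of the original article: a minimal WAF-style rule engine that URL-decodes a request, runs signature rules (SQL injection, XSS, file inclusion), applies a behavioural rate heuristic per client, and returns the action the article lists (block, log, or challenge with a CAPTCHA). The signatures, thresholds and request values are constructed for illustration, not a production rule set.

```python
import re
import time
from collections import defaultdict, deque
from urllib.parse import unquote_plus

# Signature rules over the decoded request. Constructed for illustration; a real WAF
# ships a far larger set (e.g. the OWASP Core Rule Set), but the matching idea is the same.
SIGNATURES = [
    ("sqli", re.compile(r"(\bunion\b.+\bselect\b|'\s*or\s+'?1'?\s*=\s*'?1|--\s*$)", re.I)),
    ("xss",  re.compile(r"<\s*script\b|javascript:|on(?:error|load)\s*=", re.I)),
    ("lfi",  re.compile(r"\.\./|/etc/passwd|php://", re.I)),
]

# Behavioural heuristic: sliding-window request count per client IP.
RATE_WINDOW_SEC = 10
RATE_LIMIT = 20
_history = defaultdict(deque)   # client_ip -> timestamps of recent requests

def _too_many_requests(client_ip, now):
    q = _history[client_ip]
    q.append(now)
    while q and now - q[0] > RATE_WINDOW_SEC:   # forget requests outside the window
        q.popleft()
    return len(q) > RATE_LIMIT

def inspect(method, path, query, body, client_ip, now=None):
    """Return (action, reason); action is BLOCK, CHALLENGE, LOG or ALLOW."""
    now = time.time() if now is None else now
    # Normalise before matching: payloads are often URL-encoded to slip past naive patterns.
    decoded = unquote_plus(f"{path}?{query} {body}")
    for name, pattern in SIGNATURES:          # signature-based detection of known vectors
        if pattern.search(decoded):
            return "BLOCK", f"signature:{name}"
    if _too_many_requests(client_ip, now):    # heuristic: unusual request volume
        return "CHALLENGE", "rate-limit"      # e.g. present a CAPTCHA before continuing
    if method not in ("GET", "POST", "HEAD"):
        return "LOG", f"unusual-method:{method}"   # allow, but record the event
    return "ALLOW", "clean"
```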


Host-Based Firewall

It is a firewall installed on a host that operates at the network layer (Layer 3 OSI), transport layer (Layer 4 OSI) and application layer (Layer 7 OSI). It protects the host from network-based threats and controls network traffic by monitoring all incoming and outgoing traffic to and from the host on which it is installed.

Types of attacks mitigated

  • Unauthorized Access
  • Worms and Malware (that use open network ports)
  • Data Exfiltration
  • DoS Attacks
  • Log Tampering

How this firewall identifies threats

Host-based firewalls identify threats using rules that define permitted and blocked traffic. Some host-based firewalls perform stateful inspection of traffic, which means they not only analyse individual packets but also understand and track the state of network connections. This capability allows them to discern legitimate packets for different types of connections, even if the packet headers are designed to deceive.

Some advanced host-based firewalls can control traffic per application, allowing or blocking traffic generated by specific applications rather than just by IP addresses and ports. This is useful for controlling which applications may communicate over the network.

When a host-based firewall detects bad traffic that matches its rules, it can either silently drop or reject the packet. With a silent drop the attacker receives no response to their requests and therefore no feedback. With a reject, on the other hand, the attacker may receive error messages such as “Connection refused” or “Host unreachable”, which tell the attacker that the host is active and indicate that a security mechanism is in place, potentially deterring further attempts.

In some cases, overly aggressive firewall rules might block legitimate traffic, leading to service disruptions or connectivity issues for valid users. This is called a false positive.


Network-Based Firewall

This type of firewall protects traffic across the network rather than a single host; it can manage and control all traffic that passes through it. Network-based firewalls operate at the network layer (Layer 3 OSI), transport layer (Layer 4 OSI) and application layer (Layer 7 OSI) and can allow or deny traffic based on IP addresses, ports and protocols.

Types of attacks mitigated

  • Unauthorized access
  • Network-Based Attacks (e.g. IP Spoofing)
  • DoS and DDoS
  • Port Scans
  • Protocol-based Attacks (e.g. SYN floods in TCP)
  • Data Leakage

How this firewall identifies threats

At the most basic level, network-based firewalls perform packet filtering, examining the header of each packet based on a set of established criteria/rules such as source IP address, destination IP address, port number, and protocol type.

More advanced network-based firewalls perform stateful inspection: they not only look at individual packets but also understand and track the state of active connections, allowing the firewall to recognize packets that are part of an established session and providing more effective control over traffic.

Some network-based firewalls can inspect the data being transmitted, allowing them to understand the application protocol (HTTP, FTP, DNS) being used. This allows the firewall to distinguish between safe application-level operations and potentially malicious activity that abuses those protocols.

When a network-based firewall detects bad traffic, it can drop or reject the packet. With a packet drop (silent drop) the attacker receives no feedback; this is often intended to leave the attacker in the dark. With an active reject, on the other hand, the firewall sends a TCP RST or an ICMP Destination Unreachable message; the attacker receives these and understands that the connection or request is being actively blocked, which sometimes reveals the presence and configuration of the firewall. Sometimes the attacker simply receives timeouts, where their requests or connections get no response at all, leading to confusion and potentially deterring further attempts.
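The rule-based, stateful filtering and the drop-versus-reject distinction described in both the host-based and the network-based sections, as an added example that is not part of the original article: a small stateful packet filter that admits packets of connections it has already allowed, treats a non-SYN TCP packet with no tracked flow as illegitimate even on an open port, and returns what the sender sees for each verdict (nothing for a silent drop, a TCP RST or ICMP port unreachable for a reject). The rule set, addresses and `Packet` type are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"} for a new connection

# Constructed policy for a host exposing only SSH and HTTPS: (proto, dst_port, action).
# ACCEPT admits the flow, DROP discards silently, REJECT discards and answers the sender.
RULES = [
    ("tcp", 22,   "ACCEPT"),
    ("tcp", 443,  "ACCEPT"),
    ("tcp", 23,   "REJECT"),   # telnet probes get a TCP RST back
    ("udp", 161,  "REJECT"),   # SNMP probes get an ICMP port unreachable
    ("*",   None, "DROP"),     # default policy: silent drop, no feedback to the sender
]

def _key(p):
    return (p.proto, p.src, p.sport, p.dst, p.dport)

def _reverse_key(p):
    return (p.proto, p.dst, p.dport, p.src, p.sport)

class StatefulFilter:
    def __init__(self, rules=RULES):
        self.rules = rules
        self.flows = set()   # 5-tuples of connections already admitted

    def decide(self, p):
        """Return (verdict, response); response is what the sender sees, None for silence."""
        # Stateful part: packets of an admitted flow (either direction) pass without re-checking
        # the rules; a non-SYN TCP packet matching no known flow is dropped even on an open port.
        if _key(p) in self.flows or _reverse_key(p) in self.flows:
            return "ACCEPT", None
        if p.proto == "tcp" and "SYN" not in p.flags:
            return "DROP", None
        # Stateless part: first matching rule wins, as in a classic packet filter.
        for proto, port, action in self.rules:
            if proto in ("*", p.proto) and port in (None, p.dport):
                if action == "ACCEPT":
                    self.flows.add(_key(p))
                    return "ACCEPT", None
                if action == "REJECT":
                    return "REJECT", "TCP RST" if p.proto == "tcp" else "ICMP port unreachable"
                return "DROP", None
        return "DROP", None
```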


Next-generation firewall (NGFW)

This type of firewall integrates traditional firewall technology with additional functionality such as intrusion prevention, deep packet inspection and application awareness. NGFWs combine the functionality of a standard firewall with Quality of Service (QoS), which includes the ability to manage and prioritize network traffic, manage bandwidth, and enhance performance and efficiency.

Types of attacks mitigated

  • Application Layer Attacks
    • SQL Injections
    • Cross-site scripting (XSS)
    • Cross-site request forgery (CSRF)
  • Malware and Ransomware
  • Network Exploits
  • Data Exfiltration

How this firewall identifies threats

Unlike traditional firewalls that only inspect packet headers, NGFWs perform deep packet inspection by examining the data within the packet itself; this enables the firewall to determine whether a packet is malicious or legitimate. These firewalls can identify and control applications regardless of the port or protocol being used. Their IPS (Intrusion Prevention System) capabilities include signature-based detection for known threats as well as anomaly-based detection for unknown ones.

NGFWs often integrate external threat intelligence services to receive updates about the latest threats, which helps them dynamically adjust firewall rules to block new and emerging threats.

They also provide detailed visibility into network traffic, users, devices and potential threats.

NGFWs can decrypt and inspect encrypted traffic (HTTPS) to check for hidden threats before re-encrypting it and forwarding it to its destination.

When an NGFW detects malicious behaviour it can perform a silent drop, an explicit rejection or a deceptive response. With a silent drop the attacker receives no feedback or acknowledgment. With an explicit rejection the firewall sends rejection messages to the attacker, such as TCP RST packets or ICMP messages. With deceptive responses it may reply with fake banners or simulate open ports and services that do not actually exist on the host.
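The NGFW capabilities described in this section (deep packet inspection, application identification regardless of port, IPS signatures and a threat-intelligence feed), as an added example that is not part of the original article: the payload is classified as HTTP, TLS or SSH from its own bytes rather than the destination port, a recognised application on an unexpected port is rejected, and HTTP requests are checked against a threat-intelligence domain list and IPS signatures. The indicator values use documentation address ranges and an example domain, and the signature set and expected-port policy are constructed, so none of them are real IoCs or a vendor's rules.

```python
import re

# Constructed threat-intelligence feed (documentation range / example domain, not real IoCs):
# an NGFW would pull these from an external service and refresh them continuously.
THREAT_INTEL_IPS = {"198.51.100.77"}
THREAT_INTEL_DOMAINS = {"malicious.example"}

# Constructed IPS signatures over the payload, standing in for a vendor signature set.
IPS_SIGNATURES = [
    ("sqli", re.compile(rb"union\s+select", re.I)),
    ("xss",  re.compile(rb"<script", re.I)),
]

# Application awareness: which ports each identified application is expected on (constructed policy).
EXPECTED_PORTS = {"http": {80, 8080}, "tls": {443, 8443}, "ssh": {22}}

def identify_app(payload: bytes) -> str:
    """Classify the application from the payload bytes themselves, ignoring the port."""
    if re.match(rb"(GET|POST|HEAD|PUT|DELETE) \S+ HTTP/1\.[01]\r\n", payload):
        return "http"
    if payload[:3] == b"\x16\x03\x01" and len(payload) > 5 and payload[5] == 0x01:
        return "tls"   # TLS record: handshake type 0x16, version 3.1, ClientHello (0x01)
    if payload.startswith(b"SSH-2.0-"):
        return "ssh"
    return "unknown"

def _http_host(payload: bytes) -> str:
    m = re.search(rb"\r\nHost:\s*([^\r\n]+)", payload, re.I)
    return m.group(1).decode("ascii", "replace").strip().lower() if m else ""

def inspect(dst_ip: str, dst_port: int, payload: bytes):
    """Return (action, app, reason); action is DROP, REJECT or ACCEPT."""
    if dst_ip in THREAT_INTEL_IPS:                 # cheapest check first: known-bad destination
        return "DROP", "any", "threat-intel:ip"
    app = identify_app(payload)
    # A recognised application on an unexpected port is a policy violation (e.g. tunnelling):
    # reject it explicitly so the client fails fast instead of hanging.
    if app in EXPECTED_PORTS and dst_port not in EXPECTED_PORTS[app]:
        return "REJECT", app, "app-on-unexpected-port"
    if app == "http":
        # Deep packet inspection of the HTTP request itself: destination host and IPS signatures.
        if _http_host(payload) in THREAT_INTEL_DOMAINS:
            return "DROP", app, "threat-intel:domain"
        for name, sig in IPS_SIGNATURES:
            if sig.search(payload):
                return "DROP", app, f"ips:{name}"
    return "ACCEPT", app, "clean"
```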

Joao Silva
I’m Joao Silva, an Incident Response Analyst who loves everything about cybersecurity. I enjoy tackling practical challenges on platforms like TryHackMe and HackTheBox, and I’m always learning more through industry certifications. My main skills are spotting security risks, analyzing threats, and doing digital forensics. I keep up with the latest technologies and cyber threats to ensure strong security measures. In my spare time, I work on projects to improve server security and automate monitoring. I also like to share my knowledge by publishing content on my website to help others learn. I’m dedicated to protecting data and maintaining system integrity in our constantly changing digital world.
