What is a Web Application Firewall (WAF)?
ฝัง
- เผยแพร่เมื่อ 8 เม.ย. 2018
- Traditional network firewalls (Layer 3-4) do a great job preventing outsiders from accessing internal networks. But, these firewalls offer little to no support in the protection of application layer traffic. Today, threat vectors are being introduced at all layers of the network. For example, the Slowloris and HTTP Flood attacks are Layer 7 attacks...a traditional network firewall would never stop these attacks. But, nonetheless, your application would still go down if/when it gets hit by one of these. It's important to defend your network with more than just a traditional Layer 3-4 firewall. That's where a Web Application Firewall (WAF) comes in. In this video, John outlines what a WAF is and why your web application needs one.
community.f5.com/articles/lig... - วิทยาศาสตร์และเทคโนโลยี
![เกิดใหม่ทั้งทีก็เป็นสไลม์ไปซะแล้ว ซีซั่น 3 - ตอนที่ 59 [ซับไทย]](http://i.ytimg.com/vi/GmW4a8prWUQ/mqdefault.jpg)
I would also add that the reason to have WAFs is it's faster to adjust firewalls than rewrite an application. If your application has a security flaw, adjusting the firewall to "cover" that "weak spot" so to speak is much easier than fundamentally changing the architecture of your app. As humans we strive for perfection, that's why we have secure code standards and such. But the chase for perfection is without end and the app ultimately needs to be deployed, to perform its function, so it's much more productive to design safe apps to the best of your abilities while being efficient and use WAFs as a frontline defense.
Love this comment.
I like this. Being non-tech, i was grappling with the concept. The visual presentation here and the back-to-basics kind of instruction are exactly what i need. THANK YOU👍
glad you enjoyed it!
AGREED!!!
can we just take a moment to appreciate the crazy vizual. You're writing on a glass board (or so it appears) while looking at the cam and it's legibal as we see it in the direct your write which should be mirror reflected. It should look backwards... Great job Cam crew, good job John.
Thanks for the comment and here's the Behind the Scenes for our Lightboards: th-cam.com/video/U7E_L4wCPTc/w-d-xo.html
@@devcentral 👌 Awesome!... I thought John was in boxers for a second... 😆🤣
Great explanation!!! Thank you for your effort.
Great presenter. very simply to follow and easy to listen to.
Glad you lied it and thanks for the comment!
Very well explained... thank you!
I concur with Trevor you present very well and helps "owning the content"✨👍
Sometimes network forensics and security can seem like Romulan..
glad you enjoyed it!
Well explained, thank you!
glad you enjoyed it!
Lovely... Thankyou very much.. Due to your excellent presentation will start my journey to security from today
I'm glad you enjoyed the video!
Amazing explanation!Thanks.
glad you enjoyed it!
This is so amazing! What a great resource :)
glad you enjoy the videos!
Great explanation! Thank you
Quick question, in general, can WAFs protect against LDAP injections as well?
Hi and thanks for the comment!. The primary defense against LDAP injection is proper input validation and a (competent) WAF should be able to do that.
I would have liked to see a couple of details about how it works out. Show code/details on how a specific attack is blocked.
I see the WAF as being valuable to quickly block off things that are learned until the application can be changed. That seems to go against what I see in the field though, since those who use a WAF often lack the commitment to go fix the core problem in the app later. That is surprising on the one hand, but not when leadership tendencies are considered.
very simple and to the point video
Glad you enjoyed it!
"ack el" that's the first time I have heard ACL pronounced like that :D
Good content and clear explanation, liked and subscribed, keep them bringing
glad you enjoyed it!
I am happy about finding this awesome tutorial, thanks a lot
Glad you enjoyed it!
El tema es que los firewalls tradicionales ya no se utilizan y fueron reemplazados por los NGFW que trabajan en la capa de aplicaciones... ¿como compararías un WAF vs NGFW?.. Saludos!
Great video !!!! Clear explain thank you
I'm glad you enjoyed it!
Awesome explanation! Keep up the great work.
glad you enjoyed it!
You are a great speaker man.
Appreciate the comment!
This is good, but you compared a legacy firewall to a WAF, but what about a Next-gen firewall?
Next-Gen firewall does Layer 7/Deep packet inspection, so why would I need a WAF if I had a Next-Gen for example? What does the WAF inspect that the Next-Gen doesn't, especially when both can inspect HTTPs? Thank you!
signatures and constraint. Some NGFW have embeded WAF software, but the differences between that WAF and "the real WAF" is the real WAF can do SSL-offload, and it have much deeper settings on signature (i think that focus on 10 OWASP)
thank you !! you're a great teacher :)
Thanks Trevor...glad you enjoyed the video!
Great Video, easy to understand. Question, if you only have Web Apps in the cloud, no infrastructure, would deploying a Firewall in front of the WAF be of any use or would this add complexity and new costs?
Well, a WAF generally focuses on http(s) (80/443) traffic so there ight be instances where you'd want a Network Firewall (layer 3 - tcp/udp) to protect that traffic. Some WAFs have network security features and much depends on your infrastructure and where the WAF resides within the network. I know that's not a definitive answer but like with many infrastructure questions, it depends. :-)
Really good explanation. Thanks a lot
glad you enjoyed it!
man just started writing mirror alphabets.... he's in different league 🔥
this is how we do the Lightboard Lessons: th-cam.com/video/U7E_L4wCPTc/w-d-xo.html
@@psilvas damn!!
it would be nice if there were subtitles!
agree with u!!!
We'll see what we can do about that and appreciate the comment.
😂😂😂😂😂😂 0:31
😂😂😂😂😂😂 0:36
😂😂😂😂😂😂 0:45 😅
How is he writing backwards? It's hard to stay focused because it's too cool
Thanks for the note! You can see how we do these here: th-cam.com/video/U7E_L4wCPTc/w-d-xo.html
Lol, ya there's some video showing how its all done, but don't watch it cause it's so awesome without! lol ;)
i agree, i'm in awe....
I was about to figure it myself then I saw the t-shirt chest label, fooled myself and said "nah, he must be really writing backwards". So, that's backwards, too? If so, nice touch!
It's even cooler that they printed a flipped logo on his polo shirt.
Backward writing understood but did you design the tshirt with mirror images as well?
Hi. We had shirts made with the logos reversed. :-)
Thank you very much for this video.
...and, thank you for the comment! Glad you enjoyed the video!
Love your videos guys! Would basic WAF theory like this still be relevant in 2022? I know a lot of knowledge in IT Security changes day by day!
We think so but WAFs are moving more toward WAAP - Web Application & API Protection. So, still protecting websites plus, API calls. Hope that helps!
Oh WAAP sounds interesting! Look forward to your lightboard lesson on that one day!
Great explanation !
Glad you liked it! And, thanks for the comment!
Super video.Thank you.
glad you enjoyed it!
How would you integrate a waf with a typical n/w firewall??
What would be the typical packet flow in that case between the clients and the web app servers?
Here's a good lightboard lesson on the "life of a packet" through the BIG-IP. it doesn't explicitly cover everything you asked, but it can provide additional perspective. and, the answer from Blood Sausage is a good one as well!!
th-cam.com/video/qCLEw5xIZ7s/w-d-xo.html
Tamir Zuhair
Isn't this supposed to be handled in the l7 reverse proxy ?
Hi John. Great video. What about the behavior of a WAF with HTTPS? Does it work properly without SSL inspection or does it need an open traffic? Tnks.
Generally it does need to terminate and decrypt the traffic to inspect the data. However, if an organization want to send encrypted traffic direct to the server, a WAF can pass that through if configured to do so. Does that answer your question?
@@devcentral yes, it does. The F5 WAF has built-in stuff to decrypt the traffic before evaluating the data or it requires a separate tool like F5 SSLO?
@@wramarante The WAF can decrypt. SSL Orchestrator can too depending on your infrastructure.
Awesome explanation
glad you enjoyed it!
Hi
thats great, but how can we know over the network before log activity, whether the user is going to to do un-authorize or authorize activity in the web application
Hi Fawad, thanks for the question. When a user requests a web application, you don't immediately know if they are trying to do something good or bad. This is where the Web Application Firewall comes in and inspects each request and ensures it is a safe request (based on all the signatures of the WAF and the protection capabilities it has), and then only allows the request through if it passes the security checks of the WAF. If the WAF finds something unsafe in the request, then it blocks the request from accessing your web application. It does this for every single request, so even if a user gets logs in properly and then (once they are in) starts to do some bad stuff, the WAF will block as soon as the bad stuff starts happening. I hope this helps...thanks!
F5 DevCentral thank you great insight
Do you have plans to produce a Lightboard for 'Advanced WAF' in the near future?
yes we do! stay tuned...it's coming out in the next couple of weeks
Here's the Advanced WAF Lightboard: th-cam.com/video/HBbDKBV4QW0/w-d-xo.html
Hi, i got two small questions: First how is a WAF setup? Is there a physical instance ahead of the web apps within my network?
seconly how does the detection work, is it able to work with complex machine learning models or is the detection of for example XSS signature based?
Other than that great video, thanks :)
WAF can be set up in many different configurations. Most common, historically, is to have an appliance in front of applications. The WAF can be a proxy, itself, or scaled horizontally in front of the app being defended. With modern attacks, most customers are shifting to a multi-layered WAF approach, with Distributed Cloud WAAP taking out signature based attacks before a packet even reaches the data center. Inside the data center, AWAF profiles the applications on a per-uri basis, right down to which unicode characters are allowed! It understands what the expected request and response time are for every element on every uri in your app. Some customers also employ NGINX+ w/ Application Protection to proxy in small environments or even to profile East-West inside an application environment that exists underneath the traditional load balancer / WAF or cloud WAF that is northbound in flow.
Great question! Thanks for watching!
awesome explanation!!!
Glad you enjoyed it!
I hope I will get judgement about this..tnk u very much..
Gud work
Are there hardware WAF’s you can buy of is this something you have to download or program in?
F5's WAF is available in many difference packages, you can reference here: www.f5.com/products/security/advanced-waf.
Highness of your writing skills.....lefty smoothly write
writing backwards?
camera is facing a mirror
Just want to know is this support for web site security , block sql injection and other attacks
Yes, a WAF (if properly configured) can mitigate those types of attacks.
@@devcentral can you suggest any service for hostgater cpannel
Great...thanks a lot..😊😊
glad you enjoyed it!
When he's talking about layers 3 and 4, is he referencing the OSI model?
Yes he is. thanks for the comment!!
@@devcentral Thanks for the quick reply!
Well Explained
My certificate is been used by one company and made server so how could u help me regarding this
Great explanation, but the WAF features you mentioned can also be handled by an NGFW (upto layer 7) as opposed traditional network firewalls (layer3-4). I was hoping you throw a light on the real difference between an NGFW and a WAF.
As I understand NGFW is a package comprising of WAF and IPS/IDS capabilities on a traditional firewall. It is a cost effective solution for SME. At the same time they are prone to single point of failure, having all those features in a single box. For large enterprises, they use separate devices to protect their infrastructure, insuring different layers fo security,
thank you
Glad you enjoyed the video!
What are you using for writing like this?
You can see how we do this: th-cam.com/video/U7E_L4wCPTc/w-d-xo.html
Are you left handed??
Do you write in lateral inverted style??
Is your T-shirt having an inverted text ??
We made a video to explain it all :) th-cam.com/video/U7E_L4wCPTc/w-d-xo.html
Ahh!! The Tshirt has inverted text
can WAF inspect Encrypted/HTTPS traffic too ?
it can, as long as the SSL terminates on the WAF and is decrypted, it can inspect that traffic.
thanks
We appreciate the comment!
I like his reversed logo shirt
he is writing with his right hand actually
inverted writing technique?
Behind the Scenes: th-cam.com/video/U7E_L4wCPTc/w-d-xo.html
Qgm group LLC,is made server using my ISO, finger print,headscan, so what security is given by the government, or security Buro
Great video - but I have a question. Is he writing backwards? Or is the video just reversed? It's magic!
Thanks for the comment! One we get often. ;-) Here's how we produce these: th-cam.com/video/U7E_L4wCPTc/w-d-xo.html
@@devcentral thanks! I guessed right! Its really effective!
You comparing WAF VS very old firewall !
You should compared with NG firewalls.
Thanks for the comment! It's true that firewalls have come a long way in recent days/years. This video is showing the difference between a WAF and some of the older network firewalls. It's important to have the security functionality discussed in the video, so if a newer firewall can get it done, that's great!
não entendi nada
Dude is Davinci writing with left hand backwards
thanks for the comment and this is how we produce these: th-cam.com/video/U7E_L4wCPTc/w-d-xo.html
i want this chinese vision
firewall takes care only layer3-4, that is in stone age.
FLE HOUSE HAS FOUND ITS NEW HOST.
you are SO cute.
i bet you'd like to flood some of his ports with http requests but i am sure he's employing an intrusion prevention system
Shirt blends it with background and arms appear independent of body. Makes hard to focus.
Yang milih allah like 800 ya yang milih dajal abaikan saja
This video is filled with filler, and technical jargon. I bet 90% of viewers still don't understand what a WAF does.
Great explanation ! Thank you ...
glad you enjoyed it!