And the Walls Came Tumbling Down. Web Application Firewalls.
At this point in the Internet’s evolution, we all have firewalls. Some are stand-alone, quite complex, and expensive. Others are built into inexpensive retail routers. These firewalls all have one thing in common: Stateful Packet Inspection (SPI), in which the firewall inspects each packet of information, looking for malformed packets. Malformed packets are to networking as cancer is to normal cells. Malignant.
When malformed packets are found, they are blocked if the SPI Firewall is configured correctly.
Assuming we have a website behind a correctly configured SPI Firewall, how do ransomware and other malware get into a website, and from there infect the site, the networks connected to it, and even website visitors, who in turn inadvertently infect their own networks?
An SPI Firewall does not read or analyze the CONTENTS of the packets. So a hacker can, using a web browser – Chrome is a favorite, with Firefox a close second – upload code to a website, and if the website security is poor, execute it. The uploaded code (program) can then take over the website, and do the evil wishes of its new master. These deeds can range from ad fraud (Clickjacking) to Cryptomining to downloading malware on unsuspecting visitors (Watering Hole Attacks). Web browsing is actually a two-way street, with information returned to the web server while you see the web page.
The SPI Firewall has come tumbling down.
However, all is not lost. There is another tool to bolster the defenses of web sites and keep out hackers: Web Application Firewalls (WAFs). A Web Application Firewall looks at the uploaded contents of the packets – the message – and decides whether to permit it to go through to the web server, or block it. Web Application Firewalls have rules, and permit a high level of customization. So a hacking attempt such as a cross-site scripting attack, one of hackers’ all-time favorites for attempting to hijack websites, is blocked before any code can be executed and immense amounts of harm done.
The Web Application Firewall interacts with the web server software, for example Apache, the most common web server software, or Microsoft’s Internet Information Services (IIS), and carefully screens all uploads. The WAF carefully screens what is allowed in to interact with the web server software, and blocks all else, thereby frustrating hacking attempts.
Web sites are the foundation of the 21st Century’s economy, knowledge base, and socialization. So protecting websites from being hacked means protecting the foundations of our modern civilization. There is no going back to pre-World Wide Web!
At Quantalytics, we utilize an open source software package, ModSecurity (“ModSec”), as our Web Application Firewall. There are other packages. However, ModSecurity is extremely robust and mature, as it was one of the very first Web Application Firewalls to be developed. It has evolved nicely to work with today’s more complex web hosting environments.
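As an illustration of the content inspection described above, here is a minimal ModSecurity v2 configuration for Apache. It is an added example, not Quantalytics' own rule set; the rule ids, body limit and file-extension list are constructed for illustration. It shows the detection-only setting beside the enforcing one, and rules that screen request parameters and uploads.

```apache
# Constructed example for Apache + ModSecurity v2 (mod_security2).
# Rule ids 100001-100003 are arbitrary local ids chosen for this example.
<IfModule security2_module>
    # Weak setting: rules match and log, but nothing is blocked.
    # SecRuleEngine DetectionOnly
    # Corrected setting: disruptive actions such as "deny" are enforced.
    SecRuleEngine On

    # Without body access the WAF sees only the request line and headers,
    # so POSTed form fields and uploads pass through uninspected.
    SecRequestBodyAccess On
    SecRequestBodyLimit 13107200
    SecRequestBodyLimitAction Reject

    # Fail closed if the request body could not be parsed.
    SecRule REQBODY_ERROR "!@eq 0" \
        "id:100001,phase:2,t:none,deny,status:400,log,\
        msg:'Request body failed to parse'"

    # Cross-site scripting: check every parameter name and value after decoding.
    SecRule ARGS|ARGS_NAMES "@detectXSS" \
        "id:100002,phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,\
        deny,status:403,log,msg:'XSS payload in request parameter'"

    # Uploaded code: refuse multipart uploads whose filename is a server-side script.
    SecRule FILES "@rx (?i)\.(?:php\d?|phtml|phar|jsp|aspx?|cgi)$" \
        "id:100003,phase:2,t:none,deny,status:403,log,\
        msg:'Upload of server-side script blocked'"
</IfModule>
```

ModSecurity's recommended starter configuration ships with `SecRuleEngine DetectionOnly`, so a WAF that is installed but never switched to `On` logs attacks without stopping them.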
However, the key to helping secure web sites from hacking is not using this software package in particular. The key is to deploy a Web Application Firewall as part of the basic web site infrastructure. At Quantalytics, we have observed that the vast majority of sites are not protected with a WAF, including the most vulnerable: e-commerce sites as well as web sites run by various government entities, especially smaller ones like counties and towns. Frequently these web sites have a connection back to their office LANs, thereby giving a hacker a back door from which to, among other things, launch ransomware attacks.
So rather than suffer the fate of Jericho when the trumpets were blown, and the walls came tumbling down, deploying a Web Application Firewall to protect websites will keep those walls up, and invaders, out.
Arthur Carp | Quantalytics, Inc. | acarp@quantalytics.com | @quantalytics