Protect your web servers and databases from malicious online attacks by investing in a web application firewall (WAF). The port a network firewall opens for web traffic lets Internet users reach your websites, but that same port also exposes your servers to application-layer attacks, such as SQL injection, in which database commands to delete or extract data are sent through the web application to the backend database.
A WAF can protect your servers better than a traditional IPS/IDS (Intrusion Prevention/Detection System) can, because it inspects the requests themselves and can detect and prevent SQL injections.
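As an added example (not code from the original page), the attack class described above seen from both layers of defence: a minimal WAF-style signature check over request parameters, next to the application-side fix, where the concatenated query is shown beside its parameterized replacement. The rule names, the `orders` table and the sample requests are constructed assumptions, and the signature list is deliberately small.

```python
import re
import sqlite3

# Signatures of the kind a WAF rule set applies to decoded request parameters.
# Deliberately minimal: real rule sets are far larger and are tuned per application.
SQLI_SIGNATURES = [
    ("tautology", re.compile(r"\bor\b\s+\d+\s*=\s*\d+", re.I)),           # OR 1=1
    ("stacked-statement", re.compile(r";\s*(drop|delete|insert|update)\b", re.I)),
    ("comment-truncation", re.compile(r"--|/\*")),                          # -- or /*
]

def inspect_params(params):
    """WAF-style check of request parameters (hypothetical helper).

    Returns a list of (parameter name, rule name) for every parameter that trips
    a signature, or an empty list for a request that should be passed through.
    """
    findings = []
    for name, value in params.items():
        for rule, pattern in SQLI_SIGNATURES:
            if pattern.search(value):
                findings.append((name, rule))
                break  # one finding per parameter is enough to block the request
    return findings

def build_db():
    """Constructed in-memory table standing in for the backend database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?)", [(42, "alice"), (7, "O'Brien")])
    return conn

def lookup_unsafe(conn, raw_id):
    """The exposed pattern: concatenating input lets it change the query's structure."""
    return conn.execute("SELECT id FROM orders WHERE id = " + raw_id).fetchall()

def lookup_parameterized(conn, raw_id):
    """The application-side fix: the input is bound as a value and can never become SQL."""
    return conn.execute("SELECT id FROM orders WHERE id = ?", (raw_id,)).fetchall()

if __name__ == "__main__":
    # Constructed sample requests: a benign lookup, a legitimate name containing an
    # apostrophe (must not be flagged), and two carrying injection payloads.
    samples = ({"id": "42"}, {"name": "O'Brien"}, {"id": "42 OR 1=1"}, {"id": "1; DROP TABLE orders--"})
    for params in samples:
        print(params, "->", inspect_params(params) or "allow")
    conn = build_db()
    print("unsafe:", lookup_unsafe(conn, "42 OR 1=1"))                # every row leaks
    print("parameterized:", lookup_parameterized(conn, "42 OR 1=1"))  # []
```

The signature check is only the first layer; the page's point about dynamic profiling is that a WAF also learns what normal parameters look like, which catches payloads no fixed pattern lists.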
How does it work?
A WAF is a physical device that sits behind your virtual or dedicated firewall and scans the traffic bound for your web servers for malicious requests that could compromise the web application server. It uses dynamic profiling to learn what kind of traffic and which users are normal, so that it can recognise traffic that may be malicious.
Why use it?
If you are a merchant that must meet PCI DSS (Payment Card Industry Data Security Standard) compliance because you collect, store or process cardholder data, then you need to install a WAF in front of all public-facing web applications (requirement 6.6):
For public-facing web applications, ensure that either one of the following methods is in place as follows:
Verify that public-facing web applications are reviewed (using either manual or automated vulnerability security assessment tools or methods), as follows:
- At least annually
- After any changes
- By an organization that specializes in application security
- That all vulnerabilities are corrected
- That the application is re-evaluated after the corrections
Verify that a web-application firewall is in place in front of public-facing web applications to detect and prevent web-based attacks.
Source: PCI DSS Requirements and Security Assessment Procedures, Version 2.0
While application code review is the alternative way to satisfy the same requirement, it is often more costly, more complex and harder to manage on an ongoing basis than a WAF.
For healthcare organizations that collect, store or transmit electronic protected health information (ePHI) and need to meet HIPAA compliance, the Technical Safeguards of the HIPAA Security Rule mandate that they must:
Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. (Standard 164.312(e)(1)).
- Provides an extra layer of protection that a network firewall and IDS cannot provide
- Can prevent attacks and data exposure before they happen by detecting malicious users and suspicious requests for information
- Dynamic profiling lets the WAF set criteria for accepted traffic based on observed user behavior
- Can identify malicious sources and stop automated attacks
- Fulfills PCI DSS requirement 6.6 to install a WAF in front of public-facing web applications
Download our Web Application Firewall datasheet today.