Difference between Web Application Firewall and Network Firewall service

February 6, 2023 | 7 minute read
Catalin Andrei
Master Principal Cloud Architect

Introduction

Web Application Firewall (WAF) and Network Firewall Service are two important services that protect a customer's workloads at the network level. At first glance, to the untrained eye, their features overlap, hence the confusion about how the two services differ and where one is a better fit than the other.

For the tests in this post I used the following scenario: traffic enters OCI through the Internet Gateway, is forwarded to the Network Firewall, then to the Load Balancer (LB) with the WAF attached, and finally reaches the Web Server.


The Internet Gateway has a route table attached with a route for the LB IP address whose next hop is the Network Firewall Service.

The Network Firewall Service (NFWS)

This service is an enhancement over the native OCI Security Lists and Network Security Groups and is powered under the hood by Palo Alto Networks.
There is no feature parity between a Marketplace Palo Alto VM instance and the Service. At the time the service was released there were gaps between the two implementations; in my opinion these gaps will narrow over time.
The NFWS can inspect intra-VCN and inter-VCN traffic, and where the native Security Lists can only allow ("whitelist") traffic, the NFWS offers the actions Allow, Drop, Reject, Intrusion Detection, and Intrusion Prevention.


For an initial reading on the NFWS, I suggest you start with the official reference architecture and continue with the deep-dive posts from my colleagues Bogdan and Aditya.

On the Firewall the following rules are configured:

Sources               Destinations      Applications    Action
--------------------  ----------------  --------------  --------------------
Any IP Address        IP_LB             https           Intrusion Prevention
Any IP Address        IP_LB             http            Intrusion Prevention
net_192_168_110_0     Any IP Address    Any Protocol    Allow

To inspect HTTPS traffic, the firewall has to decrypt it using a decryption profile. I am not using that feature in this post, so while the https rule still matches on protocol and destination, the firewall cannot see the encrypted payload, and the intrusion prevention in this test is exercised only on plain HTTP.

If we launch an attack over HTTP, the firewall detects it and takes the configured action.

Below is a sample log from the Network Firewall when Intrusion Prevention is triggered.

In summary, the Network Firewall is specialized at the network level, as an enhancement of the native OCI Security Lists and Network Security Groups. Its Intrusion Prevention mechanism is not configurable, so the user cannot choose which signatures are active.

The Web Application Firewall

This Service is attached to an Application Load Balancer. It has some Layer 4 capabilities but is best suited for Layer 7 HTTP inspection: it inspects the HTTP traffic and takes a configured action. Several layers of a policy can be configured; in this post I am using an Access Control rule, which allows only a specific source IP address combined with a specific HTTP Host header, and a Protection Rule.
Below are the Access Controls from the policy applied to my test WAF.

Conditions                                                                                                  Action
----------------------------------------------------------------------------------------------------------  ------
i_equals(http.request.host, 'web.ateam-oracle.tk') && address_in(connection.source.address, ['188.X.X.X/32'])  Allow

These Access Controls combine Layer 4 and Layer 7 attributes and are written in the JMESPath condition language. In this example, the Layer 4 detail is the source IP address of the connection and the Layer 7 detail is the HTTP Host header; both conditions must hold for the request to be allowed. More details on conditions can be found here.
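To make the Layer 4 / Layer 7 combination concrete, here is an added example in Python (not code from the original post or from OCI) that models the single access rule above: i_equals and address_in are re-implemented with the semantics their names suggest, the allowed source is a constructed stand-in for the masked 188.X.X.X/32, and the policy's default action for requests that match no rule is assumed to be a block. It goes one step beyond the post by evaluating several requests, including a Host header that differs only in case and an IPv6 client tested against an IPv4 allow list.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# The two condition functions used in the policy above, re-implemented here.
# Names mirror the WAF condition language; the bodies are this example's own.

def i_equals(actual: str, expected: str) -> bool:
    """Case-insensitive string equality, as the policy's i_equals on the Host header."""
    return actual.lower() == expected.lower()

def address_in(addr: str, cidrs: List[str]) -> bool:
    """True if addr lies inside any listed CIDR block, as the policy's address_in.
    An unparseable address is a non-match rather than an exception, so a bad
    value can never accidentally satisfy an allow rule."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        # Compare only within the same address family; an IPv6 client cannot
        # fall inside an IPv4 block.
        if ip.version == net.version and ip in net:
            return True
    return False

@dataclass(frozen=True)
class Request:
    source_address: str   # Layer 4 detail: connection.source.address
    host: str             # Layer 7 detail: http.request.host

@dataclass(frozen=True)
class AccessRule:
    name: str
    condition: Callable[[Request], bool]
    action: str           # "allow" or "block"

ALLOWED_HOST = "web.ateam-oracle.tk"
# Constructed stand-in for the masked 188.X.X.X/32 in the original policy.
ALLOWED_SOURCES = ["203.0.113.7/32"]

# The single access rule from the post; "allow-host" is the rule name seen in the log.
RULES: List[AccessRule] = [
    AccessRule(
        name="allow-host",
        condition=lambda r: i_equals(r.host, ALLOWED_HOST)
        and address_in(r.source_address, ALLOWED_SOURCES),
        action="allow",
    ),
]

# Assumption: requests matching no rule receive the policy's default block action.
DEFAULT_ACTION = "block"

def evaluate(req: Request, rules: List[AccessRule] = RULES,
             default: str = DEFAULT_ACTION) -> Tuple[str, Optional[str]]:
    """First-match evaluation. Returns (action, name of the matching rule or None)."""
    for rule in rules:
        if rule.condition(req):
            return rule.action, rule.name
    return default, None

if __name__ == "__main__":
    samples = [
        Request("203.0.113.7", "web.ateam-oracle.tk"),   # both conditions hold
        Request("203.0.113.7", "WEB.ATEAM-ORACLE.TK"),   # host differs only in case
        Request("203.0.113.8", "web.ateam-oracle.tk"),   # wrong source address
        Request("203.0.113.7", "other.example.test"),    # wrong Host header
        Request("2001:db8::7", "web.ateam-oracle.tk"),   # IPv6 client, IPv4 allow list
    ]
    for req in samples:
        print(req.source_address, req.host, "->", evaluate(req))
```

Only the first two requests are allowed; everything else falls through to the default action, which is the behaviour you want from an allow-list: the failure mode of a bad header or an unexpected address family is a block, not an exception or an accidental match.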

The Protection capabilities use a collection of signatures that can be grouped by the threat they address (for example "SQL Injection"), by CVE number, or by a methodology such as those published by OWASP or PCI.

Because the WAF is attached to the LB, where TLS is terminated, it sees both HTTP and HTTPS requests in the clear and can act immediately when a rule is triggered.

Below you can see a request over HTTPS to the web server whose URL carries an SQL injection payload ("id=1%27%20or%201=1" decodes to "id=1' or 1=1").


The WAF was triggered and responded with the configured HTTP 403. Part of the log for this request is shown below.

{
  "datetime": 1671219822903,
  "logContent": {
    "data": {
      "clientAddr": "188.X.X.X",
      "countryCode": "ro",
      "host": "web.ateam-oracle.tk",
      "listenerPort": "443",
      "request": {
        "agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36",
        "httpVersion": "HTTP/1.1",
        "method": "GET",
        "path": "/?id=1%27%20or%201=1"
      },
      "requestAccessControl": {
        "matchedRules": "allow-host"
      },
      "requestProtection": {
        "matchedData": "Matched Data: s&1 found within ARGS:id: 1' or 1=1;Matched Data: ' or 1= found within ARGS:id: 1' or 1=1",
        "matchedIds": "9421000_v002;942432_v001",
        "matchedRules": "protection"
      },
      "response": {
        "code": "403",
        "contentType": "application/json",
        "size": "145"
      },
      "responseProtection": {},
      "responseProvider": "requestProtection/protection",
      "timestamp": "2022-12-16T19:43:41Z"
    }
  }
}
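As an added example that is not part of the original post, the following Python reads WAF records of the shape shown above (assumed here to arrive as one JSON object per line), percent-decodes the logged path so the payload reads as the attacker typed it, splits the semicolon-separated matchedIds field, and summarizes blocked requests per client. The first sample record is the blocked request from the post, with the client address masked as in the post; the other two records are constructed for this example.

```python
import json
from collections import Counter, defaultdict
from typing import Dict, Iterable, List
from urllib.parse import parse_qsl, unquote, urlparse

# Constructed sample: one JSON record per line, in the shape of the WAF log above.
# Record 1 is the blocked SQL injection request from the post (client masked as in the
# post); records 2 and 3 are made up for this example.
SAMPLE_LOG_LINES: List[str] = [
    '{"datetime": 1671219822903, "logContent": {"data": {"clientAddr": "188.X.X.X", '
    '"countryCode": "ro", "host": "web.ateam-oracle.tk", "listenerPort": "443", '
    '"request": {"method": "GET", "httpVersion": "HTTP/1.1", "path": "/?id=1%27%20or%201=1"}, '
    '"requestAccessControl": {"matchedRules": "allow-host"}, '
    '"requestProtection": {"matchedIds": "9421000_v002;942432_v001", "matchedRules": "protection"}, '
    '"response": {"code": "403", "contentType": "application/json", "size": "145"}, '
    '"responseProvider": "requestProtection/protection", "timestamp": "2022-12-16T19:43:41Z"}}}',
    # Constructed: a benign request from the same client that no protection rule matched.
    '{"datetime": 1671219830000, "logContent": {"data": {"clientAddr": "188.X.X.X", '
    '"host": "web.ateam-oracle.tk", "listenerPort": "443", '
    '"request": {"method": "GET", "httpVersion": "HTTP/1.1", "path": "/?id=42"}, '
    '"requestAccessControl": {"matchedRules": "allow-host"}, "requestProtection": {}, '
    '"response": {"code": "200", "contentType": "text/html", "size": "512"}, '
    '"timestamp": "2022-12-16T19:43:50Z"}}}',
    # Constructed: a second blocked request, matching one of the same rule ids.
    '{"datetime": 1671219840000, "logContent": {"data": {"clientAddr": "188.X.X.X", '
    '"host": "web.ateam-oracle.tk", "listenerPort": "443", '
    '"request": {"method": "GET", "httpVersion": "HTTP/1.1", "path": "/search?q=1%27%20UNION%20SELECT%20null--"}, '
    '"requestAccessControl": {"matchedRules": "allow-host"}, '
    '"requestProtection": {"matchedIds": "942432_v001", "matchedRules": "protection"}, '
    '"response": {"code": "403", "contentType": "application/json", "size": "145"}, '
    '"timestamp": "2022-12-16T19:44:00Z"}}}',
]

def parse_log_lines(lines: Iterable[str]) -> List[dict]:
    """Parse newline-delimited JSON records; blank lines are skipped."""
    return [json.loads(line) for line in lines if line.strip()]

def _data(record: dict) -> dict:
    return record.get("logContent", {}).get("data", {})

def decode_path(path: str) -> str:
    """Percent-decode the logged path: '/?id=1%27%20or%201=1' becomes "/?id=1' or 1=1"."""
    return unquote(path)

def decode_query_args(path: str) -> Dict[str, str]:
    """Decoded query arguments of a logged path (the ARGS:<name> view the WAF reports)."""
    return dict(parse_qsl(urlparse(path).query, keep_blank_values=True))

def matched_rule_ids(record: dict) -> List[str]:
    """matchedIds is a ';'-separated string; return it as a list (empty if none)."""
    ids = _data(record).get("requestProtection", {}).get("matchedIds", "")
    return [i for i in ids.split(";") if i]

def is_protection_block(record: dict) -> bool:
    """Blocked by a protection rule: at least one matched rule id AND the 403 response.
    The 403 alone is not enough, since a backend or access-control 403 looks the same."""
    code = _data(record).get("response", {}).get("code")
    return bool(matched_rule_ids(record)) and code == "403"

def summarize_blocks(records: Iterable[dict]) -> Dict[str, dict]:
    """Per client address: blocked count, decoded paths, and the union of rule ids.
    (In OWASP CRS numbering, which these ids resemble, 942xxx is the SQL injection group.)"""
    summary: Dict[str, dict] = defaultdict(lambda: {"blocked": 0, "paths": [], "rule_ids": set()})
    for rec in records:
        if not is_protection_block(rec):
            continue
        data = _data(rec)
        entry = summary[data.get("clientAddr", "unknown")]
        entry["blocked"] += 1
        entry["paths"].append(decode_path(data["request"]["path"]))
        entry["rule_ids"].update(matched_rule_ids(rec))
    return dict(summary)

def rule_id_counts(records: Iterable[dict]) -> Counter:
    """How often each protection rule id fired across all records."""
    counts: Counter = Counter()
    for rec in records:
        counts.update(matched_rule_ids(rec))
    return counts

if __name__ == "__main__":
    recs = parse_log_lines(SAMPLE_LOG_LINES)
    for client, entry in summarize_blocks(recs).items():
        print(client, entry["blocked"], sorted(entry["rule_ids"]))
        for p in entry["paths"]:
            print("   ", p, decode_query_args(p))
    print(rule_id_counts(recs).most_common())
```

Decoding the path before you read it matters when triaging: the raw log shows "%27%20or%201=1", while the WAF's own matchedData already reports the decoded argument, so comparing the two confirms which part of the payload the signature keyed on.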

The service is highly specialized for HTTP workloads and is aimed primarily at Layer 7 protections.

Conclusion

Today enterprises are moving workloads from their own data centers, where they controlled every layer from physical to application, to public clouds, where those workloads are hosted in a multi-tenant environment with many possible threats.
Cybersecurity is even more relevant in this context, and part of a "Defense in Depth" strategy in the Cloud is network security, which in OCI, besides other mechanisms, should include both the Network Firewall and the Web Application Firewall.
