Centralized Web Application Firewall Security System

In this paper we propose a centralized web firewall system for web application security. It provides a new type of synchronized system that can detect and prevent a variety of web application attacks on a wide range of hosts at the same time, using a centralized command and control system: the attacked client sends the attack information to a centralized command and control server, which distributes it to all of the integrated clients connected to it. The distributed information contains all of the attack details, including the type of attack, the IP address of the attacker, and the time of the attack. Receiving the attacker's information and distributing it through the centralized web firewall is done automatically and immediately at the time of the attack, and every receiving client takes action against the threat according to the distributed information, such as banning the attacker's IP address. The main process aims to protect multiple clients from any further attack by the same attacker or of the same type. The system has been implemented to protect a real web application. Experiments showed that attacks were successfully prevented on multiple hosts at the same time. This paper provides a centralized web firewall system that connects different web firewalls in order to detect and prevent different types of web attacks and works as a fully integrated system with the different clients.


Introduction
Recently, the use of web applications has grown at a revolutionary pace, which has made more web application weaknesses and vulnerabilities appear and more infiltration attempts happen on a daily basis. The development of web applications changed enormously with the appearance of the Internet. Most companies and individuals have started to use web applications on a daily basis (Rababah O. et al., 2016). The web became the main link that connects all users all over the world, and private information about web users is stored in databases. Some of these activities involve sensitive data about the users, such as e-banking, social security, passwords, and money authorization transaction information (Peotta L. et al., 2011). The security of users' information is a major concern for all e-business owners and administrators because of the history of successful infiltration attempts against web applications. Many attackers have been able to compromise web applications and gain access to private data across the globe by exploiting web application vulnerabilities (Chavan S., & Meshram B., 2015). Such cyber threats can cause financial loss for many parties, including private companies and any other type of infrastructure.
Different types of web security mechanisms have been developed to detect and prevent multiple types of web threats.
The idea of detecting web threats and passing the information down to other web hosts plays a major role in preventing attacks performed by the same attacker or using the same attack technique (Chou T., 2013).
There is a demand for better and faster methods and systems that work as a fully integrated system with different web firewalls to detect, warn about, prevent and take action against the attacker.

Related Works
(Shadi Aljawarneh et al., 2013) focused on one issue, namely the integrity of web content. It was shown that, given the limitations of SSL, a loss of web content integrity is possible because of the statelessness of HTTP. In an attempt to overcome this problem, the authors formulated a systematic web security framework that could provide continued, reliable and correct services to external users even after a web data manipulation problem has occurred. They suggested that such a framework offers an increased level of user confidence, since it provides greater protection against web server subversion.
The approach of (Raikar D., 2012) is based on identifying hotspots in the application and the data sources that are trusted, and marking data coming from these sources as trusted, with the rule that only trusted data can form the semantically relevant parts of queries, such as SQL keywords and generators.
A mechanism for detecting SQL injection was developed by (Hidhaya S. et al., 2012). It employs a reverse proxy and the MD5 algorithm to watch for SQL injection in input, and uses grammar-expression rules to check for SQL injection in URLs. Their method requires no changes to the application's source code, and investigating and mitigating the attack is done automatically. Increasing the number of proxy servers lets web applications handle any number of requests without delay and protects the application from SQL injection attacks.
A prevention technique against DDoS attacks on REST-based web services was presented by (Lad and Baria, 2014). In this technique, resources are represented by a special URL generated from the core set of HTTP methods: PUT, POST, GET and DELETE. REST-based web services are easy targets for DDoS. The technique monitors the behavior of each IP address using the number of requested URLs and a threshold-based time interval analysis.
A technique for automatically detecting weaknesses in web applications and preventing many attacks on them was proposed by (Dr. Meshram, 2012). Its function is to monitor all data coming into or going out of the application and to block web-related attacks such as SQL injection, directory traversal, cookie poisoning, buffer overflow, forceful browsing and cross-site scripting. An application firewall tool was presented for protecting applications from being hacked, and a technique for intrusion prevention and detection based on an improved reverse proxy was proposed. Double Guard, an application developed by (Reddy et al., 2015), is used for checking intrusions in multi-tier applications. It covers both the back end and the front end while remaining independent of them, and it also operates on dynamic and static web servers, which provide better protection for the application and its information.
An IDS that models a user's actions across the front-end web server and the back-end repository was proposed by (Namratha et al., 2013). By observing the web traffic and following what the database is asked for, it detects attacks that an independent IDS would not be able to identify. The limitations of virtually any multi-tier IDS relating to training sessions and coverage of features are quantified.
A learning-based approach was presented by (Laranjeiro et al., 2010) for securing web services against SQL and XPath injection attacks. The approach learns the patterns of valid requests in a learning phase, and is then able to detect and abort requests that might harm the server in a protecting phase. Heuristics can be used to deal with suspicious cases when a complete learning phase is not possible. The technique was applied to protect TPC-App services and open-source services.

Proposed System
The design of the proposed system aims to provide the best warning and prevention methodology, with the maximum security measures, for all of the integrated clients. The main idea is to detect the attack on one of the integrated hosts and pass the information down to the centralized command and control center, which sends it to the other integrated hosts so that they can take action against the same attacker and the same type of attack as one fully integrated system. The system's role therefore begins whenever a host detects an attack and sends the needed information; the information is then sent to the other clients, which take the needed countermeasures to prevent such events. Moreover, the system has backup measures to prevent a single point of failure: a second centralized command and control center is kept in case of a crash, shutdown or any other type of failure in the main command and control center. The backup command and control center then goes up and takes control of the integrated clients, so that the system's performance does not change and the system keeps functioning normally. The main goal is achieved by sharing the attack information with the other clients through a new genre of modified web application firewall that can send and receive threat information and take action depending on the information it receives.
The flow chart of the proposed system is illustrated in figure 1.

Figure 1. Flow chart of the web firewall mechanism
The system acts as soon as an attack is detected: it takes action against the threat and notifies the other firewalls by sharing the attack information through the command and control center, so that they can take action against the threat as well. The first step that triggers the system is detecting the attack; the detected log information is then sent to the command and control center, which passes it to all of the connected clients, and each client takes the known precautionary steps against the threat depending on the genre of firewall and the rules assigned to it. The centralized web firewall system is simply an enhancement that can be applied to any web firewall technology; it adds a new approach that distinguishes it from standalone web firewall services and enhances the firewall's detection and control capabilities. The integrated clients automatically update their information about the newly detected threat and take action according to the received attack log, which contains the type of attack, the date and time, and the IP address of the attacker. Figure 2 illustrates the process.
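The detect, report, distribute and ban cycle described above, together with the backup command and control center, modelled as an added Python example that is not part of the paper's PHP implementation. The AttackLog fields follow the paper (type of attack, attacker IP, time of attack); the class names, the in-memory fan-out, the JSON serialization, the address check before banning and the sample records are assumptions made for this illustration.

```python
import ipaddress
import json
from dataclasses import dataclass, asdict

@dataclass
class AttackLog:
    # The three fields the paper distributes: type of attack, attacker IP, time of attack.
    attack_type: str
    attacker_ip: str
    timestamp: str

class FirewallClient:
    """One integrated web firewall: it reports what it detects and applies what it receives."""
    def __init__(self, name):
        self.name = name
        self.banned = set()  # attacker IPs this host now blocks

    def receive(self, raw):
        # Records arrive serialized (JSON here, an assumption), so validate before acting.
        log = AttackLog(**json.loads(raw))
        try:
            ip = ipaddress.ip_address(log.attacker_ip)
        except ValueError:
            return False  # unparsable address: never ban on malformed data
        if ip.is_loopback or ip.is_unspecified:
            return False  # a bogus record must not make the host block itself
        self.banned.add(str(ip))
        return True

class CommandControl:
    """Centralized command and control center: fans one record out to every client."""
    def __init__(self, name):
        self.name, self.up, self.clients = name, True, []

    def register(self, client):
        self.clients.append(client)

    def distribute(self, log):
        raw = json.dumps(asdict(log))
        return sum(c.receive(raw) for c in self.clients)  # clients that applied the ban

class Cluster:
    """Primary center plus the backup that takes over when the primary is down."""
    def __init__(self, primary, backup):
        self.primary, self.backup = primary, backup

    def report(self, log):
        # The attacked client sends the log here; whichever center is up distributes it.
        center = self.primary if self.primary.up else self.backup
        return center.name, center.distribute(log)
```

Every client must be registered with both centers so that failover keeps the same set of hosts synchronized.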

Results
To test the proposed system, a web firewall was designed and implemented using all of the steps and mechanisms shown in figure 1 and figure 2. The implementation was done in PHP, the system was deployed on 50 hosting servers, each integrated with the others, and several attacks were performed on different clients. The system was 100% successful in preventing an attack on the other clients once it had been detected and distributed to all of the clients connected to the system. The system was also able to detect attacks such as XSS, DDoS and SQL injection, and it prevented all of the threats mentioned above. Any further attack on different clients by the same attacker was prevented after the attacker's IP address was banned. All of the clients' firewalls took the same action before they were attacked, and through this process of synchronizing and distributing the attack log we were able to enhance the security of different hosts on different networks, and of web applications hosted on different servers and platforms, with this easy-to-use solution.

Conclusion
The proposed system for centralizing web firewalls enhances the detection and prevention of web application attacks by making standard standalone web firewalls work together as one fully integrated system, simply by updating and distributing the attack log to all of the firewalls connected to the system. Although every web firewall keeps its own attack log and can work independently, the integration enhances the functionality and reduces the possibility of attack across the whole integrated system, and it increases the possibility of reducing and preventing many types of attacks.

Figure 2. Centralized web firewall system

Table 2. Comparisons between web detection and prevention methods (table contents not present in the extracted text)