ASPA Web Application Firewall System (ASPA Web Application Firewall)

Comprehensive protection of web applications against all types of attacks

ASPA-WAF (Native and Iranian WAF) Overview

ASPA-WAF is a native and Iranian Web Application Firewall (WAF) designed to protect websites and organizational systems against cyber attacks. The system is developed in compliance with international standards PCI DSS and ISO/IEC 27001 and covers all vulnerabilities identified by OWASP.

  • System Introduction
    • ASPA-WAF is a product designed to combat various web attacks such as XSS, SQL Injection, Remote File Inclusion, Local File Inclusion and other application layer threats.
    • In this system, all web transactions are reviewed in 5 independent phases: Request Header, Request Body, Response Header, Response Body and Logging.
    • The security rule set combines rules from several international laboratories and is optimized by removing redundant rules.
    • Rule updates are delivered online or offline from servers located inside Iran.
    • HTTPS protocol decryption in this system allows encrypted content to be controlled and encrypted attacks to be prevented.
    • The ability to use HTTPS Offloading to reduce the processing load of main servers is also available.

Types of ASPA-WAF Deployment

Web Application Firewalls can be deployed in various ways within a network architecture. Generally, there are three deployment models for placing a WAF in the network: Inline Deployment, Out-of-Band Deployment, and In-App Deployment. Since out-of-band deployment is not effective in mitigating attacks, and in-app deployment requires installing the WAF on each application and making changes to it, these two models are not suitable in most conditions. ASPA-WAF supports inline deployment, which is reviewed below.

Inline Deployment

Figure 1: Inline WAF Deployment, Transparent Reverse Proxy Architecture

In this deployment type, the WAF is one of the components through which traffic directly passes. Inline deployment in ASPA-WAF includes two architectural models:

1) Reverse Proxy

In this model, the system actively intercepts all connections. Users send their HTTP(S) requests directly to the WAF address. After analyzing the request and approving it, the WAF generates a corresponding request and forwards it to the protected web application. Upon receiving the response from the backend server, the WAF inspects it again to prevent possible data leakage. To ensure that users send their requests directly to the WAF server, the DNS service must provide the WAF IP address for the domain name. If the website does not have a domain name, the WAF IP address must be provided instead of the original web server IP.
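The following is an added illustration, not ASPA-WAF code, of the reverse-proxy flow described above combined with the five inspection phases listed in the system introduction (Request Header, Request Body, Response Header, Response Body, Logging). Every rule, hostname, backend and sample transaction in it is constructed for the example; the real product's rule set is not published on this page. The WAF receives the client's request, inspects it in two request phases, forwards an approved request to the protected application selected by the Host header, then inspects the application's response for leakage before returning it.

```python
"""Phased WAF pipeline in reverse-proxy form (constructed illustration, not ASPA-WAF code)."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed rule set. A production WAF carries thousands of rules; these few show the shape.
REQUEST_METHODS = {"GET", "POST", "HEAD"}
REQUEST_BODY_RULES = [
    ("sqli-union", re.compile(r"(?i)union\s+select")),
    ("sqli-tautology", re.compile(r"(?i)'\s*or\s+'?\d+'?\s*=\s*'?\d+")),
    ("xss-script-tag", re.compile(r"(?i)<\s*script")),
]
LEAKY_RESPONSE_HEADERS = {"server", "x-powered-by"}   # fingerprinting headers to strip
RESPONSE_BODY_RULES = [
    ("stack-trace", re.compile(r"Traceback \(most recent call last\)")),
    # 16 digits with optional separators; a PCI-DSS-style check that will also match
    # other 16-digit numbers, so in practice it would be paired with a Luhn check.
    ("card-number", re.compile(r"\b(?:\d[ -]?){15}\d\b")),
]

@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str]
    body: str = ""

@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str = ""

@dataclass
class Verdict:
    status: int
    phase: str              # phase that produced the final decision
    rule: Optional[str]     # rule that fired, None if the transaction was clean
    response: Response

LOG: List[dict] = []        # phase 5 writes here; a real deployment ships these to a SIEM

def phase_request_header(req: Request) -> Optional[str]:
    if req.method not in REQUEST_METHODS:
        return "method-not-allowed"
    if not any(k.lower() == "host" for k in req.headers):
        return "missing-host"
    return None

def phase_request_body(req: Request) -> Optional[str]:
    # Query string and body are both attacker-controlled, so both are scanned.
    for name, pat in REQUEST_BODY_RULES:
        if pat.search(req.path) or pat.search(req.body):
            return name
    return None

def phase_response_header(resp: Response) -> None:
    # Sanitize rather than block: drop headers that reveal the backend stack.
    resp.headers = {k: v for k, v in resp.headers.items()
                    if k.lower() not in LEAKY_RESPONSE_HEADERS}

def phase_response_body(resp: Response) -> Optional[str]:
    for name, pat in RESPONSE_BODY_RULES:
        if pat.search(resp.body):
            return name
    return None

def _block(phase: str, rule: str) -> Verdict:
    return Verdict(403, phase, rule, Response(403, {"Content-Type": "text/plain"}, "blocked"))

def _inspect(req: Request, backends: Dict[str, Callable[[Request], Response]]) -> Verdict:
    rule = phase_request_header(req)
    if rule:
        return _block("request_header", rule)
    rule = phase_request_body(req)
    if rule:
        return _block("request_body", rule)
    host = next(v for k, v in req.headers.items() if k.lower() == "host")
    backend = backends.get(host)
    if backend is None:
        return Verdict(502, "request_header", None, Response(502, {}, "no backend for host"))
    resp = backend(req)                       # WAF forwards a corresponding request
    phase_response_header(resp)
    rule = phase_response_body(resp)
    if rule:
        return _block("response_body", rule)  # prevent data leakage to the client
    return Verdict(resp.status, "response_body", None, resp)

def handle(req: Request, backends: Dict[str, Callable[[Request], Response]]) -> Verdict:
    verdict = _inspect(req, backends)
    # Phase 5: logging runs for every transaction, allowed or blocked.
    LOG.append({"method": req.method, "path": req.path, "status": verdict.status,
                "phase": verdict.phase, "rule": verdict.rule})
    return verdict

def demo_backend(req: Request) -> Response:
    """Constructed stand-in for the protected web application."""
    if req.path == "/profile":
        return Response(200, {"Content-Type": "text/html", "Server": "Apache/2.4"}, "<p>Welcome back</p>")
    if req.path == "/export":   # a misbehaving endpoint that echoes a card number
        return Response(200, {"Content-Type": "text/plain"}, "card=4111 1111 1111 1111")
    return Response(404, {}, "not found")

# Hostname is a constructed placeholder; in a real deployment DNS points it at the WAF.
BACKENDS = {"www.example.test": demo_backend}

if __name__ == "__main__":
    h = {"Host": "www.example.test"}
    for r in (Request("GET", "/profile", h),
              Request("POST", "/login", h, "user=admin' OR '1'='1"),
              Request("GET", "/export", h),
              Request("DELETE", "/profile", h)):
        v = handle(r, BACKENDS)
        print(r.method, r.path, "->", v.status, v.phase, v.rule)
```

The transparent reverse proxy variant described next changes only how the packet reaches `handle` (DNAT on an upstream firewall instead of a DNS record); the phases and the Host-based backend selection are unchanged.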

2) Transparent Reverse Proxy

In this architecture, the WAF analyzes both request and response traffic and actively intercepts all HTTP connections between the client and the web application. Users send their requests to the original server address without being aware of the WAF; an active device in the path, such as a stateful firewall, rewrites the destination using DNAT and redirects the traffic to the WAF. The rest of the process is the same as the standard reverse proxy. The advantage of this method is its transparency and the immediate redirection of traffic to the WAF. By contrast, relying on DNS can cause propagation delays during deployment, or unexpected delays if the WAF needs to be bypassed in an emergency.

Figure: Reverse Proxy

High Availability (HA) Deployment Modes

Another important factor in WAF deployment architecture is how multiple devices operate in a High Availability (HA) setup. The ASPA-WAF HA service includes the four main modes below:

1. Active Passive HA
2. Active Active HA
3. Distributed Active Active WAF
4. CDN

Below is an overview of each model.

1) Active Passive HA

In this deployment model, two or more WAF nodes are installed in a data center, with one active and the others in standby mode. In case of failure of the primary WAF, one of the standby nodes automatically becomes active within a minute. After the failed server is restored, it is moved back to the standby queue.

Figure: Active Passive HA

2) Active Active HA

In this model, two or more WAF nodes operate simultaneously in active mode. Each WAF has its own dedicated IP addresses, and the protected websites are served uniformly across all nodes. All devices are centrally and synchronously managed. This mode provides higher availability and greater processing capacity than Active-Passive. Traffic must be distributed across the nodes, which can be handled by external load balancers or by the ASPA Web Load Balancer.

Figure: Active Active HA

3) Distributed Active Active WAF

A Web Application Firewall focuses on application-layer messages and related web protocols, detecting attacks that traditional firewalls or IDS may overlook. According to security communities such as OWASP, these include injection attacks such as SQL, HTML, XSS, etc. DoS and DDoS attacks are also within the WAF protection scope. However, in extremely large-scale attacks, no localized equipment is sufficiently effective, because attackers may saturate the available bandwidth before traffic even reaches the WAF.
In such cases, a distributed approach becomes essential. The distributed ASPA-WAF mechanism allows large organizations with multiple geographic locations to deploy WAF nodes in different data centers and manage them centrally and in real time. This creates a distributed WAF using the combined bandwidth of all data centers. Traffic distribution between nodes can be handled using GeoDNS or BGP Anycast if supported by the organization.

Figure: Distributed Active Active WAF

4) CDN

The difference between this deployment and the previous one (DAA-WAF) is that ASPA-WAF natively supports BGP Anycast. Therefore, ASPA-WAF itself is responsible for routing user traffic.

Figure: CDN

One key point regarding the last two deployment models is their ability to create a dedicated content delivery network: a dedicated CDN is a byproduct of both distributed deployment types. The key difference is that ASPA-WAF is first a complete WAF with all required features, and only then a CDN. Traditional CDNs offer this advantage only partially or not at all.

Another important point is that, except for the Active-Passive model, all other models require analyzer nodes in addition to WAF nodes.


Enhancing web security with a native WAF