
Journal of Theoretical and Applied Information Technology

15th February 2022. Vol.100. No 3


© 2022 Little Lion Scientific

ISSN: 1992-8645 www.jatit.org E-ISSN: 1817-3195

EXPERIMENTAL STUDIES OF THE FEATURES OF USING WAF TO PROTECT INTERNAL SERVICES IN THE ZERO TRUST STRUCTURE

LAKHNO V. 1, BLOZVA A. 2, KASATKIN D. 3, CHUBAIEVSKYI V. 4, SHESTAK Y. 5, TYSHCHENKO D. 6, BRZHANOV R. 7

1,2,3 National University of Life and Environmental Sciences of Ukraine, Kyiv, Ukraine
4,5,6 Kyiv National University of Trade and Economics, Department of Software Engineering and Cybersecurity, Kyiv, Ukraine
7 Caspian State University of Technology and Engineering named after Sh. Yesenov, Aktau, Kazakhstan

E-mail: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]

ABSTRACT

As web applications grow in popularity, the need to protect them from hacking and unauthorized access is growing even faster. More than 75% of hacker attacks are aimed at vulnerabilities in web applications and corporate websites. The consequences of such malicious actions are quite obvious and not very pleasant for companies (and especially their customers): the loss of personal data, including payment information, and the ability to access trade secrets and confidential documents via enterprise networks. Traditional firewall methods do not prevent attacks on web services. Firewalls target threats at the network and transport layers, while web applications operate at the application layer. A Web Application Firewall (WAF) is a type of firewall that is used to protect web applications. While a forward proxy server protects the client computer's identity using an intermediary, a WAF is deployed in front of web applications (in reverse proxy mode) and analyzes bi-directional HTTP/HTTPS traffic to identify malicious traffic and block it. WAFs are not the ultimate security solution; rather, they are intended to be used in conjunction with other network perimeter security solutions such as next-generation firewalls (NGFW) and intrusion prevention systems (IPS).

Keywords: Security, Firewalls, OWASP, WAF

1. INTRODUCTION

A web application architecture is a mechanism that defines how the components of a program interact with each other. In other words, a web application architecture is a model for the interaction between the various components of a web application. Most web applications consist of two parts: client (front-end) and server (back-end). The server-side code (back-end) is responsible for rendering the page requested by the user, as well as for storing various data, including user profiles and data entered by the user. This code is always hidden from the user. To write client-side code (front-end), a combination of technologies such as HTML, CSS and JavaScript is used. Client-side code is specifically designed for user interaction [1].

Most web applications are developed by dividing the core functionality into 3 tiers: the presentation tier, the business tier, and the resilience (storage) tier. The presentation layer reflects the interface and is designed for user interaction. It is developed using three main technologies: HTML is the markup language that defines the structure of the site, CSS allows you to control the appearance of the application, and JavaScript with supporting frameworks makes the site interactive.

The business layer, also called business logic, accepts requests from the user, processes them and determines the routes along which data will be accessed. For example, if the application provides hotel booking functionality, the business layer will be responsible for the sequence of actions to be taken when booking a room.

The resilience tier, or storage tier, is a centralized location that accepts all data requests and provides access to application storage.


The storage infrastructure includes a server and a database management system, the software that communicates with the database [12-14].

Some components are parts of a web application but are separated from the main layers: end-to-end code and third-party integrations. End-to-end code handles application functionalities such as communications, operational management and security. It affects all parts of the system, but should never mix with them. Third-party integrations are connected to the back-end of the application using snippets of code called APIs [2].

Today, there are several types of web application architecture, depending on how the interaction between the client and server side takes place. The most common of these are single-page applications (SPA) and multi-page applications (MPA).

A Single Page Application is a type of web application that uses a single HTML page to display all of the information. In practice, it means that the user sees the main content of the page in the browser, but when scrolling or switching to another page, all the necessary elements are dynamically updated instead of reloading the page and sending a new request to the server. Examples of single-page applications include Gmail, Facebook and Twitter.

A Multi-Page Application is a web application consisting of multiple pages that are loaded every time the user visits them. Each time a new page is requested, a request is sent to the server and all data is completely refreshed. This is a traditional web application development pattern that is used on sites with a lot of content. As a rule, MPA applications have a complex structure, with a large number of levels and links. The content of such web applications is divided into several sections and subsections. Examples of multi-page applications are Amazon or eBay [3].

Today, a large number of people use web applications to find the products and services they want. Customers who provide their names and payment system data can become a gold mine for hackers who seek to get hold of confidential information. That being said, protecting a site is also a matter of protecting physical equipment. Hackers can not only steal sensitive client information but also infect a website with malware that can affect physical hardware. Website security is critical to the longevity of a business, as unauthorized access can have a significant impact on reputation and downtime, and also result in decreased performance.

The OWASP (Open Web Application Security Project) community is responsible for classifying attack vectors and vulnerabilities. It is an international non-profit organization focused on analyzing and improving software security. OWASP has created a list of the 10 most dangerous attack vectors for Web applications; this list is called the OWASP Top Ten and contains the most dangerous vulnerabilities.

Figure 1. OWASP Top Ten

Today, the issue of web application security is very acute, since web applications are tightly integrated into the modern world. The OWASP "Top 10" is a recognized global methodology for assessing vulnerabilities, reflecting modern trends in web application security. While the global web application security policy has slowly changed in the right direction over the past few years, during 2020 and the COVID-19 pandemic this process stopped and, in some cases, the situation slightly deteriorated.

2. THE AIM OF THE STUDY

In this paper, we aim to apply WAF to the internal web resources of the Free Economic Zone in systems with zero trust in users, with a possible response to the threats identified by OWASP. We strive to ensure the effectiveness of such an approach against the most common threats and to increase the effectiveness of protection of end users and free services.


We set ourselves the task of improving the algorithm for protecting services in the local networks of universities, to protect end users and services.

3. MODELS AND METHODS

A Web Application Firewall (WAF) is a device that protects web applications from the most common attacks (including the OWASP Top Ten). The WAF sits between external users and web applications and analyzes all HTTP/HTTPS traffic, identifying and blocking malicious requests before they can affect users or the web application. As a result, WAFs protect business-critical web applications and web servers from attacks.

Figure 2. Scheme of WAF

Traditional network firewalls protect the local network from unauthorized access. Their main purpose is to separate the protected area from the less secure one and further control the communication between them. The key technical difference between application layer firewalls and network layer firewalls is the layer at which they operate, as defined by the Open Systems Interconnection Model, which characterizes and standardizes communication functions in telecommunications and computing systems. WAF protects against attacks at layer 7 of the OSI model, the application layer. The main threats at this level are attacks on various frameworks, cookie manipulation, SQL injection exploitation and cross-site scripting attacks. Traditional network firewalls operate at layers 3 and 4 of the OSI model to protect network traffic. For this reason, a traditional standalone network firewall will not protect businesses from attacks on web pages [9].

Figure 3. Comparison of the traditional firewall with web application firewall in countering web attacks

WAF operates on a set of rules called policies, which are used to filter most of the attacks known today. Many WAF services provide a default set of rules that are updated periodically.


WAFs can operate on a negative security (blacklist), positive security (whitelist) or hybrid model. The blacklist model uses predefined signatures to block harmful web traffic, as well as signatures designed to prevent attacks that exploit specific vulnerabilities in websites and applications. For example, if multiple IP addresses are sending many more packets than is typical, a blacklist firewall can prevent a DDoS attack. The whitelist model allows only web traffic that meets specially configured criteria. For example, a firewall can be configured to only allow HTTP GET requests from specific IP addresses. Whitelist firewalls are best for intranet web applications that are intended to be used only by a limited group of people, such as company employees [11].

WAF can be implemented in one of the following ways, each with its advantages and disadvantages:
• Network WAF, usually hardware. Installing locally minimizes latency, but is a more expensive option.
• Host-based WAF. This solution is cheaper than a network WAF and offers more customization options. The disadvantages of a host-based WAF are local server resource consumption, implementation complexity and maintenance costs.
• Cloud WAF. Provides the simplest implementation, has the lowest initial cost, and offers a solution that is constantly updated to protect against new threats without additional work or cost on the customer side. The drawback of a cloud WAF is reliance on a third party. One of the most popular cloud web application firewalls is Cloudflare WAF.

In this project, WAF is implemented in host-based mode on the Nano Pi R1 hardware platform (the appearance and layout of board elements are given in Appendix A, technical specifications are given in Appendix B).

There are many free WAFs that are capable of securing web applications. The biggest advantage of an open-source WAF is the freedom to modify the code to suit the needs of the project. The most famous open-source WAFs include:
• ModSecurity. This firewall is well equipped with many features and offers complete freedom to expand its capabilities. Among the main features of this firewall are the following: application security monitoring and real-time access control, HTTP traffic logging, continuous passive security assessment. The ModSecurity community is actively and constantly releasing updates.
• NAXSI. The acronym comes from Nginx Anti XSS & SQL Injection. The main purpose of this firewall is to protect against SQL injection and cross-site scripting.
• WebKnight. Designed for Microsoft IIS. The toolkit checks all requests and filters them according to the policies set by the administrator. The firewall aims to prevent buffer overflow attacks, SQL injection and character encoding attacks [5].

WAF can be integrated into the network in the following ways: network monitoring mode via a SPAN port, bridge mode, or reverse proxy.

In monitor mode, packets do not go through the web application firewall. The Switched Port Analyzer (SPAN) feature forwards a copy of the traffic on a port to another port on the same switch. In this mode, the firewall analyzes the copy of the monitored traffic, rather than the packets that are being sent. The advantage of operating in this mode is that the WAF does not affect traffic, avoiding performance and latency issues. The disadvantage of working in this mode is that the WAF works with a copy of the traffic and cannot prevent attacks on web applications.

Figure 4. An example of WAF implementation in monitoring mode


In bridge mode, WAF sits on the same line between the firewall and web servers and acts as a Layer 2
bridge.

Figure 5. An example of WAF implementation in monitoring mode


Reverse proxy server. Typically, proxy servers act as intermediaries for online connections. Proxies can be divided into types according to various criteria. The type of proxy depends on the type of device acting as a proxy server, the level of anonymity of the client when using the proxy, and the method of data management. According to another criterion, location in the network structure, proxy servers are divided into reverse and forward.

Forward (direct) proxy server. When using the term "proxy", most often a forward proxy server is meant. Forward proxies are proxies that clients use to hide their IP addresses and maintain anonymity when browsing the Internet. When using a forward proxy server, the device sends a normal request as if the proxy server did not exist, but all requests to the target system go through the proxy server. The proxy accepts requests and forwards them from its own IP address, hiding the user's real IP address. Most often, forward proxy servers are used by ordinary users to bypass blocked services.

Figure 6. An example of a direct proxy server

A reverse proxy is a proxy that accepts requests on behalf of web servers. A reverse proxy does not work for clients, but for web servers. Whereas a forward proxy is designed to provide anonymity to clients, a reverse proxy is designed to provide anonymity for web servers: it hides the real location of the servers from clients. The reverse proxy accepts requests from the Internet and determines whether to forward the request to a real server [7].


Figure 7. An example of a reverse proxy server

Reverse proxies can be used for:
• load balancing. Typically, sites with a lot of daily users cannot handle all traffic with a single origin server. The reverse proxy can evenly distribute the load among the back-end servers;
• additional security of internal servers. If the web server sits behind a reverse proxy, its address is hidden, and users can only reach the IP address of the reverse proxy. This introduces an additional element of security. For example, it is much more difficult to conduct a denial of service attack;
• caching. It is the process of keeping a copy of files in the cache for faster re-access. Caching allows sites to efficiently reuse previously acquired data, which lets web applications run more efficiently;
• SSL encryption. Encrypting and decrypting connections for each user can be inefficient for the origin server. A reverse proxy server can do this job by encrypting and decrypting all requests [8-11].

Implementing a firewall as a reverse proxy server is by far the most popular and widely used approach.

Figure 8. Implementing WAF as a reverse proxy server

A firewall is a device that secures networks by monitoring network traffic based on established sets of security rules. A Web Application Firewall (WAF) is a device that protects web applications from most attacks today (including the OWASP Top Ten). The WAF sits between external users and web applications and analyzes all HTTP/HTTPS traffic, identifying and blocking malicious requests before they can affect users or the web application. Traditional network firewalls operate at layers 3 and 4 of the OSI model to protect network traffic. For this reason, a traditional network firewall alone will not protect businesses from attacks on web pages. WAF protects against attacks at layer 7 of the OSI model, the application layer. The main threats at this level are attacks on various kinds of frameworks, cookie manipulation, exploitation of SQL injection and cross-site scripting attacks. As a result, a WAF protects business-critical web applications and web servers from attacks. WAF operates on a set of rules called policies, which are used to filter most of the attacks known today. Many WAF services provide a default set of rules that are updated periodically. The most commonly used method for implementing WAF on the web is as a reverse proxy.

The firewall function was assigned to the ModSecurity program. The WAF will be deployed in reverse proxy mode. To do this, you need to configure the Apache webserver in reverse proxy mode. We enable the additional modules that are required for the Apache webserver to function as a reverse proxy server: mod_proxy is the main Apache proxy module that manages and redirects connections, mod_proxy_http provides the proxy functions for the HTTP and HTTPS protocols, and mod_proxy_balancer and mod_lbmethod_byrequests provide load balancing between backends.

Figure 9. Connecting additional Apache modules

4. EXPERIMENTAL STUDIES

Let's edit the default configuration file 000-default.conf to enable the proxy function.

During the experiments, we were limited by the small amount of statistical data accumulated for a relatively small segment of the institute's network, the university.

In this experimental part of the work, we set ourselves the goal of applying WAF to the internal web resources of the university in a system with zero trust to users. With the possible response to the threats that OWASP identifies, we strive to make sure that this approach is effectively applied to the most common threats and increases the effectiveness of protecting end users and university services.

Three directives are used to configure the proxy:
• ProxyPreserveHost forces Apache to pass the original Host header to the backend server. This is useful because it allows the backend server to know the address used to access the application.
• ProxyPass is the main directive for proxy configuration. In this case, it specifies that everything after the root URL (/) should be sent to the server at the given address.
• ProxyPassReverse is a must-have setting similar to ProxyPass. It tells Apache how to change the headers in the response from the backend server. Thus, it is guaranteed that the client's browser will be redirected to the proxy address and not to the backend server address.

As a result of the proxy settings, when accessing the address http://192.168.1.251/, the page located on the server with the address 192.168.1.44/ will be opened.


After you finish configuring the Apache web server, you need to install ModSecurity using the command apt-get install libapache2-modsecurity.

Figure 10. Editing the 000-default.conf file

Figure 11. Installing ModSecurity


To check if the installation is correct, use the command apachectl -M | grep security. If the installation was successful, the command should output security2_module (shared).

Figure 12. Checking the correctness of the ModSecurity installation

ModSecurity includes a recommended configuration file, modsecurity.conf-recommended, located in the /etc/modsecurity directory. In order for this file to work with ModSecurity, you must rename it using the command mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf.


Figure 13. Renaming the configuration file

Using any text editor, edit the contents of the modsecurity.conf file. Change "SecRuleEngine DetectionOnly" to "SecRuleEngine On", save the changes and exit the text editor.

Figure 14. Editing the modsecurity.conf file


After editing the file, restart the Apache webserver.

Figure 15. Rebooting the webserver

ModSecurity comes with the OWASP Core Rule Set (CRS). CRS aims to protect web applications from a wide range of attacks (including the OWASP Top Ten), with a minimum of false positives. CRS rules are stored in the /usr/share/modsecurity-crs directory.


Figure 16. Set of basic CRS rules


For further work, the set of rules downloaded from GitHub will be used. Remove the default ruleset with the rm -rf /usr/share/modsecurity-crs command. Create a new directory in the Apache directory using the command:

Figure 17. Creating the modsecurity-crs directory

Download the basic ModSecurity ruleset from GitHub and unpack it with tar xvf v3.3.0.tar.gz.

Figure 18. Downloading the core Github ruleset


Move the unpacked directory to /etc/apache2/modsecurity-crs/. Go to the directory again and change the name of the crs-setup.conf.example file.


Figure 19. Setting up directories for storing Core Rule Set


For Apache to read the .conf files in directories, you need to edit the security2.conf file.

Figure 20. Editing the security2.conf file


We check the Apache configuration and restart the webserver.

Figure 21. Checking the configuration and restarting the Apache server

A WAMP server with WordPress installed and a standard page configured was chosen as the test server. For access, the IP address is 192.168.1.44 without WAF and 192.168.1.251 through WAF.
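The configuration steps above (the three proxy directives, the ModSecurity install and SecRuleEngine switch, the CRS placement and the security2.conf includes) collected into one script, as an added example that is not one of the paper's own files. The backend address and paths are the paper's; the CRS download URL, the script name waf_setup.sh and the a2enmod step are assumptions.

```shell
#!/bin/sh
# Hypothetical helper (added example, not one of the paper's files) that scripts
# the setup described in sections 3 and 4: Apache as a reverse proxy in front of
# the WordPress test server, ModSecurity switched from DetectionOnly to On, and
# OWASP CRS 3.3.0 unpacked into /etc/apache2/modsecurity-crs. The backend address
# and paths come from the paper; the CRS download URL is an assumption.
set -eu

BACKEND="${BACKEND:-http://192.168.1.44/}"
CRS_DIR="${CRS_DIR:-/etc/apache2/modsecurity-crs}"
CRS_VERSION="3.3.0"
CRS_URL="https://github.com/coreruleset/coreruleset/archive/v${CRS_VERSION}.tar.gz"  # assumed URL

# Print the 000-default.conf virtual host with the three proxy directives from section 4.
render_proxy_vhost() {
  backend="$1"
  cat <<EOF
<VirtualHost *:80>
    # Keep the client's Host header so the backend sees the address it was reached on.
    ProxyPreserveHost On
    # Everything under / goes to the backend; rewrite Location headers on the way back.
    ProxyPass "/" "${backend}"
    ProxyPassReverse "/" "${backend}"
    # Enforce (not just log) ModSecurity decisions for this host.
    SecRuleEngine On
</VirtualHost>
EOF
}

# Replace every SecRuleEngine value in modsecurity.conf with On. Fails if the directive
# is absent, which usually means modsecurity.conf-recommended was never renamed.
enable_rule_engine() {
  conf="$1"
  sed -i.bak 's/^[[:space:]]*SecRuleEngine[[:space:]].*/SecRuleEngine On/' "$conf"
  grep -q '^SecRuleEngine On$' "$conf"
}

# Lines appended to security2.conf so Apache loads crs-setup.conf and the rules directory.
render_crs_includes() {
  printf 'IncludeOptional %s/crs-setup.conf\nIncludeOptional %s/rules/*.conf\n' "$1" "$1"
}

# Read `apachectl -M` output on stdin; succeed only if the ModSecurity module is loaded.
modsec_loaded() {
  grep -q 'security2_module'
}

# The full procedure. Needs root and network access, so it only runs when the script
# is invoked as: sh waf_setup.sh deploy
deploy() {
  a2enmod proxy proxy_http proxy_balancer lbmethod_byrequests
  apt-get install -y libapache2-modsecurity
  apachectl -M | modsec_loaded
  if [ ! -f /etc/modsecurity/modsecurity.conf ]; then
    mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
  fi
  enable_rule_engine /etc/modsecurity/modsecurity.conf
  render_proxy_vhost "$BACKEND" > /etc/apache2/sites-available/000-default.conf
  rm -rf /usr/share/modsecurity-crs            # drop the packaged rule set, as in the paper
  mkdir -p "$CRS_DIR"
  wget -qO /tmp/crs.tar.gz "$CRS_URL"
  tar -xzf /tmp/crs.tar.gz -C "$CRS_DIR" --strip-components=1
  mv "$CRS_DIR/crs-setup.conf.example" "$CRS_DIR/crs-setup.conf"
  grep -q "$CRS_DIR/rules" /etc/apache2/mods-enabled/security2.conf ||
    render_crs_includes "$CRS_DIR" >> /etc/apache2/mods-enabled/security2.conf
  apachectl configtest
  systemctl restart apache2
}

if [ "${1:-}" = "deploy" ]; then
  deploy
fi
```

Run without arguments the script only defines the helpers, so the rendering and editing functions can be checked on copies of the files before touching a live server.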
1. OWASP ZAP


Figure 22. Selecting the scan mode

Figure 23. URL for scan


Once the scan is complete, you can view the results on the Notifications tab. Alerts are divided into 5 types, the severity of which is indicated by the color of the checkbox.

Figure 24. Alert severity


Web page scan results not protected by WAF:

Figure 25. Testing a web page that is not protected by WAF
Figure 26. The result of testing a page that is protected by WAF
2. ARACHNI

Figure 27. New scan


In the next window, select the Default scan type, set the URL for scanning and click "Go".

Results of a 4-hour scan without WAF:

Figure 28. Scan without WAF


No vulnerabilities were found during scanning by XSS and SQL profiles.
Scanning via WAF lasted only 2 minutes, results:

Figure 29. Scanning via WAF

3. VEGA


Select the "Start New Scan" option. In the window that will open, enter the URL for scanning and click
Finish.

Figure 30. URL to scan

Figure 31. Scanning without WAF

Figure 32. Scanning via WAF

4. W3AF

Select the OWASP Top 10 scan profile, enter the URL and click the Start Scan button


Figure 33. Adjusting the scanner settings

The scan ended 1:30 after the start. The scanner could only find information about the version of the operating system, Apache and PHP.

Figure 34. Scan results without WAF

The scan through the WAF ended in 1:17. As a result, the scanner was able to find one page with an Apache webserver error.

Figure 35. Scanning via WAF
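Sections 5 and 6 below describe the two logs ModSecurity writes, error.log and modsec_audit.log, which share a unique identifier; the following added shell helper (not from the paper) uses that identifier to join them and list what the WAF blocked during a scan. The sample log lines it writes are constructed, the boundary and unique_id values are made up, and the rule ids are CRS 3.3 ids.

```shell
#!/bin/sh
# Added example (not from the paper): join the two ModSecurity logs named in
# sections 5 and 6, modsec_audit.log (serial format) and Apache's error.log,
# on the unique_id both carry, and list what the WAF blocked. The log lines
# written by make_sample_logs are constructed; the rule ids are CRS 3.3 ids.

# Print one line per transaction that ended in 403:
#   unique_id client_ip request_line rule_ids
summarize_audit() {
  awk '
    # Part boundary: --<boundary>-<LETTER>--; A opens a transaction, Z closes it.
    /^--[A-Za-z0-9@-]+-[A-Z]--$/ {
      part = substr($0, length($0) - 2, 1); n = 0
      if (part == "A") { id = ""; ip = ""; status = ""; req = ""; rules = "" }
      if (part == "Z" && status == "403") printf "%s %s %s %s\n", id, ip, req, rules
      next
    }
    { n++ }
    # A: [timestamp zone] unique_id client_ip client_port server_ip server_port
    part == "A" && n == 1 { id = $3; ip = $4 }
    # B: request line, e.g. GET /?id=1 HTTP/1.1
    part == "B" && n == 1 { req = $1 " " $2 }
    # F: response status line, e.g. HTTP/1.1 403 Forbidden
    part == "F" && n == 1 { status = $2 }
    # H: one "Message:" line per rule that fired; collect the [id "..."] values
    part == "H" && /^Message: / && match($0, /\[id "[0-9]+"\]/) {
      rule = substr($0, RSTART + 5, RLENGTH - 7)
      if (rules != "") rules = rules ","
      rules = rules rule
    }
  ' "$1"
}

# Print the error.log entries for one unique_id (written there as [unique_id "..."]).
error_entries() {
  grep -F "[unique_id \"$1\"]" "$2"
}

# Write a constructed pair of logs (one allowed request, one blocked SQLi probe)
# into a temporary directory and print its path.
make_sample_logs() {
  dir=$(mktemp -d)
  cat > "$dir/modsec_audit.log" <<'EOF'
--1a2b3c4d-A--
[10/Feb/2022:12:00:01 +0200] YgTxAQ8AAQEAAA4jB2oAAAAA 192.168.1.10 54320 192.168.1.251 80
--1a2b3c4d-B--
GET / HTTP/1.1
Host: 192.168.1.251
--1a2b3c4d-F--
HTTP/1.1 200 OK
--1a2b3c4d-H--
Stopwatch: 1644487201000000 1200 (- - -)
--1a2b3c4d-Z--
--5e6f7a8b-A--
[10/Feb/2022:12:00:02 +0200] YgTxAQ8AAQEAAA4jB2sAAAAA 192.168.1.10 54321 192.168.1.251 80
--5e6f7a8b-B--
GET /?id=1%27%20OR%201%3D1 HTTP/1.1
Host: 192.168.1.251
--5e6f7a8b-F--
HTTP/1.1 403 Forbidden
--5e6f7a8b-H--
Message: Warning. detected SQLi using libinjection [file "/etc/apache2/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Engine-Mode: "ENABLED"
--5e6f7a8b-Z--
EOF
  cat > "$dir/error.log" <<'EOF'
[Thu Feb 10 12:00:02.000000 2022] [:error] [pid 1234:tid 5678] [client 192.168.1.10:54321] [client 192.168.1.10] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [hostname "192.168.1.251"] [uri "/"] [unique_id "YgTxAQ8AAQEAAA4jB2sAAAAA"]
EOF
  echo "$dir"
}

# Demo: list blocked transactions, then the matching error.log line for each.
logs=$(make_sample_logs)
summarize_audit "$logs/modsec_audit.log" | while read -r uid ip method uri rules; do
  echo "blocked: $ip $method $uri rules=$rules"
  error_entries "$uid" "$logs/error.log"
done
```

On a live host the same two functions run against /var/log/apache2/modsec_audit.log and /var/log/apache2/error.log; the allowed request never appears in the summary because its F part carries status 200 and its H part has no Message lines.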


A Web Application Firewall (WAF) is a device that protects web applications from most of today's attacks (including the OWASP Top Ten). The WAF sits between external users and web applications and analyzes all HTTP/HTTPS traffic, identifying and blocking malicious requests before they can affect users or the web application. As a result, WAFs protect business-critical web applications and web servers from attacks. WAF operates on a set of rules called policies, which are used to filter most of the attacks known today. Many WAF services provide a default set of rules that are updated periodically. The most commonly used method for implementing WAF on the web is as a reverse proxy. The firewall function was assigned to the ModSecurity program. To install the ModSecurity web application firewall, the Apache webserver was installed and configured for further operation in reverse proxy server mode. To block attacks, the most current version of the OWASP CRS rules, downloaded from GitHub, was uploaded to the webserver. To protect against denial of service attacks, distributed denial of service (DoS, DDoS) and brute-force attacks, the mod_evasive module was installed. The main settings for this module are located in the /etc/apache2/mods-enabled/evasive.conf file.

5. DISCUSSION OF RESEARCH RESULTS

Testing of the system was carried out in two stages. At the first stage, tools for automating the search for web vulnerabilities (web vulnerability scanners) were used. No high severity vulnerabilities were found when scanning a vulnerable application through a firewall. At the same time, there is a significant decrease in the number of vulnerabilities of medium and low severity levels.

At the second stage, manual testing of applications for SQL injection, cross-site scripting and Path Traversal vulnerabilities was carried out. When an attempt was made to attack an application protected by a firewall, the response was "403 Forbidden", which indicates the impossibility of carrying out the attacks. ModSecurity uses two types of logs to track webserver attacks: the error log (error.log) and the audit log (modsec_audit.log). An error log entry is generated when an error is encountered or when an attack is attempted. Since ModSecurity is paired with Apache, all error logs (Apache error logs + ModSecurity error logs) are written to one file. The audit log begins to fill up after an event is recorded in the error log. The audit log records more detailed information about the blocked attack. ModSecurity audit log entries are linked to the error log through the same unique identifiers.

The use of neural networks to study traffic from IoT devices, in order to determine possible threats from such devices, needs to be studied. Using WAF in zero-trust systems is a fairly common option for securing services within an organization. But the use of open solutions in this approach allows you to customize protection more flexibly and personally according to the corresponding needs. It is also an opportunity to work on the introduction of elements of artificial intelligence in the approach to protection. In future studies, we plan to consider approaches to using neural networks to study traffic passing through the WAF and use the data obtained to improve the artificial intelligence algorithm for identifying threats [14-16].

6. CONCLUSIONS

A pilot study was carried out using WAF to protect internal services in the Zero Trust structure. The system was tested in two stages. First, we used tools to automate the search for web vulnerabilities (web vulnerability scanners). No high severity vulnerabilities were found when scanning a vulnerable application through a firewall. At the same time, there is a significant decrease in the number of vulnerabilities of medium and low severity levels. At the second stage, manual testing of applications for SQL injection, cross-site scripting and Path Traversal vulnerabilities was carried out. When an attempt was made to attack an application protected by a firewall, the response was "403 Forbidden", which indicates the impossibility of carrying out the attacks. ModSecurity uses two types of logs to track webserver attacks: the error log (error.log) and the audit log (modsec_audit.log). An error log entry is generated when an error is encountered or when an attack is attempted. Since ModSecurity is paired with Apache, all error logs (Apache error logs + ModSecurity error logs) are written to one file. The audit log begins to fill up after an event is recorded in the error log. The audit log records more detailed information about a blocked attack. ModSecurity audit log entries are linked to the error log through the same unique identifiers.

We also need to study the use of neural networks to analyze traffic from IoT devices in order to identify possible threats from such devices. But we have the opportunity to improve the protection algorithm of services in local area networks for the protection of end users and services.

The use of WAF in zero-trust systems is a fairly common option for protecting services within the organization. But the use of open solutions in this approach makes it possible to adjust the protection more flexibly and personally to the appropriate needs. It is also an opportunity to work on the introduction of elements of artificial intelligence in the approach to protection. In future research, we plan to consider approaches to using
neural networks to study traffic passing through WAF and use the data to improve the artificial intelligence algorithm to identify threats.
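The two ModSecurity logs described above can be tied together in practice. The following script is an added example written for this page, not code from the paper or from the ModSecurity project. It parses constructed samples of both files (the error log in the one-line Apache format, the audit log in the serial multi-section format, which is an assumption about the deployment) and joins them on the unique_id that each alert carries. It also shows the case the text implies but does not spell out: an alert that never reaches the audit log because the rule only warned and the request was still served.

```python
"""Correlate ModSecurity alerts in the Apache error log with modsec_audit.log.

Added example, not code from the paper. ModSecurity v2 (as used with Apache in
the study) writes one alert line per matched rule into the shared error log and
a multi-section record per transaction into the audit log (serial format is
assumed). Both carry the same unique_id, which is the join key used here.
"""
import re
from collections import defaultdict

# Constructed sample of the shared error log: a blocked SQLi request, a request
# that only triggered a warning, and a plain Apache error living in the same file.
ERROR_LOG = """\
[Tue Feb 15 12:00:01.000000 2022] [:error] [pid 1234:tid 140] [client 203.0.113.5:51234] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `DetectSQLi' with parameter `' against variable `ARGS:id'" [file "/etc/modsecurity/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "app.example"] [uri "/products"] [unique_id "EX0001AAAA"]
[Tue Feb 15 12:00:03.000000 2022] [:error] [pid 1234:tid 142] [client 203.0.113.9:40002] ModSecurity: Warning. Pattern match "\\.\\./" at ARGS:file. [file "/etc/modsecurity/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "30"] [id "930100"] [msg "Path Traversal Attack (/../)"] [severity "CRITICAL"] [hostname "app.example"] [uri "/download"] [unique_id "EX0003CCCC"]
[Tue Feb 15 12:00:04.000000 2022] [core:error] [pid 1234:tid 143] [client 203.0.113.11:40003] AH00126: Invalid URI in request GET /%zz HTTP/1.1
"""

# Constructed sample of modsec_audit.log (sections A, B, F, H and Z). There is
# deliberately no record for EX0003CCCC: the rule only warned and the request
# was served with 200, below the assumed default SecAuditLogRelevantStatus.
AUDIT_LOG = """\
--0a1b2c3d-A--
[15/Feb/2022:12:00:01 +0000] EX0001AAAA 203.0.113.5 51234 192.0.2.10 443
--0a1b2c3d-B--
GET /products?id=1%27%20OR%201%3D1-- HTTP/1.1
Host: app.example
--0a1b2c3d-F--
HTTP/1.1 403 Forbidden
--0a1b2c3d-H--
Message: Access denied with code 403 (phase 2). [id "942100"] [msg "SQL Injection Attack Detected via libinjection"]
Action: Intercepted (phase 2)
--0a1b2c3d-Z--
"""

# One alert line: timestamp, module, ..., "ModSecurity: Access denied with code N (phase P)." or "Warning."
ALERT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[[^\]]*\] .*?ModSecurity: "
    r"(?P<action>Access denied with code (?P<code>\d+) \(phase \d\)|Warning)\. "
)
CLIENT_RE = re.compile(r"\[client (?P<client>[^\]:]+)(?::\d+)?\]")
KV_RE = re.compile(r'\[(?P<key>[a-z_]+) "(?P<val>[^"]*)"\]')      # [key "value"] pairs
SECTION_RE = re.compile(r"^--(?P<boundary>[0-9a-f]+)-(?P<part>[A-Z])--$")  # audit-log section marker


def parse_error_log(text):
    """Return one dict per ModSecurity alert line; other Apache errors are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue  # e.g. AH00126 from Apache core: same file, not a WAF alert
        fields = dict(KV_RE.findall(line))
        client = CLIENT_RE.search(line)
        alerts.append({
            "timestamp": m.group("ts"),
            "blocked": m.group("code") is not None,
            "status": int(m.group("code")) if m.group("code") else None,
            "client": client.group("client") if client else None,
            "rule_id": fields.get("id"),
            "msg": fields.get("msg"),
            "uri": fields.get("uri"),
            "unique_id": fields.get("unique_id"),
        })
    return alerts


def _finish_record(sections):
    """Build one transaction record from the collected audit-log sections."""
    # Section A: "[timestamp] unique_id src_ip src_port dst_ip dst_port"
    timestamp, rest = sections["A"][0].split("] ", 1)
    unique_id, src_ip, _src_port, _dst_ip, _dst_port = rest.split()
    request_line = next((l for l in sections["B"] if l.strip()), "")   # B: request line first
    status_line = next((l for l in sections["F"] if l.strip()), "")    # F: response status line
    rule_ids = [v for k, v in KV_RE.findall("\n".join(sections["H"])) if k == "id"]
    return {"timestamp": timestamp.lstrip("["), "unique_id": unique_id, "client": src_ip,
            "request_line": request_line,
            "status": int(status_line.split()[1]) if status_line else None,
            "rule_ids": rule_ids}


def parse_audit_log(text):
    """Split the serial audit log into transactions keyed by unique_id."""
    records, sections, part = {}, None, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            part = m.group("part")
            if part == "A":                       # A opens a transaction
                sections = defaultdict(list)
            elif part == "Z":                     # Z closes it
                rec = _finish_record(sections)
                records[rec["unique_id"]] = rec
                sections, part = None, None
            continue
        if sections is not None and part is not None:
            sections[part].append(line)
    return records


def correlate(alerts, audit):
    """Join alerts to audit records on unique_id; return (matched, unmatched)."""
    matched, unmatched = [], []
    for alert in alerts:
        rec = audit.get(alert["unique_id"])
        if rec is None:
            unmatched.append(alert)           # alert without audit detail: request went through
        else:
            matched.append({**alert, "request_line": rec["request_line"],
                            "audit_status": rec["status"], "audit_rule_ids": rec["rule_ids"]})
    return matched, unmatched
```

Calling `correlate(parse_error_log(ERROR_LOG), parse_audit_log(AUDIT_LOG))` on the samples gives one matched transaction (the blocked request, with the full request line from the audit log) and one unmatched alert. In a zero-trust deployment the unmatched list is the one to watch: a warning-only match means the request reached the internal service, and the error log is the only trace of it.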