WEBVTT

1
00:00:00.000 --> 00:00:01.380
In this lesson,

2
00:00:01.380 --> 00:00:04.860
we will learn about application layer security.

3
00:00:04.860 --> 00:00:08.880
Application layer security involves protecting applications

4
00:00:08.880 --> 00:00:13.080
and their data from unauthorized access and attacks.

5
00:00:13.080 --> 00:00:16.380
It works at the highest layer of the OSI model,

6
00:00:16.380 --> 00:00:18.240
the application layer,

7
00:00:18.240 --> 00:00:19.938
and it involves the implementation

8
00:00:19.938 --> 00:00:24.938
of both Application Programming Interface or API gateways

9
00:00:25.350 --> 00:00:29.070
and Web Application Firewalls or WAFs.

10
00:00:29.070 --> 00:00:33.000
Let's learn more about API gateways and WAFs.

11
00:00:33.000 --> 00:00:35.640
First we have API gateways.

12
00:00:35.640 --> 00:00:37.636
Let's compare an API gateway

13
00:00:37.636 --> 00:00:39.660
to something we're familiar with,

14
00:00:39.660 --> 00:00:41.910
a toll booth on the highway.

15
00:00:41.910 --> 00:00:43.500
When driving on the highway,

16
00:00:43.500 --> 00:00:45.330
you may pass through toll booths

17
00:00:45.330 --> 00:00:47.340
that control the flow of traffic,

18
00:00:47.340 --> 00:00:50.070
ensuring that only authorized vehicles,

19
00:00:50.070 --> 00:00:53.880
those that have paid or have a pass can continue.

20
00:00:53.880 --> 00:00:57.268
Similarly, an API gateway controls the flow of data

21
00:00:57.268 --> 00:01:00.300
between clients and backend services.

22
00:01:00.300 --> 00:01:02.280
It checks incoming requests

23
00:01:02.280 --> 00:01:05.640
to ensure they meet certain security conditions like

24
00:01:05.640 --> 00:01:09.900
authentication or rate limits before allowing them through.

25
00:01:09.900 --> 00:01:12.930
And just like a toll booth prevents vehicles

26
00:01:12.930 --> 00:01:15.750
that haven't paid from entering the highway,

27
00:01:15.750 --> 00:01:20.310
an API gateway ensures only valid authorized requests

28
00:01:20.310 --> 00:01:22.080
reach the backend server,

29
00:01:22.080 --> 00:01:26.160
protecting it from unauthorized access and overload.

30
00:01:26.160 --> 00:01:29.670
One of the most common roles for an API gateway

31
00:01:29.670 --> 00:01:32.250
is acting as a reverse proxy.

32
00:01:32.250 --> 00:01:35.580
Acting as a reverse proxy means the API gateway

33
00:01:35.580 --> 00:01:39.630
accepts all API calls coming into the network

34
00:01:39.630 --> 00:01:43.230
and routes them to the appropriate backend services.

35
00:01:43.230 --> 00:01:46.770
For example, when you want to watch a movie on Netflix,

36
00:01:46.770 --> 00:01:49.515
the Netflix API Gateway determines

37
00:01:49.515 --> 00:01:52.620
which services are needed based on your location

38
00:01:52.620 --> 00:01:56.190
and the device you're using like a laptop or TV.

39
00:01:56.190 --> 00:02:00.570
Then the API Gateway efficiently directs your request

40
00:02:00.570 --> 00:02:03.450
to the right servers to deliver the content,

41
00:02:03.450 --> 00:02:06.000
ensuring a smooth user experience

42
00:02:06.000 --> 00:02:09.150
across different devices and regions.

43
00:02:09.150 --> 00:02:11.588
But an API gateway can do much more

44
00:02:11.588 --> 00:02:14.430
than just act as a reverse proxy.

45
00:02:14.430 --> 00:02:17.880
API gateways can also perform request routing,

46
00:02:17.880 --> 00:02:20.010
directing traffic to the right service

47
00:02:20.010 --> 00:02:22.170
based on the type of request.

48
00:02:22.170 --> 00:02:24.373
For example, if a request involves

49
00:02:24.373 --> 00:02:27.090
retrieving user account details,

50
00:02:27.090 --> 00:02:32.090
the API gateway can send the request to the account service.

51
00:02:32.100 --> 00:02:35.430
Or if the request is for processing a payment,

52
00:02:35.430 --> 00:02:37.575
the API gateway could route the traffic

53
00:02:37.575 --> 00:02:39.750
to the payment service.

54
00:02:39.750 --> 00:02:41.850
This ensures that each request

55
00:02:41.850 --> 00:02:44.430
is handled by the appropriate service,

56
00:02:44.430 --> 00:02:48.000
improving efficiency and ensuring the right resources

57
00:02:48.000 --> 00:02:51.330
are used to fulfill each specific need.

58
00:02:51.330 --> 00:02:54.840
API Gateways can also handle authentication

59
00:02:54.840 --> 00:02:56.580
and authorization,

60
00:02:56.580 --> 00:02:59.447
ensuring that only users with the correct permissions

61
00:02:59.447 --> 00:03:01.860
can access certain data.

62
00:03:01.860 --> 00:03:05.250
In addition, API gateways can manage rate limiting

63
00:03:05.250 --> 00:03:08.550
and throttling, ensuring that no one device

64
00:03:08.550 --> 00:03:10.770
can overload the system by sending

65
00:03:10.770 --> 00:03:13.380
too many requests too quickly.

66
00:03:13.380 --> 00:03:17.580
An API Gateway can even provide enhanced security

67
00:03:17.580 --> 00:03:20.250
by blocking unauthorized access

68
00:03:20.250 --> 00:03:22.170
and allowing companies to filter

69
00:03:22.170 --> 00:03:24.660
and control the flow of data.

70
00:03:24.660 --> 00:03:27.450
By balancing all these capabilities,

71
00:03:27.450 --> 00:03:30.630
an API Gateway not only helps ensure data

72
00:03:30.630 --> 00:03:32.550
gets to where it needs to go,

73
00:03:32.550 --> 00:03:36.600
but also keeps systems running smoothly and securely.

74
00:03:36.600 --> 00:03:41.580
Second, let's talk about Web Application Firewalls or WAFs.

75
00:03:41.580 --> 00:03:43.440
A Web Application Firewall

76
00:03:43.440 --> 00:03:46.800
is a specialized firewall designed to inspect

77
00:03:46.800 --> 00:03:51.330
and filter HTTP traffic to protect web applications

78
00:03:51.330 --> 00:03:54.390
from common attacks like cross-site scripting

79
00:03:54.390 --> 00:03:56.460
and SQL injection.

80
00:03:56.460 --> 00:03:59.610
These firewalls apply rule sets to detect

81
00:03:59.610 --> 00:04:01.890
and block harmful traffic

82
00:04:01.890 --> 00:04:04.860
before it can reach your web server.

83
00:04:04.860 --> 00:04:07.980
For example, if a hacker tries to insert

84
00:04:07.980 --> 00:04:11.052
malicious SQL code into a web form

85
00:04:11.052 --> 00:04:14.310
to gain unauthorized access to a database,

86
00:04:14.310 --> 00:04:17.550
the WAF can identify and block this attempt

87
00:04:17.550 --> 00:04:20.130
preventing a potential breach.

88
00:04:20.130 --> 00:04:22.560
To provide this level of protection,

89
00:04:22.560 --> 00:04:26.490
WAFs can be installed either as separate appliances

90
00:04:26.490 --> 00:04:29.640
or as a software plugin on a web server.

91
00:04:29.640 --> 00:04:32.130
When installed as a separate appliance,

92
00:04:32.130 --> 00:04:34.620
the WAF functions independently

93
00:04:34.620 --> 00:04:36.900
within the network infrastructure.

94
00:04:36.900 --> 00:04:38.580
When installed as a plugin,

95
00:04:38.580 --> 00:04:42.810
the WAF integrates directly with the web server itself.

96
00:04:42.810 --> 00:04:45.600
WAFs can also be deployed inline

97
00:04:45.600 --> 00:04:48.810
between the network firewall and the web server

98
00:04:48.810 --> 00:04:51.660
where they can actively block live attacks.

99
00:04:51.660 --> 00:04:54.270
But this might slow down traffic a bit

100
00:04:54.270 --> 00:04:57.240
or occasionally block legitimate requests.

101
00:04:57.240 --> 00:05:02.240
So to prevent this, WAFs can be configured as out of band

102
00:05:02.310 --> 00:05:05.627
where they passively monitor traffic by analyzing

103
00:05:05.627 --> 00:05:08.790
a copy of the traffic that they are monitoring.

104
00:05:08.790 --> 00:05:11.100
This allows them to detect threats

105
00:05:11.100 --> 00:05:14.430
but not block communications in real time.

106
00:05:14.430 --> 00:05:18.450
This out-of-band monitoring setup is unintrusive,

107
00:05:18.450 --> 00:05:21.180
but serves more as a detection system

108
00:05:21.180 --> 00:05:23.160
than a prevention system.

109
00:05:23.160 --> 00:05:25.680
Whether inline or out of band,

110
00:05:25.680 --> 00:05:30.060
WAFs can play a critical role in web application security.

111
00:05:30.060 --> 00:05:31.680
So remember,

112
00:05:31.680 --> 00:05:33.797
application layer security focuses

113
00:05:33.797 --> 00:05:37.140
on protecting applications and their data

114
00:05:37.140 --> 00:05:40.020
from unauthorized access and attacks.

115
00:05:40.020 --> 00:05:42.960
Additionally, application layer security

116
00:05:42.960 --> 00:05:46.830
operates at the highest layer of the OSI model.

117
00:05:46.830 --> 00:05:49.980
Two key components of application layer security

118
00:05:49.980 --> 00:05:54.780
are API gateways and web application firewalls.

119
00:05:54.780 --> 00:05:57.282
API gateways manage the flow of data

120
00:05:57.282 --> 00:06:00.420
between clients and backend services,

121
00:06:00.420 --> 00:06:03.180
ensuring requests are valid and secure,

122
00:06:03.180 --> 00:06:06.720
while also performing tasks like request routing,

123
00:06:06.720 --> 00:06:09.390
authentication, and rate limiting.

124
00:06:09.390 --> 00:06:12.375
On the other hand, WAFs are specialized firewalls

125
00:06:12.375 --> 00:06:15.420
that filter and block harmful traffic

126
00:06:15.420 --> 00:06:17.940
to protect web applications from threats

127
00:06:17.940 --> 00:06:21.270
like cross-site scripting and SQL injection.

128
00:06:21.270 --> 00:06:24.240
Whether deployed inline or out of band,

129
00:06:24.240 --> 00:06:27.900
WAFs play an important role in maintaining the security

130
00:06:27.900 --> 00:06:31.140
and smooth operation of web applications,

131
00:06:31.140 --> 00:06:34.530
while API Gateways are deployed inline

132
00:06:34.530 --> 00:06:37.893
to manage traffic and security effectively.

