Is the use of a web application firewall (WAF) a mandatory standard for securing web resources, or is it an important but optional layer of protection? How to choose and implement a WAF? What does the future hold for this market? Keep reading to get the answers.
What does a web application firewall do?
It is hard to imagine a modern company that does not need a WAF; the tool is redundant only where there are no web-facing assets to protect. A WAF is worth having wherever web resources are the backbone of business activity, store critical data of employees and customers, or are linked to the organization's infrastructure and could become an entry point for intruders.
A web application firewall also protects the custom solutions companies build for themselves. These systems often contain vulnerable code and can pose a threat to enterprise security. A WAF provides defenses at Layer 7 of the Open Systems Interconnection (OSI) model: it inspects the content of HTTP requests and responses (URLs, headers, parameters, bodies) that neither traditional firewalls nor next-generation firewalls (NGFWs) examine in depth. In addition to securing a corporate website, it protects web application servers, supervises integrations with third-party services, and handles threats that are not tied to a code vulnerability, such as application-layer DDoS attacks.
There are two fundamental differences between a WAF and other firewalls: functional and architectural. Functionally, a WAF parses the structured formats carried inside HTTP (for example, JSON or form-encoded bodies) and matches rules against individual fields, which an NGFW and other generic systems do not do. Architecturally, the difference lies in how it is placed in the network: a WAF usually works as a reverse proxy in front of the specific in-house applications it protects, so it sees every request to them before the application does.
Figuratively speaking, a WAF is a product that stops attacks on a vulnerable website from succeeding. In terms of location, an NGFW is installed at the network gateway, while a WAF is installed where the website resides.
An NGFW, a regular firewall, and a classic intrusion prevention system (IPS) are multiprotocol devices, while a WAF is confined to web application protocols that use HTTP as the transport. This narrow focus makes it more effective in its niche, because it can analyze those protocols in far greater depth. Importantly, a WAF "knows" exactly which applications it is protecting and can apply a different security policy depending on which application the traffic is addressed to.
Is it possible to build the solution in-house instead of buying one? This is a viable approach, but it is exceedingly difficult to put into practice: the company effectively becomes the developer of its own WAF and must handle not only the development but also the full support cycle, including rule updates, tuning, and maintenance.
Another important aspect is the choice between an on-premises deployment and a cloud service. This is largely a matter of trust in the cloud provider, which terminates TLS for the protected application and therefore sees its traffic in clear text. The web application security market is actively migrating to the cloud, which means that more and more customers find the risks of such services acceptable.
It is also worth touching upon the pros and cons of off-the-shelf hardware-and-software WAF appliances versus software-only products. Solutions tuned for specific hardware may perform better than universal systems that run on any equipment. The other side of the coin is the customer's likely preference for hardware platforms that are already in use.
The question also has organizational and bureaucratic aspects. Sometimes it is easier for an information security department to buy a turnkey hardware-and-software bundle than to justify two separate budget items.
Every WAF has a set of protection modules that all traffic passes through. Protection usually starts at the basic levels: DDoS protection and signature analysis. One level higher are custom security policies and a machine learning subsystem. An integration module for third-party systems usually appears at one of the final deployment stages.
Another important component of a WAF is a passive or active vulnerability scanner: the passive mode infers vulnerabilities from the server's responses to live traffic, while the active mode probes endpoints directly. Some firewalls can also detect rogue activity on the browser side.
As for attack detection technologies, there are two fundamentally different tasks: validation (checking the data in a specific request against rules or signatures) and behavioral analysis (judging a client's sequence of requests, for example its rate or navigation pattern, rather than any single request). Each of these models applies its own set of algorithms.
If we look at WAF operation in terms of the request processing stages, a request passes through a series of parsers (HTTP, query string, JSON, multipart), then through decoding modules that normalize encoded input (percent-encoding, Base64 and the like; not to be confused with TLS decryption), and finally through a set of blocking rules responsible for the final verdict. Another layer spans security policies developed by humans or derived from machine learning algorithms.
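The pipeline just described (parsers, then decoders, then rules, with a separate behavioral check) can be made concrete in a few dozen lines. The following is an added example written for this article, not code from any WAF product: it flattens query, form and JSON fields so that rules can target individual parameters, normalizes them by repeated percent-decoding so that double-encoded payloads such as `%2527` do not slip past the patterns, applies a handful of signature-style validation rules, and adds one behavioral rule, a per-client request rate. The rule names, regular expressions, the `detect`/`block` mode switch and the sample requests are all assumptions made for the example.

```python
"""Minimal WAF request pipeline: parsers -> decoders -> rules -> verdict.
Added illustration for this article; not code from any product."""
import json
import re
from collections import defaultdict, deque
from urllib.parse import parse_qs, unquote, urlsplit


# --- stage 1: parsers -------------------------------------------------------
def _flatten(obj, path, out):
    """Turn a JSON document into leaf fields named JSON:<path> so rules can
    inspect each value on its own (e.g. JSON:items[0].id)."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            _flatten(value, f"{path}.{key}" if path else key, out)
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            _flatten(value, f"{path}[{i}]", out)
    else:
        out[f"JSON:{path}"] = str(obj)


def parse_request(raw: dict) -> dict:
    """Split a request (a plain dict here) into inspectable fields:
    PATH, ARGS:<name>, HEADERS:<name>, JSON:<path>."""
    url = urlsplit(raw["url"])
    headers = raw.get("headers", {})
    fields = {"PATH": url.path}
    for key, values in parse_qs(url.query, keep_blank_values=True).items():
        for value in values:
            fields[f"ARGS:{key}"] = value
    for key, value in headers.items():
        fields[f"HEADERS:{key.lower()}"] = value
    body = raw.get("body", "")
    if body and headers.get("Content-Type", "").startswith("application/json"):
        try:
            _flatten(json.loads(body), "", fields)
        except ValueError:
            fields["JSON:__malformed__"] = body  # still inspected by the rules
    elif body:
        for key, values in parse_qs(body, keep_blank_values=True).items():
            for value in values:
                fields[f"ARGS:{key}"] = value
    return fields


# --- stage 2: decoders (normalization, not decryption) ---------------------
def normalize(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (defeats %2527-style double encoding),
    drop NUL bytes, fold whitespace and lower-case before matching."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    value = value.replace("\x00", "")
    return re.sub(r"\s+", " ", value).lower()


# --- stage 3: validation rules (signature style, assumed for the example) --
RULES = [
    ("sqli-union", re.compile(r"\bunion\b.{0,40}\bselect\b"), ("ARGS", "JSON")),
    ("sqli-tautology", re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+"), ("ARGS", "JSON")),
    ("xss-script", re.compile(r"<script\b|javascript:|onerror\s*="), ("ARGS", "JSON", "HEADERS")),
    ("traversal", re.compile(r"(^|/)\.\./"), ("PATH", "ARGS")),
]


def match_rules(fields: dict) -> list:
    """Return (rule, field) pairs for every rule that fires on a field
    whose class (PATH/ARGS/HEADERS/JSON) the rule targets."""
    hits = []
    for name, pattern, targets in RULES:
        for field, value in fields.items():
            if field.split(":")[0] in targets and pattern.search(normalize(value)):
                hits.append((name, field))
    return hits


# --- stage 4: behavioral check (request rate per client) --------------------
class RateTracker:
    def __init__(self, limit: int, window_s: float):
        self.limit, self.window, self.hits = limit, window_s, defaultdict(deque)

    def exceeded(self, client: str, now: float) -> bool:
        queue = self.hits[client]
        queue.append(now)
        while queue and now - queue[0] > self.window:
            queue.popleft()
        return len(queue) > self.limit


# --- final verdict ----------------------------------------------------------
def inspect(raw: dict, tracker: RateTracker, now: float, mode: str = "block") -> dict:
    """mode="detect" logs the reasons but never blocks (monitoring mode);
    mode="block" enforces the verdict."""
    reasons = [f"{rule}@{field}" for rule, field in match_rules(parse_request(raw))]
    if tracker.exceeded(raw["client"], now):
        reasons.append("rate-limit")
    action = "block" if reasons and mode == "block" else "allow"
    return {"action": action, "reasons": reasons}
```

The decode loop is the part worth copying: a rule that runs on the raw value sees `1%27%20union%20select` after the query-string parser has removed one layer of encoding and misses the injection; the WAF must keep decoding until the value stops changing, and cap the rounds so an attacker cannot make it loop. The same pipeline in `detect` mode is what a monitoring-only pilot runs.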
Regarding the interaction of a web application firewall with containers, the only difference lies in deployment details; the basic principles are the same. In a containerized environment, the WAF can act as an ingress gateway that filters all requests entering the cluster. Alternatively, it can run as a container itself (for example, as a sidecar next to the application) and be integrated with the platform's data bus.
Is it possible to provide a WAF on a software-as-a-service (SaaS) basis? Under the SaaS model, the customer gets a fully hosted WAF and administers it through the provider's cloud console. By itself this brings no dramatic advantages, but it is a first step toward moving IT infrastructure to the cloud. If the company also delegates operation of the system to a third party, the arrangement is closer to the managed security service provider (MSSP) model, which can bring significant benefits.
A penetration test conducted by the customer at the pilot project stage will show how effective the WAF is: the attacks that pass through undetected are the gaps to close. In addition, vendors and system integrators can provide the customer with regular firewall performance reports reflecting the results of traffic analysis.
How to deploy a web application firewall
The main stages of WAF deployment are as follows:
- Creating a pilot project.
- Selecting the vendor.
- Determining the architecture of the solution.
- Specifying backup techniques.
- Deploying the software or hardware complex.
- Training and motivating the staff to use the WAF.
In an ideal world, hooking a WAF up to a single application in monitoring mode takes mere minutes. Configuring the rules that actually block threats takes longer, and there are further aspects of implementation: approvals, personnel training, and other technicalities. The deployment period also depends on the chosen method, the specific application, and the types of traffic to be monitored.
A well-orchestrated deployment process helps minimize false positives. Extensive testing before production and after launch is what does it: run the WAF in monitoring (detect-only) mode first, let a security specialist review and correct its verdicts during the tests, and switch to blocking only once the solution has been "taught". InfoSec teams should study WAF-generated statistics during the first month of operation to see whether the system is blocking legitimate traffic. At the same time, experts emphasize that every WAF has some false-positive rate; the goal is to bring it down to an acceptable level, not to zero.
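The "teaching" step is easiest to see as a pass over the WAF's own monitoring-mode log. The example below is added here and is not taken from any product: it reads rule-hit events to which an analyst has added a verdict, reports the per-rule false-positive rate (the first-month statistics the text recommends reviewing), proposes exclusions scoped to a single rule, URI and parameter rather than disabling a rule outright, and gates the switch to blocking mode on the false-positive rate that remains. The log lines, rule names, paths, addresses and the 5% threshold are all constructed for the example.

```python
"""Tuning pass over a WAF's monitoring-mode event log.
Added illustration for this article; not code from any product."""
import json
from collections import Counter, defaultdict

# Constructed sample log: one JSON event per rule hit, recorded while the WAF
# ran in detect-only mode, with the analyst's verdict added after review
# ("attack" = the rule was right, "legit" = false positive on real traffic).
SAMPLE_LOG = """
{"rule": "sqli-generic", "uri": "/blog/comment", "param": "ARGS:text", "client": "203.0.113.5", "analyst": "legit"}
{"rule": "sqli-generic", "uri": "/blog/comment", "param": "ARGS:text", "client": "203.0.113.7", "analyst": "legit"}
{"rule": "sqli-generic", "uri": "/blog/comment", "param": "ARGS:text", "client": "203.0.113.9", "analyst": "legit"}
{"rule": "sqli-generic", "uri": "/login", "param": "ARGS:username", "client": "198.51.100.2", "analyst": "attack"}
{"rule": "sqli-generic", "uri": "/login", "param": "ARGS:username", "client": "198.51.100.2", "analyst": "attack"}
{"rule": "xss-generic", "uri": "/blog/comment", "param": "ARGS:text", "client": "198.51.100.8", "analyst": "attack"}
{"rule": "traversal", "uri": "/files", "param": "ARGS:path", "client": "198.51.100.3", "analyst": "attack"}
{"rule": "traversal", "uri": "/files", "param": "ARGS:path", "client": "198.51.100.3", "analyst": "attack"}
{"rule": "hostcheck", "uri": "/health", "param": "HEADERS:host", "client": "10.0.0.4", "analyst": "legit"}
{"rule": "hostcheck", "uri": "/health", "param": "HEADERS:host", "client": "10.0.0.5", "analyst": "legit"}
{"rule": "xss-generic", "uri": "/search", "param": "ARGS:q", "client": "203.0.113.50", "analyst": "legit"}
{"rule": "xss-generic", "uri": "/search", "param": "ARGS:q", "client": "203.0.113.50", "analyst": "legit"}
"""


def parse_events(text: str) -> list:
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def false_positive_report(events: list) -> dict:
    """Per rule: total hits, false positives and the resulting FP rate."""
    stats = defaultdict(lambda: {"hits": 0, "fp": 0})
    for e in events:
        stats[e["rule"]]["hits"] += 1
        if e["analyst"] == "legit":
            stats[e["rule"]]["fp"] += 1
    return {rule: {**s, "fp_rate": round(s["fp"] / s["hits"], 2)} for rule, s in stats.items()}


def propose_exclusions(events: list, min_fp: int = 2, min_clients: int = 2) -> list:
    """Suggest exclusions scoped to (rule, uri, parameter). A location qualifies
    only if legitimate users trip the rule there repeatedly, from several
    distinct clients (one noisy client should not drive a policy change), and
    no confirmed attack was seen at that location. A global rule disable is
    deliberately never suggested."""
    fp_hits, fp_clients, attacks = Counter(), defaultdict(set), Counter()
    for e in events:
        key = (e["rule"], e["uri"], e["param"])
        if e["analyst"] == "legit":
            fp_hits[key] += 1
            fp_clients[key].add(e["client"])
        else:
            attacks[key] += 1
    return sorted(
        key for key in fp_hits
        if fp_hits[key] >= min_fp and len(fp_clients[key]) >= min_clients and attacks[key] == 0
    )


def apply_exclusions(events: list, exclusions: list) -> list:
    """Events that would still fire after the proposed exclusions are installed."""
    excluded = set(exclusions)
    return [e for e in events if (e["rule"], e["uri"], e["param"]) not in excluded]


def ready_to_block(report: dict, max_fp_rate: float = 0.05) -> bool:
    """Gate for switching from monitoring to blocking mode (threshold assumed)."""
    hits = sum(s["hits"] for s in report.values())
    fp = sum(s["fp"] for s in report.values())
    return hits == 0 or fp / hits <= max_fp_rate


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    exclusions = propose_exclusions(events)
    remaining = apply_exclusions(events, exclusions)
    print("exclusions:", exclusions)
    print("after tuning:", false_positive_report(remaining))
    print("ready to block:", ready_to_block(false_positive_report(remaining)))
```

On the constructed log the pass proposes two scoped exclusions (the comment form's text field for the SQLi rule and the health-check host header) and refuses a third: the `/search` false positives all come from one client, so they stay in the report for a human to look at instead of being excluded automatically. Because they remain, the gate still says the system is not ready for blocking mode, which is the right answer until that traffic is explained.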
When it comes to WAF integration with other security mechanisms, the main areas are:
- Security information and event management (SIEM) systems (WAF acts as a data provider).
- Different kinds of sandboxes.
- Antivirus engines (for scanning uploaded files).
- Data loss prevention (DLP) systems.
- Vulnerability scanners.
- Security tools within the Kubernetes platform.
WAF market trends and predictions
The popularity of open web APIs (REST, GraphQL and similar interfaces) is on the rise, and analysts predict a shift in the focus of security solutions toward protecting them. Gartner even has a name for such a product: Web Application and API Protection (WAAP).
The pandemic has dramatically increased dependence on the online world. The importance of the WAF will therefore grow, and it may become one of the main prerequisites for securing any web resource. It will most likely move "closer" to web applications and be integrated into the development process.
Regarding the technological trends in WAF evolution, experts predict more active use of artificial intelligence and multi-level machine learning. This will raise threat detection to a new level, and the use of pre-trained models built inside the company will become the norm. Analysts also note the growing adoption of filtering mechanisms based on behavioral factors.
On the deployment side, the integration of WAFs with cloud services will continue, and the trend toward open security systems will influence this segment as well. Both customers and vendors will benefit from this natural response to current market demands.
The web application firewall is a key element of present-day web security. The growing number of critical tasks performed via web interfaces and open APIs is a powerful driving force in this area. A customer can choose between deploying a WAF within their own infrastructure, integrating an off-the-shelf hardware-and-software bundle into it, or using a cloud service.
Another game-changing trend is the integration of WAFs with other information security systems and with website development workflows, which makes the WAF an integral component of an effective DevSecOps process.