5 Cloud Web Application Firewalls (WAF) Features

Everything you’d want to look for in a Web Application Firewall (cloud WAF).

Did you know that it can take up to 5 months to patch even the most critical vulnerabilities? The Web Application Security Statistics Report states that most companies fix critical vulnerabilities in 146 days on average.

Would hackers wait for your developers to patch code? Even if they have time on hand, wouldn’t you want that time to be spent on more critical business functions? That’s why you need an effective and cost-efficient cloud WAF.

According to the Open Web Application Security Project (OWASP), a WAF applies a set of rules to an HTTP conversation to block common attacks. In other words, a Web Application Firewall (WAF) is designed to patch over application weaknesses. It stops attacks exploiting cross-site request forgery (CSRF), cross-site scripting (XSS), file inclusion, and SQL injection without development or code changes in the application.

Sounds easy, right? However, with dozens of WAF vendors and a lack of relevant technical guides, companies often struggle with finding the right product. Our security analysts along with industry experts have come up with this guide specifically for companies comparing different WAF products. Here are the features that should be at the top of your checklist.

1. Cloud Availability

(with hybrid deployment model)

In 2008, Arizona State University published a revolutionary article on the future of cloud computing. They compared SaaS models with electricity.

When you plug in a toaster, you do not have to think about how far the electrons traveled from the source (a coal, nuclear, or hydro-powered station) in order to power your home. You know that the power is there, and you pay for the usage every month. You will probably never wonder what the costs of setting up such a power plant would be.

The web application firewall (and the entire SaaS industry) has evolved in a similar fashion. Earlier, when you had to invest in on-premise WAFs, only multimillion-dollar organizations could afford them.

As online businesses flourished, security concerns and requirements grew too. Not every online company wants to spend such huge sums on an installed device that also requires software upgrades. It is slow, costly, and unnecessary.

Today, cloud WAFs are the top choice for exponentially-growing online businesses that want ease of deployment and lower monthly costs:

  • Monthly security subscriptions without huge upfront payments
  • Bandwidth flexibility
  • Automatic updates to patch zero-day vulnerabilities
  • Quick custom-rule deployment
  • Cost-effective PCI compliance

Additionally, it is important that the WAF supports a hybrid deployment model, because a transition to the cloud (if required) cannot happen overnight. You cannot delay security choices during the migration, nor can you invest in an on-premise deployment that does not support the transition to the cloud at no additional cost.

One of the main barriers to cloud WAF adoption is the concern that the additional hop could affect the performance and response time of the website. This is a valid concern, but it can be mitigated by capabilities the cloud WAF can enable. Most cloud WAF providers should offer the option to enable a CDN along with the WAF service at no additional cost. This means you can actually get a boost in website performance along with security, since most sites (even dynamic ones) have more than 75% static content that can be served automatically from the edge closest to the user.

Also check whether the cloud WAF infrastructure is built on an existing public cloud such as AWS or Azure. This ensures the provider can quickly enable multiple regions, so that all content, including dynamic content, is served to the end user in the most optimal manner, giving you website security with no performance trade-off.

Ensure that across all these deployment models there is a centralized console for management and visibility of the application security provided to the customers.

2. DDoS Protection

Distributed denial of service (DDoS) attacks make an online service unavailable. Such attacks exploit numerous zombie/compromised/hacked systems or other network resources. By definition, every website is vulnerable to DDoS attacks.

DDoS attacks cost up to $100,000 per hour, so if you are comparing web application firewalls, it is desirable to have some form of DDoS protection built in.

Modern, intelligent WAFs monitor your traffic continuously to protect against Layer 3, 4, and 7 attacks. Their global threat database feeds attack history and threat intelligence to your WAF for protection.

  • Real-time traffic visibility
  • Instant Layer 3, 4 and 7 protection
  • No downtime
  • Instant rules to block traffic from certain countries, IPs
  • Global threat database

3. Custom Rules

(based on application risks with quick, managed protection)

Suppose there is a vulnerability unique to your application (OWASP calls these business logic flaws) and you want the WAF to cover it. How difficult would that be?

Several web application firewall vendors charge for creating custom rules on a per-request basis. That is frustrating and costly if you have a complex website requiring several rules. Also make sure the vendor's guarantee covers checking for false positives. The responsibility for testing rules and putting them in block mode should not rest solely with the customer but also with the vendor providing those rules and security policy updates. Look for vendors who back their custom rule services with a Zero False-positive assurance backed by a Service Level Agreement (SLA).

Ideally, the web application firewall should allow you to request custom rules from the portal without creating a fuss about it or charging you for each request. Ensure that you compare this feature from different WAF vendors before paying.

  • No charges for creating extra protection rules
  • Easy rule request
  • Rules created by security analysts eliminating false positives

Enabling WAF policies without an understanding of your application's vulnerabilities may put your application at high risk. It is important that the WAF provides an integrated offering that includes security testing of your application and instant protection against the risks found, along with the option to request custom rules.

Also, the WAF must come with default policies that can be deployed in BLOCK mode from day one, so that most common attacks are blocked instantly.

4. Block-Log-Challenge Switch

Security intelligence is an unparalleled asset.

It helps you build stronger web applications that can guard requests, protecting critical data. WAF logs are critical to building a central security intelligence repository.

While basic web application firewalls act as robots blocking requests based on prewritten rules, intelligent WAFs give you the power of decision-making per rule:

  • Block - Block the request completely; the user/attacker cannot get the request through (for critical assets and requests)
  • Log - Flag the request to study user behavior, then enable block or challenge after reviewing the logs
  • Challenge - Present a CAPTCHA before allowing access
  • Use each of the above incidents as a foundation unit of intelligence to learn and update policies, further enhancing the defense posture and preventing future attacks
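The following is an added example, not code from the original post or from AppTrana, showing how the custom rules of section 3 and the Block/Log/Challenge switch of section 4 fit together in a minimal policy engine. Each rule carries one of the three actions; a BLOCK rule wins outright, a CHALLENGE rule forces a CAPTCHA unless the client has already solved one, and a LOG rule only records its hit. A false-positive check replays known-good traffic against the enforcing rules, which is the kind of review a vendor should do before promoting a rule from log to block mode. The `/coupon` endpoint, its `discount` parameter, the placeholder country code `XX`, the simplified SQLi/XSS patterns and all sample requests are constructed assumptions for illustration only.

```python
import re
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Action(Enum):
    BLOCK = "block"          # drop the request outright
    LOG = "log"              # record the hit, let the request through
    CHALLENGE = "challenge"  # require a CAPTCHA before the request proceeds


@dataclass
class Request:
    # Constructed, minimal view of an HTTP request for this example
    method: str
    path: str
    query: Dict[str, str]
    client_ip: str
    country: str
    solved_captcha: bool = False


@dataclass
class Rule:
    name: str
    matches: Callable[[Request], bool]
    action: Action


# Deliberately simplified generic signatures (illustration only, not a
# production-grade signature set)
SQLI = re.compile(r"(?i)(\bunion\b.+\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+)")
XSS = re.compile(r"(?i)(<script\b|javascript:)")


def any_param(req: Request, pattern: "re.Pattern") -> bool:
    return any(pattern.search(v) for v in req.query.values())


def negative_discount(req: Request) -> bool:
    # Virtual patch for a hypothetical business-logic flaw: the assumed
    # /coupon endpoint must never accept a negative discount value.
    if req.path != "/coupon":
        return False
    try:
        return int(req.query.get("discount", "0")) < 0
    except ValueError:
        return False


RULES: List[Rule] = [
    Rule("generic-sqli", lambda r: any_param(r, SQLI), Action.BLOCK),
    Rule("generic-xss", lambda r: any_param(r, XSS), Action.BLOCK),
    Rule("vpatch-negative-coupon", negative_discount, Action.BLOCK),
    # Geo rule in challenge mode; 'XX' is a placeholder country code
    Rule("geo-challenge", lambda r: r.country == "XX", Action.CHALLENGE),
    # A new rule kept in log-only mode until its hits have been reviewed
    Rule("log-admin-probe", lambda r: r.path.startswith("/admin"), Action.LOG),
]


def evaluate(req: Request, rules: List[Rule] = RULES) -> Tuple[str, List[str]]:
    """Return (decision, names of rules that fired).

    Precedence: any BLOCK rule wins; otherwise a CHALLENGE rule forces a
    CAPTCHA unless the client already solved one; LOG rules only record.
    """
    fired = [rule for rule in rules if rule.matches(req)]
    names = [rule.name for rule in fired]
    actions = {rule.action for rule in fired}
    if Action.BLOCK in actions:
        return "block", names
    if Action.CHALLENGE in actions and not req.solved_captcha:
        return "challenge", names
    return "allow", names


def false_positive_report(benign: List[Request], rules: List[Rule] = RULES) -> Dict[str, int]:
    """Count, per enforcing (BLOCK/CHALLENGE) rule, how often it fires on
    known-good traffic. Any non-zero count is a false-positive candidate:
    that rule should stay in LOG mode until it has been tightened."""
    counts: Dict[str, int] = {}
    for req in benign:
        for rule in rules:
            if rule.action is not Action.LOG and rule.matches(req):
                counts[rule.name] = counts.get(rule.name, 0) + 1
    return counts


# Constructed sample traffic (addresses from documentation ranges)
ATTACK = Request("GET", "/search", {"q": "' OR 1=1"}, "198.51.100.7", "US")
PATCHED = Request("POST", "/coupon", {"discount": "-50"}, "198.51.100.8", "US")
GEO = Request("GET", "/", {}, "203.0.113.5", "XX")
PROBE = Request("GET", "/admin/login", {}, "203.0.113.6", "US")
BENIGN = [
    Request("GET", "/search", {"q": "union jack flags"}, "192.0.2.1", "US"),
    Request("GET", "/blog", {"q": "select the right WAF"}, "192.0.2.2", "US"),
    Request("POST", "/coupon", {"discount": "10"}, "192.0.2.3", "US"),
    # Legitimate search phrase that the broad SQLi signature will flag
    Request("GET", "/blog", {"q": "union of select committees"}, "192.0.2.4", "US"),
]

if __name__ == "__main__":
    for req in (ATTACK, PATCHED, GEO, PROBE):
        print(req.path, evaluate(req))
    print("false-positive candidates:", false_positive_report(BENIGN))
```

Running the block shows the SQL injection and the virtually patched negative coupon being blocked, the placeholder-country request being challenged, and the admin probe being allowed but logged. The false-positive report flags `generic-sqli` once, because its pattern also matches the harmless phrase "union of select committees"; that is exactly the signal that a rule needs review before it is switched from log to block.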

5. Free, Full Feature Trial

It’s a no-brainer. You wouldn’t want to purchase a critical tool such as a web application firewall without a trial. After all, you will only gauge potential benefits and/or product compatibility issues after the onboarding.

Ensure that the cloud WAFs that you compare have a full feature trial option without “money-back” or “we need a card for authentication” prerequisites. You wouldn’t want to enter a credit card for 3 different subscriptions for trial and end up being charged for them.

Ideally, a full-feature WAF trial should include everything that it has to offer for testing, but you can also settle for the following:

  • Protection from OWASP Top 10 and SANS 25 issues
  • Zero-day vulnerability protection
  • One-touch country/IP blacklisting
  • Full access to the dashboard, including reports
  • Anti-DDoS
  • Chat/email/phone support for questions during the trial
  • At least 30 GB of bandwidth
  • Security assessment of your application with security scans
  • Custom rules and virtual patching
  • Clear visibility into security risks, correlated with the attacks happening

End Notes

Whether you are a startup, a small business, or a booming giant, web application firewalls have become a modern online business necessity. Irrespective of your company's patching capabilities, you cannot afford risks with customer data, financial transactions, and asset availability.

Also, the WAF has to facilitate the customer's journey into cloud adoption by allowing hybrid deployment models, while keeping the cloud benefit of a centralized pane for visibility of security posture across all web applications, independent of where the firewall is deployed.

According to Gartner, using a SaaS-based managed web application firewall such as AppTrana is a good alternative for enterprises that do not want to procure new hardware, or do not have the time to hire and train staff to manage it.


Venkatesh Sundar

Venky is an Application Security technologist who built the new age Web application Scanner and Cloud WAF - AppTrana at Indusface as a Founding CTO. Currently, he spends his time on driving Product Roadmap, Customer Success, Growth, and technology adoption for US businesses.

This post was last modified on September 7, 2023 18:26
