NGFWs vs WAF [Guide]
There was a time, not far back, when network layer firewalls were considered the epitome of information security. It required a great level of human skill to infiltrate through these asset guards and reach to the sensitive data sectors. However, over the last decade, the rise of web applications along with rising exploitations through domain control compromise, exposed servers, session hijacking, and IP forge have belittled these once-mighty network-level firewalls. Although the Next-Generation Firewalls (NGFWs) added a layer to the security, application layer vulnerabilities and attacks were largely unaddressed.
Start by finding the vulnerabilities using Indusface WAS Free Website Scan.
There was a constant need to develop something that could shield web server and apps, while also intelligently learning rules through a high level of customization, and thus Web Application Firewall was born.
Today, WAF is internationally the most powerful defense system for any organization dependent on web applications for carrying out business or public processes. In fact, it is expected to evolve beyond a mere tool to defend into something much more prolific. Here’s everything that you’ll need to understand about it.
Next-Generation Firewall and Web Application Firewall: The Difference
Next-generation firewalls have a strong traditional firewall foundation with VPN support and packet filtering basics, plus deep packet inspection, antivirus inspection, web site filtering, and a bunch of other features that focus on network security. In fact, many of the next-generation firewalls even include intrusion prevention systems or IPS. NGFWs definitely provide an added security feature, but they are largely incapable of handling application vulnerabilities.
On the other hand, a Web Application Firewall is usually a cloud-based appliance governed by intelligent rules to prevent common application layer attacks like SQL Injection, Cross-Site Scripting, and Cross-Site Request Forgery. Most importantly, WAF can be configured to learn new rules in real-time and block potential threats. It is also helpful in mitigating DDoS attacks at various levels.
Can You Just Pick One?
Indian organizations, especially small to medium organizations, operate under a very tight information security budget. CIOs and CISOs have to explain the spending to excruciating details, and often there is no choice but to pick one firewall or detection system. So, it’s rather obvious to look for an answer in black and white.
Unfortunately, according to security analysts across the world, no security tool is absolute. It’s the matter of tailoring the tools according to your business, deployment, and other necessities. When it comes to a multiprotocol system and network security, NGFWs offers great support. But, Web Application Firewalls provide far more specialized and in-depth security checks for web attack signatures, web vulnerability signatures, automatic policy learning, parameter protection, and app layer vulnerability patch that traditional FW even NGFWs cannot handle. As security consultants, we highly feel WAF should go down an independent path of becoming an NGWAF coexisting with NGFWs instead of a basic PGFW (previous gen WAF being incorporated in NGFWs). NGWAF & NGFWs should complement each other and all website owners should stress on equal or more importance to application-level security rather than feeling secure with network-level security.
Layered Protection: The New Security Parameter
Earlier in this decade, security analysts knew that depending on a single security entity or tool was not enough. There was a constant call to develop something that can take care of upper layers of the Open Systems Interconnection (OSI) communication model to support end-to-end communication.
That is exactly where the alliance between next-generation firewall and web application firewall comes in where NGFW can secure the network services and WAF can mitigate application-layer attacks.
Advanced Layer 7 firewalls have been specifically developed to protect custom web applications backed by an understanding of Layer 7 attacks and web protocol. It also offers DMZ port 80/443 support for malicious traffic monitoring.
Witted Answer to False Positives
Now and in the future, for any business, in any part of the world, time and money are two of the most critical resources and false positives stand against that. It’s a false alarm that blocks legitimate access or traffic and wastes both money and manpower hours.
Though many people associate false positive just with web application firewalls, it can happen with any automated technology including antiviruses and next-generation firewalls. So, what’s the solution then?
While it’s practically impossible to expect tools to be smart enough to dodge false positives with a 100% success rate, our 80-20 information security rule can help. According to this rule, sophisticated tools can handle around 80% of the diagnostics and mitigations, but for the remaining 20% human intelligence yielding to audits, logic checks, asset awareness, updates, and vulnerability patches is critical. A deep understanding of the application logic is needed to come up with a positive security model and this cannot be done with 100% accuracy without human intervention. A tool can be used to detect changes but human intervention is required if a 100% accurate positive security model is needed
Next Generation of Smarter Web Application Firewalls: The Next Logical Step
In the coming years, WAF is expected to evolve further. It will offer Policy Engine Enforcement based on Programmatic API for run-time application self-protection, something which will take app security to a whole new level.
It has been seen that when it comes to enterprise and e-commerce security, REGEX or Regular Expression creates problems with business logic, and developers never truly accept it as a potential fix. This conflict between security and development often limits the web application firewall to nothing more than a monitoring tool to detect attacks with the real fix always having to be done in the app, which next-generation web application firewall will resolve in the coming years.
NGWAFs will be an extension of the applications rather than a separate tool, moving the entire data validation logic and enforcement of the policy to the firewall layer, also resolving the security and visibility problems simultaneously. According to Gartner, such a technology will lead to a synergy between web application security and fraud management through data validation and we will see more and more advanced security threats including fraud monitoring being incorporated along with traditional REGEX in the NGWAF.
Right Time to Invest in an Application Layer Firewall
Businesses rely heavily on web-based applications to carry out countless operations. In India alone, the number of web applications being developed has jumped by over a hundred percent in the last decade, and it’s not going to stop. Web applications offer great solutions from making financial transactions easier to simplifying communication.
However, the growth is so wild and uncontrolled that no one really has a standard for securing the communication channels. Gartner says that around 75% of all website attacks happen at the application level and according to The Web Application Security Consortium about 49% of web applications contain vulnerabilities of the high-risk level (Urgent and Critical). In such a scenario, web application firewall deployment becomes of utmost important especially in our country where vulnerabilities like XSS are common and patching takes months.
The depth of WAF Protection
Source: Gartner 2014
Frequent app code changes make it almost impossible to secure every vulnerability with utmost precision and that is exactly where Web Application Firewalls and Next Generation Web Application Firewalls help to protect against exploitations while providing a detailed report on the attempts.
Simply put, web applications are the present and future of internet technology where NGFW alone is not capable of defending exploitations. It’s a task where WAF commands authority and intelligence.