There was a time, not long ago, when network-layer firewalls were considered the epitome of information security. It took a great deal of human skill to get past these guards and reach sensitive data.

Over the last decade, however, the rise of web applications, together with growing exploitation through domain compromise, exposed servers, session hijacking and IP spoofing, has diminished these once mighty network-level firewalls. Next Generation Firewalls (NGFW) added a layer of security, but application-layer vulnerabilities and attacks remained largely unaddressed.

There was a constant need for something that could shield web servers and applications while also learning rules intelligently through a high degree of customization, and so the Web Application Firewall (WAF) was born.

Today, the WAF is one of the most powerful defenses available to any organization that depends on web applications for business or public-facing processes, and it is expected to evolve beyond a purely defensive tool. Here is what you need to understand about it.

Next Generation Firewall and Web Application Firewall: The Difference

Next generation firewalls build on a traditional firewall foundation of packet filtering and VPN support, adding deep packet inspection, antivirus inspection, website filtering and a number of other features focused on network security; many also include an intrusion prevention system (IPS). NGFWs certainly add security, but they are largely incapable of handling vulnerabilities in the application itself.

A Web Application Firewall, on the other hand, sits in front of the web application as a reverse proxy, whether delivered as a hardware appliance, a software module on the web server or a cloud-based service, and is governed by rules designed to prevent common application-layer attacks such as SQL Injection, Cross-Site Scripting and Cross-Site Request Forgery. Most importantly, a WAF can be configured to learn the application's expected behaviour from observed traffic, derive new rules from it and block potential threats in real time. It also helps mitigate DDoS attacks at various levels, particularly application-layer (Layer 7) floods.

Can You Just Pick One?

Indian organizations, especially small and medium ones, operate under very tight information security budgets. CIOs and CISOs have to justify spending in excruciating detail, and often there is no choice but to pick a single firewall or detection system. So it is natural to look for a black-and-white answer.

Unfortunately, as security analysts across the world agree, no security tool is absolute. It is a matter of tailoring the tools to your business, deployment and other requirements. For multiprotocol system and network security, NGFWs offer great support. But Web Application Firewalls provide far more specialized and in-depth checks: web attack signatures, web vulnerability signatures, automatic policy learning, parameter protection and virtual patching of application-layer vulnerabilities, none of which a traditional firewall or even an NGFW can handle. As security consultants, we strongly believe the WAF should follow an independent path towards a Next Generation WAF (NGWAF) that coexists with the NGFW, rather than being reduced to a previous-generation WAF bundled into an NGFW. NGWAF and NGFW should complement each other, and website owners should give application-level security equal or greater importance rather than feeling secure behind network-level protection alone.

[Figure: WAF]
Source: Gartner

Layered Protection: The New Security Parameter

Earlier in this decade, security analysts already knew that relying on a single security entity or tool was not enough. There was a constant call for something that could take care of the upper layers of the Open Systems Interconnection (OSI) model and so protect end-to-end communication.

That is exactly where the alliance between the next generation firewall and the web application firewall comes in: the NGFW secures the network services, while the WAF mitigates application-layer attacks.

Advanced Layer 7 firewalls have been developed specifically to protect custom web applications, backed by an understanding of Layer 7 attacks and web protocols. Deployed in the DMZ in front of ports 80 and 443, they also monitor the HTTP and HTTPS traffic on those ports for malicious requests.


A Smarter Answer to False Positives

Now and in the future, for any business anywhere in the world, time and money are two of the most critical resources, and false positives work against both. A false positive is a false alarm that blocks legitimate access or traffic, wasting both money and staff hours.

Though many people associate false positives only with web application firewalls, they can occur with any automated technology, including antivirus products and next generation firewalls. So what is the solution?

While it is practically impossible to expect tools to dodge false positives with 100% success, our 80-20 information security rule helps. Sophisticated tools can handle around 80% of detection and mitigation; the remaining 20% requires human intelligence applied through audits, logic checks, asset awareness, updates and vulnerability patching. Building a positive security model, one that allows only the inputs the application expects instead of blocking known-bad patterns, requires a deep understanding of the application logic. A tool can detect changes in the application and propose policy, but a human must review that policy if the model is to be 100% accurate.

Next Generation of Smarter Web Application Firewalls: The Next Logical Step

In the coming years the WAF is expected to evolve further. It will offer policy enforcement through a programmatic API embedded in the application itself, that is, runtime application self-protection (RASP), which will take application security to a whole new level.

Experience in enterprise and e-commerce security shows that regular-expression (REGEX) based rules conflict with business logic, and developers never truly accept them as a real fix. This conflict between security and development often reduces the web application firewall to a monitoring tool that detects attacks while the real fix always has to be made in the application. The next generation web application firewall is expected to resolve this in the coming years.

NGWAFs will be an extension of the application rather than a separate tool, moving data validation logic and policy enforcement into the firewall layer and resolving the security and visibility problems at the same time. According to Gartner, such technology will lead to synergy between web application security and fraud management through data validation, and we will see more advanced threats, including fraud monitoring, being addressed in the NGWAF alongside traditional REGEX rules.
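The false-positive problem discussed above and the REGEX-versus-data-validation conflict described in this section come down to two different security models. The following Python sketch is an added example, not code from the original post or from any Indusface product: it puts a negative model (constructed, deliberately simple SQL-injection signatures) beside a positive model (a hypothetical per-endpoint parameter schema of the kind "automatic policy learning" would produce) and runs both over constructed requests. The endpoint path, parameter names, signatures and schema are all assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# ---- Negative security model: block anything matching a known-bad pattern ----
# Constructed, deliberately simple SQL-injection signatures in the style of a
# generic regex ruleset. Real rulesets are far larger but fail in the same way.
SQLI_SIGNATURES: List[re.Pattern] = [
    re.compile(r"(?i)\bunion\b.*\bselect\b"),   # UNION ... SELECT
    re.compile(r"(?i)\bor\b\s+\d+\s*=\s*\d+"),   # OR 1=1
    re.compile(r"'|--|;"),                        # quote, comment marker, separator
]

def negative_model(value: str) -> Tuple[bool, str]:
    """Return (blocked, reason) for one parameter value under the signature model."""
    for sig in SQLI_SIGNATURES:
        if sig.search(value):
            return True, "matched signature " + sig.pattern
    return False, "no signature matched"

# ---- Positive security model: allow only what the application expects ----
@dataclass(frozen=True)
class ParamRule:
    syntax: re.Pattern   # the whole value must match this allowlist pattern
    max_len: int

# Hypothetical schema for one endpoint (assumed for this example). In a WAF this
# is what policy learning derives from legitimate traffic; a human then reviews it.
SCHEMA: Dict[str, Dict[str, ParamRule]] = {
    "/account/update": {
        "surname": ParamRule(re.compile(r"[A-Za-z][A-Za-z' \-]*"), 64),
        "postcode": ParamRule(re.compile(r"[0-9]{6}"), 6),
        "age": ParamRule(re.compile(r"[0-9]{1,3}"), 3),
    },
}

def positive_model(path: str, params: Dict[str, str]) -> Tuple[bool, str]:
    """Return (blocked, reason) for a whole request under the allowlist schema."""
    rules = SCHEMA.get(path)
    if rules is None:
        return True, "no policy for " + path          # unknown endpoint: fail closed
    for name, value in params.items():
        rule = rules.get(name)
        if rule is None:
            return True, "unexpected parameter " + name
        if len(value) > rule.max_len:
            return True, name + " longer than " + str(rule.max_len)
        if not rule.syntax.fullmatch(value):
            return True, name + " violates expected syntax"
    return False, "all parameters within policy"

def compare(path: str, params: Dict[str, str]) -> Dict[str, bool]:
    """Run both models on one request; True means the request would be blocked."""
    neg_blocked = any(negative_model(v)[0] for v in params.values())
    pos_blocked = positive_model(path, params)[0]
    return {"negative": neg_blocked, "positive": pos_blocked}

# Constructed sample requests: one legitimate, two hostile.
LEGIT = {"surname": "O'Brien", "postcode": "560001", "age": "42"}
CLASSIC_SQLI = {"surname": "x' OR 1=1 --", "postcode": "560001", "age": "42"}
EVASIVE_SQLI = {"surname": "Smith", "postcode": "560001", "age": "1 OR 2>1"}

if __name__ == "__main__":
    for label, req in (("legitimate", LEGIT),
                       ("classic SQLi", CLASSIC_SQLI),
                       ("evasive SQLi", EVASIVE_SQLI)):
        print(label, compare("/account/update", req))
```

The legitimate surname O'Brien is blocked by the signature model (a false positive of exactly the kind that makes developers distrust REGEX rules) but passes the schema, while the evasive payload in the numeric field slips past every signature and is still rejected by the schema because an age can only be up to three digits. The price of the positive model is the schema itself, which must track every application change, which is why the section above insists on human review.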

Right Time to Invest in an Application Layer Firewall

Businesses rely heavily on web-based applications to carry out countless operations. In India alone, the number of web applications being developed has more than doubled in the last decade, and the growth is not going to stop. Web applications offer great solutions, from making financial transactions easier to simplifying communication.

However, the growth is so rapid and uncontrolled that there is no common standard for securing these communication channels. Gartner says that around 75% of all website attacks happen at the application level, and according to the Web Application Security Consortium about 49% of web applications contain vulnerabilities of high risk (Urgent and Critical). In such a scenario, web application firewall deployment becomes critically important, especially in our country where vulnerabilities like XSS are common and patching takes months.

Depth of WAF Protection

[Figure: Depth of WAF Protection]
Source: Gartner 2014

Frequent application code changes make it almost impossible to fix every vulnerability with complete precision, and that is exactly where Web Application Firewalls and Next Generation Web Application Firewalls help: they protect against exploitation of those vulnerabilities while providing detailed reports on the attempts.

Simply put, web applications are the present and future of internet technology, and an NGFW alone cannot defend them against exploitation. That is a task where the WAF commands both authority and intelligence.


Founder & Chief Marketing Officer, Indusface

Venky has played multiple roles within Indusface over the past 6 years. Prior to this, as CTO at Indusface, Venky built the product and service offering and the technology team from scratch, and grew it from ideation to the first customers with a validated business model poised for scale. Before joining Indusface, Venky had over 10 years of experience in the security industry and held various management and leadership roles in Product Development, Professional Services and Sales at Entrust.