Need a 101 lesson on Web application firewalls? Here's your crib sheet on what a WAF is, how it works, and what to look for when you're in the market for a new solution.
Spring chickens they're not, but Web application firewalls (WAFs) are surging in popularity as more industries connect critical business functions to the Internet — and attackers inevitably follow.
So what exactly is a WAF, and what are the tool's benefits and drawbacks?
What a WAF Is
"A WAF has two primary uses: visibility into incoming malicious HTTP(S) attack traffic [and] the ability to fend off attacks, especially where a Web application is known to be vulnerable, until the underlying code can be properly fixed," says Jeremiah Grossman, CEO of Bit Discovery and founder of WhiteHat Security.
Traditionally, WAFs have existed in the form of physical or virtual appliances, and "increasingly are delivered from the cloud, as a service (cloud WAF service)," according to Gartner.
What a WAF Isn't
"WAFs cannot 'fix' Web application vulnerabilities," Grossman says. "It can only shield them."
Further, a WAF product might perform a wider variety of tasks than described above — but it might not.
As Eric Parizo, senior analyst at Ovum, explains, WAF vendors have begun to wrap in capabilities often provided by other tools, like runtime application security, anti-bot protections, anti-DDoS services, and API abuse prevention. However, if you're in the market for a WAF, you shouldn't assume all products will come with these capabilities.
How a WAF Works
"Similar to a network firewall that inspects and discriminates traffic based upon IP address and port, a web application firewall inspects and discriminates based on HTTP(S) traffic," Grossman explains. "Specifically, input parameter data and format, cookie data and format, and so on. … Incoming HTTP(S) traffic is analyzed and parsed where traffic can be optionally denied."
"WAFs can be functionally deployed in-line with a website, as an out-of-band deployment, or as a software component on the Web server itself," he adds.
Why You Might Want a WAF
Although a WAF won't "fix" Web app vulnerabilities, it can identify them and apply security controls to incoming HTTP(S) traffic that could threaten the vulnerable apps.
Although new vulnerability classes are emerging, the old standby vulns are still going strong. For example, the enterprise DevOps movement is inspiring attackers to create more API-based attacks, but good-ol' SQL injection and cross-site scripting attacks are still plaguing security teams.
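The inspection described under "How a WAF Works" (parsing incoming HTTP(S) traffic, looking at parameter and cookie data, and optionally denying the request) and the SQL injection and cross-site scripting payloads mentioned just above can be shown together in a small request inspector. This is an added illustrative example, not code from any vendor or product named in the article; the signature set, the request samples and the two operating modes ("block" and "detect") are constructed for the demonstration.

```python
"""Minimal WAF-style inspector for raw HTTP requests.

Added illustrative example (not code from any vendor or product named in
the article). It parses one request, pulls out the places a WAF looks at
(query parameters, form body fields and cookies), normalises the values,
and runs a small constructed signature set for SQL injection and XSS.
"""
import re
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed signature set in the negative-security style of classic WAF
# rule sets. Real rule sets are far larger and tuned against false positives.
RULES = [
    ("sqli-union", re.compile(r"\bunion\b.{0,40}\bselect\b", re.I | re.S)),
    ("sqli-tautology", re.compile(r"'\s*(or|and)\s*'?\w*'?\s*=\s*'?\w*", re.I)),
    ("sqli-comment", re.compile(r"('|\d)\s*(--|/\*)")),
    ("xss-tag", re.compile(r"<\s*/?\s*(script|img|svg|iframe|object)\b", re.I)),
    ("xss-handler", re.compile(r"\bon(load|error|click|mouseover|focus)\s*=", re.I)),
    ("xss-js-uri", re.compile(r"javascript\s*:", re.I)),
]


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, headers and the
    user-controlled fields a WAF inspects, keyed by location."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    method, target = parts[0], parts[1]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)

    fields = {}
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        fields["query:" + key] = value
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for key, value in parse_qsl(body.decode("latin-1"), keep_blank_values=True):
            fields["body:" + key] = value
    if "cookie" in headers:
        jar = SimpleCookie()
        jar.load(headers["cookie"])
        for key, morsel in jar.items():
            fields["cookie:" + key] = morsel.value
    return {"method": method, "path": url.path, "headers": headers, "fields": fields}


def normalize(value, max_passes=3):
    """Repeatedly percent-decode until stable so that double-encoded
    payloads are matched in their decoded form."""
    for _ in range(max_passes):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect(request):
    """Return (rule_id, location, raw_value) for every rule hit."""
    findings = []
    for location, value in request["fields"].items():
        normalized = normalize(value)
        for rule_id, pattern in RULES:
            if pattern.search(normalized):
                findings.append((rule_id, location, value))
    return findings


def decide(raw, mode="block"):
    """Inspect a raw request; in "block" mode any hit denies it, in
    "detect" mode hits are only reported (log-only deployment)."""
    findings = inspect(parse_request(raw))
    action = "deny" if findings and mode == "block" else "allow"
    return {"action": action, "findings": findings}


# Constructed sample requests (not captured traffic).
BENIGN = (b"GET /search?q=red+shoes&page=2 HTTP/1.1\r\nHost: shop.example\r\n"
          b"Cookie: session=abc123\r\n\r\n")
SQLI_GET = b"GET /items?id=1'%20OR%20'1'='1 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
XSS_POST = (b"POST /comment HTTP/1.1\r\nHost: shop.example\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 45\r\n\r\n"
            b"text=hello%3Cscript%3Ealert(1)%3C%2Fscript%3E")
ENCODED_COOKIE = (b"GET /account HTTP/1.1\r\nHost: shop.example\r\n"
                  b"Cookie: session=abc123; pref=%2527%2520OR%2520%25271%2527%253D%25271\r\n\r\n")

if __name__ == "__main__":
    for name, raw in [("benign", BENIGN), ("sqli", SQLI_GET),
                      ("xss", XSS_POST), ("double-encoded cookie", ENCODED_COOKIE)]:
        print(name, decide(raw))
```

The double-encoded cookie sample is the reason for the decode loop: a single decode pass would leave the payload unrecognised, which is the kind of evasion a signature-based WAF has to normalise away before matching. The "detect" mode corresponds to running the device out of band or in log-only mode first, which is how the deployment and tuning effort the article warns about is usually absorbed before blocking is switched on.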
A WAF also might help satisfy compliance needs.
"The WAF was given life by the payment card industry," Ovum's Parizo says. As he explains, WAFs didn't really begin to catch on until the release of PCI DSS 6.6, which established new requirements for automated technical solutions to protect Web apps and put forth WAFs as a way to satisfy the new rule. PCI DSS 6.6, in Parizo's words, "shoved the technology like a boulder downhill."
Why You Should Be Careful With Your WAF
Like any security solution, a WAF will not solve all your problems.
Although 75% of respondents to a recent study by Radware, which provides WAFs and other Web appsec solutions, had WAFs deployed (among other Web app security tools), 90% of respondents nevertheless experienced appsec-related breaches.
Further, the recent Capital One breach that exposed extensive personal data of over 106 million people was enabled by a misconfigured WAF. The breach was allegedly perpetrated by a former Amazon Web Services (AWS) employee, who exploited a weakness in the WAF (misconfigured by Capital One) to gain access to files stored in an AWS database. The WAF had apparently been granted too many permissions, which allegedly allowed the attacker to use a server-side request forgery attack to exploit the vulnerable Web app.
The Most Common Mistakes People Make When Using/Configuring a WAF
"The No. 1 challenge by far," says Grossman, "is underestimating the deployment time and difficult configuration, and ongoing management of the device."
Capital One's WAF was apparently given too many permissions when granted access to the AWS database.
To avoid incidents like this and others, Dr. Richard Gold, head of security engineering at Digital Shadows, provided this advice in a column for Dark Reading: "It's critical to continuously assess cloud environments for security issues, especially those at risk of external access from the public Internet. Reviewing security group configurations regularly can help ensure that services are not accidentally exposed and access controls are correctly applied."
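The review Gold recommends (checking security group configurations regularly so that services are not accidentally exposed) can be turned into a repeatable check. The script below is an added example, not code from Digital Shadows, from any cloud provider or from the Capital One investigation; the rule records are constructed samples in a simplified shape (group, direction, protocol, port range, source CIDR), and the "only 80 and 443 may face the Internet" and "/16 or broader is suspicious" thresholds are assumptions that a real deployment would adjust.

```python
"""Review security group ingress rules for accidental public exposure.

Added illustrative example (not code from any vendor or from the Capital
One incident). The records below are constructed samples in a simplified
shape; a real review would pull rules from the cloud provider's API and
feed them through the same check on a schedule.
"""
import ipaddress

# Constructed sample: a WAF/edge tier, an app tier and a database tier.
SAMPLE_RULES = [
    {"group": "sg-waf", "direction": "ingress", "proto": "tcp", "from": 443, "to": 443, "cidr": "0.0.0.0/0"},
    {"group": "sg-waf", "direction": "ingress", "proto": "tcp", "from": 22, "to": 22, "cidr": "0.0.0.0/0"},
    {"group": "sg-app", "direction": "ingress", "proto": "tcp", "from": 8080, "to": 8080, "cidr": "10.0.1.0/24"},
    {"group": "sg-app", "direction": "egress", "proto": "tcp", "from": 443, "to": 443, "cidr": "0.0.0.0/0"},
    {"group": "sg-db", "direction": "ingress", "proto": "tcp", "from": 5432, "to": 5432, "cidr": "0.0.0.0/0"},
    {"group": "sg-db", "direction": "ingress", "proto": "-1", "from": 0, "to": 65535, "cidr": "10.0.0.0/8"},
]

PUBLIC_OK_PORTS = {80, 443}  # assumption: only the edge tier should listen here
MIN_PREFIX = 16              # assumption: sources broader than a /16 get flagged


def review_rules(rules, public_ok_ports=PUBLIC_OK_PORTS, min_prefix=MIN_PREFIX):
    """Return (finding_kind, group, rule_summary) tuples for risky ingress rules.

    Kinds: public-exposure (any-source on a non-web port), broad-cidr
    (a very wide private source range), all-protocols (proto "-1")."""
    findings = []
    for rule in rules:
        if rule["direction"] != "ingress":
            continue  # only inbound rules expose a service
        net = ipaddress.ip_network(rule["cidr"], strict=False)
        ports = set(range(rule["from"], rule["to"] + 1))
        summary = f"{rule['proto']} {rule['from']}-{rule['to']} from {rule['cidr']}"
        if net.prefixlen == 0 and not ports <= public_ok_ports:
            # 0.0.0.0/0 or ::/0 on something other than the allowed web ports
            findings.append(("public-exposure", rule["group"], summary))
        elif 0 < net.prefixlen < min_prefix:
            findings.append(("broad-cidr", rule["group"], summary))
        if rule["proto"] == "-1":
            findings.append(("all-protocols", rule["group"], summary))
    return findings


def exposed_groups(rules):
    """Names of groups with at least one public-exposure finding, sorted."""
    return sorted({group for kind, group, _ in review_rules(rules)
                   if kind == "public-exposure"})


if __name__ == "__main__":
    for kind, group, summary in review_rules(SAMPLE_RULES):
        print(f"{kind:16} {group:8} {summary}")
    print("exposed:", exposed_groups(SAMPLE_RULES))
```

Run against the sample, the check flags SSH open to the world on the WAF tier and the database port open to the world on the database tier, and leaves the app tier alone because its only ingress comes from a single subnet. The point of making it a function with return values rather than a one-off console query is that it can run on every change or on a timer, which is what "continuously assess" means in practice.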
Companies That Provide WAF Solutions
Traditionally, WAF vendors provided on-premises appliances (Parizo cites Imperva and F5 as examples), but more companies are spinning up cloud-based WAF offerings (he mentions Akamai and Cloudflare). However, several companies are now providing both appliances and cloud offerings, sometimes by making careful acquisitions. Other players include Barracuda, Radware, Trustwave, Qualys, and Signal Sciences, not to mention open source offerings, such as ModSecurity (ModSec, which was at the root of the Capital One incident).
According to Parizo, if these WAF providers don't offer both appliances and cloud offerings now, and if they don't offer cloud-agnostic support, they will be heading in that direction soon.
"The future is going to be a combination," he says.