Introduction to Web application firewalls in the enterprise

Expert Brad Causey takes a close look at Web application firewalls, explains how WAF technology can prevent Internet-based attacks from known and unknown application threats, and offers advice on WAF management and deployment.

Firewalls have significantly improved the overall security posture of organizations since they first came on the scene back in the late 1980s. Like everything else, though, firewalls have evolved. They've morphed to adapt to new technologies and, more importantly, new threats.

Enter Web application firewalls, or WAFs.

Developed in the early 1990s, WAFs were a new species of firewall initially created to respond to threats beyond the scope of traditional firewalls. These threats were dangerous because they utilized authorized protocols (such as HTTP), but attacked the application or underlying infrastructure over that protocol. This was especially dangerous because hackers could attack over trusted protocols to directly compromise systems and steal information, effectively bypassing traditional firewalls.

Modern WAFs have evolved into a number of different implementations, each carrying its own cost/benefit matrix.

Web application firewall basics: Three deployment options

WAFs are available in three rather broad categories: network-based, application-based and cloud-hosted.

Network-based WAFs are the traditional implementation of the technology, and they carry several benefits and drawbacks. The largest benefit is that network-based WAFs are usually hardware-based and, being deployed locally, reduce latency and negative performance impacts. The largest drawback is that this type of WAF product tends to be more expensive to both purchase and implement.

Application-based WAFs are generally installed closest to the application, such as on the hosting platform, and are oftentimes fully integrated into the application code itself. The benefits of this type of WAF implementation are increased performance and customization options. As an example, since ModSecurity (an open source WAF) can be installed as a module in Apache, an application can take full advantage of the WAF's features while the overhead is handled locally by the server. The cost of deploying an application-based WAF is typically low as well, but the flexibility and scalability can leave something to be desired for larger organizations.

Cloud-hosted WAFs, meanwhile, offer a low-cost/low-effort application firewall implementation opportunity for organizations that want a turnkey product. These are easy to deploy, as they often require only a simple DNS change to redirect application traffic, and are available on a subscription basis. While customization and performance limitations are usually drawbacks of cloud-based WAF products, they are often a viable stop-gap product that can be deployed rapidly.

Using WAFs to help secure applications and networks

The real challenge of providing Web services in any form is securing them against attacks. That's why any organization with technology exposed to the Internet can benefit from having a WAF. This, of course, describes most businesses today.

Even those with something as simple as a website hosted on the Internet are at risk of exposure. Include with that any services offered to customers over the Internet, or any intranet interfaces between business partners, and the list of reasons to deploy a WAF starts to grow.

Because of the nature of Web security and how it constantly evolves, it is difficult to integrate comprehensive security into the application and keep it up to date. Having a WAF helps here in two ways: It protects against known threats (just like antivirus software) and it protects against unknown threats.

SQL injections are examples of known threats that are easily detected by a WAF. A WAF usually stops them through a combination of input validation and database-level protections.

While it's impossible to know what the threats of tomorrow may be, if a threat utilizes an overflowing form field as a means of attack, a WAF can still stop it -- even if the application is not coded to handle it.
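As an added illustration that is not part of the original article, the following Python model shows the two rule styles just described: a signature rule for a known threat (SQL injection tautologies, UNION SELECT and stacked statements) and a length-anomaly rule that catches an overflowing form field the application was never coded to handle. The sample requests, rule names and the 1024-byte limit are constructed for the example; a detection-only mode is included because an over-tight limit will block legitimate traffic, which is the availability risk the article raises for misconfigured WAFs.

```python
import re
from dataclasses import dataclass, field

# Constructed sample requests: form fields of HTTP POSTs, not captured traffic.
SAMPLE_REQUESTS = [
    {"username": "alice", "comment": "Great article on WAFs"},
    {"username": "admin' OR '1'='1", "comment": "hi"},      # known threat: SQLi tautology
    {"username": "bob", "comment": "A" * 5000},             # unknown threat: overflowing field
    {"username": "o'neil", "comment": "Irish surname"},     # legitimate apostrophe, must pass
]

# Signature rules: simplified versions of the kind of SQLi checks a WAF ships with.
SQLI_SIGNATURES = [
    re.compile(r"'\s*(or|and)\s+'?\w+'?\s*=\s*'?\w+", re.I),  # ' OR '1'='1
    re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I),     # UNION SELECT
    re.compile(r";\s*(drop|delete|insert|update)\b", re.I),   # stacked statement
]

MAX_FIELD_LENGTH = 1024  # anomaly rule: a generic per-field limit (assumed value)


@dataclass
class Verdict:
    blocked: bool
    reasons: list = field(default_factory=list)


def inspect(fields: dict, max_len: int = MAX_FIELD_LENGTH) -> Verdict:
    """Apply the length-anomaly rule and the signature rules to every form field."""
    reasons = []
    for name, value in fields.items():
        if len(value) > max_len:
            reasons.append(f"{name}: length {len(value)} exceeds {max_len}")
        for sig in SQLI_SIGNATURES:
            if sig.search(value):
                reasons.append(f"{name}: matches SQLi signature {sig.pattern!r}")
                break  # one signature hit per field is enough to decide
    return Verdict(blocked=bool(reasons), reasons=reasons)


def enforce(fields: dict, blocking: bool = True, max_len: int = MAX_FIELD_LENGTH) -> int:
    """Return the HTTP status the WAF would answer: 403 only in blocking mode with a hit.
    Detection-only mode logs the hit but lets the request through (status 200)."""
    verdict = inspect(fields, max_len)
    if verdict.blocked:
        print(f"WAF alert ({'block' if blocking else 'detect-only'}): {verdict.reasons}")
        if blocking:
            return 403
    return 200


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(enforce(req))
```

Running the block prints 200, 403, 403, 200 for the four constructed requests; lowering max_len to 10 turns the first, legitimate request into a false positive that only detection-only mode lets through.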

Who benefits most from Web application firewalls?

While organizations of all sizes (enterprises, SMBs, midmarket) can make use of a WAF, the market segment that will benefit most from the technology is the one that provides products over the Internet. So the likes of Web hosts, online banking providers, social media platform providers and even mobile application developers (the latter leveraging cloud-based WAFs, for instance) can take advantage of the centralized control and update capabilities of a WAF in order to increase the security posture of their applications.

Managing and supporting Web application firewalls

WAF management and support structure depends largely on how it's implemented.

For network-based WAFs, the IT security or network team will often manage its configuration for the organization. Management of these is usually offered as a managed service by the vendor as well, making administration fairly straightforward and simple. And, because WAFs use a central set of signatures and configuration options, dozens of applications can be protected with much less effort and expense. Additionally, most major network-based WAF vendors allow replication of rules and settings across multiple appliances, thereby making large scale deployment and configuration possible.

Application-based WAFs can be a challenge to manage because they live locally but are usually integrated into the application. In other words, application-based WAFs require local libraries, compatible environments (such as Java or .NET) and use local server resources to run effectively. They are also entirely software-based, so a combination of the server-management and security teams will likely need to be involved with installation and management.

Cloud-based WAFs are usually managed by the service provider with a configuration interface made available to the customer. The interface will usually allow the security or application team of the customer to customize the settings of the firewall. These settings can include how the WAF will respond to certain threats, such as SQL injection, or even a DDoS attack. They also include notification options and the ability to turn off certain rule sets.

No matter who manages a WAF, an organization's application or development team must also be involved in its administration. Why? Because an incorrectly configured WAF can have a negative impact on the availability and performance of the application it's tasked with protecting.

Some management training of IT staff will be required no matter which type of WAF is implemented. In most cases, the more in-depth a configuration management role a company wishes to play, the more training will be required.

As an alternative, professional services can eliminate this effort, for a fee. By bringing in consultants, or professional services, a business can avoid having to train existing IT staff, speed up the implementation of a newly installed WAF, or pay them to manage an existing WAF long term.

The hard and soft costs of Web application firewall deployment

The hard cost of a WAF varies widely from "free" to millions of dollars. Hard costs are associated with the cost of the physical components required to implement the technology. There are open source WAF implementations that can be downloaded and installed for no hard cost, for example, but those often have substantial soft costs, involving development time, staff training and/or supporting efforts.

In addition, the type of WAF chosen affects the hard costs involved for deployment and support. And, keep in mind, any time the behavior of an application is significantly altered, there will be a proportionate jump of soft costs in time and effort.

Web Application Firewall Hard Costs and Soft Costs

Cloud-based WAFs are significantly cheaper to deploy and support than network-based (hardware) WAF products. Application-based WAFs fall somewhere between the two, and would be more suited for a small application footprint.

What a Web application firewall is not

A WAF is not a replacement for proper application security, such as input filtering and user authentication/authorization. It is intended as one component in a layered approach to a secure Web application.

It is also not a set-and-forget technology. As an application changes and the threats evolve, care must be taken to properly maintain rules and configuration options.

It is also important to differentiate a WAF from a next-generation firewall, or NGFW. A WAF is intended to inspect application traffic within a narrow protocol scope and focus only on that traffic. An NGFW is a comprehensive product meant to replace or augment existing network firewalls.

NGFWs may sometimes include WAF components, but are intended to operate on a much larger scope (and cost) within the organization.

Next Steps

In part 2 of this series, find out about the business cases for Web application firewalls

Part 3 of this series looks at the four questions to ask before buying a Web application firewall

Part 4 compares the best Web application firewall products on the market.
