Choose a WAF Article | Cyber Security Talks
Please enable Javascript in your browser.

Web Application Firewall Guide

By on November 25, 2017

Cyber Threats survey - Source: Incapsula

How to Choose a WAF

To start, you need to "read up on these we application firewall products from OWASP. This is a consortium of vendors and leading Web security developers who have tried to put down in one place what you need to know to build the best possible Web applications and protect them from harm. They have a comprehensive vendor list, a collection of best practices, sample "top-ten" attacks that you can use to harden your own applications and an evaluation guide."

Then, ask (and answer) these questions:

  • Can the product decrypt SSL traffic streams and examine potential exploits that are in these payloads?
  • How much inbound and outbound traffic can the appliance handle?
  • How quickly can they learn about your traffic patterns and translate them into implemented and useful policies?
  • How much of the Payment Card Industry (PCI) Data Security Standard (DSS) requirements do they automatically handle?
  • Do you already have anti-virus, load balancing, proxy servers, or intrusion protection devices? If so, look for Web application firewall add-ons to your existing products or those that combine two or more protective technologies.

How to Buy a Web Application Firewall

We all know that the Web is a nasty place, with denial of service attacks, SQL injection, cross-site scripting and other malware invented hourly to try to pry into your networks. Over the years, a number of vendors have come up with various solutions that go under the broad heading of Web application firewalls, or ways that they can help prevent the bad stuff from entering your user's desktops. It's worth diving into these products because they offer a great deal of protection that can save you aggravation down the road.

What are they, exactly? One definition can be found in a white paper written by Securosis' Rich Mogull: "A web application firewall is a firewall specifically built to watch HTTP requests and block those that are malicious or don’t comply with specific rules. The intention is to catch SQL injection, Cross Site Scripting, directory traversal, and various HTTP abuses, as well as misuse of valid authorization, request forgeries, and other attempts to manipulate web application behavior." That is a mouthful to be sure.

These exploits aren't new, and what is sad is that many of them are so old that they go back to the early days of the Web when Netscape was still around. For example, several years ago I wrote a white paper for Breach Security that demonstrated how easy it is to create a SQL injection attack – this information is still unfortunately quite current, and these attacks happen every day to sites that should know better.

The trouble with this category of security products is that it isn't very well defined. There aren't any hard edges, unlike a network firewall that has a pretty limited purpose in life. This could be because Web firewalls come in many different shapes and sizes, and can be integrated into other devices including Web servers, proxy or caching servers, load balancers, email anti-virus protection, intrusion prevention boxes and more. Layer on top of this the issue that most Web apps are in a constant state of change, making it hard to know when a site has been taken over by bad guys.

Complicating the picture is that some Web apps are internally developed and maintained by IT or other departments who have a varying degree of skill when it comes to protecting them. And many products have built-in Web servers that are used for configuration and reporting interfaces, even though the products themselves serve other purposes. All of these need some sort of protection from abusers and hackers, and sorting all this out isn't easy, which is why this category of products remains somewhat off the corporate radar screen.

Cyber Threat Defense report - Source: Incapsula

WAF Market Definition/Description (as per Gartner Report 2017)

The web application firewall (WAF) market is driven by a customer's need to protect public and internal web applications when they are deployed locally (on-premises) or remotely (hosted, cloud-based or as a service). WAFs protect web applications and APIs against a variety of attacks, notably including injection attacks and application-layer denial of service (DoS). They should not only provide signature-based protection, but should also support positive security models and/or anomaly detection.

WAFs are deployed in front of web servers to protect web applications against external and internal attacks, to monitor and control access to web applications, and to collect access logs for compliance/auditing and analytics. WAFs are most often deployed in-line, as a reverse proxy, because historically that was the only way to perform some in-depth inspections. Today, other deployment modes exist, such as transparent proxy or network bridge. Some WAFs can also be positioned out of band (OOB, or mirror mode), and therefore work on a copy of the network traffic. Not every feature can work in all of these deployment choices, and reverse proxy is the most prevalent option for many organizations. In recent years, increased use by web applications of Transport Layer Security (TLS) encryption, based on cipher suites that require in-line traffic interception (man in the middle) to decrypt, have reduced the number of OOB deployments.

In recent years, WAF delivered as a cloud-based service directly by the vendor (cloud-based WAF service) has become a more popular option for a growing number of enterprises, beyond its initial target of midmarket organizations. Cloud-based WAF service combines a cloud-based deployment with a subscription model. The customers might also select a vendor's managed services for its cloud-based WAF service, or be forced to use it because it is a mandatory component of the offering. Some vendors have chosen to leverage their existing WAF solution, repackaging it as SaaS. This allows vendors to have a cloud-based WAF service available to their clients more quickly, and they can leverage the existing features to differentiate from cloud-native cloud-based WAF service offerings.

One of the difficulties with this approach is simplifying the management and monitoring console to meet clients' expectations. Cloud-based WAF service, built to be multitenant and cloud-based from the beginning, could avoid costly maintenance of legacy code in the long term. It also provides a competitive advantage with faster release cycles and rapid implementation of innovative features. One of the main challenges for users consuming cloud-based WAF service built separately is the absence of a unified management console to support hybrid scenarios.

When speaking with clients about WAF adoption, Gartner observes occasional confusion with the application control feature (application awareness) present on network firewalls. The primary WAF benefit is protection for custom web applications' "self-inflicted" vulnerabilities in web application code developed by the enterprise, and protection for vulnerabilities in off-the-shelf web application software. These vulnerabilities would otherwise go unprotected by other technologies that guard mainly against known exploits (see "Web Application Firewalls Are Worth the Investment for Enterprises" ). Most attacks on these corporate applications come from external attackers.

WAF Leaders map - Source: Gartner Report

Editor Choice: Imperva (Incapsula)

Imperva (Incapsula) is in the Leaders quadrant. The vendor competes and frequently wins on the basis of security features and innovation. Imperva (Incapsula) can provide strong WAF functionality as a traditional appliance and cloud-based WAF service, but faces stronger competition for its cloud offering.

Based in Redwood Shores, California, Imperva (Incapsula) (IMPV) is an application, database and file security vendor. SecureSphere is Imperva's (Incapsula) WAF appliance, and Incapsula is its cloud-based WAF, which is delivered as a service. Imperva (Incapsula) also has packages for security monitoring and offers managing service of the SecureSphere and Incapsula WAFs.

Both SecureSphere and Incapsula are deployed mostly in blocking mode. The SecureSphere WAF is available in seven physical and three virtual appliances, with two models each available for AWS and Microsoft Azure. Two models of physical and virtual appliances are also available for dedicated management. ThreatRadar is the family of add-on subscription services available for SecureSphere, available in five offerings: account takeover protection, reputation feed, bot protection, fraud prevention and community defense. Imperva (Incapsula) can be bundled with other services, including DDoS mitigation and CDN features.

Recent news includes the release of FlexProtect, which allows customers to deploy both SecureSphere and Incapsula with a single subscription, potentially providing more flexibility as customers move workloads to the public cloud. In addition, Imperva (Incapsula) has announced enhancements to the Incapsula CDN and has made Incapsula available in the Azure marketplace. SecureSphere has added ThreatRadar Emergency Feed, which provides immediate access to zero-day discoveries, and has new support for HTTP/2 traffic.

Imperva (Incapsula) is a good shortlist candidate for many organizations. High-security use cases in larger organizations are addressed with SecureSphere, and organizations that want a cloud-delivered solution to protect public facing web applications should consider Incapsula.

Number of DDos attacks - Source: Incapsula


Product strategy: The introduction of FlexProtect is lauded by many Imperva (Incapsula) customers, who previously pointed to disjointed management and lack of feature parity of SecureSphere and Incapsula as a weakness. This new unified licensing and security view provides Imperva (Incapsula) customers with easy deployment options as their application environments shift.

Sales and marketing strategy: With Incapsula, Imperva WAF has found an effective route to serve smaller organizations that previously would not consider the high cost and overhead that come with some SecureSphere deployments. Imperva (Incapsula) has done an effective job focusing Incapsula messaging — DDoS-focused to some audiences, WAF-focused to others.

Sales execution: Gartner sees Imperva (Incapsula) consistently scoring very high and/or winning competitive assessments done by Gartner clients, with a high success rate when security is the most-weighted criteria.

Customer experience: Gartner clients are highly satisfied with Imperva (Incapsula) customer support, citing high-quality, easy ticket resolution.

Capabilities: SecureSphere ThreatRadar feeds go beyond reputation only, and protect against multiple attack profiles. ThreatRadar community sharing, augmented by Imperva's (Incapsula) threat research team, can quickly mitigate new attack campaigns.

Geographic strategy: Imperva (Incapsula) has strong WAF presence in most geographies, and offers effective support across most regions. Recent presence has been especially strong in the Asia/Pacific region.

Number of repeated assaults for protected web sites - Source: Incapsula

Understanding Pulse Wave DDoS Attacks Free White Paper Download

Elmalla A. (@elmalla) is Chief Sales Officer at i-AWCS, which focuses on web application security solutions.