The use of Web Application Firewalls (WAFs) has grown steadily in the past few years. In 2019, 97% of respondents to the Neustar International Security Council (NISC) survey indicated that they believed that a WAF was an essential component of security infrastructure. As the WAF has grown increasingly ubiquitous, however, it is useful to take a step back to consider how the landscape has changed, to ensure that you are getting full benefit from these valuable services. Here are six features that we think are key to choosing a WAF.
1. Seamless Integration
As in most areas of security, providing the right protection begins by analyzing the asset that you are trying to protect. You may already have assets with a hardware WAF in front of them. These devices are typically tuned with precision to protect your specific applications, and it can be useful to put a cloud-based WAF in front of them to offload more common web attack traffic. You probably have some assets in the cloud, and, if you’re like most companies these days, you are either pursuing or considering a multi-cloud strategy. In that case, it is important to think about a security offering that is environment-agnostic.
2. Positive and Negative Security Capabilities
It is useful to then consider different defense posture types, starting with positive or negative security. A negative security posture assumes that all traffic is allowed except that which includes an already identified threat or an attack. This has traditionally been the most popular deployment type for WAFs, and it is easy to see why – a negative approach is much less likely to block legitimate traffic. The success of this approach obviously relies on the state of the security vendor’s signature rule database and knowledge of upcoming attacks, as this outlines the protections that can be expected. As attacks are developed and morph over time, it is essential that the databases keep pace if you choose this stance. Zero-day threats will not be caught when using this model, as these attacks, by definition, have no associated signatures.
The positive security model, on the other hand, takes the position that unless traffic is explicitly permitted it is denied. This approach will catch zero-day threats, as well as attacks that feature malformed packets or non-RFC-compliant traffic. A positive security approach is dependent on traffic heuristics and automated learning, it can empower you to match the profile to the traffic.
If your service features a positive security stance, it is also vital that you be able to add exceptions, or “relaxation rules” quickly and easily. This is helpful in the cases where an application may be built on code that has a known unusual pattern but that is still legitimate. Relaxation rules allow you to enable these applications without the risk of blocking traffic.
3. Learning Mode
To ensure optimal protection, it is also important that the service/device itself can “learn” from its experiences. This is a vital feature, and something that the service is well situated to contribute to. Because security teams are often sufficiently decoupled from development teams that they may not have insight into components or what constitutes “good behavior” for a specific application. Learning mode takes note of the traffic passing through the device and makes recommendations on what relaxation rule, if any, should be applied. This feature profiles traffic and can help you to delineate between true anomalous behavior, which you might want to block, and an application that features an unusual pattern but is still considered legitimate, which you can allow via a relaxation rule.
4. Flexibility to Customize
Vulnerability and attack signatures are well-known WAF components. It is important that companies are staying on the cutting-edge researching vulnerabilities and regularly putting out signatures for protecting vulnerable services as well as open source libraries. It is important to be able to integrate the signatures that come up from other sources, whether industry ISACs or purchased from 3rd parties. It should also be simple for you to create your own signatures to add to the WAF rules based on your own experience and knowledge. The combination will not only help you to make the most of your research but allows you to customize protection based on your particular industry.
5. Easy to Use
As WAFs become increasingly mission-critical, it is vital that they are also easy to use. 34% of participants in the May 2020 NISC survey said that it was between moderately and extremely difficult to alter policies on their WAF, while almost two thirds of respondents indicated that over 10% of attacks bypassed their WAF completely. You should have a broad selection of controls to choose from, and the ability to apply those controls in a granular fashion, including the ability to apply policy to groups of applications. While having a WAF deployed may be table stakes, having a WAF that can be easily updated and maintained is a differentiator. Because threats are constantly evolving a WAF must be flexible enough to keep pace.
6. Ability to Maximize Coverage
Your WAF, regardless of depth of features, is one part of a layered security strategy. By ensuring any WAF you choose is part of a vendor/CDN-neutral security chain, you can go a long way towards ensuring comprehensive protection for your business critical applications — from the broadest attacks to the most specific threats.
