At present, web applications have become the top targets for attackers because of potential monetization opportunities. Security breaches on the web application can cost millions. Strikingly, DNS (Domain Name System) related outage and Distributed denial of service (DDoS) lead a negative impact on businesses. Among the wide range of countermeasures, a web application firewall is the first line of defense.
Web Application Firewall’s basic function is to establish a hardened boundary to prevent certain malicious traffic types from acquiring resources. Though WAFs have been available since the late nineties, this early generation technology is no match for recent sophisticated cyber-attacks. They are not capable enough to offer full application control and visibility. With these increasing security risks, the new age web application firewall is the only solution that can provide proper protection.
Traditional WAFs Died Or At Least Dying
In the early days, web apps were less common, and so do web threats. Malevolent bots were less sophisticated and straightforward to detect. Cybersecurity requirements were very minimal and could be tackled with basic cybersecurity management.
Today everything has changed. Web apps can live in on-premises, cloud, or hybrid environments. Customers and employees access them through the web from anywhere. As such, the firewall can’t track what is going on, where the requests are coming, where they are going, and so on as the IP addresses are constantly changing and are obscured by CDN.
WAFs should protect against a wide variety of challenging and complicated threats. Traditional WAFs are implemented as hardware appliances, which are hard to use and suffer from a lack of visibility and poor performance. To such an extent, 90% of organizations state that their WAFs are too complicated.
According to the study of Ponemon, 65% of organizations experienced bypass in their WAFs, while only 9% said they hadn’t been breached. However, there is no guarantee that they will never experience it in the future. Corporates are right to be worried about the performance and security of their WAFs.
Ponemon’s study also states that only 40% of respondents are satisfied with their existing WAF, which means they are not using it to its full potential. Few companies admitted they only use WAF to generate security alerts rather than to block suspicious activity.
At worst, organizations are burned on WAF and regretted to have invested so many assets to make no progress on protecting what matters to them. This is where the requirement for a New Age Web application firewall comes in. The New Age WAFs such as AppTrana are cloud-based, managed, easier to deploy and have a more convenient subscription business model and backed with the expertise to manage the policies on an ongoing basis so that businesses can focus on their core expertise without having to learn new complex skills for application security.
Challenges with Traditional WAF
We often hear from industry members who switched from traditional Web Application Firewall to next Gen WAF what made them switch. Most of the reasons represent a variation of the followings:
1 — Technical Innovation
Web application standards are continually evolving, which raises the requirement of what WAFs must offer.
The growing adoption of JSON payloads and HTTP/2 has left most web application firewall vendors battling to keep up. While the market expects constant innovation, many WAF providers are growing progressively fragile.
2 — Lack of Scalability
An organization’s requirements for network scaling intensify some of the challenges like costly, time-consuming, and complexity. Deploying, as well as maintaining clusters of appliances, becomes very complex.
DevOps and Agile methodologies require consistent re-configuration and re-tuning of the clusters that strain the security team’s resources.
3 — Zero-day Exploits
While WAFs effectively monitor web traffic to prevent HTTP-specific attacks, they’re incapable of defending from zero-day attacks. WAFs are designed to detect pre-configured patterns – Zero-day vulnerabilities can be exploited by any risk vectors, which are uncovered under the pre-configured rules.
4 — Blocking Legitimate Traffic
Another dissatisfaction with most of the WAF users is inadvertent blocking of valid traffic, also known as false positives. While this sounds relatively harmless in terms of security, it can be disastrous for organizations. It might block the visitors from benefiting from the app functionalities, from uploading media or buying products.
One possible way to combat this challenge is to execute the bare minimum number of patterns, but this could make the network more vulnerable. Most WAF solutions find it difficult to balance the action. Unless you put in dedicated resources to manage it, getting the value of the traditional WAF is tough. This is the biggest gap because the traditional WAF failed to live up to its promise.
5 — DDoS Attacks
Most importantly, DDoS difficulties pose issues for WAF installation. We have seen a significant number of organizations use WAFs to prevent DDoS attacks. The main reason they claim is that WAFs can be upgraded to mitigate DDoS attacks.
However, the problem is that traditional WAFs were not set up to withstand large-scale DDoS attacks. Moreover, today’s applications are shared/provided by 3rd party platforms, which can’t be protected by an on-premises layer of defense. Without a cloud-based WAF, it is tough to plan for upfront capacity, and even if you do, it will still have an upper limit.
Cloud WAF and especially managed cloud WAF address this problem with the ability to scale up and down. The business has to pay only based on value without having to pay upfront fixed cost for a future possibility that may or may not happen.
Understanding the Capabilities of New Age WAF
Though many WAF providers are claiming to offer the next generation, most of them are using the same security paradigms as traditional WAFs, and hence it is not NextGEN. We need a New Age WAF that becomes truly next GEN. An essential characteristic of new-age WAFs, as seen in Indusface’s AppTrana, include:
1 — Application and Web Usage Control
Application and web usage control answers the concern, what type of traffic is blocked? The WAF uses multiple identification categories to identify their exact identity of websites and applications crossing the network and determine how to treat them.
Accurate traffic classification is the core of next-gen WAF. This prevents organizations from accessing websites and apps that could create legal issues or be malicious, or have no relevance.
2 — Advanced Web Application Security Analytics
Not only does the cloud-based WAF address emerging attacks that most web apps are experiencing, but it offers steady improvements to threat visibility and analytics. In traditional WAFs, enterprises fly blind, hoping everything is “FINE” until something goes wrong.
WAFs monitors performance metrics in real-time, highlighting what is happening in your infrastructure, applications, and end-users. You can react before anything goes wrong, and you can trust your WAF is functioning as intended.
3 — Web Application security assessment and Malware Detection
New-Age Firewalls understand that even valid sites may unknowingly hold vulnerabilities and maybe even links to malware sites and malicious payload. Also, a business sometimes wants to give access to a social media platform that often includes malicious links or files.
Providing a WAF policy that is correlated with the risk of the application and doing it continuously is the main benefit of new Age WAF such as AppTrana.
4 — Global Threat Intelligence
This cloud-based security platform leverages its international deployments and maintains a complete insight into global traffic trends. It monitors and analyzes the traffic of all global deployments. Once a security threat is identified in one location, all deployments worldwide are updated as well as toughened against it.
5 — Automated Intervention
Cloud-based WAFs not only rely on predefined policies and signatures to block traffic but also provides managed services for accurate risk-based custom rules. It continuously monitors and automatically filters out valid requests and malicious actors based on real-time pattern and behavioral analysis. It also offers virtual patching to prevent the exploits of weak spots like zero-day vulnerabilities.
Moving Forward
There are key differences between traditional and new-age WAF. If the traditional WAF goes inadequate for whatever reasons, your web app will be reachable for attackers. It would be best to opt for advanced web protection, which doesn’t adversely influence your business operations. New-age cloud-based WAF is built to offer adequate web protection and give the value of your money.
Found this article interesting? Follow The Hacker News on Facebook, Twitter and LinkedIn to read more exclusive content we post.