Web application firewalls have long served as one of an organization's bedrock security technologies. But even as cybercriminals have gotten sharper at sidestepping traditional security, WAFs have maintained their value. Just consider the high-impact "Drupalgeddon 2" and Apache Struts vulnerabilities, which have exposed millions of websites to compromise and backdoor infections. Short of patching the flaws themselves, experts agree that a WAF is the next best line of defense.
While there is a promising industry trend toward more secure development, applications still house major vulnerabilities, as those examples show. In fact, according to the 2018 Global Security Report, the Trustwave SpiderLabs team identified at least one vulnerability in 100 percent of the applications they investigated. Most had more than one.
The WAF market is growing. Do a web search on WAF market growth, and most studies predict 17-20 percent growth, about double that for the overall cybersecurity industry. One of the reasons for WAF growth is simply the increasing number of applications that need protection, as well as relentless attacks on those applications. It's also that WAFs are changing, giving buyers more options. In the past, your WAF choices were limited to a few vendors selling a physical appliance with similar capabilities. Today, dozens of vendors offer physical, virtual and cloud-based solutions with varying capabilities and complementary technologies.
If you're considering a WAF for the first time or replacing the one you have, you have a lot to consider. Let's look at five things that should help you make the decision process easier. We're not implying these are the only considerations, but hopefully these will help you get started.
1. What Are the Applications You Want to Protect?
Ideally, you'll want WAF protection as close to your applications as possible. So, if the applications that need defending are mostly cloud-based, then a cloud-based WAF might be the best option for you. Similarly, if most of your applications and IT environment is on premises, then look for a WAF that you can deploy on site as a physical or virtual appliance.
If, like many organizations today, your IT environment is hybrid, with a mix of on-prem and cloud applications, you could look at deploying multiple WAFs. Finding a WAF vendor that offers both on-prem and cloud options could be an advantage if you want to work with a single provider and learn and operate one technology.
2. How Will You Want Your WAF to Operate?
WAFs have different modes of operation. At a high level, these modes are either passive or active. When operating in passive mode, the WAF will monitor web traffic, log activity and perform checks. But it won't act on the traffic, though it can be configured to send alerts or forward events to other systems, such as a SIEM, for analysis. A WAF operating in active mode, on the other hand, will purposely manipulate traffic. For example, an active-mode WAF might obfuscate data, block attacks or redirect workflows depending on the policies that have been set.
There are reasons for choosing one operating mode over another. A WAF in active mode can provide better protection by blocking malicious traffic, but it might also block legitimate traffic (false positives). A WAF in passive mode allows all traffic through, which means neither legitimate nor malicious users will ever be blocked (unless the security team identifies the threat and takes action).
Most WAFs deployed as a physical or virtual appliance are flexible. You'll have both passive and active operating modes as options and can change the mode over time.
If you deploy a WAF in cloud infrastructure or as part of a SaaS (security-as-a-service) model, however, you'll likely be limited to active operating mode. Amazon Web Services (AWS) and Microsoft Azure, for example, require WAFs deployed in their infrastructure to be in an active in-line reverse proxy mode (this mode helps protect their underlying cloud infrastructure). If you never want to inadvertently block legitimate traffic to your application, this might not be the best operating mode for you.
3. How Much Visibility Into and Over Your WAF Data Do You Need?
Your WAF is going to generate and collect data, like details on the policies you set and events that get logged. Your organization likely has a preference on how much visibility and control you want over that data. This might be because your applications fall under a compliance mandate that requires you to store their data in a certain way. Or perhaps the nature of the application you're protecting (for example, an e-commerce app) makes it so you need to know how the data is being stored, encrypted, etc.
Like the previous consideration, how you deploy a WAF will impact how much control you have over the data the WAF generates. If you want complete control over your data, choose a WAF that can be deployed on prem as a physical or virtual device. Deploying a WAF in a cloud infrastructure provider, like AWS or Microsoft Azure, also offers a high level of visibility and control, as your data resides in your part of their network. Choosing a SaaS-based WAF gives you the least amount of visibility and control over your WAF data, but that can be acceptable for many types of web applications and comes with the benefit of having someone else manage the WAF infrastructure for you.
4. How Much Time and How Many Resources Do You Have to Manage Your WAF?
You've probably asked yourself this question as you've considered on-prem versus cloud options for other products. If you deploy in the cloud or choose a SaaS option, someone else is going to manage the infrastructure for you. With on-prem, you're responsible, so you'll need to build in time for things like software updates, patches and change management.
Regardless of how you choose to deploy the WAF, you'll need to dedicate time and resources for ongoing WAF-specific management (unless you choose a Managed WAF service). This includes the day-to-day technical adjustments that make your WAF match the security requirements of your organization. Adjusting policies to reduce false positives, changing the rule base, reviewing new rules and reviewing events can all help you tune your WAF so that it's better able to protect your web applications.
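To make the passive-versus-active distinction from consideration 2 and the policy tuning described above concrete, here is an added example of a minimal WAF decision engine. It is not Trustwave code and does not model any vendor's product; the rule patterns, the policy exception format and the sample requests are all constructed for illustration. In passive mode a match produces an event that could be forwarded to a SIEM while the request is still allowed; in active mode the same match blocks the request. The exception list shows the kind of policy adjustment used to silence a known false positive on one path without weakening the rule everywhere else.

```python
"""Minimal WAF decision engine: passive (log only) vs. active (block) modes,
plus per-path rule exceptions for false-positive tuning.

Added example for this article; not Trustwave code and not a model of any
specific WAF product. Rules, exception format and sample requests are constructed.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import unquote_plus

# Constructed signature rules: (rule id, description, regex applied to the
# URL-decoded request line). Real rule bases are far larger; two suffice here.
RULES = [
    ("R001", "SQL tautology in query string", re.compile(r"(?i)'\s*or\s+1\s*=\s*1")),
    ("R003", "Script tag in parameter value", re.compile(r"(?i)<script\b")),
]


@dataclass
class Policy:
    mode: str = "passive"  # "passive": monitor and log only; "active": block matches
    # Tuning: {path prefix: set of rule ids to skip there}. This is how an operator
    # silences a known false positive without disabling the rule globally.
    exceptions: dict = field(default_factory=dict)

    def __post_init__(self):
        if self.mode not in ("passive", "active"):
            raise ValueError(f"unknown WAF mode: {self.mode!r}")


@dataclass
class Decision:
    action: str   # "allow", "alert" (passive-mode event) or "block"
    matched: list  # rule ids that fired and were not excepted


def inspect(path: str, query: str, policy: Policy) -> Decision:
    """Evaluate one request against the rule base under the given policy."""
    # Normalize before matching: WAFs decode URL encoding so that
    # %27+OR+1%3D1 and ' OR 1=1 are inspected the same way.
    target = unquote_plus(f"{path}?{query}")
    fired = []
    for rule_id, _desc, pattern in RULES:
        if not pattern.search(target):
            continue
        excepted = any(path.startswith(prefix) and rule_id in ids
                       for prefix, ids in policy.exceptions.items())
        if not excepted:
            fired.append(rule_id)
    if not fired:
        return Decision("allow", [])
    if policy.mode == "active":
        return Decision("block", fired)
    # Passive mode: traffic passes, but the event is surfaced for alerting/SIEM.
    return Decision("alert", fired)


# Constructed sample traffic: a benign search, an obvious injection probe, and a
# legitimate documentation edit whose content mentions an HTML tag (false positive).
SAMPLE_REQUESTS = [
    ("/search", "q=running+shoes"),
    ("/search", "q=%27+OR+1%3D1"),
    ("/docs/edit", "content=the+%3Cscript%3E+tag+explained"),
]


def run_sample(policy: Policy) -> list:
    """Run the sample traffic and return one log line per request."""
    lines = []
    for path, query in SAMPLE_REQUESTS:
        d = inspect(path, query, policy)
        lines.append(f"{d.action} path={path} rules={','.join(d.matched) or '-'}")
    return lines


if __name__ == "__main__":
    print("passive, untuned:")
    print("\n".join(run_sample(Policy(mode="passive"))))
    print("active, untuned (note the blocked docs edit):")
    print("\n".join(run_sample(Policy(mode="active"))))
    print("active, tuned with an exception for /docs/edit:")
    print("\n".join(run_sample(Policy(mode="active",
                                      exceptions={"/docs/edit": {"R003"}}))))
```

Running the three policies back to back shows the trade-off the article describes: the untuned active policy stops the injection probe but also blocks the harmless documentation edit, the passive policy lets everything through while still producing events for review, and the tuned active policy keeps the block on `/search` while allowing the excepted path.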
5. What Does it Cost?
Price is always an important consideration. When licensing a WAF, consider the initial purchase price, as well as ongoing costs.
When you look at initial license fees, you'll probably have options like you have with other technology purchases - choices like a higher license fee with lower ongoing maintenance payments versus a monthly/annual subscription that includes maintenance. Also factor in things like training costs and professional service fees if you want help getting up and running with your new WAF.
When you consider ongoing costs, there are some key differences between on-prem and cloud-based WAFs. With on-prem WAFs, consider all the costs of maintaining devices onsite. Here are a few to start with:
- Initial upfront hardware costs.
- Cost of replacement parts.
- Power and cooling electricity expenses.
- Labor expenses for maintenance work.
- The need to hire multiple IT pros as backup (e.g., vacation coverage).
With cloud-based WAFs, you won't have to factor in things like hardware and power costs, but do consider whether ongoing costs are fixed or variable. In cloud marketplaces, pricing is often based on usage. If the applications your WAF is protecting have spikes in traffic (e.g., a retail or e-commerce application), your usage fees will vary. That might be OK. Or maybe not.
While you can consider many more things when selecting a WAF, hopefully these five will help get you started. If you'd like to discuss more, we'd love to hear from you. And if you're considering a new WAF, we invite you to add Trustwave to your list. With our enterprise Trustwave WAF product and Managed WAF service, we offer flexible physical, virtual and cloud-based deployment options that you can run on your own or with the help of our experts.
Diane Garey is a senior product marketing manager at Trustwave.