Every business exposing online applications, services, and APIs needs a Web Application Firewall (WAF) to operate safely and protect against cybersecurity threats. A WAF identifies and blocks attacks that lead to downtime, leaked data, and compromised transactions and accounts. However, you might find that choosing the right WAF is a tricky business.
There is no shortage of WAF options, all targeting different use cases. Somehow, you need to select the one that’s best for your business, both today and in the future. If you make the wrong choice, you might expose your business to security risks or lock your team into infrastructure that doesn’t meet your needs.
This guide will help you choose the right WAF for you, to protect your business and fit your tech stack, teams, and workflows.
What does your network architecture and application infrastructure look like?
Start by drawing a diagram to represent your network architecture and your existing application infrastructure. Identify the backend servers you need to protect and the ingress points where you need a WAF to secure traffic.
Then, identify the clouds, platforms, app architectures, traffic types, and protocols involved in the backends and at the ingress point.
You will need to choose a WAF that can:
- secure the backend architecture, ideally with the ability to discover or understand the backends automatically
- deploy to the platforms at the ingress, for example, in VMs or containers or cloud plug-ins
- handle the traffic, protocols, and encryption passing through the ingress.
Which teams will use the WAF and how?
Every business is different. You might have a small IT team managing (among many other things) security for a few web servers or you might have multiple distributed teams handling dedicated functions like app development, platform engineering, and SecOps. You should choose a WAF that enables your business to control it in a way that works for you.
For some businesses, that might mean a WAF that supports the simplest standalone deployment, via VM or container image, with an easy-to-use web GUI for management and configuration.
Alternatively, you might need a WAF that supports a mixture of GUI control for global policy management and API automation for app dev and DevOps teams, with role-based access control (RBAC) for managing multi-team access, and centralized control of hundreds or thousands of instances.
Where will you deploy a WAF?
A WAF is usually deployed as an appliance in the line of traffic between the client and the application server, inspecting requests and responses before forwarding them. Inline deployments tend to be very effective in actively blocking malicious traffic. However, you must be careful when applying rules and policies to avoid blocking legitimate traffic.
Alternatively, you can deploy a WAF ‘out of band’ meaning that the WAF is not in the line of traffic but observes traffic from a monitoring port. This ‘passive’ deployment option is non-intrusive. It is ideal for testing the WAF without affecting traffic while still enabling the WAF to block malicious requests.
Which detection and blocking techniques suit your traffic and risk profile?
Today’s leading WAFs use negative and positive security techniques to ensure accurate detection coverage without blocking legitimate traffic. If malicious traffic presents the biggest risk to your business, choose a WAF that offers the strongest protection and least-permissive model. If blocking legitimate traffic presents a high risk to your business, you should choose a WAF that allows you to use a more permissive security model.
Negative security model
A negative security model assumes all traffic is safe unless it is identified as unsafe. Traffic that matches predefined threat signatures or violates a security rule is identified as unsafe.
A WAF with a negative security model will allow all incoming requests by default and will only block requests identified as unsafe.
Positive security model
A positive security model assumes that all traffic is unsafe unless it is identified as safe. Traffic that passes security checks and matches the characteristics of legitimate user requests is identified as safe.
A WAF with a positive security model will only allow legitimate users and will block requests displaying anomalies. In some cases, a WAF will allow anomalous traffic but will analyze it further (with a low tolerance for irregular behavior) before making a block decision.
A WAF using a positive and negative security model in combination is much more effective than a purely negative security model at protecting against:
- Unknown attacks
- Modified attacks
- Attacks that look very similar to legitimate user behavior
- Exceptions and edge cases
Which application attacks present the biggest risks to your business?
Different industries are exposed to different levels of risk in different areas of application security. You should understand which types of attacks present the biggest risks to your business and choose a WAF that provides strong protection against current and emerging threats.
Most WAFs target protection against the OWASP Top 10 application vulnerabilities, with some also protecting against the OWASP Top 10 API vulnerabilities.
Common application layer threats include:
- Denial of Service (DoS) and Distributed Denial of Service (DDoS)
- SQL injection
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- Account Takeover
- Content Scraping
You should also consider application-specific threats. For example, you might need to secure AJAX applications and JSON payloads. Ensure your choice of WAF covers your specific use cases.
Finally, consider how your tolerance for risk affects your posture towards zero-day threats. If you have a very low tolerance for risk, you might need a WAF powered by real-time threat intelligence to ensure that zero-day threats are blocked pre-emptively or same-day.
Would your apps benefit from virtual patching and scanner integration?
Every application contains vulnerabilities, even when developers apply best practices in secure coding and run security testing. When vulnerabilities are identified, you can either patch your application and release new code as soon as possible or you can use virtual patches to remove the immediate risk and release a code patch later.
Virtual patching requires no immediate changes to the application code and allows you to secure vulnerable applications immediately upon dynamic application testing.
If you cannot release code patches quickly in response to new vulnerabilities, you can mitigate the risk by choosing a WAF that integrates well with a vulnerability scanner to detect, validate, and patch software exposures quickly until new application code is available.
Do you need PCI-DSS compliance for secure transactions?
Malicious attacks designed to steal sensitive credit card information are increasing, with more security breaches and data thefts occurring daily. If you process credit card transactions you are required to comply with PCI-DSS regulations,
PCI-DSS stands for Payment Card Industry Data Security Standard. It is an industry-standard designed to protect cardholder data from loss or theft during transmission over open networks. PCI-DSS compliance is required by most merchants that accept credit cards. The goal is to ensure that all transactions are secure and safe.
If this applies to your business, you will need to choose a WAF that supports PCI-DSS.
Do you need to terminate SSL traffic?
Attackers are increasingly encrypting their attacks. You cannot protect against encrypted attacks without the capability to decrypt traffic in your WAF.
What kind of visibility and reporting does your SecOps team need to be effective?
Telemetry, alerts, and reports provide visibility and intelligence into traffic, attacks, and security trends. This enables rapid incident response, long-term forensics, and identification of new threats. SecOps teams rely on this intelligence to be effective.
Many WAFs provide some level of telemetry or built-in reporting and intelligence capabilities. Some WAFs integrate well with security platforms and SIEM systems. Others use a centralized control plane to centralize telemetry in distributed WAF deployments covering thousands of nodes.
Choose a WAF that provides the intelligence your SecOps team needs. If they rely on a WAF to be a complete security platform, choose a WAF that features built-in reporting and analytics tools. If they use an existing security orchestration platform, choose a WAF that integrates well.
If your network architecture is highly distributed and you need WAF security in multiple locations, ensure you can aggregate all your data in one place, for example, by using a WAF platform with a centralized control plane.