
Web Application Firewalls Are Worth the Investment for Enterprises
28 February 2014   ID: G00258206
Analyst(s): Jeremy D'Hoinne, Adam Hils
Firewalls and intrusion prevention systems don't provide sufficient protections for most public-facing websites or internal business-critical and custom Web applications. Here, we explain how Web application firewalls help security leaders to better protect Web applications in their organizations.

Overview
Key Findings
*eb a$$l'aton &re#alls (*AFs) are "&&erent &rom ne,t()eneraton &re#alls (/GF*s) an" ntruson
$re%enton systems (I01s)+ *AFs $rote't! at a )ranular le%el! t-e enter$rse's 'ustom *eb a$$l'atons
a)anst *eb atta'2s+
3%en #-en /GF*s an" I01s are "e$loye"! t-e *AF s most o&ten t-e only te'-nolo)y t-at ns$e'ts en'ry$te"
an" unen'ry$te" nboun" *eb tra&&'+
4n"erstan"n) -o# mu'- #or2 your sta&& #ll un"erta2e s a 'rt'al "e'son &a'tor n #-et-er you em$loy a
*AF an" -o#+ A%o"n) &alse alerts (5&alse $ost%es5)! n $art'ular! re6ures s$e'&' attenton+
3nter$rses ten" to &o'us t-er *AF e&&orts on 'om$lan'e or $rote'tn) $ubl'(&a'n) 'ustom *eb
a$$l'atons! but o&ten ne)le't e6ually m$ortant nternal a$$l'atons+
Recommendations
1e'urty lea"ers s-oul":
1tr%e &or more t-an 07I 'om$lan'e+ Assess t-e nee" &or *eb a$$l'aton &re#alls! base" on t-e busness
m$a't o& ea'- *eb a$$l'aton 8 $ubl'(&a'n)! $artner(&a'n) or nternal 8 rat-er t-an $rote'tn) $ubl'(
&a'n) *eb a$$l'atons only+
3%aluate an" "e$loy *AF te'-nolo)y! n 'ombnaton #t- alternat%e se'urty sa&e)uar"s! su'- as a$$l'aton
se'urty testn) an" se'ure 'o"n) $ra't'es+
3%aluate #-'- "e$loyment use 'ases are a''e$table &or your or)an.aton! an" un"erstan" t-e s$e'&'
'-allen)es &or ea'-+
In%est enou)- tme n trann) se'urty sta&&! 'on"u'tn) ntal 'on&)uraton tunn) "urn) t-e learnn) $ero"
an" $er&ormn) nte)raton #t- ot-er net#or2 se'urty te'-nolo)es+ 9-en! 'ontnuously montor an" u$"ate
t-e *AF 'on&)uraton to )an t-e bene&ts &rom t-e te'-nolo)y+
TABLE OF CONTENTS
What You Need to Know
Analysis
Technology Description
Web Attacks Command More Than Signatures
Technology Definition
Uses
Benefits and Risks
Technology Alternatives
Selection Guidelines
WAF Deployment Scenario Drives the Selection Process
Enterprises Need to Compare WAFs Beyond Datasheet Check Marks
Web Application Security Is the "Heavenly Realm" for Evasion Techniques
Price Performance
Technology Providers
TABLES
Table 1. WAF Selection Questions for Different Deployment Use Cases
Table 2. Analyzing Depth of WAF Protection
FIGURES
Figure 1. Web Application Firewall Deployment Options for On-Premises Web Applications
Figure 2. Main Differences Between WAF, IPS and NGFW

What You Need to Know
WAFs are deployed on or in front of Web servers, and include protection techniques dedicated to the granular protection of specific Web applications. WAFs combine negative (protecting against known attacks) and positive (enforcing legitimate traffic only) security models to detect and protect against Web attacks and reduce the risk of false positives.
Security professionals sometimes confuse WAFs with NGFWs, or estimate that WAFs do not bring enough value to justify the cost when compared with IPSs. Organizations already equipped with best-of-breed firewalls and IPSs might view WAFs as a large investment for incremental benefits. However, IPS protections against Web vulnerabilities are too general, often limited to known vulnerabilities in off-the-shelf third-party libraries and frameworks. These protections are also mostly disabled by default. Corporate websites and Web applications carrying business-critical operations, such as payroll, e-banking transactions and e-commerce orders, often include a combination of custom code, with self-inflicted vulnerabilities, and third-party components. CIOs can't decide to leave critical Web servers untouched for fear of false alerts or service interruptions, because the complex Web languages (HTML5, JavaScript) give attackers attractive targets.
Security leaders should consider investing in WAFs, application security testing and secure coding tools if their organization owns public websites, makes internal Web applications available to partners and clients, or has business-critical internal Web applications. Organizations that receive the greatest benefits from WAFs will go beyond compliance. They will spend enough time to select the right WAF deployment scenario, train operational staff, tune the different protections and monitor the infrastructure closely.
Analysis
In the early 2000s, most enterprises were not using WAFs to protect their Web servers and applications. Firewalls were the best practice, and intrusion detection and prevention were still maturing. The relatively low complexity of Web applications was not a sufficient driver to justify an additional investment, and attackers were not yet backed by well-funded organizations.
Since then, Web applications have become more complex, relying on languages and scripts such as HTML5, Java, JavaScript and PHP for rich Internet applications (RIAs), extensive frameworks and complex third-party libraries. False positives and performance hits arising from protections that relied on traffic-pattern matching became a real issue. IPS vendors elected to disable most of the Web application protection signatures by default to mitigate these issues. Type A organizations realized the need for a new approach to Web application security, and have added WAFs to their security portfolios.
In 2008, the PCI Security Standards Council (PCI SSC) released the PCI Data Security Standard (PCI DSS) 1.2 with an updated requirement 6.6, which allowed WAFs as a viable alternative to Web application vulnerability assessments.[1] The PCI requirement has given additional momentum to the WAF market, helping it expand beyond niche use cases, especially in financial and banking organizations.
Unfortunately, many enterprises and WAF vendors use the low PCI compliance standard as the goal and do not seek more than a successful audit. Good Web application security requires more than a checkbox approach. Most WAFs can provide the PCI check mark but, as history often reminds us, compliance is not automatically equivalent to good security. Competitive evaluations of WAF technologies are still complicated and require a lengthy proof of concept, because similar feature names mask significant discrepancies in security depth. Once in production, WAFs continue to demand close monitoring to deliver high value.
This research covers the major features of WAF technology, explains the deployment options and provides selection guidelines. It will help security leaders responsible for Web application security projects to better understand the benefits and challenges of WAF implementation.
Technology Description
Web application firewalls protect Web servers and hosted Web applications against attacks at the application layer and nonvolumetric attacks at the network layer. A WAF can be deployed as an endpoint agent on the Web server, a software or hardware network appliance, a software module hosted on an application delivery controller (ADC; see "Magic Quadrant for Application Delivery Controllers"), a virtual appliance or a cloud service (see Figure 1). Most of the time, WAFs are in-line, acting as a reverse proxy, but other deployments are available, such as transparent proxy, network bridge or out-of-band.
Figure 1. Web Application Firewall Deployment Options for On-Premises Web Applications
Source: Gartner (February 2014)
Web Attacks Command More Than Signatures
Threats against Web applications are well-documented. The Open Web Application Security Project (OWASP) Top Ten, CWE/SANS Top 25 Most Dangerous Software Errors and Web Application Security Consortium (WASC) Threat Classification v2.0 and Cross Reference View can help raise awareness of the threat landscape, providing elements to justify the need for technology dedicated to Web application security. However, security staff often fail to explain how WAFs can provide deeper, more-granular Web application safeguards than NGFWs and IPSs. Figure 2 highlights feature differences between NGFWs, IPSs and WAFs when it comes to Web application security.
Figure 2. Main Differences Between WAF, IPS and NGFW
IP = Internet Protocol
Source: Gartner (February 2014)
Firewalls and IPSs provide signatures, mostly against SQL injection (SQLi) or cross-site scripting (XSS), but do not include more advanced features that WAF technologies can offer, such as:
Contextualized Web traffic inspection: WAFs embed dedicated inspection engines for Web protocols and languages, to perform traffic decoding and normalization before applying in-context security inspection. This improves the effectiveness of Web attack and Web vulnerability signatures.
Automatic policy learning: The WAF security engine listens to HTTP requests and responses for configured Web domains, creates a map of URLs and their parameters, then suggests appropriate whitelisting enforcements (often called positive security models).
"Virtual patching": The name is an overstatement. The WAF can leverage data from dynamic application security testing (DAST) tools to suggest or automatically enable additional controls or signatures to protect against the detected threats. The level of value provided highly depends on the quality of the vulnerability assessment tool.
Anti-automation: This distinguishes real humans from automated clients interacting with a Web application.
Business logic defense: WAFs monitor user sessions to detect attacks that exploit business transactions in order to perform malicious activities that disrupt a normal business practice.
Anti-DDoS: WAFs might include protection against application-targeted distributed denial of service (DDoS), but can't mitigate volumetric attacks. Vendors with a cloud offer often try to upsell their anti-DDoS solutions to their clients using WAFs.
These features are not the only differences between WAFs and other network security technologies. IPS appliances can operate out-of-band, on a copy of the traffic, or in-line, in bridge mode. While a few WAF technologies support these two deployment modes, most of them use the more intrusive reverse or transparent proxy modes. Acting as a proxy allows additional operations:
Secure Sockets Layer (SSL)/Transport Layer Security (TLS) decryption and offloading: Reverse or transparent proxy modes allow decryption of TLS traffic even when cipher suites that provide forward secrecy[2] (Ephemeral Diffie-Hellman [DHE] and Elliptic Curve Diffie-Hellman Ephemeral [ECDHE]) are in use, because the WAF terminates the TLS session itself. For other cipher suites (static RSA key exchange), a WAF holding the server's private key might offer the ability to decrypt a copy of the encrypted traffic when deployed in in-line bridge mode or out-of-band.
Web content modification: WAFs modify the responses sent by Web applications with techniques such as cookie signing, URL encryption, custom error pages, and code injection in Web pages (for example, to prevent cross-site request forgery [CSRF]).
Authentication services: WAFs can provide single sign-on for existing Web applications, or act as an authentication broker for legacy applications that don't have any authentication in place.
The ability of WAFs to decrypt SSL traffic makes a big difference when compared to NGFWs and IPSs. In 2013, Gartner conducted an industry survey of network security vendors and enterprises to find out how organizations are tackling the challenge of traffic decryption (see "Security Leaders Must Address Threats From Rising SSL Traffic"). The survey revealed that less than 20% of organizations with a firewall, an IPS or a unified threat management (UTM) appliance can decrypt inbound or outbound SSL traffic. However, more than 80% of organizations with a public website and a WAF can decrypt inbound Web traffic.
WAF technology might provide many other features, including ad hoc reports for PCI audit, multiprotocol inspection to cover other services provided by Web applications (such as FTP), Web service security, or remote user/host fingerprinting.
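To make the "automatic policy learning" bullet above concrete, here is an added example, written for this edition rather than taken from the Gartner report or from any WAF vendor's product. It observes a constructed sample of legitimate requests, builds a per-route map of parameters with the loosest value class and the longest value seen for each, then enforces that map: unknown routes, unexpected parameters, values of a looser class than learned and grossly over-long values are reported as violations. The routes, parameter names, value classes and the length slack are illustrative assumptions.

```python
"""Added example (not from the Gartner report or any vendor product): a toy
"automatic policy learning" engine for a WAF positive security model.
The learning traffic below is a constructed sample of legitimate requests."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlsplit

# Value classes ordered from most to least restrictive (illustrative set).
# Learning records the loosest class observed per parameter; enforcement
# rejects anything looser than that.
TYPE_PATTERNS = [
    ("digits", re.compile(r"\d+")),
    ("alnum", re.compile(r"[A-Za-z0-9_-]+")),
    ("email", re.compile(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}")),
    ("text", re.compile(r"[^<>\"'`;]*")),  # free text without markup or quote characters
    ("any", re.compile(r".*", re.S)),
]
TYPE_NAMES = [name for name, _ in TYPE_PATTERNS]
RANK = {name: i for i, name in enumerate(TYPE_NAMES)}


def classify(value: str) -> str:
    """Most restrictive class whose pattern covers the whole value."""
    for name, pat in TYPE_PATTERNS:
        if pat.fullmatch(value):
            return name
    return "any"


def _params(url: str, body: str = "") -> list[tuple[str, str]]:
    """Query-string and form parameters, URL-decoded once like the application sees them."""
    return (parse_qsl(urlsplit(url).query, keep_blank_values=True)
            + parse_qsl(body, keep_blank_values=True))


@dataclass
class ParamProfile:
    type_rank: int = 0   # index into TYPE_NAMES of the loosest class seen
    max_len: int = 0
    seen: int = 0


@dataclass
class Policy:
    routes: dict = field(default_factory=dict)  # (method, path) -> {param: ParamProfile}

    def observe(self, method: str, url: str, body: str = "") -> None:
        """Learning mode: widen each profile to cover what the application actually received."""
        route = self.routes.setdefault((method, urlsplit(url).path), {})
        for name, value in _params(url, body):
            prof = route.setdefault(name, ParamProfile())
            prof.type_rank = max(prof.type_rank, RANK[classify(value)])
            prof.max_len = max(prof.max_len, len(value))
            prof.seen += 1

    def enforce(self, method: str, url: str, body: str = "") -> list[str]:
        """Enforcement mode: list of policy violations (empty list = request conforms)."""
        path = urlsplit(url).path
        route = self.routes.get((method, path))
        if route is None:
            return [f"unknown route {method} {path}"]
        violations = []
        for name, value in _params(url, body):
            prof = route.get(name)
            if prof is None:
                violations.append(f"unexpected parameter {name!r}")
                continue
            cls = classify(value)
            if RANK[cls] > prof.type_rank:
                violations.append(f"{name}: value class {cls!r} exceeds learned {TYPE_NAMES[prof.type_rank]!r}")
            bound = prof.max_len * 2 + 8  # slack so ordinary growth does not alert (assumed heuristic)
            if len(value) > bound:
                violations.append(f"{name}: length {len(value)} exceeds learned bound {bound}")
        return violations


LEARNING_TRAFFIC = [  # constructed sample of legitimate traffic seen during the learning period
    ("GET", "/account/view?id=1042", ""),
    ("GET", "/account/view?id=7", ""),
    ("POST", "/account/update", "id=1042&email=alice%40example.com&nick=alice_k"),
    ("POST", "/account/update", "id=7&email=bob%40example.org&nick=bobby"),
    ("GET", "/search?q=winter+coats", ""),
    ("GET", "/search?q=boots", ""),
]


def build_policy(traffic=LEARNING_TRAFFIC) -> Policy:
    policy = Policy()
    for method, url, body in traffic:
        policy.observe(method, url, body)
    return policy


if __name__ == "__main__":
    policy = build_policy()
    for req in [("GET", "/account/view?id=1042", ""),
                ("GET", "/account/view?id=1042%20OR%201%3D1", ""),
                ("GET", "/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E", ""),
                ("GET", "/account/view?id=7&debug=1", "")]:
        print(req[0], req[1], "->", policy.enforce(*req) or "ok")
```

Two properties of this toy carry over to real products. First, the policy is only as good as the learning traffic: any attack that arrives during the learning period is baked into the whitelist, which is why vendors add behavioral analysis and why the learning set should be scrubbed. Second, a parameter that legitimately changes shape (a longer search query in the holiday season, a new field after a release) shows up as a violation, which is the false-positive pressure described under Benefits and Risks below and the reason some organizations never leave learning mode.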
Technology Definition
A Web application firewall is a shielding safeguard intended to protect applications accessed via HTTP and HTTPS against exploitation. WAFs focus primarily on Web server protection at Layer 7, the application layer, which includes classes of "self-inflicted" vulnerabilities in configured commercial applications or in custom-developed code that make Web applications subject to attacks. WAFs may also include safeguards against attacks at other layers.
Uses
Enterprises primarily use WAFs to protect public Web applications, as well as custom and internal applications such as payroll, Web mail or extranets. On rare occasions, organizations also use WAFs to protect their on-premises internal applications, such as intranets, since these applications are some of the easiest targets for attackers looking for a lateral move after an initial infection. WAF projects can be driven by compliance issues or initiated to improve the security of business-critical Web applications. At times, organizations leverage other infrastructure projects to include WAFs in an ADC deployment or within a DDoS mitigation project.
Benefits and Risks
WAF technology leverages the knowledge gained on Web applications, via careful monitoring of the applications' behavior, to implement tightened security controls. When correctly implemented and tuned, WAFs are the technology of choice to enhance the security of existing Web applications. However, when organizations don't invest enough energy in their WAF deployment, they often face disappointing results.
Risks:
False positives are the most important risk when deploying WAFs. Fear of false positives affects many WAF implementations and can lead to the displacement of the technology.
Automatic policy learning can fail in various ways. If using a WAF as a permanent monitoring tool is not the objective, this might be an important issue. Organizations with fast-changing Web applications sometimes never progress beyond the learning period, due to a fear of false positives. Security leaders should also anticipate business-specific use cases, like B2B commerce with a peak period at the end of every quarter, or e-commerce sites with annual events such as the holiday season at the end of the year.
Vulnerabilities in the WAF itself are more critical than for other network security technologies. When acting in reverse or transparent proxy mode, the WAF terminates every client connection and might itself be a target for attackers.
WAFs don't protect against volumetric DDoS attacks, which can bring down public websites and Web applications that allow remote access.
Technology Alternatives
When compliance dictates the WAF implementation project, application security testing (AST) coupled with software development best practices often competes with the WAF budget (see "Magic Quadrant for Application Security Testing," "Interaction Between Security Scanners and Monitors Strengthens Application Protection" and "Application Security Detection and Protection Must Interact and Share Knowledge"). Organizations should put effort into secure development practices through development staff training and static code analysis and scanning, and they should consider the use of specific sanitization libraries (see the OWASP Developer Guide). However, Web applications rely heavily on third-party modules or libraries, so the detection of vulnerabilities can fall outside the direct control of Web application development teams. Upgrading these components might not be possible in a timely manner, and network-based compensatory controls might remain necessary. Using penetration testing applications can complement a secure development approach to provide a better assessment of the risks for Web applications.
NGFWs and IPSs include signature sets for Web application protection. Enterprises might see them as a price-attractive solution compared with a dedicated WAF. As discussed earlier in the document, these technologies only offer a subset of the many protection techniques available with a WAF. Moreover, Web security signatures are disabled in most default configurations, which means the workload is transferred to the network security staff. Fine-tuning the configuration per Web domain might also be difficult, with technologies not optimized to be sufficiently granular.
Open-source, free Web application firewalls like the ubiquitous ModSecurity or the more recent IronBee often compete against commercial offers. Even when a commercial set of signatures is available, organizations should carefully assess what the true gains will be, since these solutions are likely to require much more configuration work and rely on signatures, which is the technology most prone to false alerts.
Other vendors, such as Shape Security or Juniper Networks, with its WebApp Secure offering, focus on a few innovative techniques to protect Web applications. On-server security applications (such as runtime application self-protection [RASP]) are also available.
Selection Guidelines
Organizations willing to perform a competitive assessment of WAF vendors might face unexpected difficulties. PCI compliance and the availability of various ad hoc threat lists shape many RFPs. Too often, the comparison shrinks to a list of features, which lacks the necessary depth to uncover true differences between WAF vendors.
The WAF market landscape includes many different categories of vendors: large and small WAF pure players, more general network security vendors, ADC vendors, and cloud service providers. A number of the vendors are also relative newcomers to the WAF market, and are in the middle of an ambitious road map for Web application security. Organizations should understand the characteristics of each vendor to determine whether the vendor meets the organization's needs.
WAF Deployment Scenario Drives the Selection Process
Enterprises should first evaluate which deployment options are acceptable for them. Each deployment scenario brings its own challenges (see Table 1), and many WAF vendors provide only the reverse proxy mode.
Table 1. WAF Selection Questions for Different Deployment Use Cases

Use Case: Internet-Hosted (Cloud)
Major Challenges: Need for SSL decryption (secret key management); protection of internal Web applications; incident response; opt out.
Subsequent Questions: How do the organization's compliance requirements affect its ability to delegate SSL decryption? How will the organization handle incidents and false alerts (monitoring and response)? What is an acceptable SLA for each level of incident? How long does it take to opt out from the WAF provider?

Use Case: Reverse or Transparent Proxy
Major Challenges: Performance; tighter dependency with the Web application due to the "man in the middle" approach.
Subsequent Questions: How can the WAF scale up and scale horizontally (cluster)? How does the WAF integrate or partner with load balancers/ADCs? What does the application team manage, and what belongs to the security team?

Use Case: In-line Bridge Mode
Major Challenges: SSL/TLS decryption with perfect forward secrecy; limited ability to modify content.
Subsequent Questions: What are the compensatory controls your organization can deploy to replace the features that require content modification? Do (or will) the Web applications implement Diffie-Hellman cipher suites (forward secrecy)?

Use Case: Out-of-band
Major Challenges: Restricted number of WAF vendors; limited ability to block, and no ability at all to modify content; SSL/TLS decryption with perfect forward secrecy.
Subsequent Questions: What are the acceptable compromises to keep this deployment scenario? What wouldn't be acceptable? How will the organization handle incidents and false alerts (monitoring and response)? Do (or will) the Web applications implement Diffie-Hellman cipher suites (forward secrecy)?

Source: Gartner (February 2014)
In large-scale deployments in which organizations use ADCs, the integration of WAF features will benefit from available performance optimization features and shared traffic processing.
Once the deployment scenario is chosen, security leaders should take special care of high-availability requirements, including cluster upgrade procedures and their impact on the production environment.
Enterprises Need to Compare WAFs Beyond Datasheet Check Marks
Differences between WAF technologies regarding price and performance may be easily recognized from the start, but discovering discrepancies in protection techniques requires further investigation. Because these differences exist (see Table 2 for examples), security leaders should not rely on vendor claims, but should use the proof of concept and request feedback from their peers to verify the efficiency of the different techniques in their own environment.
During a WAF competitive assessment, security leaders should specifically question smaller WAF vendors and newcomers to the market about their reputation databases and their attack signature databases. Be wary of miraculous generic approaches, especially for protections against XSS and SQLi. Even the most basic protections are tested against known tools like Metasploit, so failing such a test can be used as an exclusion criterion, but passing it should not be considered sufficient. In 2013, 650 XSS attacks and 150 SQL injection flaws were added to the Common Vulnerabilities and Exposures (CVE) database.[4] Selecting a few known recent attacks and asking vendors about them will give security leaders a better sense of a vendor's coverage.
Organizations should also understand that some attacks, such as CSRF, are hard to catch, and that no turnkey preventive solution can guarantee perfect protection.
Table 2. Analyzing Depth of WAF Protection

Threat: Cross-Site Scripting (XSS), SQL Injection (SQLi)
Minimal Protection: Pattern-matching signatures aimed at catching keywords.
More-Advanced Techniques: Analyzing requests and responses; multiple passes of traffic normalization covering various evasion techniques; aggregated and contextual scoring to reduce false positives; supplementary ad hoc signatures for known attacks; enforcement using whitelisting rules.

Threat: Automatic Policy Learning
Minimal Protection: None (manual import of site map), or a one-time learning period without automatic ending.
More-Advanced Techniques: Behavioral analysis that automatically disables signatures that would trigger false positives; automatic policy update when the application changes; predefined templates for well-known applications (Microsoft SharePoint, Microsoft Outlook Web Access, etc.).

Threat: "Virtual Patching"
Minimal Protection: None, or manual import of vulnerability scan results, and/or a limited number of supported scanners.
More-Advanced Techniques: Automatic enforcement for critical vulnerabilities; ability to launch a second test to confirm that a vulnerability is patched; impact assessment of the "virtual patch" deployment to help with the administrator's decision.

Source: Gartner (February 2014)
Web Application Security Is the "Heavenly Realm" for Evasion Techniques
The complexity of programming languages used in Web applications, and the extensive use of third-party source code and third-party byte/binary code in the form of libraries or frameworks, create perfect conditions for evasion techniques. A single vulnerability can be triggered in various ways: an SQLi payload can be distributed over several URL or form parameters, or the same string can be encoded in alternate ways (URL encoding, double encoding, HTML entities). In addition, browsers might interpret the same content in different ways.[2]
Security leaders should request from WAF vendors additional elements regarding how their technology can prevent known evasion techniques and anticipate upcoming new variants.[3] Evaluation should only take into account specific examples of real attacks and discard marketing statements that are not backed up with evidence.
As a start, the WASC's Web Application Firewall Evaluation Criteria (WAFEC), despite their publication in 2006, remain a good independent template to cover the basics of a WAF selection RFP, even if organizations must adapt each section to their specific needs.
Price Performance
WAF pricing models vary by vendor and deployment use case. While most vendors offer the traditional initial purchase coupled with maintenance and subscription bundles, a few WAF vendors add further limits, such as the number of Web applications, server IP addresses, or the number of CPU cores for software appliances. Additional limits based on performance metrics, such as the number of transactions per second, might also apply. Cloud providers use subscription fees (monthly or yearly), occasionally coupled with performance-related restrictions (page views).
Gartner recommends that clients ask WAF vendors for simple pricing models and require proposals with total cost of ownership for multiple years, including all recurring subscriptions. Performance can't be reliably assessed from vendors' collateral, and should be confirmed during a proof of concept. Additional costs for SSL acceleration might significantly impact the total cost. Moreover, Gartner observes that many WAF deployments face unexpectedly short life cycles because growing application traffic was not anticipated. Organizations should provision for growing Web and encrypted traffic based on trends observed in the past and knowledge of upcoming changes in their application offers.
Technology Providers
Sample WAF Vendors:
A10 Networks
AdNovum
Akamai Technologies
Anchiva
Barracuda Networks
Bee Ware
BugSec
Citrix
CloudFlare
DBAPPSecurity
DenyAll
Ergon Informatik
F5 Networks
Fortinet
Igaware
Imperva
NSFocus
Penta Security
Positive Technologies
Qualys
Radware
Riverbed
Sangfor
Sucuri Security
Trustwave
United Security Providers
Venustech
Sample Open-Source Projects:
ModSecurity
IronBee
