[Part 4] DevSecOps WAF&NGFW

Alexander Lahutsin
Nov 6, 2023

Welcome to the 4th DevSecOps article. Previous articles:

Part 0: https://medium.com/@lahutsin/part-0-devsecops-introduction-412e3aa019a6
Part 1: https://medium.com/@lahutsin/part-1-devsecops-analytics-41c560004da3
Part 2: https://medium.com/@lahutsin/part-2-devsecops-nast-96f7c9e25645
Part 3: https://medium.com/@lahutsin/part-3-devsecops-sca-ids-ips-33f8838047b5

(Spoiler: the series covers parts 0 to 7.) Today we will talk about the types of firewalls. This type of utility is usually required to protect web applications from various types of threats, for example when a potentially vulnerable component is already in the production environment and fixing it takes time. I hope you will be satisfied with the knowledge you gain in this specialization, and continue to develop this area in the future. This series of articles assumes a basic understanding and knowledge of DevOps. As an author, I do not claim to have a final or conclusive expert opinion in this area.

WAF

WAF stands for “Web Application Firewall” and is a security system that protects web applications from various types of attacks, such as SQL injection, cross-site scripting (XSS), and others.

WAF works as a layer between the web server and client applications, analyzing traffic and blocking requests that are potentially malicious. It can use a variety of methods to detect and block attacks, such as regular expressions, subscription-based filters, behavior analysis, and other technologies.

WAF is one of the important components of web application security and is often used in DevSecOps to ensure security and protection from web application vulnerabilities in real-time.

There are several types of WAFs that can be used in DevSecOps to secure web applications:

  • Deployed WAF: This type of WAF is deployed on the server side and works as a filter, blocking requests that are potentially malicious. It can be installed on a separate server or virtual machine and can be configured to work with multiple web applications.
  • Cloud WAF: This type of WAF is deployed in the cloud and can be used to protect web applications that run in the cloud. A cloud WAF can detect and block attacks based on traffic analysis and shared security information that is exchanged with the cloud.
  • API WAF: This type of WAF is used to protect APIs that are used by web applications. It can detect and block attacks that are targeted at APIs, such as SQL injection, brute-force attacks, or API scanning.
  • Network WAF: This type of WAF operates at the network layer and can detect and block attacks that are targeted at web applications. It can be installed on a firewall or other network security device and can be configured to protect multiple web applications that run on the same network.

Here are some additional details about each type of WAF:

  • Deployed WAFs: Deployed WAFs are the most common type of WAF. They are typically installed on a dedicated server or virtual machine and are configured to protect a specific web application or set of web applications.
  • Cloud WAFs: Cloud WAFs are a scalable and cost-effective option for protecting web applications. They are hosted in the cloud and can be deployed and configured quickly and easily.
  • API WAFs: API WAFs are designed to protect APIs from attacks. They can detect and block attacks that are targeted at the API’s endpoints, such as the API’s URL and the API’s headers.
  • Network WAFs: Network WAFs are placed between the web application and the internet. They can detect and block attacks that are targeted at the web application’s IP address or domain name.

Given the above, we are directly concerned only with cloud WAFs, because in general we work with web applications, and everything else can be regulated by access levels and policies. It is important to understand that modern cloud solutions always provide an all-in-one package, and breaking a WAF into fractional utilities does not make sense for our application. In other words, the other types have their place but do not relate to our specialization in general.

Analytical reports

There are a number of companies that produce analytical reports and evaluations of tools in the field of DevSecOps. One of them is Gartner.

Here are some of their most well-known analytics:

  • Magic Quadrant for DevOps and Continuous Delivery Tools (Continuous Integration/Continuous Delivery, CI/CD): This report evaluates and compares different tools and platforms for developing, testing, and delivering applications within the DevOps approach.
  • Magic Quadrant for Application Security Testing (AST): This report analyzes tools and platforms for vulnerability detection, security testing, and application code analysis to ensure development security.
  • Hype Cycle for DevOps: This cycle assesses the maturity and adoption of various technologies and methodologies within DevOps, and provides forecasts and recommendations for their use.
  • Best Practices and DevSecOps Research Reports: Gartner also releases reports that discuss best practices and methodologies in the field of DevSecOps, as well as provide recommendations for organizations seeking to integrate security into development and operations processes.

These analytical reports and assessments from Gartner are a valuable source of information for organizations looking for guidance and direction in the field of DevSecOps and the selection of appropriate tools and practices. They help identify market leaders, understand development trends, and make informed decisions in their security and development strategies.

However, the reality is that not all companies that have undergone this analysis make the reports publicly available, and access to such reports is mostly paid. Therefore, companies that provide their paid report for free are a priority for consideration.

NGFW

NGFW stands for “Next-Generation Firewall” and is an evolution of the traditional firewall that protects the network from external threats. NGFW adds additional security features, such as application control, intrusion prevention (IPS), policy-based access control, and others.

NGFW uses deep packet inspection (DPI) to analyze traffic and identify the type of traffic, which allows for more accurate security policy application. It can also use intelligent algorithms to detect and block new threats that can bypass traditional firewalls.

NGFW can be used in DevSecOps to secure the network and protect against threats such as brute-force attacks, attacks on application vulnerabilities, and others. It can be integrated with other security components, such as WAF, IDS/IPS, and log analysis systems, to provide comprehensive protection for the network and web applications.

There are several types of NGFW that can be used in DevSecOps to secure the network and protect against vulnerabilities:

  • Hardware NGFW: This is a physical device that is placed on the network perimeter and acts as a firewall that controls and blocks traffic based on established security policies. It can be configured to work with various types of networking technologies and provide high performance.
  • Virtual NGFW: This is a virtual device that can be deployed on a virtual machine and acts as a firewall to control and block traffic. It can be used to protect virtual networks and clouds, and it can also be scaled to meet needs.
  • Cloud NGFW: This is an NGFW that runs in the cloud and protects web applications and other resources that are hosted in the cloud. It can be configured to work with various cloud platforms and protect cloud resources from various threats.
  • Software NGFW: This is software that can be installed on a server or workstation and used to protect against threats that may arise in a local network. It can be used in small and medium-sized organizations that do not require the high performance and functionality of physical devices.

The choice of NGFW type depends on the needs and characteristics of the specific network and infrastructure.

A Next-Generation Firewall (NGFW) can be a valuable tool in DevSecOps practice for securing and automating development and operations processes. Here are some practices for using NGFW in DevSecOps:

  • Perimeter protection: NGFW can be used to secure the network perimeter, control access, and filter network traffic. It can detect and block malicious attempts to access infrastructure and applications, providing protection from network-level attacks.
  • Microsegmentation: NGFW allows you to create and manage network microsegments, which helps improve security and reduce risks within the network. This is especially useful in the context of DevSecOps, where different components of applications and environments can be separated and protected by their own security policies.
  • Integration with DevOps tools: NGFW can be integrated with DevOps tools and processes, such as configuration management systems, automated deployment platforms, and CI/CD pipelines. This allows you to automatically update and apply security policies, monitor changes to infrastructure, and quickly respond to potential vulnerabilities.
  • Intelligence and monitoring: NGFW can be used for active monitoring of network activity, detecting anomalous behavior, and security incidents. It can provide detailed reports and event logs that help identify and investigate potential threats, as well as ensure compliance with security requirements.
  • Automation and orchestration: NGFW can be integrated into automation and orchestration tools, such as container management systems or Kubernetes orchestrators. This allows you to manage and apply security policies in dynamic and distributed environments, providing centralized control and automatic protection.

The practice of using NGFW in DevSecOps requires close collaboration between development, security, and operations teams. It contributes to improving the security of applications and infrastructure, automating processes, and ensuring consistent security throughout the application development and operation lifecycle.

WAF vs NGFW

NGFW

The main difference between WAF and NGFW is that WAF protects web applications from various types of attacks, while NGFW protects the network from external threats.

WAF

WAF uses special rules to detect and block attacks on web applications, such as SQL injections and cross-site scripting (XSS), and can also provide access control and protection from brute-force attacks. NGFW, on the other hand, uses deep packet inspection to analyze traffic, detect and block threats in the network, and can also provide application control and protection from brute-force attacks.

Another difference between WAF and NGFW is that WAF operates at the application layer and protects only web applications, while NGFW operates at the network layer and protects the entire network, including web applications.

Despite these differences, WAF and NGFW can be used in combination with each other to provide comprehensive protection for web applications and networks. For example, WAF can be used to protect web applications from application-level vulnerabilities, while NGFW can be used to protect the network from external threats and provide application control.
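As an added illustration (example code written for this article's point, not from the original post or any vendor product), the following Python sketch shows the layering just described: a policy over source IP and destination port stands in for the NGFW check at the network layer, and regex rules over HTTP query parameters stand in for the WAF check at the application layer. The request format, the admin subnet, the rule patterns and the sample requests are all constructed assumptions.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Request:
    # Constructed, minimal view of one inbound HTTP request.
    src_ip: str
    dst_port: int
    path: str
    query: str


# Network-layer policy (the NGFW's job): HTTPS from anywhere,
# SSH only from the assumed admin subnet, everything else denied.
NETWORK_POLICY = [
    ("allow", ip_network("0.0.0.0/0"), 443),
    ("allow", ip_network("10.0.5.0/24"), 22),
]

# Application-layer rules (the WAF's job): signatures over request content.
WAF_RULES = {
    "sqli": re.compile(r"(?i)(\bunion\b\s+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+)"),
    "xss": re.compile(r"(?i)<\s*script\b|javascript:"),
}


def network_verdict(req: Request) -> str:
    """First matching allow rule wins; no match means default deny."""
    src = ip_address(req.src_ip)
    for action, net, port in NETWORK_POLICY:
        if src in net and req.dst_port == port:
            return action
    return "deny"


def waf_verdict(req: Request) -> str:
    """Block on the first signature that matches the query string."""
    for name, rule in WAF_RULES.items():
        if rule.search(req.query):
            return f"block:{name}"
    return "allow"


def inspect(req: Request) -> tuple:
    """NGFW check first (L3/L4); WAF check only for web traffic (L7)."""
    if network_verdict(req) != "allow":
        return ("ngfw", "deny")
    if req.dst_port == 443:
        return ("waf", waf_verdict(req))
    return ("ngfw", "allow")
```

Note that a non-web request such as SSH never reaches the WAF rules, which is exactly the gap the text says the NGFW covers.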

The question arises: why do we need NGFW if we already have WAF? The answer is simple. NGFW is able to filter packets, which is essential for critical parts of the system. There is also the human factor: where a web application has clients, it also has system administrators, and attackers strive to reach more privileged machines for their purposes. In fact, some services provide a WAF that can be fine-tuned out of the box, especially when it comes to cloud services. It is fair to note that if we use any kind of clustered approach, then a cloud WAF for public web applications is acceptable. But if we are an organization that uses a web application to work with customers, then NGFW is of course the best solution in production.

Extra:

WAF:

  • Cloudflare WAF
  • Akamai WAF
  • Imperva WAF
  • Zscaler WAF
  • F5 WAF
  • Sucuri WAF
  • SiteLock WAF
  • Web Application Firewall (WAF) by Incapsula
  • Barracuda Web Application Firewall
  • and more…

NGFW:

  • Palo Alto Networks NGFW
  • FortiGate NGFW
  • Cisco ASA
  • Check Point NGFW
  • SonicWall NGFW
  • Juniper SRX
  • Barracuda NGFW
  • WatchGuard NGFW
  • Sophos NGFW
  • and more…

Write your opinions in the comments.
What do you think about this?

Best Regards,
Alex Lahutsin
