Next-generation WAFs: What they are, and why you need one

Spiros P
Reblaze Blog
Nov 7, 2018

Cyber criminals have discovered that web and mobile applications are great channels through which to mount their attacks on digital assets. According to Akamai, the number of web app attacks in Q3 2017 increased by 69% compared to Q3 2016. Verizon’s 2017 Data Breach Investigations Report says that 29.5% of breaches were carried out through web app attacks. A Q1 2018 report by Sitelock found that virtually all web apps have some form of vulnerability, with 50% vulnerable to unauthorized access, 44% placing personal data at risk, and 70% vulnerable to leakage of critical business information. Most web app attacks are automated barrages that are difficult to detect within the ocean of web traffic, with the most popular being SQL injection (SQLi), cross-site scripting (XSS), and Local File Inclusion (LFI).

Although the quantity and “quality” of attacks on web apps are on the rise, developers have known for a long time that web apps are vulnerable and must be secured. One of the most common lines of defense is the web application firewall (WAF). But WAFs have been around since the late 1990s, and early-generation tech is no match for today’s sophisticated attackers. Thus, we are now seeing the emergence of so-called next-generation WAFs.

In this post, we explore what true next-generation WAFs are, and how they provide unified, comprehensive and adaptive protection for web applications.

A Brief History of WAFs

The first WAFs were on-premise appliances that were expensive, hard to deploy, and required considerable expertise and effort to keep them updated as new threats arose. Deployed inline, they would inspect traffic one packet at a time against a set of patterns or signatures, allowing all transactions except those that seemed to contain a threat.

Although WAF appliances have evolved in terms of performance and ease of installation, they are still hard to configure. They are often prone to being either overly permissive, generating too many false negatives, or over-protective, blocking too much legitimate traffic with false positives. Despite their limited protection, however, companies continued to use them because there was no other solution and, in some sectors, they were mandated as preventive controls by compliance frameworks such as PCI-DSS.

Today the leading WAFs are cloud-based, so they are easier to deploy and have a more convenient pay-as-you-go or subscription business model. However, many are claiming to be next-generation, even though they use the same security paradigms as first-generation WAFs, and they are still outmatched by today’s sophisticated attackers.

Their inadequate security paradigms include: reliance on overly simple signature-based detection methods; inspecting incoming traffic one raw packet at a time, with little or no contextual information; and one-dimensional negative security models that block commonly known threats, but cannot be updated quickly enough to effectively deal with new threats as they emerge.

Needed: True Next-Generation WAFs

Web applications today tend to be complex, incorporating open-source modules and often based on containerized and/or serverless architectures. Similarly, the cloud infrastructures on which they are deployed are often complicated hybrid, multi-region, multi-cloud configurations in order to optimize performance and cost.

All of these advances, coupled with the high velocity of continuous integration/continuous deployment made possible by automated DevOps frameworks, are a double-edged sword.

On the one hand, web app owners can now achieve their business objectives and maintain their competitive edge in a more agile manner. On the other hand, today’s web apps present large attack surfaces that are constantly expanding and changing.

In this environment, legacy approaches to security offer partial protection at best. And partial protection is really no protection at all.

What does a true next-generation WAF look like?

Reblaze’s WAF is one part of a holistic security suite that provides comprehensive web security (including not just the next-gen WAF, but also DoS and DDoS protection, bot detection, and more).

These modules work together to provide better security than a WAF alone can provide. For example, a typical WAF cannot prevent site scraping, because this type of attack does not require a breach of the targeted site; it can be accomplished merely by a collection of bots submitting innocuous HTTP requests. But Reblaze’s advanced bot detection can recognize that these are not legitimate human visitors, and then the WAF blocks their access to the targeted site.

Also, although each Reblaze WAF operates independently, each also coordinates and communicates with other Reblaze deployments worldwide. Each WAF streams its (anonymized) traffic data to a central Big Data depository, where continual Machine Learning analysis detects new threats as soon as (and wherever) they appear. Information about new threats is immediately broadcast to all deployments worldwide, as well as the most effective means for countering that threat.

While most WAFs are stand-alone security devices, each Reblaze WAF is part of a global, autonomous, intelligent security network that recognizes new threats as they arise, and hardens itself against them, even if that specific WAF has not yet encountered a particular threat.

Other important characteristics of next-generation WAFs, as seen in Reblaze, include:

  • Behavioral analysis that establishes acceptable application and network performance baselines and thus quickly detects — and blocks — anomalous behavior indicative of automated or manual intrusion attempts such as pen tests or reverse engineering.
  • Establishing and maintaining strict, granular, application-specific rules that can detect and deny zero-day exploits or other attempts of any kind to inject code.
  • Integration of both negative and positive security models, as appropriate. Thus, for example, Reblaze incorporates both blacklisting of traffic based on a database of known threats (i.e., allowing all traffic except that which contains a threat) and whitelisting of applications (i.e., allowing no traffic except that which meets the granular application-specific rules, as noted above).
  • An effortless, fully managed, transparent solution that scales automatically, has little or no impact on performance, and supports an automated incident response workflow.
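The following is an added example, not Reblaze code and not a description of its product, that makes the three detection layers discussed above concrete: the signature-based negative model criticised in the history section, the application-specific positive model from the list above, and a simple behavioral rate baseline. The endpoints, parameter formats, signatures and sample requests are all constructed for illustration. The point it demonstrates is that a value the signature list does not recognise still fails the positive model, because the positive model describes what the application accepts rather than what attackers are known to send.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Request:
    """A minimal HTTP request as a WAF would see it (constructed for this example)."""
    client: str
    method: str
    path: str
    params: dict
    ts: float = 0.0


# --- Negative security model: block only what matches a known-threat signature ---
# Constructed illustrative signatures; a real WAF rule set is far larger.
NEGATIVE_SIGNATURES = {
    "sqli_union": re.compile(r"(?i)union\s+select"),
    "xss_script_tag": re.compile(r"(?i)<script\b"),
    "lfi_traversal": re.compile(r"\.\./"),
}


def negative_model(req: Request) -> tuple[str, str]:
    for name, value in req.params.items():
        for sig_name, sig in NEGATIVE_SIGNATURES.items():
            if sig.search(value):
                return "block", f"{sig_name} matched parameter {name}"
    return "allow", "no known-threat signature matched"


# --- Positive security model: allow only what the application's own rules describe ---
# Hypothetical endpoints; each maps parameter names to the exact format accepted.
POSITIVE_RULES = {
    ("GET", "/api/users"): {"id": re.compile(r"\d{1,10}")},
    ("POST", "/api/login"): {
        "user": re.compile(r"[a-z0-9_.]{3,32}"),
        "pwd": re.compile(r".{8,128}"),
    },
}


def positive_model(req: Request) -> tuple[str, str]:
    rules = POSITIVE_RULES.get((req.method, req.path))
    if rules is None:
        return "block", f"{req.method} {req.path} is not an allowlisted endpoint"
    for name, value in req.params.items():
        fmt = rules.get(name)
        if fmt is None:
            return "block", f"unexpected parameter {name}"
        if not fmt.fullmatch(value):
            return "block", f"parameter {name} does not match its allowed format"
    return "allow", "request matches application-specific rules"


# --- Behavioral baseline: per-client request rate over a sliding window ---
class RateBaseline:
    def __init__(self, window_s: float, max_requests: int):
        self.window_s = window_s
        self.max_requests = max_requests
        self._seen = defaultdict(deque)  # client -> timestamps inside the window

    def observe(self, req: Request) -> tuple[str, str]:
        q = self._seen[req.client]
        q.append(req.ts)
        while q and req.ts - q[0] > self.window_s:  # drop timestamps that aged out
            q.popleft()
        if len(q) > self.max_requests:
            return "block", f"{len(q)} requests in {self.window_s}s exceeds baseline"
        return "allow", "within rate baseline"


def evaluate(req: Request, baseline: RateBaseline) -> tuple[str, str]:
    """Layered verdict: known-threat signatures, then application rules, then behaviour."""
    for check in (negative_model, positive_model, baseline.observe):
        verdict, reason = check(req)
        if verdict == "block":
            return verdict, reason
    return "allow", "passed all layers"


if __name__ == "__main__":
    baseline = RateBaseline(window_s=10.0, max_requests=5)
    samples = [  # constructed sample traffic
        Request("10.0.0.1", "GET", "/api/users", {"id": "42"}, 1.0),
        Request("10.0.0.2", "GET", "/api/users", {"id": "1 UNION SELECT x"}, 1.5),
        Request("10.0.0.3", "GET", "/api/users", {"id": "42 or 1=1--"}, 2.0),
        Request("10.0.0.4", "GET", "/admin/debug", {}, 2.5),
    ]
    for s in samples:
        print(s.method, s.path, s.params, "->", evaluate(s, baseline))
```

Running the block shows the second request blocked by a signature, the third passing the signature list but failing the positive model's format rule for `id`, and the fourth blocked simply because the endpoint is not allowlisted. The order of the layers is a design choice: signatures are cheap and give precise reasons for known threats, the positive model catches what the signatures have no rule for, and the rate baseline handles traffic that is individually innocuous but collectively anomalous, which is the site-scraping case described earlier.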

In short, a true next-generation WAF is a unified, autonomous solution with real-time and end-to-end visibility into existing and future web application security threats. It provides seamless and robust protection, even against new attack vectors.

Final Note

According to Gartner, in its August 2018 report, Magic Quadrant for Web Application Firewalls, “By 2023, more than 30% of public-facing web applications will be protected by cloud web application and API protection (WAAP) services that combine distributed denial of service (DDoS) protection, bot mitigation, API protection and WAFs. This is an increase from fewer than 10% today.”

Reblaze’s machine-intelligent web security platform was built from the bottom up as a comprehensive, effective, adaptive, and easy to use solution that meets — and exceeds — all of the requirements described above. Our ACL capabilities, for example, lead the industry in terms of granularity, allowing users to control access from specific countries, states, cities, networks, companies, anonymizer networks, cloud and data-center networks, platforms and more. In addition, our unique single-tenant VPC architecture avoids the vulnerabilities inherent to other cloud-based security solutions with their multi-tenant deployments.

Reblaze combines the advantages of physical/virtual appliances and cloud security solutions without their respective drawbacks. The company’s mission is to make web platforms “secure by default.”

To get a demo of Reblaze, or just to learn more about its features and benefits, get in touch with us.
