Comparative analysis of cloud WAF and local WAF

The web application firewall (WAF) market is growing, mainly due to enterprises adopting cloud-based WAF services. Cloud-based WAF services are multi-tenant and cloud-based from the beginning, which can avoid costly maintenance of legacy code in the long run. Additionally, they provide a competitive advantage, as release cycles are shorter and innovative features can be implemented quickly.

As the application landscape changes, so do the tools we use to protect enterprise systems and the data they process. Among them, the development of WAF is a prime example of adapting legacy security systems to protect modern enterprises.

Almost all businesses have reason to worry about online breaches. Hackers don't just target websites; they also exploit vulnerabilities in web applications used by employees, customers and partners. Because enterprise applications often contain large amounts of private personal and corporate data, a higher level of protection must be deployed.

Numerous incidents have shown that web applications are the main attack vector behind breaches. According to the latest Verizon data breach investigation report, nearly half of data breaches are caused by the exploitation of web application vulnerabilities. In the case of the Equifax data breach, a correctly deployed WAF could have prevented the incident.

Cloud WAF requirements

Traditionally, a WAF is deployed in front of the web server as a physical, on-premises tool to protect web applications and APIs from internal and external attacks, especially injection attacks and application-layer denial-of-service (DoS) attacks, to monitor and control access to web applications, and to collect access logs for compliance/auditing and analysis. WAFs are most commonly deployed inline, as a reverse proxy, because in the past this was the only way to perform deep inspection.

Other deployment models exist today, such as transparent proxies or bridges. Some WAFs can also be deployed out of band (i.e. OOB or mirroring mode), so they can handle the entire network traffic. However, not every feature works in all of these deployment models; for many organizations, reverse proxy is the most popular solution. In recent years, web applications have increased their use of Transport Layer Security (TLS) encryption, based on cipher suites that require an inline interceptor (man-in-the-middle) to decrypt the traffic, thus reducing the number of OOB deployments.

If you think of your network as a fortress protected by a wall (i.e. your firewall), then a web application is like a screen door in that wall: no matter how many layers of protection you have deployed, any web application that is not properly protected can completely destroy everything.

As businesses move to the cloud, applications are no longer hosted on their own technology infrastructure. As a result, they have also lost visibility into how the application is being used, who is visiting it, and how much traffic is coming in and out. In recent years, WAF delivered directly by the vendor as a cloud-based service (cloud-based WAF service) has become a more popular solution for an increasing number of enterprises, expanding from its original target group of mid-sized enterprises to the wider enterprise market. Cloud-based WAF services simplify management by combining more regular security updates, greater scalability, and monthly or annual subscription models.

People have been using WAFs in detection mode for a long time, but it may be some time before they can be used to block threats. Because WAF provides a wealth of information, it also generates a large number of false positives, which raises concerns among security teams. According to the latest Imperva survey results, 27% of security teams receive more than 1 million security alerts every day, and 53% of IT professionals are struggling to distinguish major security incidents from false positives.

In the past four to five years, more and more enterprises want to obtain better web application support, but suffer from a lack of professional knowledge and talents in related fields. Later, they began to turn their attention to the growing market of cloud-based WAFs, which share threat data and provide similar support services, while also making it easier for enterprises to implement deployment and management tasks.

Cloud-based vs. on-premises WAF: Differences and deployment

There are some major differences between on-premises and cloud-based WAFs, the biggest of which is how they are deployed. On-premises WAFs run in the data center or as virtual machines via Infrastructure as a Service (IaaS). Cloud WAFs, on the other hand, are sold as Software as a Service (SaaS) and managed through a web interface or mobile app. Deploying an on-premises WAF requires you to handle capacity planning and complexity yourself; but with a cloud WAF, these tasks are handled by the WAF provider.

While on-premises WAF has out-of-the-box/plug-and-play policies, administrators have full control over their company's rules. On-premises systems are more customizable and sophisticated, allowing administrators to adjust how applications interact with the WAF. However, this also requires companies to monitor this data to ensure that it cannot be accessed.

Cloud-based WAFs are different in that the security policy is pre-defined by the WAF provider based on their view of the threat landscape, so that the customer does not get too many false positives. Cloud WAFs typically have features such as load balancing, APIs, application delivery rules, and DDoS protection. However, customers typically do not have the fine-grained access that on-premises WAFs offer. The software is hosted in data centers by the provider, who is responsible for securing them.

As for whether to choose a local WAF or a cloud WAF, you need to conduct a comprehensive evaluation based on your specific business needs and the sensitivity of the application and data. Some enterprises will use a hybrid model, deploying hardware WAF on-premises and deploying WAF-as-a-service model in the public cloud. For example, cloud-based WAFs can be placed at the network edge because pre-configured WAFs are capable of analyzing complex insider threat scenarios.

Enterprise security personnel need to consider business needs and figure out whether the enterprise's focus is shifting to the cloud and how fast it is shifting. After clarifying the enterprise's business development route, they can decide whether the WAF deployment model they want is local or cloud-delivered.

Summary of advantages and disadvantages of cloud-based vs. locally deployed WAF

As a website operator, how should you choose a WAF that suits you? Different forms of WAF have their own advantages, but they also have their own disadvantages:

Advantages of hardware WAF:

Easy to deploy, plug and play: Hardware WAF only needs to be connected in series to the switch, and web security protection can be implemented after simple configuration.

Can withstand high throughput: Because hardware firewalls are implemented based on hardware devices, they can generally withstand high data throughput.

Large protection range: Since the hardware firewall is directly connected to the switch, all servers under the same switch are within the protection range of the firewall.

Hardware WAF disadvantages:

Expensive: The current hardware WAF in the security industry is too expensive for small and medium-sized enterprises, often costing hundreds of thousands or even millions.

There is a certain rate of false positives: Since the hardware WAF identifies abnormal traffic through the attack rule library, when the business system is complex, there may be a certain number of false positives, causing normal functions to be blocked by the firewall and affecting normal business.

There is a certain chance of bypass: the hardware firewall parses the HTTP protocol by itself, which may be inconsistent with the web server's understanding of HTTP requests, leading to bypass.

Cloud WAF advantages:

Simple deployment and low maintenance costs: This is also the most valuable and popular thing about Cloud WAF. There is no need to install any software or deploy any hardware equipment. You only need to modify the DNS to deploy the website within the protection scope of Cloud WAF.

Users do not need to update: Cloud WAF protection rules are all in the cloud. When new vulnerabilities break out, the cloud is responsible for updating and maintaining the rules. Users do not need to worry about being attacked by new vulnerabilities due to negligence.

Can act as a CDN: Cloud WAF not only provides protection functions, but also has the functions of a CDN. While performing protection, it can also increase the rate of website access. The CDN dynamically loads static resources to the server through multi-line intelligent parsing and scheduling across operators. With cloud nodes across the country, when users access a resource, they will be directed to the nearest cloud node to improve access speed.

Disadvantages of cloud WAF:

There is a risk of being easily bypassed: The main implementation principle of cloud WAF is to achieve protection by resolving the user's DNS to the cloud node. As a result, if a hacker obtains the real IP address of the server through some means and then forces the domain name to resolve to it, the cloud WAF can be easily bypassed to launch attacks on the server.

Low reliability: For a cloud WAF to process a request, the request must pass through DNS resolution, request scheduling, traffic filtering and other stages that have to work together. If there is a problem at any one stage, the website will be inaccessible. When necessary, you can only manually switch back to the original DNS to ensure normal business operation. Domain name resolution takes a certain amount of time, which will leave the website inaccessible for a short period.

Low confidentiality: Website access data is confidential data for some companies and institutions. It may contain users' private information or business information. This data is relatively safe if the organization controls it itself. However, if a cloud WAF is used, all data will be recorded in the cloud. This is equivalent to the data being kept by others, and there may be a certain risk of leakage.
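
A defender-side check for the bypass risk described above (reaching the origin server by its real IP address): this added example, which is not part of the original article, flags origin access-log entries whose TCP peer lies outside the cloud WAF's egress ranges. The CIDR ranges, log format and sample lines are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed placeholder ranges (documentation address space). Substitute
# the egress ranges your cloud WAF provider publishes.
WAF_EGRESS_RANGES = ["198.51.100.0/24", "2001:db8:aa::/48"]

# Access-log line: TCP peer first; the last quoted field is X-Forwarded-For.
LOG_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3})'
)

def load_ranges(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

def via_waf(peer, networks):
    """True only if the TCP peer address lies inside a WAF egress range."""
    try:
        addr = ipaddress.ip_address(peer)
    except ValueError:
        return False  # an unparseable peer is treated as untrusted
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # normalise ::ffff:a.b.c.d from dual-stack sockets
    return any(addr.version == n.version and addr in n for n in networks)

def direct_to_origin(log_lines, networks):
    """Return (peer, request, status) for requests that did not traverse the WAF.

    Only the peer address is trusted: X-Forwarded-For is client-controlled
    on a direct connection, so it is deliberately ignored.
    """
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and not via_waf(m["peer"], networks):
            findings.append((m["peer"], m["request"], int(m["status"])))
    return findings

# Constructed sample lines from an origin server's access log.
SAMPLE_LOG = [
    '198.51.100.17 - - [10/Nov/2023:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "203.0.113.5"',
    '203.0.113.77 - - [10/Nov/2023:10:00:02 +0000] "GET /admin HTTP/1.1" 404 0 "198.51.100.17"',
    '::ffff:198.51.100.40 - - [10/Nov/2023:10:00:03 +0000] "POST /login HTTP/1.1" 200 88 "203.0.113.9"',
    '2001:db8:ffff::1 - - [10/Nov/2023:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-"',
]

if __name__ == "__main__":
    for peer, request, status in direct_to_origin(SAMPLE_LOG, load_ranges(WAF_EGRESS_RANGES)):
        print(f"direct-to-origin: {peer} {request!r} -> {status}")
```

The same range list belongs in the origin's firewall or security-group allow-list, so that direct connections are refused rather than only logged.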

After analyzing the pros and cons, we found that cloud-based WAF is more suitable for small and medium-sized enterprises or personal websites with lower security requirements. For websites with higher security requirements, such as governments, finance, operators, etc., cloud WAF may not be able to meet relevant requirements. For task-intensive, Web-based applications, specialized or hardware-type devices are required. However, the specific WAF form to adopt is not a matter of "one size fits all". Enterprises can adopt a wider range of forms to support various network environment needs according to their own circumstances, thereby achieving a greater degree of flexibility and security.

You need to educate people on your team who understand security and applications about the differences and pros and cons of different types of WAFs, teach them how to use cloud WAFs, and how to implement cloud migration effectively and efficiently.

Major cloud service providers begin to shift markets

Early WAF deployments in the public cloud had to be third-party solutions because the public cloud providers at the time did not offer any solutions. Today, some major cloud providers already have basic entry-level WAF services, and application teams are leaning towards solutions from Amazon and AWS.

The specific choice between a third-party solution or a cloud service provider's solution mainly depends on the nature and usage of the application. If your application is extremely vulnerable to attacks, it is recommended that you choose third-party virtual WAF or WAF-as-a-service tools, which currently provide better protection for web applications.

If the application is not very important and users trust that the cloud provider will further improve its WAF service, then you can choose to use cloud-native tools. WAF security from major cloud service providers is not yet consistent with third-party systems, but it is improving. For example, AWS is already further strengthening its WAF capabilities. The first AWS WAF had no signatures, but now it is building a signature database. In addition, Amazon's WAF is also relatively cheap: you only pay for what you use, and AWS WAF is priced based on the number of rules you deploy and the number of web requests your web application receives.

Experts predict that as time goes by, more and more workloads will be moved to the cloud, and people's demand for security will become stronger. The market will establish rankings for cloud IaaS providers based on how they improve their WAFs. First of all, cloud IaaS providers that improve their WAF will have an absolute competitive advantage in the market. Although their WAF service is far from being as good as third-party solutions, their outstanding advantage is that the cost is much lower.

As major providers such as Microsoft and Amazon begin to explore and deploy the WAF space, existing vendors are also beginning to focus on adding more capabilities to their existing tools. Imperva recently launched Attack Analytics, which is designed to automate the process of correlating and analyzing attack events and prioritizing the most severe threats. Threat data can be pulled from the application locally or in the cloud.

Origin blog.csdn.net/wtt2020/article/details/134380543