There has been a lot of discussion, articles and analyst reports about WAF’s over the years (some listed below). The truth is that WAF’s aren’t perfect, but I believe that they are an essential part of a comprehensive application security defense strategy. The WAF technology has been maturing and improving over the last few years. There is even more good news in a just-released in-depth study, by Larry Suto, security consultant, where he tested six WAF’s and two IPS’s for their effectiveness at blocking application vulnerabilities.
Two of the most interesting findings in the report are:
- A properly tuned IPS can be as or more effective than WAF solutions at blocking security vulnerabilities. After seeing the results of this study, the IPS vendors have agreed that their devices can, in concert with NTOSpider/NTODefend be counted as a WAF for PCI compliance purposes.
- Automatically generated filters from dynamic application security tools (DAST) can improve vulnerability blocking effectiveness by as much as 39% for a WAF and as much as 66% on an IPS.
Why are WAF’s Essential?
For me, the bottom line is that we can’t ignore the fact that there are known vulnerabilities in production applications. Ideally, these would all be fixed in the source code, but the reality is that they can’t always be fixed immediately, they might take months to fix or they might not be able to be fixed at all in the foreseeable future. In these instances, a WAF is very practical solution as a temporary patch for the vulnerability. I mean, if someones sitting out there in public with no pants, someone please hand them a towel!
The other painful truth about WAF’s is that they take time to train and configure. Most security teams are short on time and short on resources. The people on the front lines whom I speak with tell me they would love to be able to better train their WAF’s more quickly. Here’s the good news
- With about 3.5 hours of expert tuning, most WAF’s can perform fairly well.
- When you add DAST generated custom filters, both WAF’s and IPS’s are excellent at blocking vulnerabilities
- One of the things, that makes NTODefend unique is the ability to confirm that the filters are blocking unwanted traffic and allowing desired traffic. During his study, Larry was able to play with this false positive detection functionality in NTODefend. He was pleased to see that it does in fact shows if the WAF/IPS is blocking good traffic – pardon the promotion :-)
As you would expect, a handful of other vendors (including NT OBJECTives) provided tools for Larry to use to complete the report. Anyone who has every tried to do a study knows that it takes a lot of work, and Larry does not receive any payment from any vendor to complete these studies. No study is perfect, but given his finite amount available time and resources, I believe Larry tried to implement the fairest study he could.
For more information about the study:
Good articles that discuss the use of WAF’s & IPS’s
- WAF!=Firewall (my blog :-)
- Web Applications Firewalls: Defend or Defer, Derek Brink, Aberdeen Group, October 2010
- Wither the WAF, Wendy Nather, 451 Group, September 20111
Leave a Reply