Cloud-based web application firewall (waf): why you need one and how to choose one

Pieter Dubelaar
13 Aug 2021 - 5 min read

In the current multi-cloud, SaaS-driven world, you need a modern, flexible and scalable way of protecting your online assets. Websites and apps have become the core of both the brand and the business model, and the risk of them being defaced, abused or taken down is no longer something companies can live with. Selecting and implementing a cloud-based web application firewall (WAF) is the way forward.

In 2019, Gartner launched the term Secure Access Service Edge, or SASE (pronounced ‘sassy’), describing the new approach to security needed for complex, multi-cloud and hybrid infrastructures. To secure the growing edge, with its open exposure to the web and all its dangers, most organizations are moving towards a zero-trust approach to security. This means that every connection and interaction from a user, device or application needs to be explicitly authenticated, with no trust being implied or assumed based on prior interactions. A SASE solution inspects all transaction content and provides complete session protection, regardless of whether a user is inside or outside the corporate network.

Additionally, a SASE framework usually provides data protection policies that help prevent unauthorized access to and abuse of sensitive data. All in all, SASE gives you better network security as well as better visibility.

no more firewall boxes

A multi-cloud strategy means adapting to a completely different security paradigm. The old firewall ‘box’, bolted to a rack in a data center somewhere in the world, monitoring traffic entering and leaving your home network, is now a performance bottleneck at best and a risk of catastrophic failure at worst. The bigger your company, and consequently your network, the bigger the problem. Even if you have a dozen of these boxes, distributed around the world, this form of firewall will never be able to keep up with multi-cloud infrastructures and Infrastructure as Code. Also, much like any other software functionality, security features like threat prevention, HTTP filtering and data loss prevention can now be implemented in the cloud, software-based instead of hardware-based.

The advantages of this are the same as the gains from moving applications or data infrastructure to the cloud: increased flexibility, better cost management, reduced complexity, infinite scalability and better performance. With corporate networks shifting towards cross-region (multi-)cloud hosting and extensive SaaS usage, swapping out the old hardware web firewall for a distributed, software-based alternative is no longer optional.

waking up to reality

Yet, this necessity is not always felt by IT departments. Quite often, we talk to IT managers who are shocked to see how much of their infrastructure is visible to outsiders and therefore vulnerable to attack. They also tend to assume that their web properties are protected because their cloud providers have an impressive list of security certifications. While these are not without value, they do not keep malicious traffic off your websites. That will take a lot more effort. Waking up to this new reality, we need to start looking for solutions. One of the most important solutions is using a cloud-native Web Application Firewall.

the cloud-based web application firewall in your sase

The task of a web application firewall (or WAF) is to filter and block, or report on, malicious HTTP traffic. With cybercriminals operating like commercial companies, scanning the web 24/7 for WordPress vulnerabilities, opportunities for SQL injection, broken authentication mechanisms or other vulnerabilities from the OWASP Top 10 we all know and fear, a WAF is no luxury. Especially now that your websites are the core of your brand presence, just the thought of them being defaced by hackers will have marketers, managers and IT losing sleep.

Many WAFs will also block DDoS attacks and manage bot access to your websites. Take, for example, bots that scrape booking websites for cheap airline tickets. They reserve tickets at the most favorable rates and then sell them on via third-party websites. This leaves airlines with many of their tickets blocked and unavailable to their own customers. A WAF can be used to block these bots and many other forms of website scraping.

CHOOSING THE RIGHT WAF: THINGS TO CONSIDER

So, you’ve established that you need a WAF? Now comes the hard part: selecting one. A simple Google search will reveal that calling the WAF market ‘crowded’ would be an understatement. Here at Triple, we have successfully helped multiple clients through the WAF selection process, assisting in requirements analysis, building and culling the long list and running proof of concept projects and test setups. And, of course, the final selection and implementation.

The premise of these projects is always that there is no single ‘best’ WAF solution. What the optimal solution is depends completely on your specific requirements. This is why we always follow a predefined process and never play favorites or try to skip any steps. For a swift selection, we always make sure the client only has to test three different solutions.

Things to consider when choosing a WAF:

Operational cost model

There are many types of WAF cost models, but the main variants are paying per GB of traffic and paying per URL. If you have a limited number of web platforms to protect, the per-URL model may be your best option. If you have many, paying per GB of traffic is probably best.

Level of automation

Many companies are moving away from manual deployment and configuration, standardizing everything through Infrastructure as Code (IaC). This requires a WAF that supports a configuration API and not just GUI configuration.

Functionality

Last, but not least: which rules do you want to implement for protecting your digital assets? Most WAFs cover the OWASP Top 10, but it’s probably better to choose one that supports the full OWASP Core Rule Set. Some vendors have their own tweaked rulesets, which may or may not suit your requirements. WAF solutions also differ in the options you have to turn rules on or off, add custom rules or add functions like DDoS protection, geoblocking, frequency limiting and bot management.

from websites to apis, from waf to waap

A WAF is usually focused on protecting websites and apps. The next logical step is of course to protect API endpoints as well. Gartner refers to this as WAAP (Web Application and API Protection), and many WAF vendors have expanded their products in this direction. A number of CDN and ‘Network as a Service’ providers also have this type of functionality in their portfolios.

rolling out your waf

Depending on your current situation, implementing a cloud-based web application firewall could be quite a drastic technical change. Just ‘turning on’ your new firewall solution is a recipe for disaster, possibly rendering your websites inaccessible and/or vulnerable to attack.

We always go through an extensive test process before we activate a production WAF in ‘block mode’, where it actually blocks HTTP traffic based on the configured rules.

  1. Review possible web application changes. Not all websites can handle a proxy between them and the client out of the box. This needs to be addressed, or web apps and sites could stop working.
  2. Third-party baseline test. Checking website speeds globally, or at least in all relevant regions, we create a performance baseline for reference.
  3. Introduce the WAF on the acceptance and user acceptance environments in block mode. Traffic will be blocked according to the rules we configured, and any malfunctions caused by this will come up in acceptance testing.
  4. Introduce origin shielding. Origin shielding makes sure your WAF cannot be circumvented.
  5. Run functional tests. This guarantees full operational compatibility.
  6. Introduce WAF to production environment in monitor mode. Monitor mode does not block anything. Instead, it reports anything it would have blocked in block mode. By monitoring this for an extended period of up to three months, we develop a complete picture of what the effect of WAF deployment will be in the production environment.
  7. Activate WAF in block mode. You are now fully protected.
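As an added example (not code from the original post or from Triple), the per-rule on/off switches from the ‘Functionality’ section and the monitor-versus-block distinction and origin shielding from the rollout steps above, modelled in a small Python ruleset engine. The sample traffic, rule names, the X-WAF-Token header and the shared secret are constructed assumptions; origin shielding is shown here as a shared-secret header check, with allowlisting the WAF's egress IP ranges at the origin being the other common form.

```python
import hmac
import re
from collections import Counter

# Constructed sample traffic (not real logs): (client_ip, country, path, query).
REQUESTS = [
    ("203.0.113.5", "NL", "/search", "q=shoes"),
    ("203.0.113.5", "NL", "/search", "q=1 UNION SELECT password FROM users"),
    ("198.51.100.9", "XX", "/", ""),
] + [("192.0.2.7", "DE", "/api/tickets", "flight=AMS-LIS")] * 25

# Per-rule on/off switches, mirroring what vendors expose for toggling rules.
RULES = {"sqli": True, "geoblock": True, "ratelimit": True}
BLOCKED_COUNTRIES = {"XX"}          # geoblocking list (constructed)
RATE_LIMIT_PER_IP = 20              # requests per IP in the sample window
SQLI_PATTERN = re.compile(r"(?i)\bunion\b.*\bselect\b")  # one CRS-style signature


def evaluate(requests, mode="monitor", rules=RULES):
    """Run the ruleset over a request stream; return (forwarded, hits_per_rule).
    mode="monitor": nothing is dropped, hits are only reported (rollout step 6).
    mode="block": matching requests are dropped before the origin (step 7)."""
    seen = Counter()        # requests per IP, for the rate limit
    hits = Counter()        # rule name -> number of requests it matched
    forwarded = []
    for ip, country, path, query in requests:
        seen[ip] += 1
        matched = None
        if rules["sqli"] and SQLI_PATTERN.search(query):
            matched = "sqli"
        elif rules["geoblock"] and country in BLOCKED_COUNTRIES:
            matched = "geoblock"
        elif rules["ratelimit"] and seen[ip] > RATE_LIMIT_PER_IP:
            matched = "ratelimit"
        if matched:
            hits[matched] += 1
            if mode == "block":
                continue            # dropped; in monitor mode it still passes
        forwarded.append((ip, path))
    return forwarded, dict(hits)


# Origin shielding (step 4), assumed here as a shared-secret header the WAF
# injects; the origin refuses anything that did not pass through the WAF.
WAF_SHARED_SECRET = "constructed-example-secret"   # placeholder, per deployment


def origin_accepts(headers):
    """True only for requests carrying the WAF's token (constant-time compare)."""
    token = headers.get("X-WAF-Token", "")
    return hmac.compare_digest(token, WAF_SHARED_SECRET)
```

Running the same stream in monitor mode first shows how many requests each rule would have dropped, which is the report you watch during the production monitoring period before switching to block mode.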

let's find the best solution together

Long story short: you probably need to migrate to a cloud-based web application firewall. But choosing and implementing one can present you with a steep learning curve. We’ve been down this road more than a couple of times, so we can probably help. Although we have a great many partnerships with software vendors, at our core, we are driven by the desire to provide the single best possible solution in every specific situation. This means we will help you find the best solution, independent of any preexisting vendor relationship.
