Why You Need a Web Application Firewall (WAF)

Posted on

A web application firewall (WAF): do you need one? What exactly does a WAF do? What’s the big idea?

Let’s cut to the chase and address those questions.

Do You Need a Web Application Firewall?

Question: Do you have a website or web service that’s open to the public internet?

Then yes, you need a WAF. The extra layer of defense provided by a WAF will help prevent your website from being low-hanging fruit for attackers.

You’ll likely want to invite the world into your website or web service. After all, more views mean more clicks and better business. At the same time, you want to reduce the risks of being easily accessible, as any potential customer could be a potential attacker. Deploying a WAF greatly assists in managing these threats.

Question: Do you have a mission-critical web application, exposed externally or internally?

Yes, you need a WAF. If a web application is too important to fail, then it should be afforded the protection of a WAF. Attacks can happen internally, too, especially if an internal device should ever be compromised. (See also: zero trust networking.)

Question: Do you have an internal-only, low-priority web app?

You can rest easy! It sounds like you don’t need a WAF, but deploying one will help make your web apps more robust and secure. It can even be a good learning experience to start by increasing security for a low-priority app before moving on to key business applications and services.

To Briefly Recap: What Is a Web Application Firewall and What Is Its Purpose?

A WAF is a device that filters and blocks web traffic (HTTP traffic).

In the realm of information security, when we have a valuable asset worth protecting (like a web service), we apply the concept of defense in depth. We protect our assets by using multiple independent layers of defense. A WAF is one layer of defense for web applications, as shown in the following image.

If one or more defense layers are compromised, you still have other layers of security in place to provide protection. A WAF is a critical layer of security because it filters and helps block malicious web traffic before it reaches the application server. This is especially important for web applications that handle personal and confidential information, where security failure could bring disastrous consequences.

Progress Kemp LoadMaster WAF functionality is based on industry-standard technology from the OWASP Foundation. It detects and mitigates the most common kinds of attacks facing web applications today, including the attack vectors described by the OWASP Top 10. This provides peace of mind and allows you to focus more on the complex areas of security and compliance.

You Might Already Have Access to a Web Application Firewall

Did you know that if you’re a LoadMaster Enterprise Plus customer, you already have access to the fully featured WAF built into LoadMaster? We strongly encourage you to take advantage of this extra layer of security if you’re not already using it.

Protecting a virtual service with a WAF is one click away. The WAF is enabled with a sensible default configuration that will work out of the box with most web traffic. The WAF configuration can be refined and tuned over time to work with your specific flavor of web traffic, with the help of LoadMaster support when needed. As your confidence in the WAF solution grows over time, you can set the WAF to be more aggressive, giving it sharper teeth to catch attackers while allowing legitimate user traffic to flow undisturbed.

If your web services are important enough to require load balancing and high availability, are they also important enough to warrant the protection of a WAF?

If You Don’t Have WAF Functionality, It’s Easy to Get It

It's easy to upgrade to an Enterprise Plus subscription to gain full access to the LoadMaster WAF functionality. Contact your Progress sales representative for further discussion or if you have any questions contact us online.

In addition to providing a fully featured WAF, LoadMaster Enterprise Plus also provides Global Server Load Balancing (GSLB), which may be useful for building WAF-protected services with multi-site redundancy and resilience.

For full information on all features included, reference the LoadMaster subscriptions page.

LoadMaster 360 Enhanced WAF: “WAF on Easy Mode”

The final puzzle piece is LoadMaster 360 and its new “enhanced WAF” capabilities. These build upon the core WAF functionality provided by LoadMaster and provide two new key benefits:

  1. Dashboarding for at-a-glance statistics and feedback
  2. Automatic WAF event filtering and WAF configuration

Linking a WAF-enabled LoadMaster to LoadMaster 360 is easy and automatically creates a dashboard (the example shown above) that visualizes vital statistics. It's now easier to receive answers to questions like, “What is the WAF doing?” “How many requests has the WAF inspected?” “How many requests has it blocked?” These tangible headline metrics are clearly presented and can be examined for different time periods.

In addition, LoadMaster 360 examines the WAF event logs and processes them through a series of smart filters. This enables LoadMaster 360 to identify the most likely candidates for false positive events: occasions when genuine, legitimate user traffic causes WAF rules to match in error.

This analysis traditionally required manual or semi-automated work through the WAF logs. LoadMaster 360 does the heavy lifting for you by processing potentially hundreds of thousands of individual WAF events and presenting a shortlist of likely false positives requiring an operator’s attention.

Finally, when an operator confirms that a false positive is legitimate, LoadMaster 360 will automatically generate the WAF configuration required to prevent the false positive from reoccurring in the future. This removes the need for an operator to learn the WAF rule language and syntax.

These new tools make using, tuning and configuring a WAF deployment easier than ever. Thanks to new visualization tools, non-security engineers can fully take advantage of the critical protection a WAF provides to a web service.

Shields Up: It’s Time to Secure Your Web Applications

The best time to deploy a WAF was yesterday; the second-best time is today! With new web application vulnerabilities and threat actors on the horizon, it’s time to boost the security of your web applications to reduce risks. A WAF is a critical layer of defense for any website or web application.

It’s easier than ever to start your WAF journey and Progress is here to support you every step of the way. Arrange a live demo with an expert and start a 30-day free trial, or get in touch with us.

Posted on

Related Posts

Andrew Howe

Andrew Howe is a web application firewall expert at Progress. Passionate about free and open-source software, he is a developer for the open-source OWASP CRS security project, which helps defend web applications around the globe. Andrew lives in Southampton, UK, and is a fan of left-field cinema, classic synth-pop/disco, and tabletop gaming.