After twenty years of commercial WAF products, it is time to acknowledge a hard truth: On today’s Internet, a traditional WAF no longer provides adequate protection.
Popularity can be deceptive
WAFs are very popular. Numerous vendors still offer WAF appliances (both physical and virtual) in many configurations and featuresets. But despite this ubiquity, there are few if any organizations today which should still be using a stand-alone WAF as their primary means of web security.
Up until a few years ago, a WAF was enough. Web threats were less common and less sophisticated. Hostile bots were crude and straightforward to detect. Botnets were smaller, and were throttled by the typically low bandwidths available to the zombie machines. Cybercrime marketplaces in Russia and elsewhere (which today offer everything from hacking services to rentable botnets to Malware as a Service) were still in their infancy.
Nor was security itself very challenging. Web applications were less common; most business sites tended to be static content. Security requirements were usually minimal, and could be provided by the hosting provider. And for most organizations, direct revenue from their sites was less important to their bottom line.
Today, all that has changed. Modern WAFs must protect against a much larger variety of complicated and challenging threats. When they fail, the potential costs are much higher: financial loss, damaged reputation in the marketplace, possible regulatory penalties, and more.
And in today’s threat environment, WAF appliances have inherent disadvantages. Here are a few.
Technical debt: Web standards are evolving quickly, which increases the complexity of what WAFs must do. Trends such as the growing adoption of HTTP/2 and the increased use of JSON payloads have left most WAF vendors scrambling to keep up. The market expects solution providers to be constantly innovating: instead, many WAF solutions (like AWS WAF) are growing increasingly fragile.
Hardware as a bottleneck: The above problem is exacerbated for hardware WAF products, which have longer and more involved design and test cycles than software solutions. Some providers have tried to mitigate this by shifting to a software appliance model, but this creates new problems for them. Vendors which formerly enjoyed substantial margins from their expensive hardware products, and who then start offering WAFs that run on generic servers, can no longer justify their high prices.
Complexity: Full-featured WAFs are complicated. They require substantial operator skill to configure and keep current as the threat environment evolves.
Inflexibility: Most WAF products do not quickly accommodate new web applications. Nor can they easily adapt to modifications of the web applications they are already protecting. These problems hinder organizational use of agile methodologies and DevOps.
Cloud-unfriendly: WAF appliances are designed for traditional architectures, not for cloud hosting.
Lack of scalability: A need for network scaling exacerbates some of the problems described above. Deploying clusters of appliances is very challenging. Maintaining them is equally difficult. Agile methodologies and DevOps require constant re-tuning and re-configuring of the clusters, which can strain a security team’s resources.
Lack of API support: WAF appliances are designed to protect data centers. It is difficult for them to protect mobile applications or other uses of a public API.
Lack of context: A stand-alone WAF (such as AWS WAF) is only as effective as its most recent patch. It cannot improve by self-learning from global or even regional traffic patterns, because it only receives traffic for the network it’s protecting. As new web threats arise, a stand-alone WAF remains unprepared to defeat them until its vendor issues an update and organizational staff install it.
Competitive disadvantage: Cloud hosting, frequent application deployments and updates, autoscaling, public APIs, and other modern trends all provide numerous advantages to the organizations which use them. When WAF appliances hinder or even prevent organizations from using these things, the organizations will lag behind their competitors.
Needed: WAF benefits and more
The WAF in its traditional form (a physical or virtual appliance) is obsolete. But obviously, organizations still need the benefits that a WAF is designed to provide.
These benefits can, and should, be provided in a different form than appliances. Cloud security platforms can provide all the advantages of a strong WAF (and many more besides), without the drawbacks listed above. For example:
Comprehensive protection: A cloud security solution can include much more than a traditional WAF. It can, and should, also include DoS/DDoS protection, bot management, CDN integration, and more.
Technical innovation: Some cloud security solutions are pioneering new approaches to web security. Not only are they keeping up with advancing web standards, they are also leveraging new technologies like performant data warehousing and Machine Learning. This allows these platforms to self-learn and always be adapting to evolving threat environments.
Cloud-native, instant deployment, and continuous updates: Cloud-native software platforms can be deployed from scratch in minutes. They can also be kept up-to-date against new web threats, and receive continual upgrades to their capabilities and features.
Operator skill is optional: The leading cloud platforms are fully managed. Clients can administer them if they wish, but this is optional.
Flexibility: The best providers use cloud-native security and DevOps/DevSecOps for CI/CD of their own platforms. They encourage their clients to do the same, and have designed their platforms to support these practices.
Scalability: Cloud-native platforms can automate the rollout, management, and scaling of deployments across the world.
API protection: In addition to web application security, leading cloud providers also offer full protection for client APIs, SDKs for mobile applications, and more.
Global context: Some cloud-security platforms leverage their international deployments to maintain a comprehensive view of global traffic trends. They monitor and analyze all traffic received by all deployments, worldwide. Once a new web threat is encountered in one location, all deployments globally can be updated and hardened against it, even before most of them have encountered it locally.
Competitive advantage: The leading platforms provide robust web security to their clients, even while those clients are accelerating the delivery of new products and services (and improvements to existing ones), deploying it all continuously and securely on a global scale.
Goodbye, WAF. Hello, WAAP.
Reblaze offers all the above advantages, and many more. In fact, a platform such as Reblaze is so far ahead of a traditional WAF that some industry analysts are starting to describe it differently.
Instead of focusing on individual security applications (such as WAF, DDoS protection, bot management, etc.), these analysts acknowledge the need for all of these capabilities in a comprehensive cloud-hosted platform, known as WAAP (Web Application and API Protection).
You might not have heard of this term — it’s still rather uncommon. For now, it’s more common for people to say that their organization needs a next-generation WAF (which Reblaze also includes).
However, WAAP is the more relevant term. Presumably, it will become more popular as people realize that WAAP describes not just a NXGN-WAF, but also other capabilities, all of which are necessary for a full-featured web security solution.
Regardless of the terminology that’s used, many organizations are rapidly outgrowing the capabilities of traditional WAF appliances. To get a demo of Reblaze (a full-featured WAAP platform), or just to learn more about its features and benefits, feel free to get in touch with us.
image credit: Robinraj Premchand