As the name implies, a next-gen (or “nxgen”) WAF is the newest and most powerful form of a web application firewall.
WAFs have evolved considerably in the last two decades. They have gained substantial power in a number of different categories, as discussed below.
Early WAFs were software applications, deployed on commodity hardware. Later, dedicated hardware products came on the market.
WAFs can still be found in both forms today; each has its own trade-offs. For example, software WAFs on commodity hardware are usually less expensive than dedicated hardware appliances, but the appliances are usually more powerful.
However, both forms share a major disadvantage: they are deployed upstream from the incoming Internet pipe. Therefore, they cannot provide full protection against certain types of attacks, such as volumetric DDoS. A sufficiently large DDoS can saturate and overwhelm the pipe, before the upstream WAF can scrub the traffic.
A few years ago, a new form of WAF became practical. Today, it is possible to deploy a WAF service in the cloud, which can provide the advantages of earlier form factors without their disadvantages. A cloud WAF can be inexpensive and powerful, and by running in the cloud, it can process and filter massive volumes of traffic before it arrives at the destination network.
A traditional WAF filters individual requests. For example, it blocks dual-encoded requests, requests containing code injection attempts, and requests originating from IP addresses known to be hostile. (Many of these threats are found in the OWASP Top 10 Web Application Security Risks.)
A nxgen WAF does this and much more. It considers not only the content and format of each request, but also the broader context of what the requestor is doing. For example, a DoS or DDoS attack usually consists of requests which, when individually considered, appear innocuous; the attack is a result of request volume, not request content.
A modern WAF does much more than filter traffic on a request-by-request basis. It tracks and analyzes the overall activity of each requestor, considering all of the traffic that it generates in order to discern the requestor’s intent (whether it’s legitimate or malicious). By doing this, it protects against a broad spectrum of web threats.
Software WAFs and hardware appliances are complex products, and as the Internet threat environment evolves, their complexity rises over time. Therefore, they are difficult to administer and manage correctly. Plus, they require frequent patching and updating.
For next-generation WAFs, this is no longer a problem. Cloud WAFs can be managed and kept up-to-date remotely by the provider. A current security posture is vital for robust web application security.
Early WAFs were based on a negative security model. Later products also included a positive security model. Today, a next-generation WAF includes both models, along with more advanced capabilities. For more information, see How does a WAF work?
Threat Identification Paradigms
Traditional WAFs have two basic ways to identify hostile traffic: signature detection, and geolocation.
Signature detection refers to the inspection of incoming requests, and comparing them to a database of threat signatures. If a request matches a hostile pattern, it is blocked. Otherwise, it is allowed.
Geolocation-based filtering blocks requests if they originate from a traffic source that is known to be malicious. The database of malicious sources is usually a combination of third-party lists (such as Spamhaus EDROP), static internal lists, and dynamic internal lists.
These two paradigms worked well for years. But today, they are inadequate; they cannot detect all forms of attack. Modern threat actors have become proficient at masking their activities; often, the requests do not match known threat signatures. In fact, some forms of malicious web activity (e.g., site scraping) are based on requests that are fully legitimate. As for geolocation-based filtering, this can be defeated by switching IP addresses. Modern attackers often abuse cellular gateways and use other methods to access thousands or even millions of IPs.
A next-generation WAF solves these problems by not relying solely on these two paradigms. Signature detection and geolocation are still useful, because they can quickly identify and block less-sophisticated attacks. However, a next-gen WAF also uses requestor identity and behavior to recognize threats.
Requestor identity allows the WAF to track traffic sources even as they rotate IPs, switch client devices, and so on. Behavior analysis allows the WAF to compare the current requestor’s behavior to that of previous users.
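To make the distinction concrete, here is an added example (not code from the article or from any WAF product) that combines the traditional per-request checks described earlier (double encoding, injection signatures, a hostile-source list) with a per-requestor sliding-window request count, so that a burst of individually innocuous requests is still caught. The blocklist entry, signatures, thresholds and log lines are all constructed for the demonstration.

```python
from collections import defaultdict, deque
from urllib.parse import unquote

# Constructed placeholders: a hostile-source list and a few threat signatures.
BLOCKLIST = {"203.0.113.7"}
SIGNATURES = ("union select", "<script", "../")

def inspect_request(path):
    """Per-request checks (content and format), as a traditional WAF does them."""
    once = unquote(path)
    if unquote(once) != once:  # a second decode still changes the string
        return "double-encoding"
    for sig in SIGNATURES:
        if sig in once.lower():
            return "signature:" + sig
    return None

class RequestorTracker:
    def __init__(self, window_s=10.0, limit=20):
        self.window_s, self.limit = window_s, limit
        self.history = defaultdict(deque)  # requestor -> timestamps in window
    def over_limit(self, requestor, ts):
        q = self.history[requestor]
        q.append(ts)
        while ts - q[0] > self.window_s:  # evict timestamps outside the window
            q.popleft()
        return len(q) > self.limit  # volume, not content, decides here

def classify(line, tracker):
    """Verdict for one log line of the form '<epoch> <source-ip> <path>'."""
    ts, src, path = line.split(" ", 2)
    if src in BLOCKLIST:
        return "block:blocklist"
    reason = inspect_request(path)
    if reason:
        return "block:" + reason
    if tracker.over_limit(src, float(ts)):
        return "block:rate"
    return "allow"

def process(lines):
    tracker = RequestorTracker()
    return [classify(line, tracker) for line in lines]

# Constructed traffic: four single requests, then 25 from one source within 2.5 s.
SAMPLE_LOG = ["0.0 198.51.100.5 /index.html",
              "0.5 198.51.100.5 /files?name=%252e%252e%252fsecret.txt",
              "1.0 203.0.113.7 /index.html",
              "1.5 198.51.100.9 /login?u=1%27%20UNION%20SELECT%201"]
SAMPLE_LOG += [f"{2.0 + i * 0.1:.1f} 198.51.100.20 /api/items" for i in range(25)]
```

Only the first 20 requests of the burst pass; the per-request checks would have allowed all 25, since each one is harmless on its own.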
A true next-generation WAF (such as AWS WAF) takes advantage of Machine Learning and other technologies to build sophisticated behavioral profiles of legitimate clients. As each requestor attempts to use a web application, all of the analytics for its interaction (device statistics, UI events, timing, session metrics, etc.) are analyzed and compared to these profiles. By definition, every hostile user must eventually depart from legitimate behavior. As soon as a requestor does this, a nxgen WAF will block it from further network access.
Support for modern development practices
Traditional WAFs were static applications or devices. They had to be manually configured and administered. This makes them incompatible with modern practices such as DevOps, DevSecOps, immutable infrastructure, and so on.
A next-generation WAF (such as AWS WAF) runs in the cloud, and can be deployed, configured, and controlled programmatically. It can easily support CI/CD workflows, along with serverless, containerized architectures, and so on. It will also be dynamic and adaptive; it will recognize changes in the traffic stream that it is processing (for example, new calls to an API), and can offer appropriate ruleset changes to its administrators.
There is no official definition for the term “next-generation WAF.” As a result, many security vendors are applying it to their products, even when it’s not really deserved.
The list above describes some of the characteristics that separate WAFs that are truly nxgen from those that are not.