Wednesday, April 7, 2010

WAF Confusion Continues

By Ryan Barnett 04/07/2010

Frost & Sullivan recently held an analyst briefing entitled "Analyst Briefing: Web Application Firewall: A Critical Defense For an Information Centric World" in which they gave an overview of the WAF market in the Asia Pacific region. Slides 5 and 6 of the presentation showed that misconceptions about WAFs persist: organizations don't fully understand what they are or when they need them. The survey asked two questions about WAF understanding.

The first question was: "What is the first function that comes to mind when I mention the term 'Web Application Firewall'?" The top 6 responses are shown in the graphic on the right. The most telling response was that 19.3% of respondents thought of Network Security. I attribute this response to two main factors:
  1. A lack of understanding of the threat. Many organizations don't understand that professional criminals' #1 targets are web applications.
  2. An unfortunate side-effect of the name WAF. Having the term "firewall" in the name understandably leads people to think of network security devices.
The other interesting response was that 13% thought of IDS/IPS. This also suggests two things:
  1. Many people use a WAF only as an HTTP-aware IDS/IPS, relying solely on a negative security model (block requests that match a known-bad signature).
  2. Some of these respondents may not know that a WAF has protection mechanisms beyond typical IDS/IPS capabilities. Positive security (allow only requests that fit a learned or declared profile of legitimate traffic), automated learning and session-based protections are what really differentiate WAFs from other security devices.
The second question in the survey was "Agreement Towards Statements Concerning Web Application Firewalls." They asked 6 questions, and the responses to two of them again show a lack of understanding of when and how WAFs can help.

Having a powerful network firewall is sufficient to make up for a lack of a WAF
55% of respondents agreed with this statement. I believe this viewpoint is related to the earlier responses that cast a WAF as an HTTP-aware IDS/IPS. Network firewall vendors are promoting Deep Packet Inspection capabilities that let them view application-layer data; however, some real-world limitations often crop up with regard to web traffic.
  • Access to SSL traffic - to decrypt the SSL streams and view the HTTP payloads, a security device must be able to import the SSL certificate and private key of the destination application server. Many network firewalls lack this capability, so their web protection covers only clear-text port 80 traffic. Note also that a copy of the server's private key only lets a passive device decrypt sessions negotiated with RSA key exchange; with ephemeral Diffie-Hellman cipher suites the device has to terminate the SSL session itself to see the payload.
  • Only negative security/signatures - protection is based only on known, public vulnerabilities and relies on signatures, so unknown or application-specific flaws go undetected.
  • Performance impact - network firewalls have to service many other protocols, and the overhead of Deep Packet Inspection usually adds too much latency for real-world use.
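The difference between the "HTTP-aware IDS/IPS" use of a WAF and its positive security model is easiest to see side by side. The following is an added example (not code from the original post or from any particular WAF product): a request is first run through a small, constructed list of negative-security signatures, then against a constructed per-URL profile of what a legitimate request looks like. The application paths, parameter rules and sample requests are all hypothetical. The third sample request contains no pattern the signatures know about, yet the profile rejects it because the `id` parameter is not a plain integer; that is the gap a signature-only deployment leaves open.

```python
"""Negative (signature) vs positive (allowlist) inspection of one request.

Added example, not from the original post. The signature list, the
per-URL profile and the sample requests are all constructed here for
illustration; a real WAF carries far larger rule sets and learns the
profile or is given it by the application owner.
"""
import re
from urllib.parse import parse_qs

# Negative security model: reject anything matching a known-bad pattern.
# Constructed signatures, deliberately small so an evasion is easy to show.
SIGNATURES = {
    "sqli_union": re.compile(r"\bunion\s+select\b", re.I),
    "sqli_comment": re.compile(r"--|#|/\*"),
    "xss_script": re.compile(r"<script\b", re.I),
}

# Positive security model: a profile of what a legitimate request to each
# resource looks like. Anything outside the profile is rejected, whether or
# not it matches a signature. Hypothetical application, constructed profile.
PROFILE = {
    "/login": {
        "methods": {"POST"},
        "params": {
            "user": {"pattern": re.compile(r"[A-Za-z0-9_.-]{1,32}"), "required": True},
            "pass": {"pattern": re.compile(r".{8,64}"), "required": True},
        },
    },
    "/account": {
        "methods": {"GET"},
        "params": {
            "id": {"pattern": re.compile(r"[0-9]{1,10}"), "required": True},
        },
    },
}


def negative_check(params):
    """Return the names of signatures that match any parameter value."""
    hits = []
    for values in params.values():
        for value in values:
            for name, rx in SIGNATURES.items():
                if name not in hits and rx.search(value):
                    hits.append(name)
    return hits


def positive_check(method, path, params):
    """Return profile violations for the request; an empty list means it fits."""
    profile = PROFILE.get(path)
    if profile is None:
        return ["unknown resource %s" % path]
    violations = []
    if method not in profile["methods"]:
        violations.append("method %s not allowed" % method)
    allowed = profile["params"]
    for name, spec in allowed.items():
        if spec["required"] and name not in params:
            violations.append("missing required parameter %s" % name)
    for name, values in params.items():
        if name not in allowed:
            violations.append("unexpected parameter %s" % name)
        elif len(values) != 1:
            # A parameter sent twice (parameter pollution) is outside the profile too.
            violations.append("parameter %s sent %d times" % (name, len(values)))
        elif not allowed[name]["pattern"].fullmatch(values[0]):
            violations.append("parameter %s fails type check" % name)
    return violations


def inspect_request(method, path, query):
    """Run both models over one request; `query` is the raw query string or form body."""
    params = parse_qs(query, keep_blank_values=True)
    return {
        "signatures": negative_check(params),
        "violations": positive_check(method, path, params),
    }


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        ("GET", "/account", "id=1234"),                            # clean
        ("GET", "/account", "id=1+UNION+SELECT+1,2"),              # caught by both models
        ("GET", "/account", "id=1+or+1%3D1"),                      # no signature hit; profile catches it
        ("POST", "/login", "user=bob&pass=hunter2hunter&debug=1"), # extra parameter
    ]
    for method, path, query in samples:
        print(method, path, query, "->", inspect_request(method, path, query))
```

The profile here is hand-written; the "automated learning" mentioned above is the WAF observing traffic and deriving exactly this kind of per-resource method and parameter profile, which is why it can reject input it has never seen a signature for.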
WAF is only required if a company wants to be PCI-DSS compliant
48.3% of respondents agreed with this statement, which to me implies two things:
  1. Organizations don't understand the true value of WAFs, which extends beyond the "signature-based, HTTP-aware IDS/IPS" role. This narrow use case excludes capabilities such as application defect identification and performance events (such as identifying application-layer DoS).
  2. This view echoes the comments Ofer Shezaf made in his "The Curse of PCI for WAFs" blog post. It is a bit of a Catch-22: on the one hand, PCI has raised awareness of WAFs in general; on the other, people are starting to associate WAFs with a need that only arises if you have to comply with PCI.
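Application-layer DoS, mentioned above as a "performance event", is a good illustration of what a signature cannot express: each request is individually valid, and the damage comes from how many of them hit an expensive resource. The following is an added example (not code from the original post or from any WAF product) of that detection over constructed access-log lines. It keeps a sliding window of recent requests per source and weights each request by a hypothetical per-resource cost, so a source issuing one search per second trips the alarm even though its raw request rate stays well under the limit. The IP addresses, timestamps, window, threshold and cost weights are all constructed for the example.

```python
"""Application-layer DoS detection over web access-log lines.

Added example, not from the original post. The log lines, the window and
threshold, and the per-resource cost weights are all constructed for
illustration. The point it shows: a flood aimed at an expensive resource
(search, reports, login) can stay under a raw request-rate limit and still
exhaust the application, so the count is weighted by resource cost.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Common-log-style line: ip - - [timestamp] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

WINDOW_SECONDS = 10   # sliding window per source
THRESHOLD = 20        # weighted requests per window before alerting
DEFAULT_COST = 1
# Hypothetical cost weights: one search costs the backend about as much as
# five static page hits. A real deployment would measure these.
COST = {"/search": 5}


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None for an unparseable line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)


def detect_floods(lines, window=WINDOW_SECONDS, threshold=THRESHOLD, cost=COST):
    """Return {ip: timestamp at which that source first exceeded the threshold}.

    Lines are expected in chronological order per source. Pass cost=None to
    fall back to a plain request count.
    """
    recent = defaultdict(deque)   # ip -> deque of (timestamp, weight) inside the window
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue              # skip, rather than crash on, a malformed line
        ip, ts, _method, path, _status = parsed
        resource = path.split("?", 1)[0]
        weight = cost.get(resource, DEFAULT_COST) if cost else 1
        q = recent[ip]
        q.append((ts, weight))
        while (ts - q[0][0]).total_seconds() > window:
            q.popleft()
        if ip not in alerts and sum(w for _, w in q) > threshold:
            alerts[ip] = ts
    return alerts


def _line(ip, second, path):
    """Build one constructed log line at 10:00:<second> on 7 Apr 2010."""
    return '%s - - [07/Apr/2010:10:00:%02d +0000] "GET %s HTTP/1.1" 200 512' % (ip, second, path)


# Constructed traffic: a normal visitor browsing static pages plus one search,
# and a source issuing one search per second for 30 seconds. At one request
# per second the second source never exceeds 20 requests in any 10-second
# window, but its weighted cost crosses the threshold on its fifth search.
LOG_LINES = sorted(
    [_line("192.0.2.10", s, "/index.html") for s in (0, 12, 25, 40, 55)]
    + [_line("192.0.2.10", 30, "/search?q=waf")]
    + [_line("198.51.100.7", s, "/search?q=%d" % s) for s in range(30)],
    key=lambda l: parse_line(l)[1],
)


if __name__ == "__main__":
    print("weighted:", detect_floods(LOG_LINES))
    print("raw count:", detect_floods(LOG_LINES, cost=None))
```

Running the same lines with `cost=None` produces no alert at all, which is the behaviour of a plain per-IP rate limit; the difference between the two runs is the value a WAF adds by knowing which resources are expensive.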
The end result of this survey shows that there is still much WAF awareness and education that needs to be done in the marketplace. Hopefully my blog posts are helping in this regard.
