What is a WAF?
It wasn’t that long ago when a premise based Firewall deployed at a branch office or data center was common place. If you think about how traffic was deployed and used prior to mobile connections, it was mostly hub and spoke. This had advantages such as control of traffic coming into a handful of locations and managing that traffic across firewalls and bandwidth seemed simpler at the time.
Fast forward to the 21st century where proximity based traffic must arrive fast and efficiently serving content to its users or lose subscribers….an imminent death if you’re a content marketing professional.
Web Application Firewalls have now burst on to the scene especially with Cloud workloads requiring some sort of protection across the internet. Most WAFs serve as a reverse proxy in front of whatever web application or service required for protection. What’s great about a WAF is the hardware, software, monitoring etc is handled by the service provider compared to you the operator maintaining all of this across the globe. WAFs also can serve as a service meaning as you need increased bandwidth, additional applications (say you have a few Amazon S3 buckets exposed) etc, you can scale up or down as required. There are some disadvantages where you really need to know where the routing and latency occurs across these WAF deployments. Why? For one, having a WAF in-line to your connection (the firewall receives your user requests first) will already add an additional routing hop and with that some sort of latency. So, if your WAF deployment is in one part of the world and your SaaS application for example is nowhere near it, you will have tremendous amount of latency and thus a poor user experience potentially.
Most WAF providers conform to the OWASP guide and often you will hear the OWASP Top 10 reference which is updated regularly.
So who are some of the WAF providers in the industry? Here’s a Gartner Peer Insights review of some of the major players for your review. You might be wondering, what is WAF in networking and how do I take advantage of it? First, it depends how your applications are deployed. For example, if you have a private MPLS WAN where applications are internal, there would not be a WAF deployed as outside access (shouldn’t) be accessible.
Ok, so if that’s a private WAF network myth busted, what is AWS WAF then and how is used. AWS is one of many options for web application firewalls and serves certain use cases. If you are looking to protect your environment within the AWS platform it’s a great option and comes with an excellent set of APIs. However, if you require a vendor agnostic mult-cloud option, you might need to explore other options as some providers will only protect within their core infrastructure topology. What is WAF security good for if you can’t transport it across platforms? For one, it does add some complexity if you have to manage multiple panes of glass between providers, however in a test/dev set of workloads, keeping applications tidy and locked down from all BOTS, (even traditional Whitelisted bots) does offer some piece of mind.
At Macronet Services, we help evaluate, design and provide benchmarking across major providers before an organization decides on the best option. Provider agnostic, cloud specific or proximity based WAFs are just some of the introductory areas we suggest to our clients. So the next time someone asks you what is a Web Application Firewall you will have a good answer to continue with the conversation.