I’ve long held the opinion that web application firewalls (WAFs) are one of those security technologies every business should deploy. For an attacker, breaching an organization through a state-of-the-art, next-generation firewall is quite a difficult task. It’s much easier to go after naïve users by directing attacks through a web application. The best way to combat these threats is with a WAF. Given the rise of web-related attacks like SQL injection and session hijacking, it would stand to reason that every business would deploy one.
Why don’t all businesses deploy a WAF? The answer has less to do with technology and more to do with the fact that these products can be extremely difficult to get up and running. WAFs run in two modes: detection and enforcement. Many security administrators leave the WAF in detection mode because they are wary of switching to enforcement mode, which might break web applications if the policies aren’t configured properly. In fact, many security professionals I have interviewed consider a WAF to be something of a “black box” that is deployed with its out-of-the-box set of policies and never tuned. This certainly works, but the company isn’t getting full value from its investment.
The performance requirements of a WAF in detection mode can be very taxing on appliances like application delivery controllers (ADCs) running on dedicated hardware. It’s for this reason that customers may turn certain features off, as inspection can bring an underpowered appliance to its knees. One notable finding from the 2017 ZK Research Security Survey (Disclaimer: I am the founder and principal analyst of ZK Research) was that 50 percent of companies admit to turning security features off in favor of performance. This means the company is knowingly downgrading its security posture because the hardware is underpowered.
This week, startup ADC supplier Avi Networks announced its “Intelligent Web Application Firewall”…