A Web Application Firewall (WAF) is an excellent last line of defense. Based on what I see in my testing, they’re great at blocking both automated scans and granular exploits like Cross-Site Scripting and SQL injection. I recommend WAFs to clients all the time. But… there’s more to the story.
Unfortunately, I’m seeing more and more people deploy application firewalls to cover up – rather than cure – their web application warts and blemishes. Some people are deploying WAFs in lieu of performing security scans and penetration tests. It’s set it and forget it. This is especially common with the compliance-as-a-checkbox mode of operation that’s present in many businesses. WAFs today are like firewalls were 10-15 years ago. They promise the world, but bad guys far and wide know that they’ll likely find a way around their controls.
WAFs aren’t going to protect you against application logic flaws. In many situations, they won’t protect against manual exploitation of input validation and session management flaws. What about weak passwords in your web application? Yet another flaw that may go unguarded.
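To make the logic-flaw point concrete, here is an added example that is not part of the original post: a constructed signature filter in front of a hypothetical invoice lookup. The rules, function names and data are all assumptions made for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed, deliberately small signature set of the kind a WAF applies to
# request parameters. Real rule sets are far larger; these are illustrative.
SIGNATURES = [
    re.compile(r"<\s*script\b", re.I),                   # script tag in input
    re.compile(r"\bunion\b.+\bselect\b", re.I),          # UNION-based SQL injection
    re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I),   # SQL tautology
]

def waf_allows(params):
    """Return True when no decoded parameter value matches a signature."""
    return not any(sig.search(unquote_plus(str(value)))
                   for value in params.values() for sig in SIGNATURES)

# Constructed application data: which user owns which invoice.
INVOICE_OWNER = {"1001": "alice", "1002": "bob"}

def get_invoice_flawed(session_user, params):
    """Logic flaw: trusts the client-supplied id and never checks ownership."""
    return params["invoice_id"] in INVOICE_OWNER

def get_invoice_fixed(session_user, params):
    """Fix at the source: the server verifies ownership on every request."""
    return INVOICE_OWNER.get(params["invoice_id"]) == session_user

def handle(handler, session_user, params):
    """Request path: WAF first, then the application handler."""
    if not waf_allows(params):
        return "blocked by WAF"
    return "served" if handler(session_user, params) else "denied by app"

def demo():
    injected = {"invoice_id": "1001' OR '1'='1"}   # matches a signature
    other_users = {"invoice_id": "1002"}           # well-formed, but bob's
    return [
        handle(get_invoice_flawed, "alice", injected),
        handle(get_invoice_flawed, "alice", other_users),
        handle(get_invoice_fixed, "alice", other_users),
        handle(get_invoice_fixed, "alice", {"invoice_id": "1001"}),
    ]

if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The request for invoice 1002 is perfectly well-formed, so no signature fires; only the ownership check inside the application stops it.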
You’ve got to consider web applications that may be accessed by insiders that don’t fall into the scope of WAF protection. There’s also the issue of web applications that are accessed only via SSL/TLS. Is a WAF going to protect against attacks coming through these channels? Maybe, maybe not. It depends on your own unique situation.
A Web Application Firewall is an additional device that must be managed on your network. Are you prepared to take that on? Oh, and like routers, firewalls and related network controls, WAFs can create yet another single point of failure on your network that you’ve got to be prepared to handle. Neither of these may be a big deal, but they’re certainly things you need to consider in your security monitoring, patch management, change management and incident response processes and procedures.
Whether you work for a large enterprise or a small business, just know that Web Application Firewalls are not the end-all be-all solution for your web security problems. They’re good at what they do. But like deadbolts in our homes and airbags in our automobiles, they can’t be relied on completely. To do so is short-sighted and a recipe for getting bitten when you least expect it. Layer your web controls instead. Fix web application flaws at the source where you can, perform periodic scans and manual tests and, once you have your ducks in a row, let a WAF be the icing on the cake.