What to look for in a WAF

Web application firewalls (WAFs) are specialized security solutions that secure web applications and APIs. With so many different capabilities and WAF offerings, it can be difficult to know what to look for.  We’ll go into more detail on each of the following characteristics of a ‘good’ WAF solution:

  • Basic capabilities

  • Security

  • Usability

  • Flexibility and speed

  • Scalability and performance

  • Accuracy

Basic capabilities to look for in a WAF

A basic ‘bare minimum’ capability of a WAF should be OWASP Top 10 identification and coverage.  If a WAF can’t identify and block the OWASP Top 10, it leaves you vulnerable to the most dangerous threats. 

Other essential WAF features include support for IP/CIDR, GEO, and ASN allow/block lists. These features let you take broad strokes against malicious traffic by allowing or blocking traffic based on IP addresses, geographic locations, or Autonomous System Numbers (ASNs). This reduces the burden on your security team by minimizing the need for a multitude of complex, granular WAF rules.

You should still have the ability to do granular policy enforcement: a WAF should allow you to define rules with varying levels of detail, applicable globally, for groups of domains, or for individual domains. This ensures a balance between efficiency and customization for different applications or regions.
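As an added example (not Fastly's code, and not how the Next-Gen WAF implements this), here is a small Python evaluator for the layered model just described: IP/CIDR, GEO, and ASN allow/block lists scoped globally, to a domain group, or to a single domain, where the most specific matching scope wins. The domain groups, policy values, and the "inspect" fall-through verdict (meaning no list matched and the request proceeds to normal rule inspection) are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional
# Hypothetical domain groups, constructed for this example.
DOMAIN_GROUPS = {"eu-shops": {"shop.example.de", "shop.example.fr"}}
@dataclass
class ScopedList:
    scope: str  # "global", "group:<name>" or "domain:<fqdn>"
    allow: dict = field(default_factory=dict)  # keys "cidr", "geo", "asn"
    block: dict = field(default_factory=dict)

def _scope_rank(scope: str, domain: str) -> Optional[int]:
    """0 = global, 1 = domain group, 2 = exact domain; None if not applicable."""
    if scope == "global":
        return 0
    kind, _, name = scope.partition(":")
    if kind == "group" and domain in DOMAIN_GROUPS.get(name, ()):
        return 1
    return 2 if kind == "domain" and name == domain else None

def _matches(lists: dict, ip: str, geo: str, asn: int) -> bool:
    """True if the client IP, country code or ASN appears in the lists."""
    addr = ipaddress.ip_address(ip)
    return (any(addr in ipaddress.ip_network(c) for c in lists.get("cidr", []))
            or geo in lists.get("geo", []) or asn in lists.get("asn", []))

def decide(policies, domain: str, ip: str, geo: str, asn: int) -> str:
    """Most specific matching scope decides; 'inspect' if no list matches."""
    best = None  # (rank, verdict) of the most specific scope hit so far
    for p in policies:
        rank = _scope_rank(p.scope, domain)
        if rank is None:
            continue
        if _matches(p.allow, ip, geo, asn):
            verdict = "allow"  # explicit allow wins over block within a scope
        elif _matches(p.block, ip, geo, asn):
            verdict = "block"
        else:
            continue
        if best is None or rank > best[0]:
            best = (rank, verdict)
    return best[1] if best else "inspect"

# Constructed sample policy: global blocks, a group-level GEO block, one domain-level ASN allow.
POLICIES = [
    ScopedList("global", block={"cidr": ["203.0.113.0/24"], "geo": ["ZZ"], "asn": [64512]}),
    ScopedList("group:eu-shops", block={"geo": ["US"]}),
    ScopedList("domain:shop.example.de", allow={"asn": [64512]}),
]
```

A global ASN block still applies to every domain that has no narrower override, while the single domain-level allow lets that same ASN reach shop.example.de; a country block attached to the group covers only the group's domains.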

A WAF should deliver robust security capabilities

A comprehensive solution offers a layered defense against various web applications and API security threats. Some vendors have adopted the term web application and API protection (WAAP) to refer to their solution. Most WAAP platforms begin with a WAF and other capabilities are either included or provided as add-on components. Depending on your organization’s needs, you may need all of these capabilities or a subset. 

Basic security offerings should include:

Bot mitigation 

WAFs should help protect against automated bots that can scrape data, launch denial-of-service attacks, or engage in credential stuffing while allowing good bots and human traffic. Bot mitigation employs various techniques like CAPTCHA and JavaScript challenges, client fingerprinting, and IP reputation checks to identify and block automated bot traffic. Bot mitigation solutions should have the granularity to differentiate between good bots (e.g., search engine bots) and bad bots (e.g., scraper bots). 

DDoS protection 

DDoS protection helps to safeguard your applications and APIs from Distributed Denial-of-Service (DDoS) attacks that overwhelm systems with traffic, causing outages. WAF solutions can mitigate DDoS attacks by filtering malicious traffic, absorbing attack traffic volume, and maintaining application availability. Attacks can come at different layers in your network, so a solution that offers Layer 3/4 and Layer 7 DDoS protection will provide greater protection than just a Layer 7 solution.

API security 

Many modern applications rely heavily on APIs to connect and exchange data. WAF solutions should offer specific security controls to protect APIs, including authentication, authorization, and API traffic monitoring. With API security, you’ll want to ensure the WAF supports your API formats (REST, GraphQL, gRPC, etc). 

Threat Intelligence 

Threat intelligence is a valuable addition to a WAF solution. It provides real-time insights into evolving cyber threats and attack methods with the goal of allowing security teams to be proactive in their defense. First-party IP reputation intelligence feeds, updated daily, offer more accurate and stronger security. This prevents yesterday’s malicious activities from affecting today’s legitimate traffic, especially from shared IPs. 

Usability

A modern WAF solution is designed on the understanding that the future of security is controlled by software developers: tooling should enable innovation and never slow developers (or anyone else) down, fitting into existing toolchains and workflows. 

Key usability capabilities to consider include:

Visibility, insights, and faster decisioning 

Getting all your WAF data in a “single pane of glass” without having to tie different platforms together or constantly do data exports and merges is invaluable. WAFs should provide an “at-a-glance” utility with intuitive, customizable dashboards and reports that offer real-time insights into ongoing attacks and potential security incidents across all deployments. “Black boxes” and a lack of visibility are common complaints with WAF solutions - users struggle to analyze and mitigate threats because data is not presented in a straightforward way. 

Many WAFs cannot provide real-time, granular, and useful visibility into their decisioning activities. Also, many organizations deploy multiple WAFs across their footprint because they haven’t found one that covers all their environments. This results in poor and disjointed visibility as their WAF data is partitioned across different tools and dashboards, and teams lose time when switching between different consoles.

Pre-built integrations for DevOps and security toolchains 

WAFs should fit into existing workflows, rather than forcing teams to adapt or alter flows that are already working. WAFs should therefore come with pre-built integrations with DevOps and security toolchains. Teams should be able to instantly take advantage of the new and better data from the WAF - within the tools and CI/CD workflows that they already use to keep daily operations efficient and make scaling easier without security bottlenecks. 

Examples include getting real-time alerts in Slack so teams can respond quickly, sending logs to SIEM solutions for further analysis and correlation, and automating rule updates using Infrastructure as Code (IaC) to minimize manual work. Ultimately, a user-friendly WAF translates to faster implementation, reduced operational costs, improved team efficiency, and enhanced security visibility for your organization.

Modern WAFs remove the burden of lengthy setup, ongoing management, and hand-written rule building, instead allowing security to be as simple as the flip of a switch.

Deployment flexibility and speed 

Choosing a WAF with various deployment options future-proofs the simplicity and cost-effectiveness of your security posture. Consider not just the ease and speed of deployment, but also the coverage of available deployment options. 

Faster time to value through rapid deployment 

A WAF should be easily and quickly deployed - lost time spent in lengthy or burdensome deployments translates to negative security and financial implications. A good WAF solution should be deployed in minutes or days - not weeks or months. 

Automated deployment through Infrastructure as Code (IaC) 

It can be helpful to select a WAF that enables the automation of deployments with infrastructure as code (IaC), like Terraform. This helps reduce lead time for provisioning and security changes while allowing for more trust in the application developers by empowering them with deployment automation. 

Scalability and performance

WAF solutions with an edge deployment capability provide protection and acceleration closer to the user, enhancing performance and enabling scalability. 

Application traffic can fluctuate significantly, depending on the day; sudden spikes in traffic can overwhelm traditional WAFs, leading to slowdowns, outages, and lost revenue. It is therefore important to investigate the underlying network, architecture, and platform a WAF is built on.

A good WAF will scale resources to meet demand, offer a globally distributed network with low latency, and deliver high-throughput processing without sacrificing security effectiveness. This ensures a smooth user experience, robust security, and improved business continuity for your critical applications.

A globally distributed edge network will handle protection closer to end users no matter where they are, making their experiences as fast as possible. An architecture like this will also make rule propagation much faster throughout the network, ensuring newly added security measures take effect across the entire network immediately.

How Fastly can help

When choosing a WAF provider, it is essential to select one with global coverage, powerful detection, and integration capabilities tailored to modern infrastructure. 

Fastly's Next-Gen WAF is designed from the ground up with these features in mind. As the world's largest global edge cloud platform, it sits within milliseconds of users worldwide.

This strategic positioning allows Fastly to protect websites and applications faster than traditional WAFs. Inspecting traffic close to end users limits how far threats can penetrate, helping to block attacks before they ever reach the origin servers.

Among its key benefits, Fastly's Next-Gen WAF provides:

  • Comprehensive protection: Fastly detects and blocks the OWASP Top 10 web application vulnerabilities and custom threats you define through simple rules.

  • Rapid response times: With its global network of POPs, Fastly's Next-Gen WAF ensures ultra-low latency inspection for exceptional user experience, even during attacks.

  • Flexible configuration: You can customize rules, response pages, and more via Fastly's user-friendly interface without relying on lengthy change windows.

  • Real-time analytics: Thanks to Fastly's dashboard and API for proactive issue identification, you benefit from valuable insights into traffic and security events.

  • Seamless integration: Fastly's Next-Gen WAF works transparently with its CDN and edge computing services for unified security, performance, and delivery capabilities.

Learn more about how the Fastly Next-Gen WAF can provide advanced protection for your applications, APIs, and microservices with flexible deployment options and cutting-edge detection capabilities.  
