I’ve long had the opinion that web application firewalls (WAFs) are one of those security technologies that every business should deploy. For a hacker, breaching an organization through a state-of-the-art, next-generation firewall is quite a difficult task. It’s much easier to go after naïve users by directing attacks through a web application. The best way to combat these threats is with a WAF. Given the rise of web-related attacks like SQL injection and session hijacking, it would stand to reason that every business would deploy one.
Why don’t all businesses deploy a WAF? The answer has less to do with technology and more to do with the fact that these products can be extremely difficult to get up and running. WAFs run in two modes: detection (the WAF logs and alerts on suspicious requests) and enforcement (the WAF blocks them). Many security administrators will only put it in detection mode, as they are wary of enforcement mode, which might break web applications if the policies aren’t configured properly. In fact, many security professionals I have interviewed consider a WAF to be somewhat of a “black box” where the product is deployed with its out-of-the-box set of policies. This certainly works, but the company isn’t getting full value from its investment.
The performance requirements of a WAF in detection mode can be very taxing on appliances like application delivery controllers (ADCs) running on dedicated hardware. It’s for this reason that customers may turn certain features off, as they can bring an underpowered appliance to its knees. An interesting finding from the 2017 ZK Research Security Survey (Disclaimer: I am the founder and principal analyst of ZK Research) is that 50 percent of companies admit to turning security features off in favor of performance. This means the company is knowingly downgrading its security posture because the hardware is underpowered.
This week, startup ADC supplier Avi Networks announced its “Intelligent Web Application Firewall” (iWAF), a software-only solution that aims to solve the above problems with traditional, hardware-based WAFs. Avi is designed to run as a distributed fabric, so it can span traditional data centers as well as public and private clouds. The scale-out design, similar to leaf-spine in layer 2/3 networking, brings massive scale advantages to layer 4-7 workloads like WAF. Because it runs as software, there is no hardware dependency, so the entire iWAF fabric can be managed end-to-end. Business applications, particularly web-based ones, are far more elastic than they used to be, and Avi’s iWAF makes the web app firewall equally elastic. Avi claims its scale-out architecture will outperform a legacy ADC appliance by 50x. I have no way to verify this, but other network technologies that have shifted to a fabric architecture have seen similar performance boosts, so it does seem reasonable.
The Avi product also includes a graphical interface to customize the policies. WAFs have been around a long time and have a fairly standardized set of rules, and iWAF is no different. It offers protection from many of the common vulnerabilities, such as SQL injection, cross-site scripting, session hijacking and data exfiltration, but the GUI lets administrators easily customize the rule set on a per-application basis without having to use a complicated command line interface.
Also, iWAF operates as a closed-loop system that continually gathers telemetry and analyzes the data to provide insight into which flows hit which rules. This ensures that as attacks evolve, the rules and policies are still being enforced. A good way to think about iWAF is that its closed-loop analytics operate similarly to Cisco’s “Network Intuitive” intent-based networking system. It’s fair to say that Avi’s iWAF is an “intent-based web application firewall”: once the policies are set, the system will automatically adapt as the environment changes.
Avi is currently taking orders for iWAF, which will be generally available by the end of October. iWAF is another component of the Avi Vantage Platform, which also includes a software-based load balancer and an application service mesh.