Protecting your network and web apps requires a comprehensive approach. Here’s what you need to know about network firewalls and WAFs.
As hackers find more opportunities to infiltrate web-based applications, organizations struggle to keep ahead of them. The 2020 Verizon Data Breach Investigations report found that 43% of breaches involved web apps, and that many hacking instances exploited web app vulnerabilities.
Keeping web apps secure isn’t a clear-cut endeavor. Given the proliferation of app development tools, requirements to function on demand and at scale, and the need to protect the data that passes through apps, it can be confusing what tool, in which piece of the security setup, is ideal to keep an app secure.
To complicate matters, according to 451 Research, only 53% of organizations have security leadership in place. That means many organizations are left without a centralized security expert who makes decisions. As well, there’s often a lack of meaningful collaboration between web app developers and IT in tracking down vulnerabilities. These gaps make it more challenging to implement and coordinate necessary security measures—leaving a patchwork of defenses ripe for exploitation.
We see some decisionmakers weighing a perceived choice between next generation firewalls (NGFWs) and web application firewalls (WAFs). But it’s not that simple. Let’s take a look at what each system does and how they work—independently and together—to help you.
Web Application Firewall vs. Next-Gen Firewall: Why It’s Confusing
A number of issues fuel the confusion surrounding NGFWs and WAFs. First, since both technologies are called firewalls, some people may think they’re similar. And since NGFWs are an evolution of traditional network firewalls, the terms are sometimes used interchangeably. However, while both technologies serve to inspect for and stop malicious intrusions, each one offers a different layer of protection.
Think of an NGFW as the entrance to a hotel and the WAF as the key to a hotel room.
There’s not an established industry standard that defines an NGFW, notes TrustRadius. Typically, an NGFW is a centrally managed system that can combine some network and web application firewall functionality, as well as VPN connections and other functions. Still, these firewalls are for different tasks, are situated at different places in the network, and are often managed by entirely different teams. That’s an important distinction.
Both Technologies Are Important
Given the various potential points for intrusion across both a network and a web app, in most cases it’s important to employ both technologies. Both NGFWs and WAFs are considered network functions, but they interact with traffic at different points.
Think of an NGFW as the entrance to a hotel and the WAF as the key to a hotel room. Network firewalls cover the traffic on the network; WAFs cover the app. Using an NGFW and a WAF together gives you broader coverage.
A network firewall can help stop an attack at the edge of the network by blocking incoming malicious traffic, which can benefit an application to an extent. The WAF will stop specific layer 7 attacks against the application, whether it’s an attempt to exploit vulnerable software libraries or code-level vulnerabilities like deserialization or injection attacks, or a DDoS attack that targets the compute resources of the application.
Here’s a closer look at how each technology works, where it works, and what it accomplishes.
|Where does it operate?||Close to the organization, on the network (layers 3-4)||Close to the app (layer 7)|
|How does it work?||Operates as a type of filter to safeguard against unauthorized network access||Watches the app (and sends alerts) for unusual behavior caused by things like cross-site scripting (XSS), L7 DDoS, injection, broken authentication, and other such attacks|
|What does it accomplish?||Protects the internal network and its users||Protects the data moving across the app transom|
Who’s Using WAFs vs. NGFWs?
Coordinating different technologies raises the issue of manageability—and who the stakeholders are. A WAF typically will be of more interest to anyone serving the app, including developers, even if they’re not experts in security. Meanwhile, IT tends to focus more on the network firewall.
Building and tuning effective WAF policies take a deep understanding of the app. And the person who wrote the code is usually a good guide for establishing how to protect it. They know the app’s strengths and weaknesses and are ideally placed to construct a WAF policy that addresses the app’s vulnerabilities. A WAF is still infrastructure, so its deployment often rests with IT security; however, it’s a great tool to include in a DevSecOps program where security is deeply integrated into the development process. So collaboration between developers and IT is crucial.
It’s also good to get developers involved in the WAF setup because they need to try out the technology to trust it. The frustration with both NGFWs and WAFs is the looming danger of false positives. Unlike an NGFW, however, a WAF can be tested within CI/CD pipelines as the applications are being developed or thereafter. A WAF shows the app, what it looks like, and what the payload looks like—so you can make sure everything matches and operates effectively.
The Bottom Line
Securing your networks and applications isn’t easy; it’s not meant to be. Hackers have the ability to gain deep knowledge of a system and its vulnerabilities—and use that knowledge to exploit it. Organizations need to be smarter than hackers to stay ahead of them, and that means getting the right stakeholders involved to set up strategic NGFW and WAF controls to protect the business.
Speak to an F5 Security Expert
Ready to talk more about your protection needs? Contact F5 today to learn more or start a trial.