A “Web Application Firewall” is not a “Firewall”!
Why are “Web Application Firewall’s” (WAF’s) called “Firewalls”? I think the term firewall was initially used by vendors because it was something already allocated in their potential customers’ budgets and WAF vendors wanted to avoid association with what they truly are – Intrusion Prevention System (IPS) for HTTP/WebApps.
“a device or set of devices designed to permit or deny network transmissions based upon a set of rules and is frequently used to protect networks from unauthorized access while permitting legitimate communications to pass.”
A firewall is clear and focused. It blocks traffic according to very clear and concise rules and does not really understand the content. It just decides if traffic from Computer_A/PortX should be allowed to communicate with Computer_B/PortY.
“network security appliances that monitor network and/or system activities for malicious activity. The main functions of intrusion prevention systems are to identify malicious activity, log information about said activity, attempt to block/stop activity, and report activity.”
This more accurately describes what so called WAF’s really do. A WAF is simply an HTTP specific IPS. They should be more accurately named one of the following:
- WAIPS: Web Application Intrusion Prevention System
- WIPS: Web Intrusion Prevention System
- HIPS: Http Intrusion Prevention System
- AIPS: Application Intrusion Prevention System
- HAIPS: Http Application Intrusion Prevention System
Over the last few decades, Firewalls have become a trusted solution to improve security, for the layer its used to protect. IPS’s on the other-hand have a long history of being viewed with some skepticism. I think the modern high quality IPS’s solutions have overcome most of the false positive/negative issues of the past, and tend to be very good and when organizations implement them. However, due to their history, customers have a clearer understanding of what it is they are actually implementing and what to expect, as understand the need to maintenance and tuning.
All too often, I see that the years of trust built up in Firewall’s ability to be installed, configured and then forgotten has transferred to WAF’s, and people are implementing them with the same faith that they would a traditional Firewall – not with open eyes to the fact that WAF’s require care and feeding like they do when implementing an IPS.
Please don’t get me wrong, I am not criticizing the value of implementing a WAF in your organization. On the contrary, I believe they actually can be a very important and effective part of your Layered Security & Defense in Depth strategy especially when trained to understand the malicious traffic.
When we work with our customers on their application security strategy, we try to help them understand what their WAF is and what it isn’t so that they have reasonable expectations and can build an effective application security strategy.
I would love to hear some of your opinions… Is a WAF a firewall?