Web Application Firewall (WAF) Buyer Guide: Checklist for Evaluating WAFs

A Web Application Firewall (WAF) can protect your web applications and website from the many intrusions and attacks that your network firewall cannot. Depending on its type, a WAF can protect against buffer overflows, XSS attacks, session hijacking, and SQL injection.

However, not all WAFs are equal, and definitely, they do not provide the same level of security. Here is a checklist to help you evaluate different web application software and choose one that is most suitable for your needs.

Form Factor

It’s crucial to find out how the WAF is bundled and sold to the customer. The choice you make will largely depend on what your organization is comfortable with since most WAFs have several options to choose from. Here are the most common forms:

• Software only – these WAFs require you to provide the hardware.
• Hardware – the WAF intelligence is directly embedded into the hardware.
• Appliance – the WAF software is sold in an appliance that is tuned and sized specifically for the WAF.
• Host – the WAF software is placed on the same server that the web application is running on.

WAF Detection Techniques

Once you have decided on the form factor, it’s time to find out how the WAF detects vulnerabilities. Most WAFs employ a variety of techniques to ensure the most accurate detection. Ensure you ask about the specific methods used and proof of false negative and positive rates and any third-party testing results. This will give you a clear picture of how proactive the WAF will be. Read more on the different WAF detection technologies .

High Availability and Throughput

If you need a WAF to work in a high traffic environment, it should process a substantial amount of traffic without slowing down your web application. The WAF should also work with load balancers and support failovers to prevent disruption of service when one web application or WAF red-lines or fails. If you choose a stand-alone WAF, ensure that it meets your company’s HA needs for architectural conformance and performance. To gauge the performance and throughput levels of the WAF, ask the following questions:

• How much traffic can the WAF support?
• Can the WAF work with the existing load balancing/HA devices?
• Is there any latency in the protected application?
• Can the WAF support failover with little or no loss of traffic?
• Does adding new or more complex rules decrease performance?

Logging and Reporting

At a minimum, a good WAF should log vital information about the transaction activity to and from the web application. Additionally, find out if you can generate reports on schedule, on-demand, or both. Check if there are filters that you can employ to quickly find the data that is important to your team. You might also want to consider user-friendly presentations and report distribution methods if they are essential to your company. Here is a list of questions that will guide you when gauging the logging and reporting features of a WAF:

• What format does the log use? / does your organization’s SIEM system support the WAFs log formats?
• Can you export the log off the server securely?
• Does the WAF capture all information? / How detailed are the logs?
• Is the log tamper-proof and tamper-evident?
• Does the WAF have pre-configured reports for management and compliance?
• Does the WAF maintain separate logs for potentially malicious traffic and regular traffic?
• Where are the logs stored?

SSL and Encryption

Although encryption is vital for preventing prying eyes from accessing data, it also prevents a WAF from inspecting the data without decrypting it first. You, however, have the option of providing your WAF with the encryption keys so it can decrypt the stream or terminate the SSL connection and then create a new encrypted tunnel for transferring data from the WAF to the web browser or server. Since SSL processing introduces CPU overhead, it is essential that you carefully size any WAF that tends to terminate SSL sessions. You can always consider using an accelerator board to off-load some of the processing work. Key questions to ask here include:

• Is SSL decryption supported?
• Does the WAF support in-line termination?
• Does the WAF use key sharing for passive decryption?
• Does the WAF have any acceleration options if it’s needed?

WAFs will have to terminate SSL sessions to analyze the traffic.

Integration with Web App Scanners

This tool scans a web application from the outside to emulate the kind of vulnerability that an attacker could discover. It can sometimes be used with WAFs to help find vulnerabilities that your security admins can mitigate using custom WAF rules. WAF are already able to block any patterns the scanner can throw? Here are the crucial questions to ask:

• Has the vendor partnered with any Web App Scanners?
• Do the two products integrate seamlessly?
• Is it possible to integrate rules automatically, or do you have to do it manually?

Alternatively, here at Cloudbric, we launched a WAF evaluator to test the performance of your existing WAF if you’re already using one. Determine the level of detection capabilities and accuracy of your WAF using test patterns from OWASP, Exploit DB patterns, and others.

Final Word

In addition to following this checklist for evaluating WAFs, you should also check the WAF provider’s support. A great WAF provider’s support team is crucial to your decision-making process. This is even more important when you don’t have a dedicated security team. A supportive and knowledgeable support team will help you detect abnormalities in your traffic and analyze threats. Remember to ask whether the provider updates their WAF and how often this happens because timely updates are vital to a WAF’s performance. Read more on Cloudbric’s signature-less technology that negates the need for constant WAF updates!