Unlike most security technologies that attempt to identify a broad range of bad traffic by means of traditional detection methods, a web application firewall (WAF) is like a finely honed sword designed for a singular purpose: monitoring HTTP traffic between clients and web servers. The payment card industry (PCI) accelerated the development of the WAF market since it provided a tangible financial application of this technology. This made the WAF a must-have in the arsenal of weapons for many of today's security administrators.
Often tuned and developed based on the web application itself, a WAF is measured on its ability to prevent malicious attacks aimed at web services and the pages that support them (e.g., SQL injection, cross-site scripting) as well as its ability to scale to enterprise-grade levels of connected users (thousands in most cases). WAF products have explicit rules and controls that specify precisely the HTTP data that is permitted for the protected application. False positives are particularly critical in WAF implementations and as such factor heavily in any purchasing decision.
The NSS Labs WAF group test reveals that many solutions in the marketplace are reasonably effective at their roles, though there are degrees of efficacy. In the NSS Labs Security Value Map™ (SVM) for WAF, each vendor is represented by two dots. The upper dot reflects the product's optimum security configuration and capability when properly tuned and deployed for the environment and applications. The lower dot reflects the configuration in which protections are disabled in order to eliminate false positives, which reduces the effective security of the device.
However, false positives in WAFs are not the same as false positives in other deep inspection security devices such as NGFW or IPS. Oftentimes, a WAF false positive is caused by a web application being insecure and by an attacker creating an attack that misfires (and is unable to compromise the target web app). Such an attack looks like a legitimate attack but is actually ineffective. In such cases, a WAF false positive should be eliminated by altering the web application and closing the known security hole, not by reducing protection.
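The two points above, that a WAF applies explicit per-application rules and that a flagged-but-ineffective payload is best handled by fixing the application rather than by disabling the rule, can be made concrete in a few lines. The following is an added example written for this post, not NSS Labs' or any vendor's code: it implements a toy positive-security-model policy for two hypothetical endpoints (`/account`, `/search`), and beside it a vulnerable and a corrected lookup against an in-memory SQLite table, so the consequence of each tuning choice can be observed. All paths, parameter names, table contents and the sample payload are constructed for the illustration.

```python
import re
import sqlite3
from dataclasses import dataclass

# --- Part 1: explicit rules that specify precisely the HTTP data permitted
# for the protected application (positive security model). Constructed policy.

@dataclass
class ParamRule:
    pattern: re.Pattern   # full-match allowlist for the parameter value
    max_len: int          # hard length cap, checked before the regex

@dataclass
class EndpointPolicy:
    methods: frozenset    # permitted HTTP methods for this path
    params: dict          # parameter name -> ParamRule; anything else is rejected

# Hypothetical policy for a small application with two endpoints.
POLICY = {
    "/account": EndpointPolicy(frozenset({"GET"}),
                               {"id": ParamRule(re.compile(r"[0-9]{1,10}"), 10)}),
    "/search": EndpointPolicy(frozenset({"GET"}),
                              {"q": ParamRule(re.compile(r"[A-Za-z0-9 ]*"), 64)}),
}

def inspect(method, path, params, policy=POLICY):
    """Classify one request against the policy. Returns (allowed, reason)."""
    ep = policy.get(path)
    if ep is None:
        return False, "path not in policy"
    if method not in ep.methods:
        return False, "method not permitted"
    for name, value in params.items():
        rule = ep.params.get(name)
        if rule is None:
            return False, f"unexpected parameter: {name}"
        if len(value) > rule.max_len:
            return False, f"{name} too long"
        if not rule.pattern.fullmatch(value):
            return False, f"{name} outside allowlist"
    return True, "ok"

# --- Part 2: the same payload against a vulnerable and a corrected handler,
# which is what decides whether a blocked request was ever a real threat.

def _db():
    """Constructed in-memory table standing in for the protected app's data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn

def lookup_vulnerable(conn, account_id):
    # String interpolation: the parameter value is parsed as part of the SQL.
    return conn.execute(
        f"SELECT owner FROM accounts WHERE id = {account_id}").fetchall()

def lookup_fixed(conn, account_id):
    # Bound parameter: the value is data and can never be parsed as SQL.
    return conn.execute(
        "SELECT owner FROM accounts WHERE id = ?", (account_id,)).fetchall()

def demo():
    """Compare the outcomes of the two tuning choices for one flagged request."""
    payload = {"id": "1 OR 1=1"}   # constructed injection-style value
    allowed, reason = inspect("GET", "/account", payload)
    conn = _db()
    return {
        "waf_blocks": not allowed,
        "reason": reason,
        # Rows exposed if the rule were disabled and the app left as-is.
        "rows_rule_off_vulnerable_app": len(lookup_vulnerable(conn, payload["id"])),
        # Rows exposed if the rule were disabled but the app had been fixed.
        "rows_rule_off_fixed_app": len(lookup_fixed(conn, payload["id"])),
    }

if __name__ == "__main__":
    print(demo())
```

With the allowlist in place the request is rejected (`id outside allowlist`). Against the interpolating handler the same value would return every row, so the alert is a true positive; against the parameterised handler it returns nothing, which is the "misfiring attack" case in the text. In both cases the right response is the same: keep the rule and correct the handler, because closing the hole is what makes the alert harmless, whereas disabling the rule only makes it invisible.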
Follow me on Twitter (@mikespanbauer) to keep informed as new research is released.
Follow us on Twitter (@NSSLabs) to keep informed as new research is released.