NSS Labs defines web application firewalls (WAFs) as stand-alone or virtual appliances, or as self-contained software designed specifically to secure web-based traffic. WAFs employ a wide range of functions to work in conjunction with perimeter firewalls and intrusion prevention system (IPS) technologies and provide protections specifically for web applications. WAFs should include HTTP/HTTPS protocol enforcement and native signature detection along with other protection mechanisms, such as URL normalization and scanning; positive or negative security enforcement model functionality (or both) that enforces proper application operation and page logic flow; and adaptive learning modules for automated policy updates. WAFs block attacks masked by HTTPS encryption by inspecting SSL sessions using a web server’s private key; they also detect policy violations and reset offending connections. These sessions are either passively decrypted and inspected or actively terminated and re-encrypted. WAFs should be able to identify and police the use of specific web application elements and functions, such as web objects, form fields, and, most importantly, application session logic.

This Test Methodology describes how NSS will evaluate WAF products to provide an objective and fair assessment of the technology. Individual tests have been developed that represent real-world use cases of the WAF to protect web applications and other mission-critical applications sitting at the edge of an enterprise network.