A Web Application firewall can be a pain in the A*** but maybe its essential for GDPR ?

strong man illustration

Firewalls have been around for years, but Web Application Firewalls are much newer and despite the name very different!

 

So firstly what is a WAF? What does it do and why do I need one (or not)?

Quite simply a normal firewall will open up ports to allow traffic from the outside world access to your website/web application.

A WAF will check the traffic going through these open ports to ensure its not someone hacking your site/app.

The Attack

Hacking at the web application level is now a very common form of attack. Indeed the top 10 types of web attack are listed (and updated) on this independent site called OWASP here .

All WAF’s that are worth their salt will protect against these threats.

Typically a web application server does something! Maybe accesses some useful data and presents it to the user in a nice and clever way. Whatever…

It maybe pretty obvious but data tends to be stored in databases on database servers that tend to be deeper in the network so harder to attack. It’s easier to attack a public facing web app that you know has access to the internal data you want.

Installing an Application firewall can help protect your web applications and more importantly the data that the application has access to.

In fact, not only can they help to prevent an attack, many can even help to reduce data loss should an attack become successful. (see here for example)

With GDPR looming a WAF is now an essential part of a web security architecture. (interesting enough It has been essential for PCIDSS for some time now)

So it’s a no brainer to get one right ?…No no no

Lets go out there an buy the biggest baddest WAF we can get our hand on! Not a good idea.

Many are expensive, complex and poor implementations can break the application.

Indeed after talking to a few security consultants about the markets leaders they reckon that many are configured non-blocking meaning they don’t block an attack they just observe it and just tell you have one!!  Maybe this was used to tick the right boxes before?

Why are they non-blocking. Quite simply because they are too complex and many organisations don’t have the skills to configure them. They also straddle multiple disciplines as they tend to sit between applications and networking teams.

Sometime they have them configured correctly initially, then a change to the application happens and it breaks,  so they panic and go non blocking or add loads of rules to the white list so it’s as useful as a chocolate teapot.

Lesson – Don’t buy an F1 car to drive to the shops (unless you can drive an F1 car) . You will probably crash it or not use it.

Our Pitch – Don’t buy our WAF

especially if you require the most configurable product in the market.

Don’t buy our WAF if you are a large Enterprise with big budgets and a WAF team. (BTW if you are an Enterprise please check that your WAF is set to non-blocking 😉 ) If not give us a call 🙂

But – Do consider our WAF if you require Industry leading protection in a format that you can understand, configure, manage and maintain.

Consider our WAF if you have externally available web applications that have access to customer data and you have obligations under GDPR to protect this data.

If you don’t need one don’t buy one,  but if you do, buy something that will do the job it’s required to do at a level that is manageable by the organisational time and skills available.

Next Learn About WAF

To help learn more about WAF we have setup a Full WAF test environment including an app server, a WAF and an attack simulation tool.

This test drive can be provisioned online in a few minutes – you can then have a play and if feeling brave even point it to your public facing site for testing.

  Take a test drive here

 

Find out more about our WAF jetNEXUS WAF

About Greg