Learning to Love WAFs

A qualified love to be sure, but Web app firewalls do have their uses

11:10 AM -- For the last few years I've snickered and jeered at people who have bought into the concept of WAFs. I've broken past every one I've seen, and found none of them to be particularly effective at solving any major problems.

Here's why: They add a single point of failure, they can't find anything they don't know to look for, and they tend to block things without a significant amount of tuning. My opinion stayed steadfast for over a year -- that was until a few days ago.

During a routine audit of a company, it became clear that the site was in far more danger than I originally thought, with more than 1,000 attack points against its Web application. It was clear that despite having a small army at their disposal this would be a tough task even with significant resources. It's just too human intensive. Further, the site is a huge target. Time to think outside the box.

WAFs have two distinct functions that are outside of what a normal Web server has. The first is the ability to make quick changes outside of typical change-control processes put in place by large companies.

That's particularly true when thinking about seasonal change control freezes to insure stability for publicly traded companies that do a large amount of e-commerce. Being able to make quick, temporary patches to the Web application without jeopardizing the entire application is a sexy alternative.

The second function is the ability to do matching for a single malicious string across different applications using regular expressions or anomaly detection. To do this inside a Web server would be significantly more complex without modifications to the Web server itself (i.e., mod security, which technically is a WAF). So after it's all said and done, I honestly believe there is a good reason to install and use a WAF in a production environment.

For enterprises looking for a long-term strategy of short-term fixes, this is a great stop-gap. Does it protect against everything? No. Will it introduce complexity, another device to support, additional points of failure, and cost? Yes. Will I continue to recommend it? In the situation mentioned above, I'm a convert. I still have my doubts about the technology as a whole, but I'm happy to have a solution for my client.

— RSnake is a red-blooded lumberjack whose rants can also be found at Ha.ckers and F* Special to Dark Reading