A couple weeks ago at the 2020 RSA Conference, the Avi Networks team was presenting on the state of web application security and the shortcomings of traditional Web Application Firewalls (WAFs). This blog post highlights many of the slides from the booth presentation concluding with a link to a recent Tech Field Day demo where our head of marketing and head of product show what Avi’s Intelligent Web Application Firewall (iWAF) does in production environments for many of the world’s largest companies, effectively changing the approach to web application security.
State of Web Application Security
I’ll be honest, things aren’t looking too great. Web applications are now the top target for attacks and breaches for large corporations. And getting hit with a web application security breach can cost millions.
Challenges with Traditional WAFs
So just get a WAF, right? Wouldn’t that solve the problem? Not exactly.
Traditional WAFs are deployed as hardware appliances that are difficult to use, lack visibility, and suffer from poor performance — so much so that 90% of corporations state that WAFs are too complex.
Swisslos, one of Europe’s largest lottery companies experienced these problems first hand. They used a hardware Application Delivery Controller (ADC) to provide load balancing and WAF services for their website. As the lotto pot grew, so did the traffic to their website. At peak times the performance got so bad that Swisslos had to shut down the WAF functionality to give more capacity to the load balancing service just to keep the website from going down. Yes, businesses today often have to go to the extreme of turning off web application security services during peak traffic — when they are most vulnerable — just to keep their sites in operation. The traditional WAF model is broken.
The Intelligent Approach to WAF
Avi Networks introduced the Intelligent Web Application Firewall in 2017. The software-defined WAF streamlines policy management, adds robust analytics and visibility, and provides industry-leading performance and scale as it is built on the same architecture as its multi-cloud software load balancer. This modern architecture lets you replace fleets of load balancers and WAFs and replace them with a single centralized controller that will automatically and instantly deploy, manage, and scale Service Engines that provide load balancing and WAF services — across any cloud or data center.
The Need for Improved Web Application Security Analytics
Not only does this architecture address the multi-cloud world that more and more enterprises are finding themselves in, but it provides significant enhancements to visibility and analytics. Unlike traditional WAFs where you fly blind and hope things are “OKAY” until something goes horribly wrong, Avi monitors over 700 application performance metrics in real time so you know everything you need to know about your applications, infrastructure, and end-users. The Avi Controller can react before anything goes wrong and you can finally have trust that your WAF is working as intended. After all, how can you trust what you can’t see?
These analytics power 3 core functions that deliver enhanced web application security that also reduces complexity. They are the Whitelist Engine, Positive Security Engine, and Signature Engine:
The first step of the optimized security pipeline that allows known good traffic to get admitted very quickly. For example, known internal IP addresses, images, and static content aren’t attack vectors so you don’t need to trigger WAF processing for these.
Positive Security Engine
The Positive Security Engine enforces valid application behavior. Its Learning Engine analyzes the traffic and programs rules for traffic that has a high confidence level (valid behavior). The learning is continuous and constantly uses machine learning to analyze and program more rules to reach a predefined level of confidence.
The Signature Engine is the final layer of analytics-driven security and contains two types of signatures: Application Specific Signatures and Common Attack Signatures.
- The Application Specific Signature is for securing known exploits to specific applications. There are over 5000 applications that are part of this list that are constantly kept up-to-date. All you have to do is select which applications are relevant to your organization.
- The Common Attack Signatures is based on the core rule set of the OWASP Top 10 signature protection, which includes items like Cross-Site-Scripting and SQL injection. After a request is checked here it will be admitted to the backend application.
This methodology is designed to be the most efficient form of policy management that provides the best web application security at the performance and scale of modern businesses. At each stage we are letting through as much traffic as possible as early as possible with as high confidence as possible. The end result of iWAF is reduced false positives, improved performance and scale, and protection against 0-day attacks.
Web application security is critical to the needs of most businesses. As businesses modernize their applications and infrastructure — and as cyber attacks become more of a threat — it is more important than ever to adopt a modern, Intelligent Web Application Firewall for your business.
To learn more about the history of Avi Networks and to see a demo of the load balancing and WAF capabilities, please view the recent Tech Field Day demonstration: