Akamai Diversity

The Akamai Blog

WAF. Under myth-busters' scrutiny.

Tangina Barros, the medium in the Poltergeist film series, taxes and Internet security.
These three things have in common that they scare, they intimidate and they may keep you awake at night. With regards to the first two topics, the only thing I can do is remember that Poltergeist is just a movie, seriously, just a movie (I keep saying that to convince myself, quite unsuccessfully, though) and that with the adequate online help, tax filling can be done without making mistakes (I also keep saying that, with the same purpose, and the same futile outcome). But still, I sleep with one eye open.
Truth be told, the concept of defense used to protect web sites and applications is a fascinating exercise in logic. Technical implementation is what becomes complicated, but the fundamentals of online defense are based on one simple idea: 

Specifically combat the different types of Internet attacks. I know it may sound too trivial, but this assumption is not that obvious and is key to my simplified model. I will focus on the web attacks at application layer, since they are one of the most sophisticated and harmful attacks that can occur from an external source. Unlike Distributed Denial of Service attacks (DDoS), where the attacker uses brute force with the purpose of overflow and exhaust infrastructure resources until, ultimately, they are not accessible anymore, in the Web Application Layer attacks, the attacker will try to surreptitiously sneak into the web site resources to steal, modify, alter or make any fraudulent use of data.

In a future post I will talk about the combination of Web Application Layer and DDoS attacks.

The tool that has been traditionally used to defend against Web Application attacks is a device called WAF (Web Application Firewall). And I insist on the term 'traditionally' since the historic approach has been a hardware appliance, deployed on premises, whose task is discerning the legitimate from illegitimate traffic, and filter the latter. However, the evolution within WAF technology comes from the cloud. A cloud-based WAF improves its predecessors, the hardware ones, in many aspects. The key is which factors determine the quality of a WAF:

    • Accurate protection

    • Visibility into attacks and adaptability to changing threats.

    • Adequate scale

    • Ease of management

Like I said before, they main idea of a WAF is based on an undisputable logic: distinguish legit traffic from malicious traffic, so legit traffic passes through, while the attacks are filtered.

The factors that a company has to take into account when it comes to choosing a suitable WAF to protect their digital assets may have different implications. Accuracy of the solution has to be taken into account, which means the supposition that every WAF vendor will provide this accuracy information transparently (but this is not always the case). Companies also have to consider the human investment in the WAF management. A WAF requires a constant adaption (care and feeding) and needs to be able to change as the environment, threats and applications it is protecting are also constantly changing. This is something that can't be overlooked. And last but not least, companies have to evaluate the performance, or better said in most cases, the degree of negative impact that most WAFs have over performance, especially under high traffic conditions.

I will publish new blog posts explaining more in detail every aspect that may affect the points previously mentioned and, in particular, I will compare traditional hardware-based WAF versus the newer and better-suited cloud-based WAF approach.

In the meantime, I recommend the reading of this white paper, from which I extracted part of the ideas I have expressed and will continue to express in these blog entries.