Cloud based WAF Security
So you are planning to move infrastructure services to the cloud, or you are already operating in the cloud and require extra security provisioning around your web application (HTTP/HTTPS) traffic, and you have come to the conclusion that you want a Web Application Firewall (WAF). This is a good start: some customers think they are protected because they have a firewall, and they are, but not to the level of a dedicated Layer 7 Web Application Firewall. Then there are the customers who simply don’t know the difference between the two. Let me explain briefly:
Cloud based Firewall
Put simply, a cloud based firewall (aka firewall virtual appliance) protects a group of computers on your network against unauthorised traffic by applying a set of policies: traffic that passes through the firewall must adhere to these rules, else the packets are blocked. A firewall operates at layer 4, at the packet level (source and destination addresses, ports and protocols).
Web Application Firewall (WAF)
A WAF, on the other hand, is another type of virtual appliance that operates at layer 7 and should be deployed in front of your web applications / web sites, where it inspects and monitors the HTTP and HTTPS traffic to those backend servers. All access to your web applications passes through the WAF, where the traffic is inspected to determine whether it should be passed through or blocked according to a core rule set taken from the OWASP 3.0 or 2.2.9 rule sets. The OWASP core rule set is made up of detection rules that protect against the top 10 common threats such as SQL injection, remote code execution, cross-site scripting etc.
Adherence to the OWASP rule set should be considered essential in anything that claims to be a WAF.
Consider this when evaluating your vendors. There’s plenty more to consider, which is further expanded on here: Comparing Cloud Web Application Firewalls
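To make the layer 4 versus layer 7 distinction concrete, here is an added example (my own illustration, not code from the original post or from any WAF vendor) that runs the same requests through a packet-filter style policy and then through a small CRS-style inspection. The source networks, the rule ids and scores, and the sample requests are all constructed for the demonstration and are not real OWASP CRS rule ids; the anomaly-scoring idea (each matching rule adds a weight, and the request is blocked once the total reaches a threshold) is how the real CRS works.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple
from urllib.parse import unquote_plus

# ---- Layer 4 policy: a packet filter only sees addresses and ports ----------
# Constructed sample policy: only these source networks may reach the web ports.
ALLOWED_NETS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]
ALLOWED_PORTS = {80, 443}


def l4_allow(src_ip: str, dst_port: int) -> bool:
    """Firewall-style decision: source network and destination port only."""
    src = ip_address(src_ip)
    return dst_port in ALLOWED_PORTS and any(src in net for net in ALLOWED_NETS)


# ---- Layer 7 inspection: the WAF decodes the HTTP request and scores it -----
@dataclass
class HttpRequest:
    method: str
    path: str
    query: str             # raw query string, still URL-encoded
    headers: Dict[str, str]
    body: str              # raw body, still URL-encoded for form posts


# Constructed rules in the spirit of the OWASP Core Rule Set categories the
# text names (SQLi, XSS, RCE). Ids and weights are illustrative, not real CRS ids.
RULES: List[Tuple[str, str, re.Pattern, int]] = [
    ("SQLI-1", "SQL tautology or comment sequence",
     re.compile(r"(?i)\bor\b\s+\S+\s*=\s*\S+|--|/\*"), 5),
    ("XSS-1", "script tag or inline event handler",
     re.compile(r"(?i)<script\b|\bon[a-z]+\s*="), 5),
    ("RCE-1", "shell command chained with a metacharacter",
     re.compile(r"(?i)[;|`]\s*(cat|ls|id|whoami)\b"), 5),
    ("LFI-1", "directory traversal sequence",
     re.compile(r"\.\./"), 3),
]
BLOCK_THRESHOLD = 5  # CRS-style anomaly scoring: block once the total reaches this


def l7_inspect(req: HttpRequest) -> Tuple[int, List[str]]:
    """Return (anomaly score, matched rule ids) for one HTTP request.

    Every inspected field is URL-decoded first; a WAF that matched the raw
    bytes would miss a payload hidden behind %27 or %3C.
    """
    targets = [unquote_plus(req.path), unquote_plus(req.query), unquote_plus(req.body)]
    targets += [unquote_plus(v) for v in req.headers.values()]
    score, matched = 0, []
    for rule_id, _desc, pattern, weight in RULES:
        if any(pattern.search(t) for t in targets):
            score += weight
            matched.append(rule_id)
    return score, matched


def decide(src_ip: str, dst_port: int, req: HttpRequest) -> str:
    """Run the L4 policy first, then the L7 inspection, and report the verdict."""
    if not l4_allow(src_ip, dst_port):
        return "BLOCK_L4"
    score, matched = l7_inspect(req)
    if score >= BLOCK_THRESHOLD:
        return "BLOCK_L7:" + ",".join(matched)
    return "ALLOW"


# Constructed sample traffic: the first three pass the L4 policy, so only the
# layer 7 inspection can tell the attack traffic from the legitimate request.
SAMPLES = {
    "benign search": ("203.0.113.10", 443,
                      HttpRequest("GET", "/search", "q=cloud+waf", {"Host": "shop.example"}, "")),
    "sqli in query": ("203.0.113.10", 443,
                      HttpRequest("GET", "/item", "id=1%27+OR+1%3D1+--", {"Host": "shop.example"}, "")),
    "encoded xss in form body": ("198.51.100.7", 443,
                                 HttpRequest("POST", "/comment", "", {"Host": "shop.example"},
                                             "text=%3Cscript%3Ealert(1)%3C%2Fscript%3E")),
    "wrong port": ("203.0.113.10", 8443,
                   HttpRequest("GET", "/", "", {"Host": "shop.example"}, "")),
}

if __name__ == "__main__":
    for name, (ip, port, req) in SAMPLES.items():
        print(f"{name:26s} -> {decide(ip, port, req)}")
```

The point to take from the output is that the SQL injection and the encoded script both arrive from an allowed network on an allowed port, so the layer 4 policy lets them straight through; only the layer 7 decode-and-match step catches them. Rules this coarse will also flag legitimate text (a product description containing "red or blue = stock"), which is why a real WAF deployment is normally run in detection-only mode and tuned before it is switched to blocking.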
Choosing a WAF
Now we know what a WAF is, it’s time to think about what is important when deciding on one.
There are roughly three things that differentiate a cloud based WAF from a traditional on-prem firewall: scalability, extensibility and availability.
- Being a cloud based virtual appliance means a WAF can scale according to business demand far more than a traditional on-prem device, and this is common amongst most cloud service providers. From an enterprise perspective this scale comes into play when bandwidth increases, unlike on-prem devices that would require a device replacement to cater for the increased traffic. Traditionally, if you were under a DDoS attack and the throughput from the attacker was so great that it exceeded the supported capacity of your WAF, your backend web servers would still end up being attacked because the WAF would be crippled by the overload. This is exactly what you don’t want. It is far easier to manage this when opting for a cloud based WAF, as scaling out (behind a load balancer) is far easier to implement.
- Cloud based virtual appliances such as a WAF mean vendors can offer SLAs such as >99.99% high availability, because the underlying infrastructure consists of fully redundant power, network services, and backup and DR strategies, particularly as the underlying services are hosted by big players such as Microsoft and Amazon cloud services.
- One of the fundamental benefits of hosting services in the cloud is the luxury of being able to provision your virtual appliances anywhere you have a protected communication path. Traditionally, deploying a physical on-prem WAF device would incur upfront capital expense and require both room in the datacentre and out-of-band management access. Cost would increase further for HA, of course.