Next Generation Firewalls and Web Applications Firewall Q&A
If I ask to an average skilled information security professional what a firewall is, I am pretty sure that he will be able to answer my question and describe with great detail concepts as packet filter, application proxy and stateful inspection.
I am afraid that the situation would be completely (and dramatically) different in case I would decide to ask him what a Next Generation Firewall (abbreviated as NGF and sometime also referred as Application Firewall) is, and most of all what a Web Application Firewall (abbreviated as WAF) is and how it is different from a traditional UTM or Firewall or also from a Next Generation Girewall.
Although NGF and WAF are becoming quite familiar for information security professionals (their presence is constantly growing in parallel with the growing skill of the average user, more and more aggressive in circumventing the traditional security bastions, and in parallel with the growing sophistication of Web threats and the consequent influence of compliance -think for instance to PCI-DSS– into the design process of a security infrastructure), the confusion reigns and, for my experience, I can state with no fear, that too many professional and end-users confuse and overlap Next Generation and Web Application Firewall.
In case of an Application (AKA Next Generation) and Web Application Firewall, a noun adjective (Web) is a little thing, but it makes a huge difference. I will try to explain why with this quick Q&A
Q: What is a next generation firewall?
A: A Next Generation Firewall (aka Application Firewall) is a security device, evolution of a stateful firewall, that is application aware, i.e. capable to recognize and block applications according to specific patterns and fingerprints peculiar of the application itself. Its security paradigm is to prevent users from bypassing the layer of defense by mean of consolidated methods such as mapping the malicious application on standard ports known to be accepted, or using anonymous proxies (such as the well known TOR). Unlike a traditional firewall, which enforces the access control by mean of the “IP Address – Port/Protocol“ paradigm, a Next Generation Firewall enforces the “user – application” paradigm: in a traditional firewall security model, policies allow or deny specific protocols for specific IP addresses, in an application firewall security model, policies allow or deny specific applications for specific users authenticated in external repositories (Active Directory, LDAP or Radius). Of course Single-Sign-On is also possible (for instance with Active Directory).
Q: What is a web application firewall?
A: A Web Application Firewall is a security device whose main task is to protect web portals and web application by inspecting the XML/SOAP semantics of the flowing traffic and also inspecting HTTP/HTTPS for typical attacks at layer 7 such as SQL Injections, Buffer Overflow, Cross Site Scripting (XSS), File Inclusion, Cookie Poisoning, Schema Poisoning, Defacements, etc. Web application firewalls also provide protection against DDoS but do not enforce access control in the traditional meaning of the term. They only protect the server farm behind them, adopting signature based or anomaly detection algorithms but, unlike a network IPS they focus on HTTP/HTTPS. They act like proxy and, because of their ability to inspect HTTPS traffic (by importing the original certificate of the target server), they may perform also other functions such as SSL offloading and server load balancing. Also important: a web application firewall do not inspect (and should not allow) other traffic than HTTP/HTTPS.
Q: What is the difference between a NGF and a WAF?
A: This is a million dollar question: a NGF is a user and application oriented firewall, a WAF is a server and HTTP/HTTP oriented security equipment (no I cannot call it a firewall). They are very different as far as their role and deployment are concerned: usually the best deployment for a NGF is to protect outgoing traffic from misuse by users; the only deployment for a WAF is in front of the target server farm to protect incoming HTTP/HTTPS traffic. Typical location for a WAF is in a dedicated DMZ and obligatorily behind a traditional traffic that should deny other traffic than HTTP/HTTPS).
Q: I want to deploy a NGF, do I need to deploy it in conjunction with a traditional firewall?
A: It depends, although the original NGFs were conceived as dedicated devices, preferably deployed in conjunction with a “traditional” stateful firewall, the current technology trend is to bring the application control features on top of stateful inspection (and UTM) functions, so definitively nearly all the security vendors are now able to provide application control as native functions or with additional licenses. On the other hand application control corresponds to a stateful inspection brought to layer 7 of the ISO/OSI Model (At this link an interesting comparison of the different implemenations).
Q: I want to deploy a WAF, do I need to deploy it in conjunction with a traditional firewall?
A: Absolutely yes. A WAF does not provide access control neither is capable to check other protocols than HTTP/HTTPS (by default not even to forward them);
Q: I have an IPS, do I need a WAF as well?
A: A traditional Network IPS scans all the traffic on the network so it cannot have the same granularity and depth for HTTP/HTTPS threats than a WAF. An optimal comparison is done in this article by SANS, which states, among the other things: where IPSs interrogate traffic against signatures and anomalies, WAFs interrogate the behavior and logic of what is requested and returned. A WAF acts as a reverse proxy (although, like an IPS, several WAF technologies may also active in passive mode), instead an IPS typically listens to traffic in transparent mode.
Q: So definitively when do I need to deploy a NGF and when do I need to deploy a WAF?
A: Deploy a NGF when you want to protect your network from misuse by users avoiding bandwith hogging and usage of insecure applications which could bring malware inside the organization. Deploy a WAF, in conjunction with traditional Firewall, IPS or UTM, when you have to protect your web applications (and partially also the back-end databases) from HTTP/HTTPS threats.
So, at the end, if you will need to enhance your security level you will not have to chooes between a WAF and NGF, but simply to decide which is the best device according to your needs. In this case the following table may be helpful!