Web Application Firewalls (WAFs) are becoming increasingly common in enterprise environments, protecting websites against threats that slide past traditional network firewalls. The biggest advantage of WAFs is that they can implement virtual patches to vulnerable web applications.
Though the WAF market is still in its formative stages, I expect WAFs to become as commonplace as traditional network firewalls in server environments. I arrived at this theory by drawing parallels between the current state of WAFs and the way in which network firewalls got their start.
Reasons for Traditional Network Firewalls
In a 1990 paper The Design of a Secure Internet Gateway, Bill Cheswick described a system that separated the corporate network from the Internet, allowing only traffic for certain services to cross the boundary it enforced. To goal of the gateway was to protect weakly-configured corporate systems from being attacked by outsiders. Bill explained:
“With workstations sitting on many desks, system administration is often decentralized and neglected. Passwords are weak or missing. A professor or researcher often may install the operating system and forget it, leaving well-known security holes uncorrected.”
In a 1992 paper A Network Firewall, Marcus Ranum emphasized the need for a secure gateway acting as a firewall between the Internet and the corporate network “to prevent miscreants and unwelcome visitors from accessing hosts on the private network.” Marcus explained that the benefit of this setup is that:
“It is only necessary to ensure that one system is as secure as possible. If a security hole is identified in the mailer software, patching it immediately in one place will secure the entire network, whereas in a completely connected Internet site, it is necessary to patch the hole in every system on the network separately.”
The designers of traditional network firewalls recognized that the realities of maintaining most corporate systems made it very difficult to configure them securely. In the often-quoted words of Bill Cheswick, the firewalls created “a sort of crunchy shell around a soft, chewy center.”
Reasons for Web Application Firewalls
In late 1990’s web applications were playing an increasingly critical role in businesses, yet were ridden with vulnerabilities. Considering that addressing the core problem of the flaws at the code level proved impractical in many situations, companies began turning to WAFs.
A 1999 article described AppShield, a tool created by Eran Reshef. It was an HTTP filter that sat in front of the web application. It kept “crooks out by refusing to process any bogus character inputs, such as long Common Gateway Interface buffer overflows, that can hijack the server.”
In a paper published in 1999, Eran described Internet application security products that “automatically secure e-Business applications ‘on the fly’ by deducing the application-level security policy during run-time and enforcing it on each and every incoming request.” One of the goals was to allow applications to be secured immediately “even when security was not taken into account during design and implementation phases.”
WAFs Now and in The Future
Why the history lesson? Because WAFs seem to be following an adoption trajectory similar to that of traditional network firewalls, and are being used for similar reasons. Network firewalls caught on because they mitigated the risk of companies not being able to secure individual systems and services. Similarly, WAFs are hot because they allow companies to protect applications that are very difficult to secure at the code level. As Jeremiah Grossman wrote in a 2007 blog post We Need Web Application Firewalls to Work:
“Web application security problem has simply gotten WAY too big to be fixable in the code without the help of WAF’s.”
WAF technologies are maturing. Organizations are becoming aware of the benefits of WAFs. More commercial and free WAF tools are appearing on the market. Soon enough, WAFs in server environments will be as common-place as traditional network firewalls. As the market matures, I suspect WAF features will increasingly be integrated into network perimeter security devices. And eventually, WAFs might be built into the applications they protect, much like modern computer systems often come with host-level firewalls.