Get a free application, infrastructure and malware scan report - Scan Your Website Now

5 Cloud Web Application Firewalls (WAF) Features

Posted DateMay 23, 2018
Posted Time 7   min Read

Everything you’d want to look for in a Web Application Firewall (cloud WAF).

Did you know that it can take up to 5 months to patch even the most critical vulnerabilities? The Web Application Security Statistics Report states that most companies fix critical vulnerabilities in 146 days on average.

Fix Critical Vulnerabilities

Would hackers wait for your developers to patch code? Even if they have time on hand, wouldn’t you want that time to be spent on more critical business functions? That’s why you need an effective and cost-efficient cloud WAF.

Cloud WAF

According to the Open Web Application Security Project (OWASP), WAF applies a set of rules to an HTTP conversation to block common attacks. It means that a Web Application Firewall (WAF) is designed to patch application weaknesses. It stops attacks exploiting cross-site forgery, cross-site-scripting (XSS), file inclusion, and SQL injection without development/code changes in the application.

Access to Application

Sounds easy, right? However, with dozens of WAF vendors and a lack of relevant technical guides, companies often struggle with finding the right product. Our security analysts along with industry experts have come up with this guide specifically for companies comparing different WAF products. Here are the features that should be at the top of your checklist.

1. Cloud Availability

(with hybrid deployment model)

In 2008, Arizona State University published a revolutionary article on the future of cloud computing. They compared SaaS models with electricity.

When you plug in a toaster, you do not have to think how far the electrons traveled from the source (coal/nuclear/hydro powered station) in order to power your home. You know that the power is there, and you can pay for the usage every month. You probably will never wonder what the costs of setting up such a power plant would be.

Web application firewall (and the entire SaaS industry) has evolved in a similar fashion. Earlier, when you had to invest in on-premise WAFs, only multimillion-dollar organizations could afford it.

Cloud Availability

As the online businesses flourished, security concerns and requirements grew too. Not every online company would want to spend such huge sums on the installed device that would also require software upgrades. It’s slow, costly, and unnecessary.

Today, WAFs are the top choice for exponentially-growing online businesses who desire ease of deployment and lower monthly costs.

  • Monthly security subscriptions without huge upfront payments
  • Bandwidth flexibility
  • Automatic updates to patch zero-day vulnerabilities
  • Quick custom-rule deployment
  • Cost-effective PCI compliance

Additionally, it is also important to support a hybrid deployment model in order to enable your transition towards the cloud (if required) and it cannot happen overnight.  You simply cannot delay security choices during the migration to the cloud nor can you make an investment in an on-premise deployment if it does not support the transition to the cloud at no additional cost.

One of the main barriers of cloud WAF adoption is the concern that there could be an impact on the performance and response time of the website due to an additional hop. This is a valid concern but can be easily mitigated based on certain capabilities the cloud WF can enable.  Most cloud WAF providers should provide an option to enable a CDN along with the WAF service at no additional cost. This ensures that you can actually get a boost in website performance along with security as most of the sites (even the dynamic ones) have more than 75% static content that can be served automatically from the closest edge from where the user is browsing.  Also check if the cloud WAF infrastructure is hosted and built on existing public cloud architectures such as AWS or Azure, as it ensures they can and will automatically be able to enable multiple region support quickly to ensure the entire content including the dynamic ones is served in the most optimal manner to end-user and thereby providing a no trade-off website security offering.

Ensure that across all these deployment models there is a centralized console for management and visibility of the application security provided to the customers.

2. DDoS Protection

Distributed denial of service (DDoS) attacks make an online service unavailable. Such attacks exploit numerous zombie/compromised/hacked systems or other network resources. By definition, every website is vulnerable to DDoS attacks.

DDoS Protection

DDoS attacks cost up to $100, 000 per hour and if you are planning on comparing a web application firewall, it’s desirable to have some kind of DDoS protection from these attacks.

Modern, intelligent WAFs monitor your traffic continuously to protect against Layer 3, 4, and 7 attacks. Their global threat database feeds attack history and threat intelligence to your WAF for protection.

  • Real-time traffic visibility
  • Instant Layer 3, 4 and 7 protection
  • No downtime
  • Instant rules to block traffic from certain countries, IPs
  • Global threat database

3. Custom Rules

(based on application risks with quick, managed protection)

Suppose there is an exclusive vulnerability in your application (OWASP calls it Business Logic Flaws) and you want the WAF to cover it. How difficult would that be?

There are several web application firewall vendors that charge for creating custom rules on a per request basis. That would be frustrating and costly if you have a complex website requiring several rules. Also, make sure the guarantee provided by the vendor will check for false positives.  The responsibility of testing and putting them in block mode should not rest solely with the customer but also with the vendor providing those rules and security policy updates.  Look for vendors who back their custom rule services with a Zero False-positive assurance backed with a Service Level Agreement (SLA).

Ideally, the web application firewall should allow you to request custom rules from the portal without creating a fuss about it or charging you for each request. Ensure that you compare this feature from different WAF vendors before paying.

WAF Example

  • No charges for creating extra protection rules
  • Easy rule request
  • Rules created by security analysts eliminating false positives

Enabling WAF policies without an understanding of your application vulnerabilities may put your application at high risk.  It is important that the WAF provides an integrated offering to include security testing of your application and an integrated offering to instantly protect against those risks, along with the option to request custom rules.

Also, the WAF must come with default policies that can be deployed in BLOCK mode from day-1 so that most of the common attacks can be blocked instantly.

4. Block-Log- Challenge Switch

Security intelligence is an unparalleled asset.

It helps you build stronger web applications that can guard requests, protecting critical data. WAF logs are critical to building a central security intelligence repository.

Block-Log- Challenge Switch

While a basic web application firewall act as robots blocking requests based on prewritten rules, intelligent WAFs give you the power of decision-making.

  • Block- Block the request completely. The user/attacker will not bypass the request (for critical assets and requests)
  • Log- Flag the request to study user behavior. Enable block or challenge after reviewing the logs
  • Challenge- Throw a CAPTCHA request to allow access
  • Use each of the above incidences as foundation units of intelligence to learn and update policies in order to further enhance the defense posture and prevent future attacks

5. Free, Full Feature Trial

It’s a no-brainer. You wouldn’t want to purchase a critical tool such as a web application firewall without a trial. After all, you will only gauge potential benefits and/or product compatibility issues after the onboarding.

Access Denied

Ensure that the cloud WAFs that you compare have a full feature trial option without “money-back” or “we need a card for authentication” prerequisites. You wouldn’t want to enter a credit card for 3 different subscriptions for trial and end up being charged for them.

Ideally, a full-feature WAF trial should include everything that it has to offer for testing, but you can also settle for the following:

      • Protection from OWASP top 10 and SANS 25 issues
      • Zero-day vulnerability Protection
      • One-touch Country/IP Blacklisting
      • Full Access to the dashboard including reports
      • Anti-DDoS
      • Chat/Email/Phone Support for questions during the trial
      • At least 30 GB of bandwidth
      • Security assessment of your application with security scans
      • Customs rules and virtual patching
      • Clear visibility into security risks in correlation to attacks happening

End Notes

Whether you are a startup, a small business, or a booming giant,  web application firewalls have become a modern online business necessity. Irrespective of your company’s patching capabilities, you cannot afford risks with customer data, financial transactions, and asset availability.

Also, the WAF has to facilitate the customer journey into cloud adoption by allowing hybrid deployment models but with the cloud benefit of a centralized pane for visibility of security posture across all web application independent of where the firewall is deployed

According to Gartner, using a SaaS-based managed web application firewall such as AppTrana is a good alternative for enterprises that do not want to procure new hardware and have time to hire and train staff to manage it.

Get Instant Protection, Continuous Management & Zero False-positive WAF.  Start a Free Trial

web application security banner

Venkatesh Sundar

Venky is an Application Security technologist who built the new age Web application Scanner and Cloud WAF - AppTrana at Indusface as a Founding CTO. Currently, he spends his time on driving Product Roadmap, Customer Success, Growth, and technology adoption for US businesses.

Share Article:

Join 51000+ Security Leaders

Get weekly tips on blocking ransomware, DDoS and bot attacks and Zero-day threats.

We're committed to your privacy. indusface uses the information you provide to us to contact you about our relevant content, products, and services. You may unsubscribe from these communications at any time. For more information, check out our Privacy Policy.

Related Posts

Cloud WAF Pricing
Cloud WAF Pricing: All You Need to Know

Explore Cloud WAF pricing and different options and factors to find the perfect fit for your web application security requirements.

Read More
Managed Cloud WAF
Managed WAF: A Must-Have to Stop Website Attacks

A Managed WAF is a comprehensive cybersecurity service offered by specialized providers to oversee, optimize, and maintain the security of web applications

Read More
cloud based firewall vs on premise
16 Ways Cloud WAFs are Better than On-Premise WAFs

Cloud WAFs outperform On-Premise WAFs in multiple ways – find out how in our breakdown of 16 key advantages.

Read More

AppTrana

Fully Managed SaaS-Based Web Application Security Solution

Get free access to Integrated Application Scanner, Web Application Firewall, DDoS & Bot Mitigation, and CDN for 14 days

Get Started for Free Request a Demo

Gartner

Indusface is the only cloud WAAP (WAF) vendor with 100% customer recommendation for 4 consecutive years.

A Customers’ Choice for 2024, 2023 and 2022 - Gartner® Peer Insights™

The reviews and ratings are in!