Unlike most security technologies that attempt to identify a broad range of bad traffic by means of traditional detection methods, a web application firewall (WAF) is like a finely honed sword designed for a singular purpose: monitoring HTTP traffic between clients and web-servers. The payment card industry (PCI) accelerated the development of the WAF market since it provided a tangibly financial application of this technology. This made WAF a must-have in the arsenal of weapons for many of today’s security administrators.

Often tuned and developed based on the web application itself, a WAF is measured on its ability to prevent malicious attacks aimed at web services and the pages that support them (e.g., SQL injection, cross-site scripting) as well as its ability to scale to enterprise-grade levels of connected users (thousands in most cases). WAF products have explicit rules and controls that specify precisely the HTTP data that is permitted for the protected application. False positives are particularly critical in WAF implementations and as such factor heavily in any purchasing decision.

The NSS Labs WAF group test reveals that many solutions in the marketplace are reasonably effective at their roles, though there are degrees of efficacy. In the NSS Labs Security Value Map™ (SVM) for WAF, each vendor is represented by two dots. The upper dot reflects the product’s optimum security configuration and capability when properly tuned and deployed for the environment and applications. The lower is when protections are disabled in order to eliminate false-positives, which reduces the effective security of the device.

However, false positives in WAFs are not the same as false positives in other deep inspection security devices such as NGFW or IPS. Oftentimes, WAF false positives are caused by a web application being insecure and by an attacker creating an attack that misfires (and is unable to compromise the target web app). Such an attack would look like a legitimate attack but actually would be ineffective. In such cases, a WAF false positive should be eliminated by altering the web application and closing the known security hole, and not by reducing protection.

Key Findings:

  • Though several came close, no vendor achieved 100% security effectiveness.
  • Out of 6 vendors tested in the WAF group test, none received a Caution rating. This is a rare occurrence and reveals that the tested products are either reasonably secure, cost effective, or a combination of both.
  • Throughput is less important than sustained connections per second. Today’s consumer is increasingly less patient to access a service, and if they are forced to wait for a website function, any competitor website is merely a click away.
  • Some NGFW products now possess respectable WAF technology – an interesting option for organizations that are in the market for both technologies.
  • Cross-site scripting still remains a top challenge for the WAF industry.

To see how your preferred WAF vendor performed, download a copy of the WAF SVM graphic.