What Is a Next-Generation WAF?

A Next-Generation Web Application Firewall (NGWAF) is an evolution of traditional Web Application Firewalls (WAFs). It incorporates advanced techniques to provide significantly improved protection against modern web application threats.

A traditional WAF separates normal from malicious traffic in a very specific way: by applying block or allow lists that control the flow of traffic into a network. Traditional WAFs base each allow decision on a list of predefined rules, put in place by the admin team.

Next Generation WAFs (NG-WAFs) expand on this by monitoring and controlling traffic across different network levels, rather than just on a packet-by-packet basis.

This allows them to incorporate AI to analyze all network behavior, letting them detect and block attacks preemptively.


Key Features to Prioritize in a Next-Generation WAF

Given the spectrum of NG-WAF tools out there, it can be intimidating to assess the different capabilities on offer. Here are some components that are vital to any efficient and well-structured NG-WAF.

The Right Kind of Behavioral Analysis

Blacklisting and whitelisting security technologies block a considerable number of threats, but their effectiveness depends on the lists they reference – they can only detect known exploits.

To combat this, many WAFs have already begun using behavior-based threat detection.

This compares user or application activities against expected patterns. The underlying issue with this is that any behavior falling outside of a WAF’s predefined profile – essentially any activity the WAF has not encountered before – will trigger an alert and potentially automated request denial.

This leads to an excessively high rate of false positives, leaving analysts in the same situation as before.

NG-WAFs get around this by adding another layer of analysis on top of the initial behavioral profiling. When anything falls outside this baseline, it becomes the focal point of ongoing comparison against known and potential threat vectors. Each request is then assigned a risk score, based on the likelihood of its involvement in a wider attack.

This precision brings with it almost zero false positives and allows teams to block issues without relying on signatures or rules.

Cloud Native

While firewall hardware is vital to its underlying performance, cloud services are now deep-rooted within enterprise architecture. This means that firewalls now need to secure complex architectures and ephemeral workloads. Application security goes beyond just protecting the application layer – it starts with a shared responsibility model.

Depending on the service model, the division of security responsibilities between the cloud customer and provider can vary. In IaaS, the provider handles securing the infrastructure, such as:

  • Hosts
  • Operating systems
  • Networks

The customer is responsible for securing the operations that occur on top, like:

  • Authentication
  • Access control
  • Data governance

Since NG-WAFs are increasingly able to cover multi-cloud assets and services, it’s worth looking at the extent of your organization’s cloud usage before choosing. This also applies to the licensing structure of WAF-as-a-Service offerings. The same goes for individual services like APIs – if your DevOps team relies on a large quantity of them, your NG-WAF needs to include:

  • API discovery that looks at the schema
  • Real-time usage to detect API misconfiguration and abuse

The final component of a cloud-native WAF is its scalability: given that a WAF routes all traffic through its central analysis platform, it needs to be able to keep up with spikes and dips in usage.

To address this, look for a next generation WAF provider that integrates WAF, CDN and DDoS protection within the solution. As the WAF is deployed on multiple points of presence around the world, this CDN integration also allows for improved latency thanks to local caching, alongside higher resilience.

WAF vs. Next Generation WAF: What’s the Difference?

Traditional web application firewalls focus on controlling the flow of traffic between networks, allowing or blocking data based on source, destination, port, or protocol. They are excellent for stopping broad network-based attacks, but they don’t look inside the data itself or understand the context of the web application traffic.

A next-generation WAF, on the other hand, looks at the context of these requests, inspecting them for signs of malicious intent, while also developing a background understanding of the normal behavior of the web application.

Real-Life Example: XSS Attack

To delve into the differences, let’s examine how the two different solutions address a threat like cross-site scripting (XSS). XSS attacks manipulate how browser applications handle site scripts, to let attackers execute malicious JavaScript on other users’ devices.

When this malicious code is executed, the attacker is free to steal information being transferred by the user.

Both types of WAF sit at the entry point to a network, inspecting incoming traffic before it’s allowed to access the web application.

  • Traditional WAFs assess traffic legitimacy by monitoring certain static components – in the case of XSS, this can be the existence of script elements in a user input space, like a login field. While this was effective immediately, attackers were able to quickly adjust their approaches: rather than an HTML script tag, for instance, they simply switched to a <body> tag with onload attributes.

More recent battles for users’ data have seen a heavy focus on JavaScript and script encoding.

Legacy WAFs combated each individual attack vector by issuing static attack pattern templates. In this model, every individual attack needs its own detection rule to be added to the WAF tool ahead of time.

This makes it incredibly challenging to maintain, as administrators need to constantly keep up.

  • A next-generation WAF’s ML engine has been trained on an industry’s worth of attack data, allowing it to pick up on novel attack strains and identify malicious intent even if it doesn’t match known patterns.

This means NG-WAFs are able to identify the malicious code insertion seen in XSS attacks, protecting sensitive data and resources from unauthorized access.
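The contrast drawn above between a static pattern rule and per-request risk scoring, as an added example that is not from the original page and is not Check Point's engine. A hand-weighted heuristic stands in for the ML model; the signal list, weights, threshold and sample values are all assumptions constructed for illustration.

```python
import html
import re
from urllib.parse import unquote

# Static signature of the kind a rule-based WAF relies on: a literal <script> tag.
STATIC_RULE = re.compile(r"<script\b", re.IGNORECASE)

# Signals checked after normalization. Names, weights and threshold are assumptions.
SIGNALS = [
    (re.compile(r"<\s*script\b"), 0.8, "script tag"),
    (re.compile(r"<\s*\w+[^>]*\son\w+\s*="), 0.6, "inline event handler"),
    (re.compile(r"javascript\s*:"), 0.5, "javascript: URI"),
    (re.compile(r"<\s*(body|img|svg|iframe)\b"), 0.3, "markup in input field"),
]
BLOCK_THRESHOLD = 0.7

def normalize(value, max_rounds=3):
    """Undo nested URL and HTML-entity encoding, then lowercase."""
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value.lower()

def static_match(value):
    return bool(STATIC_RULE.search(value))  # binary verdict on the raw value

def risk_score(value):
    """Return (score in [0, 1], matched signal names) for one input value."""
    text = normalize(value)
    hits = [(weight, name) for rx, weight, name in SIGNALS if rx.search(text)]
    score = min(1.0, sum(weight for weight, _ in hits))
    return round(score, 2), [name for _, name in hits]

def verdict(value):
    return "block" if risk_score(value)[0] >= BLOCK_THRESHOLD else "allow"

if __name__ == "__main__":
    # Constructed sample field values, not captured traffic.
    samples = [
        "alice@example.com",
        "<script>alert(1)</script>",
        "<body onload=alert(1)>",
        "%253Cscript%253Ealert(1)%253C%252Fscript%253E",
        "use the <img> tag for pictures",
    ]
    for s in samples:
        print(f"{s!r}: static={static_match(s)} score={risk_score(s)} -> {verdict(s)}")
```

The static rule fires only on the literal tag, while the scorer also flags the event-handler and double-encoded variants and keeps the benign `<img>` mention below the blocking threshold.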

How Check Point’s Next-Generation WAF Delivers Zero-False-Positive Protection

Check Point CloudGuard provides next-gen WAF protection from code creation to cloud deployment.

Powered by the Check Point Infinity platform, CloudGuard WAF delivers the most precise security in the market with the highest threat detection rate and lowest false-positive rate, enabling organizations to block attacks effectively and lower their overall risk profile with advanced AI-driven technology. It offers telemetry-based situational awareness, allowing admin teams to visualize complete attack chains instead of isolated alerts.

With a single click, admins can apply the WAF’s recommended fixes to respond to a threat in real-time.

Its intuitive, context-rich visualizations, paired with natural language querying, make it easy to understand and respond to emerging risks. Have a look for yourself with a demo.
