A Next-Generation Web Application Firewall (NGWAF) is an evolution of traditional Web Application Firewalls (WAFs). It incorporates advanced techniques to provide significantly improved protection against modern web application threats.
A traditional WAF separates normal from malicious traffic in a very specific way: by applying block lists or allow lists that control the flow of HTTP traffic into the application. Each allow or block decision is made against a list of predefined rules put in place by the admin team.
Next Generation WAFs (NG-WAFs) expand on this by monitoring and correlating traffic across sessions, users and application layers, rather than judging each packet or request in isolation.
That context is what lets an NG-WAF apply AI and behavioral analysis to traffic as a whole, so it can detect and block attacks before they succeed rather than after a signature is written for them.
Given the spectrum of NG-WAF tooling out there, it can be intimidating to assess the different capabilities on offer. Here are some components that are vital to any efficient and well-structured NG-WAF.
Blacklisting and whitelisting security technologies block a considerable number of threats, but their effectiveness depends on the lists they reference – they can only detect known exploits.
To combat this, many WAFs have already begun using behavior-based threat detection.
This compares user or application activities against expected patterns. The underlying issue with this is that any behavior falling outside of a WAF’s predefined profile – essentially any activity the WAF has not encountered before – will trigger an alert and potentially automated request denial.
This leads to an excessively high rate of false positives, leaving analysts in the same situation as before.
NG-WAFs get around this by adding another layer of analysis on top of the initial behavioral profiling. Anything that falls outside the baseline is not blocked outright; it becomes the focal point of further comparison against known and potential threat vectors. Each request is then assigned a risk score based on the likelihood of its involvement in a wider attack, and only requests whose score crosses a threshold are denied.
This extra layer cuts the false-positive rate substantially and lets teams block attacks without depending solely on signatures or hand-written rules.
Dedicated hardware still matters for a firewall's raw throughput, but cloud services are now deep-rooted within enterprise architecture, so firewalls must secure complex, distributed architectures and ephemeral workloads. Application security therefore goes beyond protecting the application layer itself; it starts with the shared responsibility model.
Depending on the service model, the division of security responsibilities between the cloud customer and provider varies. In IaaS, the provider handles securing the underlying infrastructure: the physical data centers, hosts, storage and network, and the virtualization layer.
The customer is responsible for securing everything that runs on top of it: the guest operating systems and their patching, the applications and their code, the data, identity and access management, and the network and firewall configuration in front of those workloads. The WAF lives squarely on the customer's side of that line.
Since NG-WAFs are increasingly able to cover multi-cloud assets and services, it is worth mapping the extent of your organization's cloud usage before choosing one. The same applies to the licensing structure of WAF-as-a-Service offerings, and to individual services such as APIs: if your DevOps teams rely on a large number of them, your NG-WAF needs to include API-specific protections (discovery of exposed endpoints, schema or parameter validation, and per-client rate limiting are the usual minimum) rather than treating API calls as ordinary web pages.
The final component of a cloud-native WAF is its scalability: given that a WAF routes all traffic through its central analysis platform, it needs to be able to keep up with spikes and dips in usage.
To address this, look for a next generation WAF provider that integrates WAF, CDN and DDoS protection within the solution. As the WAF is deployed on multiple points of presence around the world, this CDN integration also allows for improved latency thanks to local caching, alongside higher resilience.
A traditional network firewall controls the flow of traffic between networks, allowing or blocking packets based on source, destination, port, or protocol. It is excellent at stopping broad network-based attacks, but it does not look inside the HTTP payload at all. A traditional WAF does inspect HTTP requests, but it does so rule by rule: each request is matched against a fixed set of attack signatures, with no understanding of what normal traffic to that particular application looks like.
A next-generation WAF, on the other hand, looks at the context of these requests, inspecting them for signs of malicious intent, while also developing a background understanding of the normal behavior of the web application.
To delve into the differences, let's examine how the two solutions address a threat like cross-site scripting (XSS). In an XSS attack the attacker gets script of their choosing into a page served by a trusted site, for example through an unsanitized query parameter or stored comment, so that other users' browsers execute it in that site's origin.
Once that code runs, the attacker can read session cookies and tokens, capture whatever the user types or sees on the page, and issue requests to the application on the user's behalf.
Both types of WAF sit in front of the web application, inspecting each incoming request before it is allowed to reach the application.
In recent years attackers have focused heavily on evading request inspection: obfuscating JavaScript and stacking encodings (URL-encoding a payload twice, mixing in HTML entities, splitting keywords) so that the bytes on the wire no longer match the literal pattern a rule is looking for.
Legacy WAFs combated each individual attack vector by shipping static attack-pattern rules. In this model, every variant of an attack needs its own detection rule added to the WAF ahead of time, and a payload encoded in a way the rule author did not anticipate simply passes through.
This makes the rule set incredibly challenging to maintain, as administrators need to constantly keep up with new variants.
An NG-WAF instead normalizes the request before inspection and combines signature matching with the behavioral baseline and risk scoring described earlier: a decoded payload that matches a known pattern, or a request whose parameters, length or method deviate from what the endpoint normally receives, raises the risk score even when no rule names that exact variant. This lets NG-WAFs identify the script insertion seen in XSS attacks and protect sensitive data and resources from unauthorized access.
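The two sections above (the denylist-versus-risk-score argument, and the XSS evasion example) can be illustrated with one small scorer. The following Python is an example added here for illustration; it is not CloudGuard's or any vendor's logic. The signature list, the per-endpoint baselines, the score weights, the block threshold and all sample requests are constructed for the example. It contrasts a rule-only check on the raw value (`legacy_verdict`) with a layered check (`score_request`) that decodes the value before matching and adds baseline deviations to the score.

```python
"""Layered request scoring: static signatures, payload decoding and a per-endpoint
baseline combined into one risk score.  Illustration added for this article, not
CloudGuard's or any other vendor's logic; every request, baseline and weight
below is constructed for the example."""
import html
import re
import urllib.parse
from dataclasses import dataclass, field

# A small static denylist of the kind a legacy WAF ships: literal patterns only.
SIGNATURES = [
    re.compile(r"<script\b", re.I),
    re.compile(r"\bon(load|error|mouseover)\s*=", re.I),
    re.compile(r"javascript:", re.I),
]

BLOCK_THRESHOLD = 50  # hypothetical: score at which the request is denied


@dataclass
class EndpointBaseline:
    """What normal traffic to one endpoint looks like (learned from history)."""
    params: set
    max_len: int
    methods: set = field(default_factory=lambda: {"GET"})


# Constructed baselines; a real product learns these from observed traffic.
BASELINES = {
    "/search": EndpointBaseline(params={"q", "page"}, max_len=64),
    "/login": EndpointBaseline(params={"user", "pass"}, max_len=128, methods={"POST"}),
}


def split_query(query):
    """Split a raw query string into (name, raw_value) pairs WITHOUT decoding the
    value, so the legacy check sees the bytes exactly as they arrived.  (An '&'
    inside an HTML entity would arrive percent-encoded as %26 and is not split.)"""
    pairs = []
    for part in query.split("&"):
        if part:
            name, _, value = part.partition("=")
            pairs.append((urllib.parse.unquote_plus(name), value))
    return pairs


def normalize(value, rounds=3):
    """Peel off the encodings attackers stack to evade literal matching:
    percent-encoding (possibly applied twice) and HTML entities."""
    for _ in range(rounds):
        decoded = html.unescape(urllib.parse.unquote_plus(value))
        if decoded == value:
            break
        value = decoded
    return value


def signature_hit(value):
    return any(sig.search(value) for sig in SIGNATURES)


def legacy_verdict(query):
    """Rule-only WAF: block iff a signature matches the raw, undecoded value."""
    return any(signature_hit(raw) for _, raw in split_query(query))


def score_request(method, path, query):
    """NG-style layered check: return the risk score and why it was assigned."""
    score, reasons = 0, []
    pairs = split_query(query)
    for name, raw in pairs:
        if signature_hit(raw):
            score += 50; reasons.append(f"signature:{name}")
        elif signature_hit(normalize(raw)):
            score += 50; reasons.append(f"encoded-signature:{name}")
    base = BASELINES.get(path)
    if base is None:
        score += 10; reasons.append("unknown-endpoint")
    else:
        if method not in base.methods:
            score += 15; reasons.append(f"unexpected-method:{method}")
        for name, raw in pairs:
            if name not in base.params:
                score += 15; reasons.append(f"unexpected-param:{name}")
            if len(normalize(raw)) > base.max_len:
                score += 10; reasons.append(f"oversized:{name}")
    return {"score": min(score, 100), "reasons": reasons,
            "block": score >= BLOCK_THRESHOLD}


# Constructed sample traffic: benign, plain XSS, double-encoded XSS, and a
# request that matches no signature but deviates from the baseline.
SAMPLES = [
    ("GET", "/search", "q=shoes&page=2"),
    ("GET", "/search", "q=<script>alert(1)</script>"),
    ("GET", "/search", "q=%253Cscript%253Ealert(1)%253C%252Fscript%253E"),
    ("GET", "/search", "q=x&callback=" + "A" * 80),
]

if __name__ == "__main__":
    for method, path, query in SAMPLES:
        print(f"{method} {path}?{query[:40]:<40} legacy={legacy_verdict(query)!s:<5}",
              score_request(method, path, query))
```

Running it shows the point of the section: the plain `<script>` payload is caught by both checks, the double-encoded copy is missed by `legacy_verdict` but blocked by `score_request` once `normalize` has unwound the two layers of percent-encoding, and the unknown `callback` parameter with an oversized value earns a non-zero score for review without being auto-blocked, which is the behavior that keeps the false-positive rate down compared with alerting on every deviation.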
Check Point CloudGuard provides next-gen WAF protection from code creation to cloud deployment.
Powered by the Check Point Infinity platform, CloudGuard WAF delivers the most precise security in the market with the highest threat detection rate and lowest false-positive rate, enabling organizations to block attacks effectively and lower their overall risk profile with advanced AI-driven technology. It offers telemetry-based situational awareness, allowing admin teams to visualize complete attack chains instead of isolated alerts.
With a single click, admins can apply the WAF’s recommended fixes to respond to a threat in real-time.
Its intuitive, context-rich visualizations, paired with natural language querying, make it easy to understand and respond to emerging risks. Have a look for yourself with a demo.