In today's new digital business model, consumers and employees both require immediate access to data and resources using a growing number of endpoint devices.
To meet these demands, organizations are increasingly reliant on web-based applications and agile development strategies to keep those applications updated continuously and tuned to evolving requirements. In this new paradigm, Web Application Firewalls (WAF) play an increasingly critical role in protecting users, devices, applications, and resources from threats by inspecting and safeguarding HTTP connections and preventing web-based attacks such as cross-site scripting (XSS) and SQL injection.
For every externally facing application, however, there may be dozens of associated back-end components that are unseen, but which can be equally vulnerable to these sorts of web-based attacks. Making an online purchase, for example, may trigger applications that check inventory, send a pull request, process payments, coordinate shipping, and update the customer's database file. Attacks that interrupt or hijack any of these processes can have severe consequences for a business and its customers. Because web-based applications are so widely distributed and can traverse a such a wide variety of back-end network environments, protecting them requires WAF solutions with a similarly extended span of control.
Gartner’s Web Application Firewall MQ for 2018
In Gartner’s latest Magic Quadrant for Web Application Firewall MQ report for 2018, Fortinet has been placed in the Challenger quadrant, while also showing continued movement in ability to execute, closer to the Leader quadrant. Fortinet believes that a key differentiator of FortiWeb is that it does not operate in isolation. In fact, FortiWeb is deeply integrated with other security solutions, making it a uniquely integral part of a broader, more holistic security fabric strategy.
Today's sophisticated threats rarely occur in isolation. Instead, they are often part of an intricate attack strategy that relies on things like misdirection, multi-vector exploits, and hiding malware applications and traffic to evade detection. While an isolated WAF solution may pick up on one critical component of such a strategy—the compromise of a web-based application or the insertion of web-based malware—it is rarely able to identify the entire attack chain and intervene holistically.
A Broader Approach
This is why, in addition to our strong commitment to continuing to improve FortiWeb’s overall performance and security effectiveness, such as the introduction of AI-based machine learning, development resources are also heavily focused on deeper integration through seamless cross-functionality with the Fortinet Security Fabric and Fabric-Ready Partner community. While this sort of integrated approach is fundamental to securing today’s interconnected network environments, it is a functionality that Gartner, unfortunately, does not currently evaluate.
This is one reason why we also participate in a variety of other third-party testing and evaluations. NSS Labs, for example, has validated the FortiWeb solution with their coveted “Recommended” rating with top marks in the areas of performance, security effectiveness, value, and total cost of ownership.
Considerations When Evaluating a WAF Solution
Evaluating a Web Application Firewall solution for your organization, or any security solution for that matter requires examining a wide variety of considerations in two specific ways.
This first is to determine if it performs all the required tasks. The core functionalities of a WAF solution includes such things as malware protection, IT-reputation checks, and protocol validation. You also want to evaluate its ability to detect and prevent unknown threats with a high degree of accuracy and low incidence of false positives. In that regard, AI-based machine learning is a critical feature to look for, as it leverages the most advanced techniques available for protecting your organization from the growing number of new, unknown threats targeting the web applications your digital business relies on.
The second evaluation requirement is determining how well this solution will interoperate with and augment your existing security infrastructure.
Deep integration with your broader security architecture is crucial for not only for ease of management and policy orchestration but also for critical event correlation and coordinating a comprehensive response to an attack.
Throughput is also essential. Few organizations can afford for their web applications to slow down while a WAF solution checks traffic against behavioral profiles.
As the volume of web application traffic continues to increase, scalability is another critical consideration that needs to be carefully evaluated.
Given the growing cyber skills gap, ease of use also extremely important. Not only should a solution be easy to manage, but deploying, configuring, and the fine-tuning threat-response rules should also be seamless and straightforward. And as much as possible, management and orchestration ought to also be able to be integrated into existing management consoles to reduce administrative overhead and total cost of ownership.
Finally, reporting needs to not only provide relevant information on the historical aspects of the solution but should also comply with regulatory requirements, such as NIST 800 security controls and PCI-DSS security standards.
Summary
Evaluating WAF alternatives takes time, and the resources provided by such tools as Gartner’s Magic Quadrant for Web Application Firewalls report and NSS Labs certifications are extremely valuable. However, any WAF solution you ultimately choose needs to also fit seamlessly into your existing security architecture and augment your existing security profile. Issues like compatibility, integration, and performance are equally crucial and can mean the difference between a successful implementation or a logistical nightmare. But the potential to protect your growing reliance on web applications is worth the time and effort.