Integrated Web App Firewalls Make Sense In High-Performance Environments
September 7, 2010
Enterprises deploying high-end application delivery systems need to consider how best to secure their apps without imposing seconds or even fractions of seconds of latency, particularly in heavy-transaction environments where time literally means money. Web application firewalls (WAFs) are becoming an increasingly important component of control and delivery platforms, screening against common attacks such as SQL injection, cross-site scripting and cookie poisoning. Regulatory requirements, particularly PCI DSS (whose requirement 6.6 accepts a WAF as one of two ways to protect public-facing web applications, the other being application code review), make WAF deployment not only desirable but, for many merchants, effectively mandatory.
Application delivery controllers (ADCs) provide load balancing and application acceleration, using techniques such as advanced compression, caching and protocol optimization to deliver multi-gigabit performance to customers and business partners, as well as to employees using apps across distributed WANs and remote connections. The challenge is implementing a WAF that can handle SSL decryption and re-encryption and full-request traffic analysis without hurting performance or, in the worst case, availability.
Brad Trankina, for example, saw a big performance boost when he upgraded from his first WAF to F5 Networks' BIG-IP platform and its integrated Application Security Module (ASM) WAF. "From a latency standpoint, we had issues with international customers," says Trankina, director of network and information systems at Human Kinetics, a provider of physical activity and health information. "The transition to F5 dramatically improved that." The HTTP compression makes a significant difference, he says.
Enterprises that are already using or planning to buy application delivery systems have the option of deploying the WAF as a stand-alone appliance, from the application delivery controller vendor or a third party, or as an integrated component of the app delivery platform. If you are using one vendor for both application optimization and security, the choice often comes down to your network architecture preferences. The integrated approach simplifies policy management and optimizes traffic flow: an integrated WAF lets admins set application policy for load balancing and traffic control from the same interface as security policy, saving time and effort each time a new app is introduced or an existing one is modified. The trade-off is that WAF inspection now competes for the same CPU as load balancing and SSL termination, so the platform has to be sized for both workloads rather than for delivery alone.
An integrated WAF also maximizes performance because traffic only has to be decrypted and re-encrypted once, within a single appliance, rather than once per device in a chain. The industry move from 1024-bit to 2048-bit RSA keys (required, for instance, by the Extended Validation certificate guidelines for certificates valid past the end of 2010) underscores the importance of efficient SSL processing: a 2048-bit private-key operation costs several times the CPU of a 1024-bit one, so every extra decryption point in the path multiplies that cost. A single-appliance architecture also means that application traffic can be handed through each function without being copied. "Instead of copying data from one process and buffering it into a memory cell and copying from one process to another to another, you keep it in one spot where you do all the processing," said Ken Salchow, manager of technical marketing for F5. "Having a built-in Web application firewall gives you that efficiency."

Although WAFs are designed for Internet-facing Web applications, it's worth considering deploying them in front of internal users in branch offices on your corporate WAN, as well as remote users. Performance was an impediment to WAN deployment in the past. It also makes sense to keep policy simple, without regard to who is using the application, how and from where. A consistent, strong application security policy across the board should assume a high-risk environment. That's safer than trying to be too granular and setting policy based solely on location in complex, highly mobile user environments.
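The single-pass flow Salchow describes, together with the screening the article opens with (SQL injection, cross-site scripting, cookie poisoning), as an added illustration that is not F5's code or the article's own: a request that the TLS terminator has already decrypted once is parsed once, and every check then runs over the same parsed values instead of re-serializing the request between stages. The signatures, the HMAC cookie-signing scheme, the secret and the sample requests are all constructed for this example; a product's signature set is far larger and its normalization deeper.

```python
import hashlib
import hmac
import re
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, unquote

# Hypothetical per-device secret for cookie signing, constructed for this
# example only; a real appliance keeps it in its own key store.
COOKIE_KEY = b"example-only-not-a-real-key"

# Illustrative signatures only; real WAF rule sets are much larger.
SQLI_PATTERNS = [
    re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I),        # UNION SELECT
    re.compile(r"'\s*(or|and)\s+['\d]", re.I),                    # ' OR 1
    re.compile(r";\s*(drop|delete|insert|update|exec)\b", re.I),  # stacked query
]
XSS_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),   # onerror=, onload=, ...
    re.compile(r"javascript\s*:", re.I),
]


def sign_cookie(value):
    """Return value.tag, tag being an HMAC over the value set by the app."""
    tag = hmac.new(COOKIE_KEY, value.encode(), hashlib.sha256).hexdigest()[:32]
    return f"{value}.{tag}"


def verify_cookie(signed):
    """Return the original value if the tag verifies, else None."""
    value, sep, tag = signed.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(COOKIE_KEY, value.encode(), hashlib.sha256).hexdigest()[:32]
    return value if hmac.compare_digest(tag, expected) else None


def normalize(s):
    """URL-decode until stable so %2527 cannot smuggle a quote past the rules."""
    for _ in range(3):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def inspect(method, target, cookie_header="", body=""):
    """Single-pass inspection of one already-decrypted request.

    Returns ("allow", None) or ("block", reason). The request is parsed once;
    cookie verification and the signature checks share the parsed values.
    """
    path, _, query = target.partition("?")
    params = parse_qsl(query, keep_blank_values=True)
    if method == "POST":
        params += parse_qsl(body, keep_blank_values=True)
    values = [normalize(v) for _, v in params] + [normalize(path)]

    # 1. Cookie poisoning: every cookie the app set was signed on the way out,
    #    so a cookie the client edited no longer verifies.
    jar = SimpleCookie()
    jar.load(cookie_header)
    for name, morsel in jar.items():
        if verify_cookie(morsel.value) is None:
            return "block", f"cookie_poisoning:{name}"

    # 2. Injection signatures over the decoded parameters and the path.
    for v in values:
        for pat in SQLI_PATTERNS:
            if pat.search(v):
                return "block", "sqli"
        for pat in XSS_PATTERNS:
            if pat.search(v):
                return "block", "xss"
    return "allow", None


if __name__ == "__main__":
    # Constructed sample requests.
    print(inspect("GET", "/catalog?q=running+shoes&page=2"))
    print(inspect("GET", "/catalog?q=%2527%20OR%201%3D1"))
    print(inspect("GET", "/account", cookie_header="session=" + sign_cookie("user42")))
```

The cookie check is the part that needs state from the response side: the device signs (or encrypts) cookies as the application sets them and rejects any that come back modified, which is how a WAF catches cookie poisoning without knowing the application's semantics. The decode-until-stable loop in `normalize` is the minimum needed against double-encoding evasion; chaining a separate WAF behind the ADC would repeat that parsing and decoding on every hop, which is the copying cost the single-appliance argument avoids.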
PCI DSS continues to be a major driver for WAF adoption, as the credit card security standard (requirement 6.6) requires either a WAF or application code review to protect public-facing web applications, but that may be changing. Trankina, for example, cited PCI as an important reason for getting Human Kinetics' first WAF, but it wasn't the only reason. "We originally acquired a web application firewall for PCI," he said. "But at the same time we were switching to a new content management platform that made our old load balancing strategy unviable, and the new apps we were developing required additional application security."
Vendors say PCI has been and continues to be big, but it's not the only market factor by any means. "It's changed over the last 9 to 12 months; compliance is less and less frequently being listed as the driver," said Salchow. "Security is starting to take a lead in people's minds when dealing with applications. As more and more are being Internet-enabled, as there's more and more traffic, more and more mobile people, it's becoming integral to the application design process."