Comparing Wallarm WAF Module to a Generic WAF

What do you do if you need to protect your website from XSS attacks? Most people patch it and get a WAF.

This is common knowledge and there are plenty of places where you could go to get basic protection for your websites. From a free solution to solutions costing hundreds of thousands of dollars, most of them will claim they protect from OWASP Top 10 threats. So is there a real difference between WAFs?

The answer is yes. That’s good because most people are unhappy with their legacy WAF solution.

About Legacy WAF’s

Most generic and inexpensive WAF solutions are based on ModSecurity, an open-source WAF released under Apache license 2.0. ModSecurity was first developed in 2002 to monitor application traffic on the Apache HTTP Server.

To detect generic vulnerabilities, ModSecurity relies on an open-source set of rules called OWASP ModSecurity Core Rule Set. The project is part of the Open Web Application Security Project (OWASP). Granted, several other rule sets are also available.

ModSecurity takes thousands of signatures or patterns provided in the rulesets and applies simple string matching and/or regular expression checks to detect some common types of vulnerabilities, such as XSS or SQLi. Unfortunately, these thousands of regular expressions require regular and manual upkeep both when new expressions need to be added and to weed out the ones that block legitimate traffic. This often prevents users from keeping their legacy WAF in full blocking mode.

Many vendors who primarily specialize in optimizing traffic flow have recently added ModSecurity-based WAFs to their offerings in an attempt to remake themselves into one-stop-shop for the websites with simple needs. Examples of these vendors include Cloudflare CDN, Fastly edge-computing, and NGINX load balancer.

Unlike legacy WAFs, Wallarm cloud-based WAF module is built from the ground up with the express purpose to automatically protect apps and APIs against the most sophisticated types of attacks. We have many customers who use Cloudflare as a CDN network and rely on Wallarm NGWAF for security.

Comparing Specific Features of Legacy WAFs to Our Cloud-Based WAF

Signature-based approach vs non-signature

• Legacy WAF’s are based on a signature-based approach using the CRS we mentioned above or similar alternatives. It only covers known payloads and is extremely easy to bypass.
• Wallarm WAF module doesn’t use signatures, is resistant to bypasses, and protects against 0day attacks with its AI-based rules.

No visibility vs full visibility

• Many legacy WAFs do not even offer GUID, provide little or no visibility into the attacks, and give no way to debug the issues.
• Wallarm provides full visibility of every malicious request, which application endpoints are affected, and how your application responded to the attacks.

Lack of API protection vs full API protection

• Legacy WAFs lack the ability to properly parse complicated API formats such as REST/JSON/SOAP/XML. This means a lack of protection for most distributed applications.
• Wallarm performs deep HTTPS request inspection to parse all the nested formats (such as XML -> JSON -> Base64 etc.) and inspect every API field.

Protection of internal apps and microservices

• When WAF is built into a CDN or an external DDOS service, you can never protect internal and test/staging apps or microservices (defense-in-depth trend suggests that the internal network is also vulnerable to compromise).
• With Wallarm hybrid architecture the filtering node always lives in your own infrastructure. This means you can protect both public facing and internal assets and have full visibility with a single unified cloud console with Wallarm.

Passive vs active threat verification

• Legacy WAFs can analyze requests and mark those that match known malicious patterns.
• Wallarm DAST component integrates with the Wallarm cloud-based WAF component to provide Active Threat Verification which actively analyses every attack to determine whether it exposes some vulnerabilities. All the active agents trying to attack your app, whether they are actual hackers or just bounty program participants, will contribute their human intelligence help to identify issues and protect your applications.

To learn more about how Wallarm’s Automated Cloud Protection WAF works, sign up for a free demo today.

Read about the common problems with legacy WAFs and how they relate to consumer adoption and technology.