Security Sidebar: A Point-Counterpoint Discussion On WAF Effectiveness

Web Application Firewalls (WAFs) are extremely popular today, and they provide critical protection for web applications.  But some experts have recently postulated that WAFs are not really as effective as many people think they are.  One recent article listed five ways that WAF protection fails.  Let’s do a point / counterpoint discussion with each of these five “WAF failures”.


Point #1: WAFs fail because of negligent deployment, lack of skills and different risk mitigation priorities.  Many companies simply don’t have competent technical personnel to maintain and support WAF configuration on a daily basis.

Counterpoint #1:  It’s true that most companies don’t have the technical expertise to maintain and support a WAF configuration.  But now they don’t have to.  F5 offers the Silverline cloud-based platform that provides WAF protection for your web applications.  Along with the WAF protection, Silverline also provides the technical expertise of our highly specialized F5 Security Operations Center (SOC) where teams of security professionals configure and maintain your WAF for you.  See, now you don’t really have to know about WAF configurations and support…the F5 team will do it for you!


Point #2: WAFs fail because they are deployed only for compliance purposes.  Midsize and small companies frequently install WAFs just to satisfy a compliance requirement. They don’t really care about practical security, and obviously won’t care about maintaining their WAF.

Counterpoint #2: While it’s true that some companies only deploy a WAF to satisfy certain compliance mandates (i.e. HIPAA, PCI-DSS), they can now use the WAF for the purposes it was designed for.  After all, why go through the expense and effort of buying and deploying a WAF just to say you have one?  Why not turn it on and use it to protect your web applications?  Maybe at this point in the discussion you find yourself back at point #1…at which time I would focus your attention to counterpoint #1.  Let F5 Silverline and F5 SOC do it for you!


Point #3:  WAFs fail because of the complicated diversity of constantly evolving web applications.  Today almost every company uses in-house or customized web applications, developed in different programming languages, frameworks and platforms. It’s still common to see CGI scripts from the 90s in pair with complex AJAX web applications using third-party APIs and web services in the cloud.

Counterpoint #3:  It’s true that we live in a complex web application world.  And, the crux of this “WAF failure” point is that things are just too complex and dynamic to keep up with.  But fear not!  F5 Silverline services gives you the expertise of our team of security professionals who understand the complexities of today’s web application environment.  Our team will build custom security policies that will protect your ever-changing web applications.  Whether you deploy a cloud-based WAF service or you choose to keep it on premises (or both), you can rest assured that our team will provide the expertise needed to keep your applications secure. 


Point #4: WAFs fail because business priorities dominate cybersecurity.  It’s almost unavoidable that your WAF will cause some false-positives by blocking legitimate website visitors.

Counterpoint #4:  The fact that your WAF produces a false positive is certainly not reason enough to completely turn it off.  Rather, you should fine tune and test the thing to stop producing false positives.  Of course, this gets back to point #1 where you don’t have the technical expertise to stop these pesky false positives.  And, of course, I focus your attention again on counterpoint #1 where the F5 SOC team can configure and fine tune all your security policies for you!


Point #5:  WAFs fail because of their inability to protect against advanced web attacks.  By design, a WAF cannot mitigate unknown application logic vulnerabilities, or vulnerabilities that require a thorough understanding of application's business logic. Few innovators try to use an incremental ruleset hardening in pair with IP reputation, machine learning and behavioral white-listing to defend against such vulnerabilities.

Counterpoint #5:  Advanced web attacks are certainly a serious threat for any company today.  It’s important to choose a WAF that is powerful and flexible enough to handle these advanced attacks.  The F5 Application Security Manager (ASM) allows organizations to gain the flexibility they need to deploy WAF services close to apps to protect them wherever they reside—within a virtual software-defined data center (SDDC), managed cloud service environment, public cloud, or traditional data center. 

The ASM also utilizes the power of F5’s IP Intelligence where malicious users are blocked based on their reputation score that is computed from multiple sources across the globe.  By identifying IP addresses and security categories associated with malicious activity, the IP Intelligence service can incorporate dynamic lists of threatening IP addresses into the ASM, adding context to policy decisions. The IP Intelligence service reduces risk and increases data center efficiency by eliminating the effort to process bad traffic.

ASM users also benefit from an extensive database of attack signatures, dynamic attack signature updates, DAST integration, and the flexibility of F5 iRules scripting for customization and extensibility.  The ASM also has whitelisting capabilities where known good IP addresses are always allowed access to your web applications. 



WAFs remain a critical and strategic point of control for defending your web applications.  But, as noted in the points above, WAFs must be deployed properly in order to achieve the full protection you require.  If you find yourself in a position where you need a WAF (don’t we all??) but you don’t have the expertise or resources to configure and maintain the WAF properly, take a look at F5 Silverline…it might be just the solution you need!

Published Apr 04, 2016
Version 1.0

Was this article helpful?

No CommentsBe the first to comment