The Difference Between Next-Generation Firewalls and Web Application Firewalls
There is a lot of information on the internet about WAF (Web Application Firewall) and NGFW (Next-Generation Firewall) systems, and many people ask the question "Well, why do I need a WAF when I have an NGFW?", so I decided to answer this question whilst also demonstrating the Machine Learning (ML) options that F5 offers.
As I have worked with many vendors and different WAF and NGFW systems, I know that NGFW and WAF both have their roles in providing a robust level of cyber security to a company. To answer why a WAF is needed for web applications, I am going to outline some features that WAFs have and NGFWs do not. At the end, I have mentioned some new exciting F5 Machine Learning features and F5 Distributed Cloud (XC) integrations that F5 AWAF has or will have in the future. Please note that F5 AWAF (Advanced WAF) was called ASM in the past.
1. F5 AWAF application learning with the F5 policy builder engine.
2. F5 AWAF signatures and threat campaigns (live updates).
3. F5 AWAF DOS and Bot browser integrity checking protections.
4. F5 AWAF automatic latency- and TPS-based DOS mitigations and protections.
F5 AWAF Security Features:
Below is a description of each WAF feature:
The WAF can learn the web application's allowed HTTP methods, URLs, file types, parameters, etc. This is something that an NGFW cannot do, and it is called positive security. An NGFW can understand that the protocol is HTTP and conduct basic signature and RFC compliance checks, but NGFWs are streaming devices, not full HTTP proxies, so they have limited capabilities to learn the application's baseline objects and allow only traffic that matches the learned HTTP model. The traffic-learning process is based on statistical web application analysis and is close to machine learning. Its purpose is to limit the attack surface of the web application by allowing only the HTTP data that the web application uses for legitimate purposes. F5 even learns content types like JSON or XML, and it can ingest XML schema files from the developers or Swagger/OpenAPI files for API protection, like an API gateway.
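To make the positive-security idea concrete, here is an added example (my own code, not F5's policy builder): a tiny learned HTTP model that records the methods, URLs, file types, parameter names and content types seen in legitimate traffic, and then reports any request that falls outside that baseline. The sample traffic is constructed; a real learning phase would ingest far more requests before enforcing.

```python
import os
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qsl

@dataclass
class LearnedModel:
    """Positive-security baseline: only what legitimate traffic was seen to use."""
    methods: set = field(default_factory=set)
    urls: set = field(default_factory=set)
    file_types: set = field(default_factory=set)
    params: dict = field(default_factory=dict)        # URL -> parameter names seen on it
    content_types: set = field(default_factory=set)

def _split(raw_url):                                   # path, file type and parameter names
    parts = urlsplit(raw_url)
    ext = os.path.splitext(parts.path)[1].lstrip(".") or "no_ext"
    names = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
    return parts.path, ext, names

def learn(model, method, raw_url, content_type=None):
    """Feed one request that was judged legitimate into the baseline (learning mode)."""
    path, ext, names = _split(raw_url)
    model.methods.add(method)
    model.urls.add(path)
    model.file_types.add(ext)
    model.params.setdefault(path, set()).update(names)
    if content_type:
        model.content_types.add(content_type.split(";")[0].strip().lower())

def enforce(model, method, raw_url, content_type=None):
    """Return the violations of the learned model; an empty list means the request is allowed."""
    path, ext, names = _split(raw_url)
    violations = []
    if method not in model.methods:
        violations.append(f"illegal method: {method}")
    if ext not in model.file_types:
        violations.append(f"illegal file type: {ext}")
    if path not in model.urls:
        violations.append(f"illegal URL: {path}")
    else:
        violations += [f"illegal parameter: {n}" for n in names if n not in model.params[path]]
    if content_type and content_type.split(";")[0].strip().lower() not in model.content_types:
        violations.append(f"illegal content type: {content_type}")
    return violations

# Constructed sample of legitimate traffic, as a learning phase would have observed it.
MODEL = LearnedModel()
for m, u, ct in [("GET", "/index.html", None), ("GET", "/api/users?id=7", None),
                 ("POST", "/api/users", "application/json"), ("POST", "/login.php", "application/x-www-form-urlencoded")]:
    learn(MODEL, m, u, ct)
```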
Even for negative, signature-based security, a WAF is much better at protecting web traffic than an NGFW. If there is a false positive and a signature needs to be turned off, with F5 AWAF you disable the signature just for the affected parameter, URL, HTTP header, cookie or HTTP body, and in this way you decrease the size of the security hole. Also, F5 AWAF has far more signatures for web traffic than a normal NGFW, as the NGFW needs signatures for many more protocols and applications than just the web. As a streaming security device, it would add slowness and latency if it had to check, for example, 4000 signatures for a single web request. The F5 AWAF system places new or modified signatures into Staging Mode for 1 week so as not to block good traffic; I have not seen an NGFW do this for its signatures. F5 also has a feature called Threat Campaigns that is updated every 15 minutes. While most NGFW systems have features like this, they are only for file scanning and not for web attacks. F5 Threat Campaigns is a similar feature to the F5 signatures, but it is made to target 0-day attacks that are seen in specific parts of the world.
Please see this link for a map that shows the current ongoing attacks: https://threatcampaignsmap.f5.com/
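The two mechanisms described above, a one-week staging period and disabling a signature only for one entity rather than globally, are shown in this added example (my own code, not the F5 signature engine). The two signatures, their IDs and the 7-day period are constructed to mirror the text.

```python
import re
from datetime import datetime, timedelta

STAGING_PERIOD = timedelta(days=7)   # new or modified signatures only alarm during this period

class Signature:
    def __init__(self, sig_id, pattern, added):
        self.sig_id = sig_id
        self.pattern = re.compile(pattern, re.IGNORECASE)
        self.added = added                # when the signature was added or last modified

    def in_staging(self, now):
        return now - self.added < STAGING_PERIOD

class SignaturePolicy:
    def __init__(self, signatures):
        self.signatures = signatures
        self.exemptions = set()           # (sig_id, entity kind, entity name) tuples

    def disable_for(self, sig_id, kind, name):
        """Turn a signature off only for one parameter/header/cookie instead of globally."""
        self.exemptions.add((sig_id, kind, name))

    def inspect(self, request, now):
        """request: dict with 'params', 'headers' and 'cookies' sub-dicts.
        Returns (action, findings); action is 'block', 'alarm' or 'pass'."""
        findings = []
        entities = (("parameter", request.get("params", {})),
                    ("header", request.get("headers", {})),
                    ("cookie", request.get("cookies", {})))
        for sig in self.signatures:
            for kind, items in entities:
                for name, value in items.items():
                    if (sig.sig_id, kind, name) in self.exemptions or not sig.pattern.search(value):
                        continue
                    state = "staged" if sig.in_staging(now) else "enforced"
                    findings.append((sig.sig_id, kind, name, state))
        if any(f[3] == "enforced" for f in findings):
            return "block", findings
        return ("alarm" if findings else "pass"), findings

# Constructed toy signatures; real signature sets are far larger and vendor-maintained.
NOW = datetime(2024, 6, 1)
POLICY = SignaturePolicy([
    Signature("SIG-HTML-TAG", r"<\s*script", added=NOW - timedelta(days=90)),   # enforced
    Signature("SIG-PATH-TRAV", r"\.\./", added=NOW - timedelta(days=2)),       # still in staging
])
```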
F5 AWAF has advanced DOS/DDOS and Bot protections based on injecting JavaScript into the server response in order to check whether the traffic is coming from a bad bot. This is something that I have not seen any NGFW do, as it means manipulating the web data rather than just blocking or allowing traffic. F5 even builds a device fingerprint so as to block traffic without basing the decision on an IP address, as nowadays many users can come from the same IP address. With an NGFW, however, blocking of Internet-facing users is always based on the IP address. An NGFW can block traffic based on user IDs or AD groups, but this is for internal users, not Internet clients that just use the application.
For the F5 AWAF DOS and Bot protection features, F5 uses machine learning based on the TPS (transactions per second) or the latency of the server's HTTP reply. This is used to check whether there is an ongoing DOS attack and to trigger rate limiting, a captcha, a honeypot, or a browser integrity check that injects JavaScript into the server's HTTP responses to determine whether the client is a bot or a user with a web browser, or simply to block the traffic. NGFWs have DOS protection options, but they are static: you often need to modify the DOS thresholds yourself, and usually the DOS protections are only on layer 3/4 (F5 has another module called AFM that can do automatic DOS protection on layer 3).
Please see this F5 article that I published in the F5 community regarding this: https://community.f5.com/t5/community-articles/f5-afm-edge-firewall-and-the-difference-between-edge-firewalls/ta-p/301926
For layer 7 HTTP protection, you can write a custom signature on an NGFW that monitors the number of HTTP GET or POST requests for a URL, but again it will use a static number, and the only option will be to block the traffic, with no captcha, honeypot, or JavaScript injection. With machine learning, the F5 AWAF can even automatically create custom signatures to block DOS traffic.
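The contrast drawn above, a static per-URL threshold versus a baseline learned from TPS and server latency with escalating mitigations and an automatically derived blocking signature, is illustrated by this added example (my own simplified code, not F5's behavioral DOS implementation). The thresholds, the mitigation tiers and the request samples are constructed for the illustration.

```python
import statistics
from collections import Counter

def baseline(history):
    """history: (tps, server latency in ms) per window, measured during normal operation."""
    tps = [h[0] for h in history]
    lat = [h[1] for h in history]
    return {"tps": (statistics.mean(tps), statistics.pstdev(tps)),
            "lat": (statistics.mean(lat), statistics.pstdev(lat))}

def detect(base, tps, latency_ms, k=3.0):
    """Standard deviations the worse of TPS or latency sits above baseline; 0.0 if within k."""
    z_tps = (tps - base["tps"][0]) / max(base["tps"][1], 1e-9)
    z_lat = (latency_ms - base["lat"][0]) / max(base["lat"][1], 1e-9)
    worst = max(z_tps, z_lat)
    return worst if worst > k else 0.0

def mitigation(severity):
    """Escalate from the least to the most intrusive mitigation as severity grows."""
    if severity == 0.0:
        return "none"
    if severity < 5:
        return "rate-limit"
    if severity < 10:
        return "js-challenge"      # browser integrity check injected into the response
    if severity < 20:
        return "captcha"
    return "block"

def dynamic_signature(normal_reqs, attack_reqs, min_share=0.6, min_lift=5.0):
    """Build a blocking signature from attributes that dominate the attack window
    but were rare in normal traffic; attributes spread across many values are left out."""
    sig = {}
    for attr in ("url", "user_agent", "fingerprint"):
        top, n = Counter(r[attr] for r in attack_reqs).most_common(1)[0]
        share = n / len(attack_reqs)
        normal_share = sum(r[attr] == top for r in normal_reqs) / len(normal_reqs)
        if share >= min_share and share / max(normal_share, 1e-9) >= min_lift:
            sig[attr] = top
    return sig

# Constructed sample data: five quiet windows of history and one window of attack-like requests.
HISTORY = [(100, 50), (110, 55), (95, 48), (105, 52), (100, 50)]
BASE = baseline(HISTORY)
NORMAL_REQS = ([{"url": "/", "user_agent": "Mozilla/5.0", "fingerprint": "fp-a"}] * 9
               + [{"url": "/login", "user_agent": "Mozilla/5.0", "fingerprint": "fp-b"}] * 6
               + [{"url": "/search", "user_agent": "Mozilla/5.0", "fingerprint": "fp-c"}] * 2
               + [{"url": "/about", "user_agent": "Safari/17", "fingerprint": "fp-d"}] * 3)
ATTACK_REQS = ([{"url": "/search", "user_agent": "scanner/1.0", "fingerprint": f"fp-{i}"} for i in range(27)]
               + [{"url": "/", "user_agent": "Mozilla/5.0", "fingerprint": "fp-a"}] * 3)
```

The fingerprint is deliberately left out of the generated signature because the attack requests spread across many fingerprints, so blocking on it would hit nobody in particular.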
Other advanced features I have seen on the F5 AWAF that are not found on NGFWs are:
a. Cross-site request forgery (CSRF)
b. Server-side request forgery (SSRF)
c. Brute force protection based on failed and successful login attempts, where you configure the URL used for authentication in the web application (it can also be learned by F5 AWAF application learning if this feature is enabled).
d. Session tracking and cookie protection, based on the cookies that F5 inserts into the server replies.
e. F5 can automatically block users for a period of time if they generate too many violations, by tracking their session based on the extra cookies F5 inserts, the IP address, or the login page username. (There is an integration for login pages between F5 AWAF and F5 APM, as F5 APM generates sessions after a successful login. F5 APM is a Network Access Control (NAC) system and advanced VPN concentrator, and it provides zero trust access to applications and much more!) From what I have seen, to block users who generate too many violations on an NGFW, even by IP address, a SOAR or other API automation system is needed.
f. F5 has a Data Safe feature that protects end-user devices by inserting JavaScript that encrypts usernames and passwords in the client's browser, as the end user and their potentially infected device are the weakest link in any security setup. F5 also has another module called FPS (previously called WebSafe) that can even use JavaScript to detect malware on end-user machines and send an alarm to the SOC team!
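Items c and e above share one mechanism: counting events (failed logins, policy violations) per tracked client and blocking that client for a while once a limit is hit. This added example (my own code, not F5's session tracking) keys the counters on the WAF-inserted session cookie, the login username and the source IP together, so a client cannot escape tracking by dropping the cookie or changing address. The login URL, limits and window are constructed settings.

```python
from collections import defaultdict, deque
LOGIN_URL = "/login"        # authentication URL configured in the policy (or learned)
MAX_FAILED = 5              # failed logins per tracked key within WINDOW before blocking
MAX_VIOLATIONS = 3          # policy violations per tracked key within WINDOW before blocking
WINDOW = 60.0               # seconds
BLOCK_SECONDS = 600.0       # how long a key stays blocked

class SessionTracker:
    def __init__(self):
        self.failed = defaultdict(deque)       # key -> timestamps of failed logins
        self.violations = defaultdict(deque)   # key -> timestamps of policy violations
        self.blocked_until = {}                # key -> unix time the block expires

    @staticmethod
    def keys(req):
        """Track by session cookie, login username and source IP at the same time."""
        keys = []
        if req.get("session_cookie"):
            keys.append(("session", req["session_cookie"]))
        if req.get("username"):
            keys.append(("user", req["username"]))
        keys.append(("ip", req["src_ip"]))
        return keys

    def is_blocked(self, req, now):
        return any(self.blocked_until.get(k, 0) > now for k in self.keys(req))

    def _record(self, table, req, now, limit):
        """Append a timestamped event per tracking key and block keys that hit the limit."""
        for k in self.keys(req):
            dq = table[k]
            dq.append(now)
            while dq and now - dq[0] > WINDOW:     # keep only events inside the window
                dq.popleft()
            if len(dq) >= limit:
                self.blocked_until[k] = now + BLOCK_SECONDS
        return "block" if self.is_blocked(req, now) else "pass"

    def on_login_result(self, req, success, now):
        """Call once the backend has answered a request to LOGIN_URL."""
        if req["url"] != LOGIN_URL:
            return "pass"
        if success:                                 # a successful login resets the counters
            for k in self.keys(req):
                self.failed[k].clear()
            return "pass"
        return self._record(self.failed, req, now, MAX_FAILED)

    def on_violation(self, req, now):
        return self._record(self.violations, req, now, MAX_VIOLATIONS)
```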
F5 AWAF & F5 Distributed Cloud (XC)
F5 AWAF now has integrations with F5 XC for more advanced Bot, client-side defense, stolen credential detection and fraud prevention detection. This is because a local device does not have the hardware capacity to do deep machine learning scanning of web traffic, whereas a cloud-based system does not have this limitation. The XC cloud bot protection feature is based on Shape Security’s technology, which F5 bought, as they were the leader in detecting and blocking bad bots.
You can learn more about these cloud services at https://community.f5.com/t5/technical-articles/leverage-big-ip-17-1-distributed-cloud-services-to-integrate-f5/ta-p/310464.
What’s next for F5 AWAF?
Another F5 feature that could be added in the future to F5 AWAF is machine learning for false positives that automatically disables signatures and violations if they are causing false positives. Starting in F5’s TMOS version 15.1 there is such a feature; however, it is still based on statistics and not true machine learning.
You can read about it at https://my.f5.com/manage/s/article/K20132133. This will likely be similar to what is present in the F5 XC Distributed Cloud and is described here: https://community.f5.com/t5/technical-articles/f5-distributed-cloud-waf-ai-ml-model-to-suppress-false-positives/ta-p/299946.
NGFWs now have machine learning features, but they are targeted at scanning files that can contain zero-day malware, or at scanning URLs when the NGFW is used as a forward web proxy, and this protection is only for internal company users, not for Internet-facing clients. For Internet-facing clients, the F5 AWAF reverse proxy is needed.
Other features that we may see in the future on the normal F5 AWAF or on F5 AWAF on BIG-IP NEXT are the F5 XC behavioral WAF feature (similar to the current behavioral DOS detection options and DOS auto signature generation), which detects bad users based on machine learning.
See this article for further information: https://community.f5.com/t5/technical-articles/automation-of-malicious-user-detection-mitigation-using-f5/ta-p/305170.
In summary, when it comes to safeguarding both internal and external network traffic, F5's AWAF offers capabilities that are not only superior to traditional WAFs but also provide functionalities that NGFWs currently lack. As cybersecurity threats continue to evolve, so too will F5's AWAF, making it a strong consideration for organizations looking to enhance and future-proof their security.
Relevant Links:
CSRF: https://my.f5.com/manage/s/article/K11930
SSRF: https://my.f5.com/manage/s/article/K36263043
Brute Force Protection: https://my.f5.com/manage/s/article/K18650749
F5 AWAF cookies: https://my.f5.com/manage/s/article/K6850
F5 AWAF Data safe: https://my.f5.com/manage/s/article/K02145419
F5 Session Tracking and hijacking protection:
https://my.f5.com/manage/s/article/K02212345
https://my.f5.com/manage/s/article/K40120684
Author: Nikolay Dimitrov