Defense-in-Depth Strategy With WAF and VM-Series NGFW


Cyber attacks have become more sophisticated. This new reality is motivating organizations to adopt defense-in-depth strategies across their on-prem, private, and public cloud deployments. The defense-in-depth approach implements multiple layers of security to reduce the attack surface. Together, a Web Application Firewall (WAF) and the VM-Series firewall provide comprehensive security, particularly for customers who want a Zero Trust approach that protects not just inbound, but also outbound and east-west traffic. Read on to learn more about the capabilities of these two solutions.


Web Application Firewalls (WAF) Capabilities in Brief


A WAF acts as an application firewall to protect an organization's web apps from online attacks. It inspects HTTP/HTTPS traffic, applies policies to it, and performs checks on it. Typically, policies are defined to allow or block web requests based on certain parameters.


Because of its capability to inspect at L7, a WAF provides protection against attacks like Cross-Site Scripting (XSS), SQL Injection, Cross-Site Request Forgery (CSRF), and cookie poisoning. These are generally included in the OWASP Top 10 list. A WAF is available as a platform, as software, or as a service. It can be deployed in the cloud as a fully managed or self-managed service.


In AWS, WAF comes with a preconfigured set of rules which can be deployed on Amazon CloudFront, the Application Load Balancer, Amazon API Gateway for your REST APIs, or AWS AppSync for your GraphQL APIs. You can configure WAF from the AWS Firewall Manager console.





Similarly, in Azure, WAF is a feature available in the application load balancer (Application Gateway), which fronts the organization's application resources and can also be deployed with CDNs.





Organizations can also use a third-party load balancer like F5, which has built-in WAF capability. A WAF offers a rich security stack that is very effective against application attacks: it goes deep into the HTTP protocol, headers and parameters, and looks at the application context to provide the right security. WAFs with Azure CDNs also provide DDoS protection. WAFs are evolving to address new application layer use cases like API security.


VM-Series Capabilities: Harness the Full Power of NGFW


Palo Alto Networks VM-Series is an NGFW that combines advanced security capabilities with application firewall capabilities. Firewalls operate at the network layer and are the first line of defense against network-based attacks, which can span L3 to L7 across ingress, egress and east/west use cases. NGFWs include additional features such as intrusion prevention and deep packet inspection. The VM-Series also provides Advanced URL Filtering, threat prevention, App-ID based policies, DNS security, and WildFire, among many others. You can configure granular rules based on the content of the traffic stream. The NGFW is evolving to provide zero-day threat prevention using advanced ML (machine learning) and sandboxing capabilities as well.


Why WAF is Not Enough


Most of the inbound traffic towards a workload comes from the internet. The workloads accept HTTPS connections from the internet, and for these a WAF can provide protection against common web-based attacks. However, the exact nature of connections coming to the workload in your network may vary. It depends on the various business operations; for example, orchestration tools like Terraform and Puppet need connectivity to the workloads to automate various processes.


Developers and engineers may also need access to RDP/SSH services for the server's day-to-day activities. An unpatched application poses a greater risk, whether or not it is connected to the internet. With just a WAF in place, we leave a major gap for attackers to use these different avenues to break into your infrastructure. It is important to prevent malicious actors from breaking into the network via these methods other than HTTPS.


That's where the NGFW comes into play. An NGFW is required to provide holistic protection for inbound connections. NGFW platforms stay up to date with threat intelligence via cloud-delivered security services, and can detect and block malicious activity. The NGFW provides protection against known bad actors and prevents them from successfully breaching the network.


VM-Series and WAF Working Together


VM-Series, when deployed along with a WAF, provides protection against web-based attacks for web traffic, as well as advanced security capabilities for threat prevention. The same set of VM-Series firewalls can also protect against security risks associated with inbound, outbound and east-west traffic. Granular policies can be configured to provide appropriate control and checks based on the rich context information available to the VM-Series firewall (for example: App-ID, URL-based filtering, EDLs and so on).


WAFs are bringing in capabilities like bot protection to provide the first line of defense in globally distributed services delivered through CDNs. Firewalls, in addition to ingress, also protect against outbound attacks across the entire stack (with IPS, URL filtering, and web-traffic security). Trends like the adoption of SaaS are increasing the need to protect against threats like covert channels, data exfiltration, and ransomware. Implementing east-west security measures to prevent any kind of lateral movement has become a compliance requirement. By combining a WAF with the VM-Series firewall, you can achieve comprehensive security and fulfill your compliance requirements.


A WAF with VM-Series in an AWS architecture might look like the illustration below. The first level of check can be performed by the WAF running with the application load balancers on the inbound and outbound flow, before the traffic reaches the firewall for further inspection and checks.
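As an added example (not from the original post or from Palo Alto Networks), the WAF layer of that AWS architecture in Terraform: an AWS WAFv2 web ACL with the AWS-managed Common Rule Set, bound to the internet-facing Application Load Balancer so every inbound HTTP(S) request is checked before it is forwarded toward the VM-Series. The `alb_arn` variable is an assumption, and the VM-Series behind the ALB is not modelled here.

```hcl
# Added example, not from the original post. Assumes the ALB ARN below and that
# the ALB's targets sit behind the VM-Series (not modelled here).
variable "alb_arn" {
  description = "ARN of the internet-facing ALB fronting the workloads (assumed)"
  type        = string
}
resource "aws_wafv2_web_acl" "inbound_web" {
  name  = "inbound-web-acl"
  scope = "REGIONAL" # ALB or API Gateway; CloudFront needs scope = "CLOUDFRONT"
  # Requests that no rule blocks are forwarded to the ALB, and from there on to
  # the NGFW for its own L3-L7 inspection.
  default_action {
    allow {}
  }
  # AWS-managed rule group for common web exploits (XSS, LFI, malformed input):
  # the OWASP Top 10 style checks the post attributes to the WAF layer.
  rule {
    name     = "aws-common-rules"
    priority = 1
    override_action { # "none" keeps the rule group's own block actions in force
      none {}
    }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "aws-common-rules"
      sampled_requests_enabled   = true
    }
  }
  # ACL-wide metrics and sampled requests, so blocked requests show up in
  # CloudWatch and can be reviewed alongside the firewall's own logs.
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "inbound-web-acl"
    sampled_requests_enabled   = true
  }
}
# Attach the ACL to the ALB: the "first level of check" for inbound HTTP(S)
# before traffic reaches the firewall.
resource "aws_wafv2_web_acl_association" "alb" {
  resource_arn = var.alb_arn
  web_acl_arn  = aws_wafv2_web_acl.inbound_web.arn
}
```

Non-HTTP paths such as RDP/SSH or orchestration traffic never pass through this ACL, which is exactly the gap the post's "Why WAF is Not Enough" section leaves to the VM-Series.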



Similarly, in Azure, you can enable the WAF capability on the Application Gateway. In tandem, WAF and VM-Series can provide holistic security, with the WAF providing protection against the OWASP Top 10 and the VM-Series providing advanced security capabilities up to L7.


Do I always need WAF with VM-Series? 


A WAF offers security for web applications, whereas an NGFW provides granular control and measures for your entire network, with zero-day threat prevention capabilities at multiple points in the network. Whether or not you should enable a WAF depends on your organization's security strategy. The Palo Alto Networks VM-Series NGFW can provide robust defense against threats for your web applications and other workloads in a cloud deployment. With the security bases covered by the NGFW, it can turn out to be more cost-effective to simply adopt the VM-Series.


For a comprehensive security solution which provides protection against all kinds of inbound, outbound and east-west traffic, customers can choose to deploy VM-Series along with WAF—this is a true defense-in-depth strategy. 

