The Firewall Is Dead, Long Live the Firewall
This week The New Stack saw a great deal of discussion around a concept we haven’t heard about in a while, Web Application Firewalls (WAFs). A WAF provides a shield between an internet-facing application and the internet. The cloud native computing community we cover is slowly coalescing around an idea that is almost diametrically opposed to firewalls, namely Zero Trust Computing. Zero Trust gets rid of the firewall boundary itself, assumes the internal network is already compromised, and moves the burden of authentication and access control to end-user devices and the applications (or to their sidecars, if they are service mesh-enabled). Zero Trust means you simply don’t trust the network, even the private one.
A popular post on The New Stack this week, contributed by Check Point’s Head of Security TJ Gonen, pointed out that the WAF is totally unsuited for today’s DevOps environments: “It’s the worst-kept industry secret that WAFs aren’t all that they’re cracked up to be in the modern world of agile development. A WAF cannot keep up with application updates, which happen regularly, and maintaining a WAF has become labor-intensive and complex.”
Ouch! Others, however, are not so quick to body-bag the WAF. This week also saw the debut of Palo Alto Networks’ (PANW) Web Application Firewall for its Prisma Cloud security platform. To be fair, PANW is no stranger to the fast-moving DevOps environments that Gonen invokes: Prisma is built specifically for dynamic cloud native environments. Also, Prisma’s WAF is not exactly your father’s WAF (assuming your father is a security professional).
“In PANW’s new-look web application firewall, several different functions are combined to protect your cloud services. Its WAF combines application programming interface (API) security, runtime protection, and a bot defense platform into a strong defense for cloud native applications,” writes TNS security reporter Steven J. Vaughan-Nichols, in a sponsored report on the new technology.
“The word ‘firewall’ is a bit dated, but as you will see, the concepts that we are presenting here are completely new and are for completely new-and-modern environments,” further explained Ory Segal, PANW senior distinguished research engineer in The New Stack Makers podcast hosted by TNS founder and Publisher Alex Williams.
The traditional firewall doesn’t work in cloud native environments, Segal agreed. But in addition to the usual firewall duties, such as API protection, access control, file upload control and detection of unprotected web applications, the Prisma WAF offers dynamic features such as a “penalty box” for attackers, which can “ban” an attacker’s access on an as-needed basis.
“Then it doesn’t matter if then they pull out the big gun or big trick or the sophisticated attack, since those will be automatically and categorically blocked, because they’re in the penalty box, which again, is a very good defense against such attacks,” Segal said.