Web App Firewalls: How to Evaluate, Buy, Implement

While some traditional firewalls provide a degree of application awareness, it's not with the granularity and specificity that WAFs provide, says Diana Kelley, founder of consultancy Security Curve. For instance, the WAF can detect whether an application is not behaving the way it was designed to, and it enables you to write specific rules to prevent that kind of attack from reoccurring.

WAFs also differ from intrusion prevention systems. "It's a very different technology--it's not signature-based, it's behavioral, and it protects against vulnerabilities you [inadvertently] create yourself," says Greg Young, an analyst at Gartner.

One of the primary drivers for WAFs today is the Payment Card Industry Data Security Standard (PCI DSS), which identifies two ways of being in compliance: WAFs and code review. (See .) But another driver is simply the growing recognition that attacks are moving from the network to applications. In a study by WhiteHat Security, which assessed 877 websites from January 2006 to December 2008, 82 percent had at least one issue of high, critical or urgent severity.

The web application firewall market is still undefined, with many dissimilar products falling under the WAF umbrella. "Many products provide functionality above and beyond what one would consider a firewall," says Ramon Krikken, research analyst at Burton Group. "This makes products hard to evaluate and compare." In addition, new vendors are entering the market, by expanding existing non-WAF products into the integrated segment.