Delivering a better WAF faster

David King

Product Marketing Manager, Security, Fastly

At Fastly, we’re in the business of reimagining the web application firewall. Our main focus is clear: proactive protection of applications in production against known and unknown threats. But that’s just the beginning. Fastly’s Next-Gen WAF builds on the progress made by legacy vendors while avoiding their pitfalls, especially those perceived early in adoption.

As far as legacy WAF perceptions go, prospective users typically fall into one of two camps. The first is dead set against using a WAF because of past challenges: long setup times coupled with constant care and feeding, which require dedicated teams and ever-growing rule sets. The second camp already has a WAF but faces barriers when scaling it to other apps and architectures such as hybrid and multi-cloud, all of which require complicated setup and rule tuning.

We lived this experience firsthand: the founders of our Next-Gen WAF were practitioners running security, engineering, and product teams at Etsy. They set out to address the challenge of defending both modern and legacy applications by developing a technology that didn’t suffer from the pitfalls of existing WAF approaches:

  • Months-long efforts to install a product

  • Broken legitimate web transactions in the form of false positives

  • Buried analytics and a lack of insights that failed to inform operations and engineering about issues

To overcome the disillusionment with WAF, our founders’ primary goal for new customers was to enable four key benefits they saw missing from legacy solutions:

  1. Start fast and scale with ease

  2. Uncover efficacy early

  3. Empower cross-functional teams

  4. Increase visibility

Start fast and scale with ease

Installing other WAFs can require months of effort from cross-functional teams, significantly delaying the point at which the product is actually used. Between deployment complexities, building out regular expression rulesets, and tuning, “getting started quickly” isn’t a phrase other WAFs can claim; in reality, it’s quite the opposite. Many legacy providers’ solutions have been around for decades, and, as you can imagine, they don’t always keep up with the pace of innovation.

Your installation is the first step in your customer journey, and it’s one we’ve made quick and easy. In fact, it’s become something of a sport at Fastly to see how quickly new prospects bring their first agents online. The current record is under a minute; the average is just over an hour. You can easily automate installation and updates using packages, public repositories, and configuration management tools like Terraform, Chef, Puppet, Ansible, and Salt.

Uncover efficacy early

Once your WAF is installed, the next step is operationalizing it and validating its efficacy, but for legacy WAFs this hasn’t always been straightforward: enter sandbox testing. Sandboxing can be a quick and efficient way to kick the tires on a new technology, but it doesn’t mimic production traffic accurately and is therefore a poor indicator of how effectively your WAF will work on production websites. With common appliance-based WAF solutions, the sandbox doesn’t alert you to the complexities ahead: SSL certificates, DNS changes, and rule tuning for false positives.

To validate your WAF, a proof of concept (PoC) using production traffic offers real insight into how your deployment is impacting traffic and protecting your applications. The Next-Gen WAF makes moving into blocking mode an easy decision, because your analytics validate that it increases protection without creating false positives. Almost 90% of Fastly’s Next-Gen WAF customers are in full-blocking mode, a testament to how it breaks that perception and helps you realize value sooner.

Empower cross-functional teams

WAFs are a tool designed for security practitioners, but their impact is felt throughout operations organizations. Teams like DevOps and site reliability engineers (SREs) are often left outside the scope of analytics insights in legacy WAFs, leading to questions about the WAF’s impact on traffic (and for good reason): Amazon highlights that a delay of just 100ms impacted as much as 1% of sales, and Google notes that in more extreme situations, after 3 seconds, as much as 53% of sessions are abandoned. The stakes are high, and every millisecond counts.

Without question, there will be an impact on latency when a WAF is deployed; the questions are how much, and how you know. While WAFs have typically been perceived as bottlenecks and a cause of pronounced latency, the next generation offers insight and minimal latency in exchange for protection. Fastly’s Next-Gen WAF, for example, averages just milliseconds of added latency when configured as a RASP, while also offering insight into the impacted systems, including CPU, memory usage, response times, response sizes, and much more. The added visibility calms concerns about impact while easing efficacy discussions.

Increase visibility

Fast deployment is only valuable if you get meaningful insights right away (I mean, you can install almost anything quickly without it doing anything). Most practitioners with WAF experience complain about two things regarding the quality of WAF data:

  1. Learning mode: prevents teams from getting data right away, as the WAF tries to predict traffic patterns and the teams are required to tune out false positives. (This process repeats every time a change is made to the app.)

  2. Lack of visibility into blocking decisions: the lack of information and visibility around blocking decisions creates distrust among the tool’s operators, with teams triaging the root cause of an error without any explanation from the tool that surfaced it.

The key to easing these complaints is transparency. By sharing the request payloads that went into any given decision to flag an IP as malicious, via the tools teams already use (Slack, Jira, Datadog, PagerDuty, Splunk, etc.), next-generation WAFs provide self-service security data to all teams. Accessing the data themselves gives them the confidence to move from learning mode to full-blocking mode, which is where the WAF’s value is realized. (See our Customers page to read about this from their perspectives.)

On time, under budget, and ahead of schedule: the Fastly Next-Gen WAF reality

For often overstretched security teams, a fast PoC with easy installation and a short time to value is a big win enabled by the next generation of WAFs. Your environment becomes more secure on day one – not months in the future – with active blocking, clear insights, and actionable intelligence, allowing you to focus on other critical areas. Because if there’s one thing we know for sure in security – there is never a shortage of things to protect! Reach out to us if you’re interested in learning more – and perhaps you’ll be the next to lower the record on installation time!