Legacy vs next-gen WAF: the differences matter

Brendon Macaraeg

Senior Director of Product Marketing, Fastly

For many companies, application footprints are growing more complex and varied with faster development cycles, more APIs, and shifts to cloud, whether hybrid or public. In fact, more than half of the respondents in “Reaching the Tipping Point of Web Application and API Security,” a report we produced in partnership with Enterprise Strategy Group (ESG) Research, say most or all of their applications will use APIs in the next two years. And while these applications provide new and engaging experiences for end users, they also mean more data to protect. 

Having a unified view for web defense across this kind of mix-and-match application environment is critical to driving your business forward. However, most companies are still relying on legacy rules-based web application firewalls (WAFs) that can make scaling difficult and, in some cases, cause more problems than they solve with things like false positives.

The truth is that a next-gen approach is needed. Let’s compare legacy versus next-gen WAFs to see what truly sets them apart.

Legacy WAF

Legacy WAFs have traditionally been deployed as part of a perimeter-based security strategy to enforce policy, but they make it practically impossible to see what is getting through to the origin or how the application is behaving. WAFs can also be limited by the CDN technologies they are connected to, since different CDN choices require managing separate WAF products.

CDN WAFs can’t be used to detect attacks on internal applications since they’re deployed at the edge. They’re also a single point of failure for your application and can add latency to every request, degrading the user’s experience.

Next-Gen WAFs

The best next-gen WAFs contain lightweight software modules that run directly in your web servers or application code. They also have the flexibility to deploy anywhere in your technology stack, whether in containers, on-prem, or in the cloud. Our next-gen WAF (formerly Signal Sciences) uses a patented, fail-open architecture to communicate with a local agent, which means your site stays up and running fast. 

Custom rules can slow you down

Legacy WAFs often rely on custom rules that are costly to write and maintain. In “Reaching the Tipping Point of Web Application and API Security,” 30% of respondents indicated that ruleset customization and testing hinder their ability to keep up. And with 68% of respondents saying their organization develops new rules for deployed controls at least monthly, and efficacy testing typically lasting at least a week, it is easy to see how time-consuming this process becomes.

What’s more, once triggered, legacy WAFs often don’t show request details, so few ever make it to blocking mode. In fact, our research tells us that many block harmless business traffic, waste money and resources, and cause 91% of respondents in our report to run tools in log or monitoring mode or shut them off entirely.

A good next-gen approach relies on detection that looks at intent, not just action. With our WAF, agents collect and send detection data asynchronously to our proprietary cloud decision engine to look at data across your applications and send down decisions with details explaining why a block was made. This token-based approach to attack detection is more accurate than rules or signatures and requires no tuning or maintenance. As a result, more than 90% of customers deploy our next-gen WAF in blocking mode in production. 

Integration with DevOps tools is key

Legacy WAFs become difficult to manage because new instances are hard to stand up as applications and services scale. Many don’t integrate with DevOps tools, limiting teams’ access to security data. APIs, where they exist at all, are hard to parse and consume.

In comparison, a next-gen WAF brings security to all teams through easy-to-install software that supports any application and protects against any attack without impacting performance. Through an easy-to-use management console, a next-gen WAF provides a unified view across your entire footprint and reporting for the whole organization. A next-gen WAF also integrates with DevOps tooling for cross-team visibility.

With our next-gen WAF, operations staff can easily deploy and scale our software and get metrics on how it’s performing, typically adding fewer than 3 milliseconds of latency. Pushing this security data to the tools used by developers, operations, and security teams lets those teams self-serve the data and fix issues faster, together. Plus, robust APIs allow SOC teams to pull data into SIEM tools to visualize trends over time and better prioritize resources.
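The three mechanics this post leans on, an in-process module that consults a local agent and fails open if the agent cannot answer, decisions that carry an explanation of why a block was made, and per-decision data that can be shipped to a SIEM, are sketched together below. This is an added example written for this post, not Fastly or Signal Sciences code: the `Decision` shape, the `FailOpenModule` class, and the two stand-in agents (`canned_agent`, `timed_out_agent`) are assumptions, and the agent is modelled as a plain callable so the example runs offline.

```python
import json
import logging
import time
from dataclasses import asdict, dataclass
from typing import Callable, Dict, List

# Decision record handed back to the web server or application code.
# Its fields are an assumption for this example, not any vendor's wire format.
@dataclass
class Decision:
    action: str        # "allow" or "block"
    reason: str        # the explanation that travels with the decision
    failed_open: bool  # True when the agent could not answer and the request was let through
    latency_ms: float  # wall-clock time spent waiting on the agent

# The local agent is modelled as a callable: request metadata in, verdict dict out.
# A real module would talk to a separate local process over a socket carrying its own
# timeout; a callable keeps this example offline and deterministic.
AgentCall = Callable[[Dict[str, str]], Dict[str, str]]


class FailOpenModule:
    """In-process request filter that asks a local agent and never takes the site down."""

    def __init__(self, agent: AgentCall, fail_open: bool = True) -> None:
        self.agent = agent
        self.fail_open = fail_open
        self.log = logging.getLogger("waf.module")

    def decide(self, request: Dict[str, str]) -> Decision:
        start = time.perf_counter()
        try:
            verdict = self.agent(request)
            latency = (time.perf_counter() - start) * 1000.0
            decision = Decision(
                action=verdict.get("action", "allow"),
                reason=verdict.get("reason", "no reason supplied by agent"),
                failed_open=False,
                latency_ms=latency,
            )
        except Exception as exc:  # agent down, crashed, or past its socket timeout
            latency = (time.perf_counter() - start) * 1000.0
            if self.fail_open:
                decision = Decision("allow", f"agent unavailable ({exc}); failing open", True, latency)
            else:
                decision = Decision("block", f"agent unavailable ({exc}); failing closed", False, latency)
        self.emit(request, decision)
        return decision

    def emit(self, request: Dict[str, str], decision: Decision) -> Dict[str, object]:
        """Emit one structured event per decision, shaped for a log shipper or SIEM."""
        event = {"ts": round(time.time(), 3), "path": request.get("path", ""), **asdict(decision)}
        self.log.info(json.dumps(event))
        return event


# Constructed stand-in agents. Neither is a real detection engine: the first returns a
# canned verdict for one path so the block-with-reason path can be exercised, the second
# behaves like an agent whose socket read timed out.
def canned_agent(request: Dict[str, str]) -> Dict[str, str]:
    if request.get("path") == "/admin":
        return {"action": "block", "reason": "decision engine verdict: block (constructed)"}
    return {"action": "allow", "reason": "no attack signals (constructed)"}


def timed_out_agent(request: Dict[str, str]) -> Dict[str, str]:
    raise TimeoutError("agent socket read exceeded 3 ms")


def run_demo() -> List[Decision]:
    """Three constructed requests: one blocked with a reason, one allowed, one let through fail-open."""
    healthy = FailOpenModule(canned_agent)
    degraded = FailOpenModule(timed_out_agent)
    return [
        healthy.decide({"path": "/admin", "method": "GET"}),
        healthy.decide({"path": "/", "method": "GET"}),
        degraded.decide({"path": "/", "method": "GET"}),
    ]


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    for d in run_demo():
        print(d.action, "-", d.reason)
```

The `failed_open` and `latency_ms` fields are the two things an operations or SOC team would want on a dashboard: a rising count of fail-open events means requests are reaching the origin without inspection until the agent recovers, and latency drifting above the budget is the early warning. Fail-open trades coverage for availability during an agent outage; the `fail_open=False` switch shows the opposite trade, where the same outage becomes an application outage.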

What now?

If this information makes you question your web app and API security tools, you’re not alone. In fact, 93% of respondents to the survey that drove our research said they are interested in or planning to deploy a consolidated web application and API security solution to improve security efficacy, provide consistent protection across disparate application architectures and environments, and reduce costs.

Although finding and switching to new solutions can seem daunting, there are ways you can get started now on updating and consolidating your processes and security stacks. And for more information on this pressing topic, download “Reaching the Tipping Point of Web Application and API Security” today.