Radware is a long-established cybersecurity company and the AppWall is one of its main products. Radware AppWall gets very good user reviews so the people who opt for this web application firewall are very happy with the service. However, the market for web application firewalls is very crowded and major rivals to AppWall are provided by big, well-known brands with big marketing budgets.
Radware AppWall isn’t one of the well-known application firewalls, and it doesn’t have very strong visibility.
The workings of a web application firewall are ideal for combination with other services such as an application delivery network, a content delivery network, a load balancer, or data loss protection.
Radware provides these other functions, so customers can get a really good deal by combining these complimentary services.
How a web application firewall works
A Web Application Firewall (WAF) sits in front of a web server. It filters out incoming requests for web services, looking for malicious code and malformed connection requests that indicate a DDoS attack. A firewall is a category of network protection that is known as an edge service.
The concept of an edge service is ideal for web application firewalls. The DNS records for a website hosted by the webserver are altered to point at the WAF server instead. The WAF is a proxy and links through to the web server through a secure VPN.
An edge business that hopes to serve many clients and protect many web servers is going to plan a lot of capacity. The majority of this capacity is only needed in times of attacks, so by statistical methods, the WAF provider can judge its hardware and software capacity requirements so that it is way more than any single web server would ever need. They correctly assume that only one of their customers will be under attack at any one time.
Companies that don’t trust third-party services to sufficiently protect their networks prefer to opt for an appliance WAF. This combines software, network services, memory, and processors to channel all of the web traffic. A private WAF ensures privacy for the user because it doesn’t risk all of its traffic running through the servers of another company. However, there is a risk of not having sufficient capacity to absorb a very large attack.
Web application firewalls use a range of techniques to block malicious traffic. They do practice the straightforward policy of blacklisting IP addresses. However, this is not their only weapon and the blacklisting strategy requires other methods in order to detect the sources of damaging traffic.
As the name suggests, a web application firewall needs to operate at the Application Layer and it specifically seeks to examine the key application of the World Wide Web — HTTP. Fortunately, HTTP is a plain-text system, so there aren’t any complications from the content being protected because WAFs don’t read the data payload.
The WAF can’t defend against all forms of attack, so it needs to be combined with on-server checks. This is the motivation behind the third type of WAF, which is host-based and integrates into other security checks that are easier to perform once an encrypted packet gets unbundled and before it is passed through to the web application.
Each type of WAF configuration has advantages and disadvantages. A host-based solution requires a lot of server capacity, and a network appliance is very expensive. Cloud-based services are very good at absorbing heavy volume attacks and they are the most affordable but they aren’t as good at integrating with other protection systems.
Radware is part of the Rad Group. This holding company owns four companies that are each listed on the NASDAQ Stock Exchange while keeping other divisions private. Rad Group itself is not listed. Radware is one of those listed companies and has a market capitalization of $1.2 billion.
Radware was founded in 1997 and it is still led by its founder, Roy Zisapel. After starting out as a software house that developed its own products organically, Radware switched strategy to one of expansion through acquisition.
A key division of Radware provides cloud-based WAF, DDoS protection, site acceleration, and bot management. Other divisions offer network services, such as malware defense and threat hunting, load balancing, and system monitoring.
The company is based in Mahwah, New Jersey, and has an international head office in Tel Aviv, Israel.
Radware AppWall overview
Radware AppWall uses positive and negative security systems to blend strategies and provide a flexible methodology to protect a web application server. There are many different types of attack and a single methodology is not sufficient to block all of them.
Positive web security systems
A positive web security system relies on a whitelist. This is enforced by a series of rules because allowing traffic through doesn’t just rely on checking the source IP address of the incoming packet. A positive strategy blocks everything except for traffic patterns that have been specifically stated as allowed.
Negative web security systems
A negative web security system is based on blacklisting. In this model, everything is allowed through except traffic that meets a list of criteria. Negative security strategies are more common than positive systems. This is how anti-malware software operates.
Combined security strategies
The problem with positive web security strategies is that they will block everything until a comprehensive list of allowed traffic patterns has been built up. So, traffic can get blocked simply because the developer didn’t know about that type of traffic because it didn’t exist at the time.
A new application added to a website would change site delivery and usage patterns and all of that innovative activity would be blocked until someone rewrote all of the firewall rules.
Negative firewall strategies rely on the existence of authentication systems to work out who is allowed in and who isn’t. The blacklisting system relies on a set of rules that will need to be updated as new hacker strategies are discovered.
A hybrid security strategy that combines both whitelisting and blacklisting aims to exploit the strengths of a positive model, while using a blacklist as a second filter to close up gaps in the whitelisting rule base. Positive security is much stronger than negative systems. However, a positive security WAF can end up blocking a lot of legitimate traffic.
Setting up catch-all rules that allow traffic through solves the problem of welcomed users being blocked but effectively disable the natural advantages of the WAF. A second, blacklist-based security process allows the controls applied by the positive system to be loosened up.
Radware AppWall details
Traffic filters implemented in Radware AppWall are signature-based. Although signature-based methods are considered out-of-date in the general cybersecurity industry, AppWall is confident that its combination of negative and positive strategies gets around the weaknesses of this approach.
Signature-based services need to have their threat databases updated constantly to account for new attack strategies. Firewalls and endpoint protection systems that label themselves “next-gen” use anomaly-based detection strategies instead. This is because this method is better at spotting an attack-type that has never happened before – which is called a zero-day attack.
A signature-based service isn’t able to identify an attack until at least one business has been hit by it and information about the attack has been analyzed by the protection service’s labs and distributed as a signature. However, Radware claims that its signature-based service is able to detect and combat zero-day attacks.
The Radware AppWall system is able to examine responses sent by the user as input text to fields in a protected Web page. This gives the site protection against cross-site scripting or SQL injection attack. Simple hacker responses that slip through input validation checks can also be blocked.
An attempt on a site provokes a response from the WAF without the transaction being sent to the web application server. This lightens the processing load on the webserver and also ensures that web pages are fully protected without having to constantly update rules in the server application.
It is possible that a genuine customer accidentally typed in a string that just happens to be a classic hacker ploy. So, AppWall doesn’t automatically block users that seem to be testing the system. Instead, it sends a warning to the user as an overlay message on the protected screen. If another hacker trick is then entered by the same user or device, that source goes onto the AppWall blacklist. This one-free-slip-up policy is a great way to deal with the possibility of accidental actions by legitimate users.
Radware AppWall doesn’t record the IP addresses of attacks in its blacklist because it knows that hackers spoof their addresses and frequently channel their traffic through zombie devices that can be switched automatically. Instead, it uses a fingerprinting algorithm to identify the origin of the attack regardless of IP address.
Data standard compliance
The Radware AppWall system also checks all outgoing traffic, searching for sensitive information, such as credit card numbers and social security numbers; this makes it a suitable tool to enforce the PCI DSS standards.
Radware AppWall configuration options
Radware AppWall can be implemented in combination with other Radware products, such as the company’s application delivery network. It can be delivered on a device, called the AppWall OnDemand Switch. The firmware of the switch can also be run on a virtual machine operating on an on-premises server.
There is also a Hybrid Cloud WAF service available. This is a managed security service. However, it doesn’t fulfill the network protection system entirely. As the “hybrid” part of the service’s name explains, there still needs to be an on-premises element to this solution. This would be in the form of an OnDemand switch or the AppWall software running on a VM.
Alternatives to Radware AppWall
As it is an appliance-based system, Radware doesn’t offer a free trial of its WAF. If you would prefer to try before you buy, you might be better off looking at some other web application firewall options.
There are a lot of factors to be taken into account when selecting a new web application firewall. To get some information on these factors, take a look at the Buyer’s Guide to the best WAFs. If you don’t want to read through another article in order to get recommendations for a WAF, you can just rely on the list we provide below.
Here is our list of the ten best Radware AppWall alternatives:
- AppTrana Managed Web Application Firewall A managed WAF service provided by Indusface. This a web services package that includes an application scanner, a CDN, and managed custom security rules with Zero WAF False-positive assurance backed with SLA and 24×7 support.
- StackPath Web Application Firewall A Cloud-based firewall that is part of an edge service package. Other elements in the bundle are a DNS server, a CDN, and a performance monitor.
- Sucuri Website Firewall A full edge service for websites that is delivered from the cloud and includes a WAF. Other elements are a system monitor and a web acceleration service.
- Fortinet FortiWeb An appliance that combines a number of web application services including a web application firewall, an SSL off-loader, and a load balancer.
- BIG-IP iSeries Platform – An appliance the implements the F5 Advanced Web Application Firewall.
- F5 Essential App Protect – A cloud-based web application firewall that is an online version of the appliance-based F5 Web Application Firewall.
- MS Azure Web Application Firewall This WAF isn’t just for sites hosted on Azure servers, it is a separate application that will monitor any site and is charged for by data throughput.
- Imperva SecureSphere An appliance firewall that is suitable for small businesses and can be upgraded with a download by those who hit its capacity limits.
- Barracuda Web Application Firewall An appliance that combines a WAF with DDoS protection, caching, and web acceleration.
- Citrix Netscaler Application Firewall It is delivered either as an appliance or as a cloud service and it includes a load balancer.