FortiWeb and the case for more cowbell

FortiWeb 100D appliance

To paraphrase the great (and fictional) music producer Bruce Dickinson: “I got a fever. And the only cure is, more firewall!” Okay, Mr. Dickinson was more interested in more cowbell than firewall. But we’re not shy about awkwardly inserting dated cultural references for our own purposes. So to that end, what is FortiWeb and why should you care? To help answer that question, we will use the FortiWeb 100D Web Application firewall as an example.

The fact is, there are certain things traditional firewalls aren’t that good at. Over time, the kind of threats facing your network has expanded greatly. So, too, has their sophistication. The introduction of all-around Next-Gen firewalls has addressed this fact. These are jacks-of-all-trades that do an admirable job for many organizations. There are many great ones to choose from, too. For example, Meraki MX64, MX68, FortiGate 40F, FortiGate 60F, Sophos XG115, Barracuda F180, and so on.

However, the fact remains that there is sometimes a real need for some specialization. Just as the introduction of penicillin back in the 1930s didn’t address every sort of infection, so the network firewall can’t guard against every kind of threat.

Firewall limitations

Generally speaking, firewalls have certain limitations. For one thing, firewalls are used in critical points of the network. Chokepoints, basically. Their misconfiguration can have disastrous consequences. Firewalls are often a single-point-of-failure within a network. As a result, a single mistake in either configuration or firewall code can compromise the network access policy.

For another thing, many of the modern applications are firewall-unfriendly. That’s because they are difficult to inspect properly. Subsequently, compromises in rule design and inspection depth have to be made to support such applications.

In addition to this, end-users, might find their own methods of bypassing a firewall when faced with unwanted restrictions. For example, inside users can dial out of the protected network to an Internet service provider on their own. Naturally, this opens a backdoor connection to the protected network. There is little defense against authorized users engaging in unauthorized practices in conventional firewall.

Another limitation is application security, which is really where FortiWeb comes in. Some next-gen firewalls are able to filter traffic with fine granularity, giving them control over all the data in an application session. However, configuring them to protect a custom application is practically impossible. An organization may be unable to deploy firewall rules which would shield the application from possible threats. The reason is because modern applications are so complex, and often their internal structures are not disclosed. As a result, organizations have to configure firewalls with less inspection capabilities.

Having said this, firewalls are one of the most effective tools of network access control. They will continue to be used as networks and applications become more and more complex. However, they should never be the only line of defense against a modern attacker, and their limitations must be understood.

Enter FortiWeb

Web app firewalls like the Fortinet’s FortiWeb 100D protect businesses from attacks targeted at applications. Without an application firewall, hackers could infiltrate the broader network through web application vulnerabilities. WAFs protect businesses from common web attacks such as Direct denial-of-service, SQL injection, and Cross-site scripting. Network firewalls, on the other hand, protect against unauthorized access and traffic going in and out of the network. For example, Unauthorized access, Man-in-the-middle attacks, and Privilege escalation.

Standard network firewalls and WAFs like the FortiWeb 100D protect against different types of threats. For example, a network firewall alone will not protect businesses from attacks against webpages. These are only preventable through WAF capabilities. So without an application firewall, a business’ broader network could be open to attack through web application vulnerabilities. However, a WAF cannot protect from attacks at the network layer. So, it should supplement a network firewall rather than replace it. These two firewalls don’t compete, the compliment each other.

If your organization fits the use case for an application firewall such as FortiWeb, it should have a few important features. The WAF should have a hardware accelerator, monitor traffic and block malicious attempts, and be highly available. It should also be scalable to maintain performance as the business grows.

Buying separate firewalls to protect every layer of security is expensive and cumbersome. So businesses now lean towards comprehensive solutions like next-generation firewalls. NGFWs combine the capabilities of network firewalls and WAFs into a centrally managed system. They also provide extra context to security policies. And this is vital to protect businesses from modern security threats.

What does a web application firewall like FortiWeb guard against?

Well, NGFWs are context-based systems that use information such as identity, time, and location to confirm that a user is who they say they are. This added insight enables businesses to make more informed, intelligent decisions about user access. They also include features such as antivirus, anti-malware, intrusion prevention systems, and URL filtering. This simplifies and improves the effectiveness of security policies.

And to be sure, having a comprehensive view of digital security is often easier and more cost-effective. However, it is vital to ensure an NGFW covers all the bases for network and web application protection. FortiWeb plays a specialized role in the “threat kill-chain.” They protect web applications from code injection, cookie signing, custom error pages, request forgery, and URL encryption. It can, therefore, be necessary to use an NGFW in conjunction with a dedicated web application firewall like FortiWeb.

Enter the 100D

At the heart of the FortiWeb 100D is an AI-based detection engine. It uses machine learning to identify requests that stray from normal patterns. Then, it takes action to protect applications from known and unknown zero-day threats.

Another thing the FortiWeb machine-learning feature solves is the problem of false-positives that deep inspection can entail. To be sure, web application firewalls are the best defense against attacks that target web-based applications. But WAFs can be tedious and time-consuming to fine tune to prevent unwanted false positives. FortiWeb’s AI-based machine learning employs two separate detection engines. When monitoring applications for stray, unusual activity, the first engine flags anything that gets it’s attention. Then, it send it to the second engine, which determines whether it’s a threat or not. It can even distinguish things like typos and new characters. If it’s an attack, then FortiWeb can take actions such as logging, alerting and/or blocking the request.

Of course, the FortiWeb 100D integrates with leading third-party vulnerability scanners. These include Acunetix, HP WebInspect, IBM AppScan, Qualys, IBM QRadar, and WhiteHat. They provide dynamic virtual patches to security issues in application environments. Vulnerabilities found by the scanner are quickly, automatically turned into security rules by FortiWeb. From then on, they protect the application until developers can address them in the application code.

Corporate Armor is ready to help you make the decision of whether a WAF like the FortiWeb 100D is right for your organization. So why not email us, or call 877-449-0458 and let our experts steer you in the right direction, whether that means “more cowbell” for your network or not? Thanks for reading!

Advantages of the FortiWeb 100D

Up to 20 Gbps protected WAF throughput
Visual analytics tools for advanced threat insights
Cloud sandbox
Third-party integration and virtual patching
AI-based behavioral scanning

Read FIREWALL LIMITATIONS (AND WHAT TO DO ABOUT THEM)