Cloud WAF vs. On-premises WAF: Which Option to Choose?
Using a set of provided rules, a WAF solution filters, monitors, and blocks any malicious traffic from entering your web application and prevents sensitive data from leaving it. Think of WAF as a virtual airlock, denying access to potentially fraudulent web browser requests.
Not all web traffic is legitimate. In fact, nearly half (47.4%) of all global internet traffic is generated by bots. A bot is a software application (a script) deployed to perform an automated task. Good bots, for example, index websites for search engines or monitor site performance. Bad bots, in turn, perform malicious activity such as unauthorized data scraping, DDoS attacks, or credential stuffing.
Cybercriminals can send suspicious links, files, or connection requests to your web application to gain access. Last year, 45.127 billion web application attacks were registered, with the volume of API-targeted attacks exceeding 50%. In other words, hackers are exploiting every possible avenue at their disposal. Therefore, having up-to-date, properly configured WAF solutions isn’t optional.
As of 2022, 61% of organizations already use web application firewalls for application and data security. Yet, many companies are also questioning the efficacy and cost-effectiveness of their legacy appliances, operated on-premises.
At the same time, new cloud WAF systems offer an attractive starting price point and flexible deployment scenarios. Does it make sense to adopt cloud-based WAF or continue operating an on-premises setup? Here’s a take from our cybersecurity team.
Cloud WAF vs. On-premises WAF Solutions: Considerations for Adoption
Traditional WAF solutions are specialized hardware appliances with a corresponding usage license, placed on the network in an on-premises data center. They are accessed over the LAN, or over a VPN when outside the local area network. An on-premises WAF requires specialized technical staff for its effective configuration and ongoing maintenance.
Cloud-based WAF solutions provide on-demand access to virtual resources that filter web traffic. They can be deployed either in-line or as an API-based, out-of-path (OOP) service. The latter deployment option allows you to use the same cloud WAF service across multi-cloud and hybrid environments.
To select the optimal WAF solution for your business, take the following factors into account.
Application Hosting Destination
If your aim is to protect a cloud-native application, an on-premises WAF is hardly the best solution. On the other hand, if you are seeking protection for on-premises applications, several scenarios are possible.
On-premises WAF is the logical choice if the compliance requirements in your industry do not allow data processing in the cloud (e.g., in the financial services sector). Likewise, a local WAF installation may be the better option when there is no regional cloud data center available nearby. In that case, all traffic filtering requests have to travel through several other locations, which increases latency and creates operational risk. For example, if the main channel is disrupted, your application is cut off from the cloud WAF service and thus left unprotected.
If the above is not a major concern for your business, using a cloud WAF service even for locally hosted applications can make sense.
Desired Level of Control
WAF solutions are powered by rules — a set of configurations the system relies on to distinguish legitimate traffic from malicious access attempts. WAF rules are designed to protect against common threat types, known vulnerabilities, and attack patterns.
Both on-premises and cloud WAF solutions come with two types of rules:
- Pre-defined rules, provided by the vendor. These are designed to address the most prevalent cyber threats (e.g., OWASP Top 10 security risks) and known Common Vulnerabilities and Exposures (CVEs). Many vendors also provide pre-defined rules for different types of web technologies (e.g., popular content management systems or ecommerce platforms).
- Custom rules are programmed by your team to address unique known vulnerabilities in your product (e.g., using the findings from a recent pentest).
The main difference between cloud and on-premises WAF is the degree of control you have over rule configurations.
Cloud WAF providers like AWS WAF offer a range of out-of-the-box rule groups and configurations for protection against common threats (e.g., botnet attacks). You can enable or disable the provided rule sets to reach the desired level of protection.
AWS WAF rules can include special conditions for execution, for example a rate limit capping the number of requests from the same IP address in any five-minute period. You can create custom rules with simple logic using the Rule visual editor, and use the Rule JSON editor for use cases that require rules combining AND, OR, or NOT logic. However, not all cloud WAF providers offer the same degree of rule customization.
Important caveat: AWS WAF, like other cloud WAF providers, bills by the number of web access control lists (web ACLs), the rules deployed in them, and the requests inspected. This means more rigorous traffic monitoring costs more, and so do operations during peak application usage periods.
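As an added illustration (not from the original article), this is what such a rule looks like in the AWS WAF JSON editor: a rate-based rule that blocks any source IP exceeding 500 requests in a five-minute window, scoped down with AND/NOT logic so that only requests to paths starting with /login are counted and addresses in a trusted IP set are ignored. The rule name, the limit, the path, and the IP set are assumptions for this example, and the IP set ARN is a placeholder (REGION, ACCOUNT-ID, IPSET-ID) to be replaced with your own values.

```json
{
  "Name": "ThrottleLoginAbuse",
  "Priority": 1,
  "Statement": {
    "RateBasedStatement": {
      "Limit": 500,
      "AggregateKeyType": "IP",
      "ScopeDownStatement": {
        "AndStatement": {
          "Statements": [
            {
              "ByteMatchStatement": {
                "SearchString": "/login",
                "FieldToMatch": { "UriPath": {} },
                "TextTransformations": [
                  { "Priority": 0, "Type": "LOWERCASE" }
                ],
                "PositionalConstraint": "STARTS_WITH"
              }
            },
            {
              "NotStatement": {
                "Statement": {
                  "IPSetReferenceStatement": {
                    "ARN": "arn:aws:wafv2:REGION:ACCOUNT-ID:regional/ipset/trusted-scanners/IPSET-ID"
                  }
                }
              }
            }
          ]
        }
      }
    }
  },
  "Action": { "Block": {} },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "ThrottleLoginAbuse"
  }
}
```

Because the scope-down statement narrows which requests the rate-based rule tracks, requests from the trusted IP set are excluded from the count entirely rather than merely exempted from the block; the CloudWatch metric lets you verify how often the rule fires before you rely on it.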
On-premises WAF vendors, in contrast, provide fewer pre-defined rules but allow users to add any number of custom rules to enable granular controls. You can (and should) also continuously fine-tune existing configurations to address emerging threats or newly discovered app vulnerabilities.
The downside of on-premises WAF is that all customizations have to be made manually by qualified staff. Similarly, you will have to ensure timely WAF software updates and web application updates, which can affect the previously implemented custom controls. In addition, some vendors also limit the total number of traffic analysis requests per purchased license. So, you must also pay attention to the total number of rules implemented to avoid performance issues.
A major selling point of cloud WAF is instant scalability. Whenever you are deploying a new web application or expect a seasonal surge in traffic, you do not need to purchase additional WAF hardware (which is expensive).
Similarly, cloud WAF solutions require less manual load balancing. With on-premises systems, you need to continuously allocate the optimal amount of resources to different applications. When facing too many requests, some on-premises WAF systems automatically switch to bypass mode (i.e., stop filtering traffic). Such a fail-open state is a security threat in itself.
Cloud WAF systems have virtually limitless throughput. The only constraint is the operating cost, which increases proportionally to the number of analyzed requests.
With on-premises WAF, businesses shoulder more upfront hardware and licensing costs. Reliable WAF hardware is expensive, plus not always immediately available due to ongoing supply chain issues. In addition, you have to regularly purchase applicable licenses, with the pricing often dictated by the maximum throughput threshold. Finally, factor in the labor costs. On-premises WAF needs to be managed and maintained by specialized professionals.
Common maintenance tasks include physical configuration (correct hardware installation and operation) as well as software-related tasks such as patching, updates, and rule configuration. These must be carried out by a professional who understands both the WAF system and the type of application(s) it protects. A common concern among organizations is that when such people leave, replacing them is increasingly hard.
The possible solution is handing over WAF maintenance to a managed security services provider, whose main job will be to ensure that the current setup works well at all times.
In comparison, cloud-based WAF requires less maintenance since you do not have to service physical hardware. Cloud solutions also provide more controls for automating common maintenance tasks like updates, patching, and rules re-configuration, meaning you can operate the system with fewer people.
During updates, load balancing happens automatically. There is no planned downtime, unlike with an on-premises WAF, where you have to manually move users between devices while one of them is being fine-tuned.
Such levels of convenience, however, come at a cost. Cloud-based WAF solutions can end up costing as much or more than on-premises deployment over their usage lifespan, especially when deployed for high-traffic applications.
Cloud WAF providers entice users with value-added services, available with the subscription. These features include:
- Content delivery networks (CDNs)
- Integrated load balancing
- Traffic management optimization
For an on-premises WAF scenario, such solutions have to be either purchased as a separate license or configured manually using open-source technologies. In either case, that translates to more work for your cybersecurity team.
Cloud WAF systems automatically route each incoming request through the data center region nearest to the user, which helps ensure high uptime. Because multiple instances are available at a time, your WAF remains operational even during a regional disruption.
Although it is possible to implement a scaled network of on-premises WAF systems (e.g., in case your business has several data center locations globally), it would still not be comparable to the network of any major cloud services provider (CSP). On the other hand, if your region is not well served by popular CSPs, a local WAF deployment may be more advantageous as it helps you avoid any latency issues with service delivery.
Both on-premises and cloud WAF deployment scenarios have their upsides and downsides. For that reason, many companies opt for a hybrid solution, that is, using both local and cloud-based WAF systems to protect different types of applications.
A hybrid scenario is often more cost-effective, provides greater scalability, and helps achieve comprehensive protection for all assets.