Ofer Shezaf (from breach.com) had this to say in the comments section of my recent review of KEMP’s new LoadMaster software, which includes Web Application Firewall capabilities:
Systems supporting only snort rules and lacking a positive security model are not usually considered a web application firewall, but rather an intrusion prevention system.
That raises an interesting question: what exactly is a Web Application Firewall? How does it differ from an IPS (Intrusion Prevention System), and is there any meaningful distinction between the two?
Amazingly, Wikipedia doesn’t have an exact definition for Web Application Firewall (just Application Firewalls, but that’s something a bit different). But here’s the definition of “Web Application Firewall” according to OWASP:
A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection. By customizing the rules to your application, many attacks can be identified and blocked.
I think the KEMP box qualifies, but the range of devices that qualify is vast. While the KEMP box has WAF capabilities, it’s clearly an entry-level box ($2,500), while the Breach box is higher end. It’s like the difference between the KEMP LoadMaster and F5’s LTM/BIG-IP: they’re both Application Delivery Controllers, but they’re clearly not in the same league or market. And that’s fine; if all we had were high-end load balancers, the SMB would be squeezed out. I’ve not tested a Breach box, but I wouldn’t doubt that they offer superior protection. It’s just a matter of whether the customer can afford it. The world needs BMWs as well as Camrys.
What do you think?
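To make the distinction Shezaf draws concrete, here is an added example (not from the original post, KEMP, or Breach) that runs the same constructed HTTP requests through a signature-only negative model and a per-endpoint positive model. The endpoints, parameter profiles, signatures and sample requests are all hypothetical; the point is which requests each model lets through.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Negative security model (IPS-style): the request is allowed unless a known-bad
# signature matches. Two constructed signatures stand in for a real rule set.
NEGATIVE_SIGNATURES = [
    re.compile(r"<\s*script", re.I),             # reflected XSS marker
    re.compile(r"\bunion\b.+\bselect\b", re.I),  # SQL injection marker
]

# Positive security model (WAF-style): per-endpoint allow-list of parameter
# names and value formats. Hypothetical profile for two hypothetical endpoints.
POSITIVE_PROFILE = {
    ("GET", "/search"): {"q": re.compile(r"[\w .-]{1,64}")},
    ("POST", "/login"): {"user": re.compile(r"[a-z0-9_]{1,32}"),
                         "pass": re.compile(r".{1,128}")},
}

def negative_model_verdict(method, path, query, body):
    """Allow unless a signature matches anywhere in the decoded request."""
    blob = unquote_plus(f"{method} {path}?{query}\n{body}")
    for sig in NEGATIVE_SIGNATURES:
        if sig.search(blob):
            return "block:signature:" + sig.pattern
    return "allow"

def positive_model_verdict(method, path, query, body):
    """Allow only requests that match the application profile exactly."""
    profile = POSITIVE_PROFILE.get((method, path))
    if profile is None:
        return "block:unknown-endpoint"
    params = parse_qs(query if method == "GET" else body, keep_blank_values=True)
    for name, values in params.items():
        rule = profile.get(name)
        if rule is None:
            return "block:unexpected-param:" + name
        if not all(rule.fullmatch(v) for v in values):
            return "block:bad-value:" + name
    return "allow"

# Constructed sample requests: (method, path, query string, body).
SAMPLES = {
    "benign":  ("GET", "/search", "q=load+balancer", ""),
    "classic": ("GET", "/search", "q=%27+union+select+1--", ""),
    "novel":   ("GET", "/search", "q=%27+or+1%3D1--", ""),
    "unknown": ("GET", "/admin", "", ""),
    "extra":   ("POST", "/login", "", "user=bob&pass=x&debug=1"),
}
```

The "novel", "unknown" and "extra" samples pass the signature check and are stopped only by the positive profile, which is the property Shezaf's comment treats as the mark of a WAF rather than an IPS.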


I’ve got three web servers running behind an HA set of 4710 load balancers. I need to throw a Cisco ACE web application firewall in the mix somewhere, but where? Can I install it in front of or behind the load balancers, or would I need a separate ACE for each web server?
Thanks
You can put the ACE WAF in front of the servers, behind the load balancer. The traffic flow will look like this:
Client -> ACE -> ACEWAF -> ACE -> servers
The ACE LB will load balance to one or more WAFs, which will send their traffic back to a VIP on the ACE, which will forward it to the servers.