In an effort to help IT managers better secure their organisations, Computerworld brings you answers - provided by AusCERT's experts - on a few of the more common questions around key security technologies. Here we look at Web application firewalls (WAFs).
Q: What do organisations really need when it comes to WAFs?
The answer to this question varies by organisation, and should be based firmly on a risk assessment of the assets you're employing the WAF to protect.
Start by deciding your security posture: do you want to allow everything and block only "known bad" data (a permissive, or negative security, model), or block everything and allow only "known good" data (a restrictive, or positive security, model)? The permissive posture is quicker to deploy but only stops attacks it has signatures for; the restrictive posture stops novel attacks too, but needs an accurate and maintained model of what the application legitimately accepts.
In short, you need to consider the purpose of the website, your risk assessment and the website's SLA.
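The two postures above, as an added example that is not from the Computerworld article or from AusCERT: a toy policy engine in Python that applies a "known bad" signature blocklist (permissive) and a per-parameter "known good" allowlist (restrictive) to the same constructed requests. The parameter names, signatures and sample requests are assumptions made for illustration, not any product's rules.

```python
# Added illustration, not the article's or any vendor's rule set: a toy WAF
# policy engine contrasting the permissive (block known-bad) and restrictive
# (allow known-good) postures on the same constructed requests.
import re
from urllib.parse import unquote_plus

# Permissive posture: a small signature blocklist (assumed patterns for illustration).
KNOWN_BAD = [
    re.compile(r"(?i)\bunion\s+select\b"),
    re.compile(r"(?i)<script\b"),
    re.compile(r"'\s*or\s*'1'\s*=\s*'1"),
]

# Restrictive posture: per-parameter allowlist of what the (assumed) application accepts.
KNOWN_GOOD = {
    "id": re.compile(r"^[0-9]{1,10}$"),
    "username": re.compile(r"^[A-Za-z0-9_.-]{3,32}$"),
    "sort": re.compile(r"^(asc|desc)$"),
}


def normalize(value):
    # URL-decode once so that encoded payloads are visible to the rules.
    return unquote_plus(value)


def permissive_decision(params):
    """Allow unless a known-bad signature matches any parameter value."""
    for name, value in params.items():
        v = normalize(value)
        for sig in KNOWN_BAD:
            if sig.search(v):
                return "block", f"{name}: matched {sig.pattern}"
    return "allow", "no signature matched"


def restrictive_decision(params):
    """Block unless every parameter is known and its value fits the allowed shape."""
    for name, value in params.items():
        pattern = KNOWN_GOOD.get(name)
        if pattern is None:
            return "block", f"{name}: unexpected parameter"
        if not pattern.fullmatch(normalize(value)):
            return "block", f"{name}: value does not match allowed form"
    return "allow", "all parameters known-good"


# Constructed sample requests: (description, query parameters).
SAMPLES = [
    ("normal", {"id": "42", "sort": "asc"}),
    ("classic sqli", {"id": "1 UNION SELECT password FROM users"}),
    # Comment-obfuscated: no whitespace between UNION and SELECT.
    ("obfuscated sqli", {"id": "1 UNION/**/SELECT password FROM users"}),
    # Legitimate request using a parameter the allowlist was never told about.
    ("new feature the allowlist does not know", {"id": "42", "page": "2"}),
]


def compare(samples=SAMPLES):
    """Return (description, permissive verdict, restrictive verdict) per sample."""
    return [(desc, permissive_decision(p)[0], restrictive_decision(p)[0])
            for desc, p in samples]


if __name__ == "__main__":
    for desc, perm, restr in compare():
        print(f"{desc:42s} permissive={perm:5s} restrictive={restr}")
```

The obfuscated injection slips past the blocklist because the signature expects whitespace between UNION and SELECT, while the allowlist rejects it simply because an id must be digits; conversely, the allowlist blocks the legitimate request that carries a parameter it has never been told about. That is the trade-off the risk assessment has to settle: the restrictive posture needs an accurate, maintained model of the application, and the permissive posture needs signatures that keep pace with attackers.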
Q: How should organisations go about evaluating and selecting WAFs?
A cost/benefit analysis should be performed both before the WAF is deployed and again after it has been running for some time. Configurable input (request) and output (response) filtering are important features: the former stops attacks reaching the application, the latter stops error messages, stack traces and other sensitive data leaving it.
Reporting is also very important. Many WAFs offer ad hoc and scheduled reporting, but their granularity varies significantly, so be sure to test several solutions before settling on a preferred option.
Antivirus capabilities, for example scanning of uploaded files, can also be useful, again depending on your risk assessment.
The first thing to develop is a set of requirements for your WAF, based on your assessment of exposure. This could include SQL injection, cross-site scripting (XSS) and cross-site request forgery (CSRF) mitigation, and DDoS mitigation.
You should also consider the WAF's integration into existing logging and reporting mechanisms, regular signature updates, and so on. Then develop a formalised approach to measure each product against each requirement.
Your best solution may not be an all-in-one appliance; it may be assembled from several sources. Budget constraints often drive this, but weigh them against the long-term overhead of maintaining more products. A cost/benefit analysis can equally be used to make the case for an all-in-one appliance to management and the finance department.
The WAF does not necessarily need to take the form of a single package or appliance; it could be a set of plug-ins or modules for your web server.
Q: What are the prime considerations for WAFs?
In no particular order:
1) Does the solution provide adequate protection against the risks identified for the applications being delivered?
2) What happens if the WAF itself is compromised, and what measures are in place to detect such a compromise?
3) Given (1), is the solution the best fit for the business?
4) Does the solution perform ingress and egress filtering, and virus scanning?
5) Are the reporting and alerting sufficient for the needs of the business?
6) Does the solution scale appropriately for anticipated growth?
7) What are its false-positive and false-negative rates, measured against your own traffic and a representative set of attacks?
8) Does the vendor provide timely support and updates?
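A formalised way to measure each product against each requirement, and to put numbers on the false-positive and false-negative rates asked about in point 7, as an added example (Python, not from the article or from AusCERT): a labelled request corpus is replayed through each candidate and a scorecard is produced per requirement category. The two candidates are stand-in rule engines constructed for illustration rather than any vendor's product; the corpus, the hostname shop.example, the header values and the category labels are likewise assumptions. With a real product you would replay the same corpus in detect-only mode and feed its verdicts into the scoring function in place of the stand-in functions.

```python
# Added illustration, not from the article: score candidate WAFs against a
# labelled corpus, one row per requirement category (sqli, xss, csrf) plus
# benign traffic, and report detection rate, false positives and false negatives.
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed corpus: (label, method, request-target, selected headers).
# The application host shop.example and all payloads are assumptions.
CORPUS = [
    ("benign", "GET", "/search?q=laptop+bags", {}),
    ("benign", "GET", "/search?q=union+of+select+committees", {}),
    ("benign", "POST", "/profile", {"Origin": "https://shop.example", "Cookie": "sid=abc"}),
    ("sqli", "GET", "/item?id=1+UNION+SELECT+password+FROM+users", {}),
    ("sqli", "GET", "/item?id=1%27+OR+%271%27%3D%271", {}),
    ("xss", "GET", "/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E", {}),
    ("xss", "GET", "/search?q=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E", {}),
    ("csrf", "POST", "/profile", {"Origin": "https://evil.example", "Cookie": "sid=abc"}),
]


def candidate_a(method, url, headers):
    """Stand-in product A: keyword substrings, no percent-decoding, no CSRF logic."""
    u = url.lower().replace("+", " ")
    return any(bad in u for bad in ("union select", "<script"))


def candidate_b(method, url, headers):
    """Stand-in product B: decodes first, broader regexes, Origin check on POSTs."""
    u = unquote_plus(url).lower()
    sqli = re.search(r"\bunion\b.*\bselect\b|'\s*or\s*'?\d+'?\s*=", u)
    xss = re.search(r"<\s*script|\bon[a-z]+\s*=", u)
    # Treat a cookie-bearing POST from a foreign Origin as CSRF (assumed policy).
    csrf = (method == "POST" and "Cookie" in headers
            and not headers.get("Origin", "").startswith("https://shop.example"))
    return bool(sqli or xss or csrf)


def score(candidate, corpus=CORPUS):
    """Per-category detection rate plus overall false-positive/false-negative counts."""
    hits = defaultdict(lambda: [0, 0])  # label -> [blocked, total]
    fp = fn = 0
    for label, method, url, headers in corpus:
        blocked = candidate(method, url, headers)
        hits[label][1] += 1
        if blocked:
            hits[label][0] += 1
        if label == "benign" and blocked:
            fp += 1
        if label != "benign" and not blocked:
            fn += 1
    rates = {cat: blocked / total for cat, (blocked, total) in hits.items()
             if cat != "benign"}
    return {"detection": rates, "false_positives": fp, "false_negatives": fn}


if __name__ == "__main__":
    for name, cand in (("candidate A", candidate_a), ("candidate B", candidate_b)):
        print(name, score(cand))
```

Candidate A misses the encoded injection, both XSS payloads and the CSRF request but never blocks legitimate traffic; candidate B detects every attack but also blocks the harmless search for "union of select committees". Neither number is good or bad in the abstract: the scorecard lets you weigh them against the requirements and the SLA of the site being protected, and re-running it after tuning or after a signature update shows whether the product is keeping pace.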
Over the page, the Hardware vs. Software considerations and WAF Do's and Don'ts.