At Alert Logic, we frequently hear from people who believe that tuning an inline web application firewall (WAF), so that it effectively protects their web applications without blocking legitimate traffic, is challenging.
While a web application firewall does bring some unique challenges, if you understand the issues and work to overcome them, the faster you’ll be able to use your WAF as intended – to protect your valuable web applications and data. Here are a few thoughts and suggestions.
Being a web application firewall expert requires a unique set of skills. You need to have a deep understanding of your web applications and security and your WAF. Breaking it down a bit further, it means you should understand the application stack, know about cyber security challenges like spoofing, fraud, DOS attacks and more, and have the knowledge and skill for writing policies for your web application firewall that protect your applications. It’s not easy to find all those skills in a single person, so you should plan to give your WAF specialist time to become an expert or augment your specialist with help to at least get started.
WAFs require constant tuning. In the world of web application firewalls, two things are always changing: your web applications and the cyber threat landscape. That means you need to be constantly tuning your WAF to address both situations. One suggestion for dealing with web application changes is to run your WAF in your pre-production test environment. Run your web application firewall in learning mode there so it can understand your web application’s changing behavior and when you’re ready to flip to production, your web application firewall should already be well-tuned. In terms of keeping up with emerging threats, there are many websites and sources for information.
A WAF brings development and security teams together. And those teams often have conflicting priorities. Development teams are typically pressured to deliver product to market with as many features as possible as fast as possible. IT Security teams, on the other hand, are pressured to ensure the IT environment and the business are safe. The best advice here is the same as what works in many team situations… The more awareness each team has about the other, their mandates, and why their mandates are important to the business, the easier it often is for the teams to figure out ways to effectively work together.
A good source for more information about WAF tuning and management is a white paper written by our friends at Securosis: Pragmatic WAF Management: Giving Web Apps a Fighting Chance. In it, they provide more details on the challenges listed above, plus a host of other useful ideas.