Demystifying WAF solutions: A Web application firewall evaluation guide
scripting or forgery on your Web application. Ways to avoid such attacks include penetration testing, source code review, or setting up WAF solutions.
Regulatory requirements such as those for Payment Card Industry Data Security Standard (PCI-DSS) compliance mandate protection of a Web application, either by source code review or by using a WAF solution. Since source code review can be a very lengthy process, you can deploy a WAF solution to protect your Web application while your developers fix the code vulnerabilities.
Types of WAF solutions
WAF solutions mainly work through signature- and behavior-based models. In the case of the former, the firewall detects an attack on the basis of signatures (typically patterns of special characters or Unicode-encoded characters). WAF tools look out for the telltale signs of SQL injection, cross-site scripting or forgery attacks.
In the case of behavior-based models, WAF solutions take behavioral anomalies into account. For example, an employee providing his personal credit card number for an online purchase should not be treated as information leakage or an attack. Thus, WAF solutions need to distinguish between an event and its context.
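As an added illustration of the two detection models just described (this is constructed example code, not from the article or from any vendor's product), a toy filter applies its signatures only after decoding the request value, and treats a card number as a leak only outside the one form field where it is expected. The signatures, the `/checkout` field policy and the sample inputs are all assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Illustrative signatures for SQL injection and cross-site scripting; a real
# rule set (ModSecurity's, for instance) is far larger. These show the mechanism.
SIGNATURES = {
    "sqli": re.compile(r"(?i)(\bunion\b.*\bselect\b|'\s*or\s+1\s*=\s*1)"),
    "xss": re.compile(r"(?i)(<script\b|javascript:|onerror\s*=)"),
}
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
# Assumed application policy: the only request field where a card number belongs.
ALLOWED_CARD_FIELDS = {("POST", "/checkout", "card_number")}

def normalize(value: str, max_rounds: int = 3) -> str:
    """Decode %xx and %uXXXX encodings until the string is stable, so signatures
    are matched against what the application would see, not the encoded form."""
    for _ in range(max_rounds):
        decoded = re.sub(r"%u([0-9a-fA-F]{4})",
                         lambda m: chr(int(m.group(1), 16)), value)
        decoded = unquote(decoded)
        if decoded == value:
            break
        value = decoded
    return value

def match_signatures(value: str) -> list:
    """Signature model: names of the signatures that fire on the decoded value."""
    decoded = normalize(value)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so order IDs and other digit runs are not taken for cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(method: str, path: str, field: str, value: str) -> str:
    """Both models together: signatures first, then the card-number context rule."""
    hits = match_signatures(value)
    if hits:
        return "block:" + ",".join(hits)
    card = CARD_RE.search(value)
    if card and luhn_ok(re.sub(r"\D", "", card.group())) \
            and (method, path, field) not in ALLOWED_CARD_FIELDS:
        return "alert:card-number-out-of-context"
    return "allow"
```

Note that the double-encoded input below is caught only because `normalize` decodes repeatedly; a single-pass decoder would let it through, which is the kind of bypass the false positive and detection tests at the POC stage should cover.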
WAF solutions can be hardware-, appliance- or software-based firewalls. While hardware-based WAF solutions sit in front of your Web server or multiple Web servers (in case you run clusters), software-based WAF solutions can be fairly effective if you run on a tight budget. You can also look at open source WAF solutions. Since software-based WAF solutions have to be deployed per server, they may bring challenges in maintaining consistent policies across multiple servers.
Hardware-based WAF solutions can be apt for companies that run multiple server clusters (as well as those with sufficient budgets), as they also offer load balancing and SSL (Secure Sockets Layer) encryption and decryption capabilities. Software-based WAF solutions can be the right choice for organizations that run only a couple of servers and have distributed Web applications. Such WAF solutions are less expensive and faster to deploy than hardware- or appliance-based types. For instance, a high-end hardware-based WAF box could cost around Rs 30 lakh. Barracuda, Imperva, Citrix, Cisco, eEye Digital Security and ModSecurity (an open source offering) are some of the major WAF vendors in the market.
Selecting WAF solutions
The first step in selecting a WAF solution is to decide between hardware-, appliance- and software-based WAF solutions. Also evaluate the vulnerabilities and attacks these WAF solutions can detect, the false positive rate at the POC (Proof of Concept) stage, policy customizability, the strength of the ‘out-of-the-box’ policies, and the reporting structure (producing reports that show compliance with standards like PCI-DSS).
Check aspects like ease of administration, flexibility in configuring and changing parameters, compatibility with existing infrastructure (for example, Active Directory integration), log format (whether it is readable by your existing log management solution), whether it can sustain the throughput of your Web site, the number of concurrent sessions supported, and so on. The learning capability of WAF solutions should also be an important criterion: check how well the WAF solution learns as well as the extent to which its learning can be guided. Also look for whitelisting and blacklisting capabilities.
Implementation and challenges
Initial configuration of WAF solutions may require external support, because you will need personnel with thorough knowledge of Web applications and related attacks. Your application team has to work with the consultant to define rules and parameters for the WAF solution. Otherwise, it will generate a high number of false positives, turning the purchase into a dead investment. WAF solutions should not become a mere checkbox item for compliance.
Always remember that WAF solutions are not plug-and-play products. They require tweaking and configuration at the start. You must let the WAF solution remain in learning and monitoring mode for a while, in order to create the required rules and parameters. Your internal security team should be able to manage the firewall once it’s in place. You can probably call a consultant once a year to review the health of your WAF implementation.
About the author: KK Mookhey is the founder and principal consultant of NII Consulting, which provides services in IT audits, risk management, compliance and computer forensics.
(As told to Dhwani Pandya)