Security demystified: Essential Web application firewall tips

Your quick guide to key security technologies

Page 2

Hardware vs. software can come down to whether there is existing virtualisation infrastructure in place, and how the software versions perform compared to the hardware versions. One benefit of software WAFs is that they may allow more comprehensive change testing at lower cost than a separate hardware device. The obvious preference is to have better and more secure source code and applications, but a WAF can be used for things other than compensating for poor input and output sanitising. For example, for DDoS mitigation a plug-in for Apache httpd called mod_evasive could be part of the overall solution.
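To make the mod_evasive mention concrete, the following is an added example (not code from this article and not the module's own source) that models the module's documented thresholds: DOSPageCount/DOSPageInterval (hits on the same URI), DOSSiteCount/DOSSiteInterval (hits on any URI) and DOSBlockingPeriod (how long a client stays blocked, with the timer restarting on each request made while blocked). The sliding-window counters, the class and function names (EvasiveModel, replay, blocked_clients) and the sample access-log lines are all my own constructions for illustration; replaying them shows how the default values of 2 hits per second on one page and 50 per second site-wide interact with the 10 second blocking period.

```python
"""mod_evasive-style per-client rate blocking, replayed over constructed log lines.

Added example, not mod_evasive's own code. It models the module's documented
knobs: DOSPageCount/DOSPageInterval (hits on the same URI), DOSSiteCount/
DOSSiteInterval (hits on any URI) and DOSBlockingPeriod (how long a client
stays blocked, the timer restarting on every request made while blocked).
The sliding-window counters are an assumption made for clarity; the module
itself keeps bucketed counters in a hash table.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Common/combined log format: client IP, bracketed timestamp, request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+)'
)


class EvasiveModel:
    """Decide allow/refuse per request using mod_evasive's default thresholds."""

    def __init__(self, page_count=2, page_interval=1,
                 site_count=50, site_interval=1, blocking_period=10):
        self.page_count, self.page_interval = page_count, page_interval
        self.site_count, self.site_interval = site_count, site_interval
        self.blocking_period = blocking_period
        self.page_hits = defaultdict(deque)   # (ip, uri) -> recent timestamps
        self.site_hits = defaultdict(deque)   # ip -> recent timestamps
        self.blocked_until = {}               # ip -> epoch second the block expires

    @staticmethod
    def _prune(hits, now, interval):
        # Keep only hits inside the window (now - interval, now].
        while hits and hits[0] <= now - interval:
            hits.popleft()

    def check(self, ip, uri, now):
        """Return True if the request would be served, False for a 403."""
        if self.blocked_until.get(ip, 0) > now:
            # Still blocked: refuse and restart the blocking timer.
            self.blocked_until[ip] = now + self.blocking_period
            return False
        page, site = self.page_hits[(ip, uri)], self.site_hits[ip]
        self._prune(page, now, self.page_interval)
        self._prune(site, now, self.site_interval)
        page.append(now)
        site.append(now)
        if len(page) > self.page_count or len(site) > self.site_count:
            self.blocked_until[ip] = now + self.blocking_period
            return False
        return True


def parse_line(line):
    """Return (ip, uri, epoch_seconds) from one access-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return m.group("ip"), m.group("uri"), ts


def replay(lines, model=None):
    """Feed log lines through the model; return one (ip, uri, allowed) per line."""
    model = model or EvasiveModel()
    decisions = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # skip blank or malformed lines
        ip, uri, ts = parsed
        decisions.append((ip, uri, model.check(ip, uri, ts)))
    return decisions


def blocked_clients(decisions):
    """Set of client IPs that received at least one refusal."""
    return {ip for ip, _, allowed in decisions if not allowed}


# Constructed sample log (not real traffic): one client hammering /login three
# times in the same second, then returning while blocked; a second client
# browsing normally.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:00:00 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.7 - - [12/Mar/2024:10:00:00 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.7 - - [12/Mar/2024:10:00:00 +0000] "GET /login HTTP/1.1" 200 512
198.51.100.4 - - [12/Mar/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024
198.51.100.4 - - [12/Mar/2024:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.7 - - [12/Mar/2024:10:00:05 +0000] "GET /about HTTP/1.1" 200 512
203.0.113.7 - - [12/Mar/2024:10:00:12 +0000] "GET /about HTTP/1.1" 200 512
203.0.113.7 - - [12/Mar/2024:10:00:30 +0000] "GET /about HTTP/1.1" 200 512
""".splitlines()

if __name__ == "__main__":
    for ip, uri, allowed in replay(SAMPLE_LOG):
        print(f"{ip:14} {uri:12} {'200' if allowed else '403'}")
```

Two caveats the replay makes visible. The third /login hit in one second trips the page threshold, and the request at 10:00:12 is still refused even though the original 10 second block would have expired at 10:00:10, because the request at 10:00:05 restarted the timer. Counting is also purely per client IP: behind a reverse proxy, load balancer or CDN the module sees the proxy's address and will block it for everyone, and clients behind a shared NAT egress can be blocked by one another's traffic. Because mod_evasive runs inside the httpd worker after the connection has been accepted, it cheaply refuses abusive request floods but does nothing against volumetric attacks that saturate the link, which is why the article treats it as one part of the overall solution.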

A WAF does not have to be a specialised appliance or software product; it can be a collection of plug-ins that together provide the functionality and protection. This comes down to your requirements, which should define what is or isn't acceptable and could incorporate your corporate policy.

Q: What are the key WAF Do's and Don’ts?

    1) Do perform a risk assessment, and select a product which meets the needs of the application and the business.
    2) Do regularly re-assess the solution in place to ensure it continues to meet the needs of the business.
    3) Do check for updates to the WAF and deploy them as per the documented patching plan.
    4) Don't consider a WAF to be a complete solution; always treat it as part of your defence-in-depth strategy.
    5) Don't simply deploy the product and consider the job done: logs and performance against set criteria should be assessed regularly.
