Security demystified: Essential Web application firewall tips
- 29 September, 2009 12:11
In an effort to help IT managers better secure their organisations, Computerworld brings you answers - provided by AusCERT's experts - on a few of the more common questions around key security technologies. Here we look at Web application firewalls (WAFs).
Q: What do organisations really need when it comes to WAFs?
The answer to this question varies by organisation, and should be based firmly on a risk assessment of the assets you're employing the WAF to protect.
Start by considering the question of your security posture, such as whether you want to allow everything and only block "known bad" data (permissive), or block everything and allow only "known good" data (restrictive).
In short, you need to consider the purpose of the web site, your risk assessment and the website’s SLA.
Q: How should organisations go about evaluating and selecting WAFs?
A Cost/Benefit analysis should be performed, both before the WAF is in place, and after the device has been functioning for some time. Configurable input and output filtering can be very important features.
Reporting is also a very important feature. Many WAFs allow for ad hoc and scheduled reporting, but their granularity can vary significantly. Be sure to test several solutions before settling on preferred options.
Antivirus capabilities can also be useful - again, depending on your risk assessment.
The first thing to develop is a set of requirements you wish to have as features in your WAF, based on your assessment of exposure. These could include SQL injection mitigation/protection, DDoS mitigation, and cross-site scripting and cross-site request forgery mitigation/protection.
You should also consider the WAF's integration into existing logging and reporting mechanisms, regular signature updates, etc. Then develop a formalised approach to measure each product against each requirement.
Your best solution may not be an all-in-one appliance; it may come from varying sources. Budgetary constraints can push you that way, but weigh that against the alternative: more products to maintain means a bigger overhead long term. A cost-benefit analysis could be used to sell an all-in-one appliance to management and the finance department.
The WAF does not necessarily need to be in the form of a single package or appliance but could be various plug-ins for your web server.
Q: What are the prime considerations for WAFs?
In no particular order:
- 1) Does the solution provide adequate protection against the risks identified for the applications being delivered?
- 2) Considering protection, what happens if the web application firewall is compromised? What measures are in place to detect such an eventuality?
- 3) Considering (1), is the solution the best fit for the business?
- 4) Does the solution perform ingress and egress filtering, and virus scanning?
- 5) Is the reporting and alerting sufficient for the needs of the business?
- 6) Does the solution scale appropriately for anticipated growth?
- 7) What is the rate of false positives and false negatives?
- 8) Does the vendor provide timely support and updates?
The hardware vs. software decision can come down to whether there is existing virtualisation infrastructure in place, and how the software versions perform compared to the hardware versions. One of the benefits of software WAFs is that they may allow more comprehensive change testing at lower cost than a separate hardware device. The obvious preference is to have better and more secure source code and applications, but a WAF can be used for things other than compensating for poor input and output sanitising. For example, for DDoS mitigation, the Apache httpd plug-in mod_evasive could be part of the overall solution.
A WAF does not have to be a specialised appliance or software product. It can be a collection of plug-ins that together provide the functionality and protection. This comes down to your requirements, which should define what is or isn't acceptable; they could incorporate your corporate policy.
Q: What are the key WAF Do's and Don’ts?
- 1) Do perform a risk assessment, and select a product which meets the needs of the application and the business.
- 2) Do regularly re-assess the solution in place to ensure it continues to meet the needs of the business.
- 3) Do check for updates to the WAF and deploy as per the documented patching plan.
- 4) Don't consider a WAF to be a complete solution; always consider it part of your defence in depth strategy.
- 5) Don't simply deploy the product and consider the job done – logs and performance against set criteria should be assessed regularly.
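Point 5 is easier to act on when "set criteria" are written down and checked mechanically. The following is an added example, not code from the article or from AusCERT: it parses a handful of constructed WAF log lines in an invented key=value format (no vendor's real format), aggregates blocks per rule, and compares the overall block rate, the share of blocks attributable to any single rule (a common sign of a noisy rule producing false positives), and the 95th-percentile request latency against illustrative thresholds. The rule names, client addresses, thresholds and log layout are all assumptions for the example.

```python
import math
import re
from collections import Counter

# Constructed log excerpt in an invented format; addresses are from the
# RFC 5737 documentation range and rule names are placeholders.
SAMPLE_LOG = """\
2009-09-29T12:11:03Z client=203.0.113.10 rule=- action=allow uri=/ latency_ms=4
2009-09-29T12:11:04Z client=203.0.113.11 rule=sqli-01 action=block uri=/search latency_ms=9
2009-09-29T12:11:05Z client=203.0.113.12 rule=- action=allow uri=/search latency_ms=6
2009-09-29T12:11:06Z client=203.0.113.13 rule=generic-01 action=block uri=/search latency_ms=7
2009-09-29T12:11:07Z client=203.0.113.14 rule=generic-01 action=block uri=/search latency_ms=5
2009-09-29T12:11:08Z client=203.0.113.15 rule=generic-01 action=block uri=/contact latency_ms=8
2009-09-29T12:11:09Z client=203.0.113.16 rule=- action=allow uri=/contact latency_ms=45
2009-09-29T12:11:10Z client=203.0.113.17 rule=- action=allow uri=/ latency_ms=5
2009-09-29T12:11:11Z client=203.0.113.18 rule=xss-01 action=block uri=/search latency_ms=10
2009-09-29T12:11:12Z client=203.0.113.19 rule=- action=allow uri=/search latency_ms=6
"""

# Illustrative review criteria; a real SLA and risk assessment would set these.
CRITERIA = {
    "max_block_rate": 0.25,         # more than 25% of requests blocked is suspicious
    "max_single_rule_share": 0.20,  # one rule blocking >20% of all traffic needs review
    "p95_latency_ms": 30,           # latency budget the WAF must stay within
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) rule=(?P<rule>\S+) "
    r"action=(?P<action>allow|block) uri=(?P<uri>\S+) latency_ms=(?P<latency>\d+)$"
)


def parse_log(text: str) -> list[dict]:
    """Parse the key=value lines; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            event = m.groupdict()
            event["latency"] = int(event["latency"])
            events.append(event)
    return events


def percentile(values: list[int], pct: float) -> int:
    """Nearest-rank percentile; 0 for an empty sample."""
    if not values:
        return 0
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def review(events: list[dict], criteria: dict) -> dict:
    """Compare aggregate log metrics against the review criteria and list findings."""
    total = len(events)
    blocks = [e for e in events if e["action"] == "block"]
    per_rule = Counter(e["rule"] for e in blocks)
    block_rate = len(blocks) / total if total else 0.0
    p95 = percentile([e["latency"] for e in events], 95)

    findings = []
    if block_rate > criteria["max_block_rate"]:
        findings.append(f"block rate {block_rate:.0%} exceeds {criteria['max_block_rate']:.0%}")
    for rule, n in sorted(per_rule.items()):
        if total and n / total > criteria["max_single_rule_share"]:
            findings.append(f"rule {rule} blocked {n}/{total} requests; review for false positives")
    if p95 > criteria["p95_latency_ms"]:
        findings.append(f"p95 latency {p95} ms exceeds budget of {criteria['p95_latency_ms']} ms")

    return {
        "total": total,
        "blocked": len(blocks),
        "block_rate": block_rate,
        "per_rule": dict(per_rule),
        "p95_latency_ms": p95,
        "findings": findings,
    }


if __name__ == "__main__":
    report = review(parse_log(SAMPLE_LOG), CRITERIA)
    for finding in report["findings"]:
        print("FINDING:", finding)
```

Run against a real log export on a schedule, a script like this turns "assess the logs regularly" into a concrete, repeatable check; the findings (here, an overall block rate above the threshold, one rule responsible for most blocks, and a latency outlier) are the items that feed back into the re-assessment in point 2.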