Web App Firewalls: How to Evaluate, Buy, Implement

Application-layer attacks bypass standard perimeter defenses. Here's how to evaluate firewalls that screen web app traffic.

Here are the attributes that a WAF should have, according to a list provided by Ofer Shezaf, founder of research and consulting firm Xiom:

* Have an intimate understanding of HTTP. A WAF must fully parse and analyse HTTP (request line, headers, encodings and bodies), rather than pattern-match the raw byte stream, to be effective.

* Provide a positive security model. A positive security policy allows only traffic known to be valid to pass through. Sometimes called "whitelisting," this provides an external input validation shield over the application.

* Application-layer rules. Because a positive security model is costly to maintain, it should be augmented by a signature-based system. But since Web applications are custom-coded, traditional signatures that target one known vulnerability in one product are not effective. WAF rules should be generic and detect any variant of an attack technique, such as SQL injection, regardless of the application it is aimed at.

* Session-based protection. One of the biggest downsides of HTTP is the lack of a built-in, reliable session mechanism. A WAF must complement the application's session management and protect it from session-based attacks (hijacking, fixation, forced browsing) and from attacks that only become visible over time, such as brute forcing or scraping spread across many requests.

* Allow fine-grained policy management. Exceptions should be applied only to the smallest possible part of the application (one parameter on one URL, for one rule). Otherwise the only way to silence a false positive is to disable a rule for the whole site, and every such exception becomes a wide-open security gap.
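The three policy layers just listed (a positive model, generic attack rules on top of it, and narrowly scoped exceptions) are easier to reason about when you see them interact on concrete requests. The following toy policy engine is an added example for this article, not code from any WAF product or from Xiom; the endpoints, parameter shapes and sample requests are all constructed for illustration.

```python
"""Toy WAF policy engine: positive model + generic rules + scoped exceptions.

Illustrative code written for this article; not a real product. Endpoints,
parameter shapes and sample requests below are constructed, not taken from
any real application.
"""
import re
from urllib.parse import parse_qsl

# Positive security model: for each (method, path) the WAF knows about, the
# parameters it may carry and the exact shape each value must have.
# Anything not listed here is rejected before any attack signature is consulted.
POSITIVE_POLICY = {
    ("GET", "/account"): {"id": re.compile(r"^[0-9]{1,10}$")},
    ("POST", "/login"): {
        "user": re.compile(r"^[a-z0-9_.]{1,32}$"),
        "pass": re.compile(r"^.{1,128}$"),          # deliberately permissive
    },
    ("POST", "/search"): {"q": re.compile(r"^[\w\s'#\-]{1,64}$")},
}

# Negative model, kept generic: each rule matches the grammar of an attack
# technique (SQL injection here), not one known exploit string, so variants
# against a custom-coded application are still caught.
GENERIC_RULES = [
    ("sqli-tautology", re.compile(r"(?i)\b(or|and)\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+")),
    ("sqli-union", re.compile(r"(?i)\bunion\b\s+(all\s+)?\bselect\b")),
    ("sqli-comment", re.compile(r"(--|/\*|#)\s*$")),
]

# Fine-grained exceptions: scoped to (method, path, parameter, rule).
# The search box legitimately accepts terms such as "C#", which trips the
# comment rule, so that one rule is excepted for that one parameter only.
EXCEPTIONS = {
    ("POST", "/search", "q", "sqli-comment"),
}


def evaluate_request(method, target, body=""):
    """Return ("allow", reason) or ("block", reason) for one HTTP request.

    target is the request path plus optional query string; body is a
    form-encoded POST body (empty for GET).
    """
    path, _, query = target.partition("?")
    params = parse_qsl(query, keep_blank_values=True)
    if body:
        params += parse_qsl(body, keep_blank_values=True)

    # Layer 1: positive model on the endpoint itself.
    allowed = POSITIVE_POLICY.get((method, path))
    if allowed is None:
        return "block", "unknown endpoint"

    for name, value in params:
        # Layer 1 continued: positive model on each parameter.
        shape = allowed.get(name)
        if shape is None:
            return "block", f"unexpected parameter {name!r}"
        if not shape.match(value):
            return "block", f"parameter {name!r} fails positive model"

        # Layer 2: generic attack rules for values the positive model lets
        # through (e.g. the free-form password field), minus scoped exceptions.
        for rule_id, pattern in GENERIC_RULES:
            if pattern.search(value) and (method, path, name, rule_id) not in EXCEPTIONS:
                return "block", f"{rule_id} on {name!r}"

    return "allow", "ok"


if __name__ == "__main__":
    # Constructed sample traffic, one request per policy layer.
    samples = [
        ("GET", "/account?id=42", ""),                       # valid
        ("GET", "/account?id=42+or+1%3D1", ""),              # positive model catches it
        ("GET", "/account?id=42&debug=1", ""),               # unexpected parameter
        ("POST", "/login", "user=alice&pass=x%27+OR+%271%27%3D%271"),  # generic SQLi rule
        ("POST", "/login", "user=bob&pass=foo--"),           # comment rule, no exception here
        ("POST", "/search", "q=C%23"),                       # same rule, excepted for this field
        ("GET", "/search?q=C%23", ""),                       # exception does not cover GET
    ]
    for method, target, body in samples:
        print(method, target, body, "->", evaluate_request(method, target, body))
```

Note what the ordering buys you: the positive model rejects most malformed input without any signature, the generic rules only have to cover values the positive model was too permissive about, and the exception for the search box does not leak into the login form or into a GET to the same path.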

Web Application Firewall Selection Criteria

The Open Web Application Security Project (OWASP)--an open community focused on improving the security of application software--suggests the following selection of criteria for WAFs:

* Very few false positives (i.e., should never disallow an authorised request);

* Strength of default (out-of-the-box) defenses;

* Power and ease of use of its learning mode;

* Types of vulnerabilities it can prevent;

* Ability to keep individual users constrained to exactly what they have seen in the current session;

* Ability to be configured to prevent specific problems, for example as an emergency (virtual) patch for a newly discovered vulnerability until the code is fixed;

* Form factor: software versus hardware (hardware generally preferred).
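The session-based protection called for in Shezaf's list and the OWASP criterion of keeping each user constrained to what they have already seen in the current session are really one mechanism: the WAF learns which links and form targets it has served to a session and refuses requests to anything else. The sketch below is an added example for this article, not code from OWASP or from any product; the entry points, idle timeout, rate limit and sample HTML are assumptions chosen for illustration.

```python
"""Session-scoped URL allowlist with idle timeout and a simple per-session
rate limit. Illustrative code written for this article, not from any WAF
product. Page HTML and request sequences below are constructed samples."""
import re
import time
from urllib.parse import urljoin, urlsplit

# Links and form actions in a served page; the WAF learns these as the only
# places this session may legitimately go next.
HREF_RE = re.compile(r"(?:href|action)=[\"']([^\"']+)[\"']", re.I)


class SessionTracker:
    def __init__(self, entry_points, idle_timeout=900, max_requests_per_minute=120):
        self.entry_points = set(entry_points)   # always reachable (home, login)
        self.idle_timeout = idle_timeout        # seconds of inactivity before state is dropped
        self.max_rpm = max_requests_per_minute  # an "over time" control
        self.sessions = {}  # session id -> {"allowed": set, "last": float, "hits": list}

    def _session(self, sid, now):
        s = self.sessions.get(sid)
        if s is None or now - s["last"] > self.idle_timeout:
            # New or expired session: start with an empty allowlist.
            s = {"allowed": set(), "last": now, "hits": []}
            self.sessions[sid] = s
        return s

    def learn_response(self, sid, page_path, html, now=None):
        """Record every link/form target the application just served to this session."""
        now = time.time() if now is None else now
        s = self._session(sid, now)
        for target in HREF_RE.findall(html):
            # Resolve relative links against the page they appeared on; keep only the path.
            s["allowed"].add(urlsplit(urljoin(page_path, target)).path)
        s["last"] = now

    def check_request(self, sid, path, now=None):
        """Return ("allow", reason) or ("block", reason) for a request from session sid."""
        now = time.time() if now is None else now
        s = self._session(sid, now)
        # Sliding one-minute window of request timestamps.
        s["hits"] = [t for t in s["hits"] if now - t < 60] + [now]
        s["last"] = now
        if len(s["hits"]) > self.max_rpm:
            return "block", "rate limit"
        if path in self.entry_points or path in s["allowed"]:
            return "allow", "ok"
        return "block", "not linked from any page served in this session"


if __name__ == "__main__":
    # Constructed walk-through: a user browses normally, then tries forced browsing.
    waf = SessionTracker(entry_points={"/", "/login"}, max_requests_per_minute=5)
    print(waf.check_request("s1", "/", now=0))          # entry point: allow
    print(waf.check_request("s1", "/admin", now=1))     # never served a link to it: block
    waf.learn_response("s1", "/", '<a href="/orders?id=7">Orders</a><form action="logout">', now=2)
    print(waf.check_request("s1", "/orders", now=3))    # seen in served page: allow
    print(waf.check_request("s2", "/orders", now=4))    # different session: block
```

The state is keyed on the session identifier the WAF itself tracks (a cookie it sets, or the application's own), so hijacking a session does not help an attacker reach pages the victim never opened, and an idle session loses its learned allowlist rather than keeping it indefinitely.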

Prime Considerations for Web Application Firewalls

WAFs versus source-code scanning. The idea of WAFs protecting applications in real time (rather than fixing the underlying code) has drawn criticism in the past. Some vendors are wary of the term "WAF," preferring instead "application awareness" or "application-layer intelligence," Kelley says. Today, however, a growing consensus seems to be that, implemented correctly, WAFs can serve as an important part of a layered security model: they provide protection while you repair the application vulnerabilities themselves, and are a complement to code scanning and fixing, not a substitute for it.

Stories by Mary Brandel