As Jeremiah Grossman, founder of WhiteHat Security, argues on his blog, there are far too many vulnerabilities to keep up with by remediating them all in the code itself. He advocates that vulnerabilities found through an assessment be imported into a WAF as customised rules, providing an option to mitigate now and remediate the source of the problem later.
Gartner, on the other hand, advises customers to consider techniques for removing application vulnerabilities. "Before you spend your first dollar, consider whether you're in a position to remove vulnerabilities through a stronger system development lifecycle and by using tools such as source-code scanners," Young says. WAFs are useful for applications that are difficult or impossible to change, or those that are very dynamic, he says.
For most companies, "it's sufficient to choose one or the other approach," he says, although there is a small percentage of companies whose risk tolerance is so low that they'll want to use both.
Hardware appliance versus software. For Jack Nelson, IT director of global network services and operations at Jarden Consumer Solutions, a big reason for choosing the Check Point Software Technologies VPN-1/FireWall-1 gateway with integrated Web intelligence technology was that it was available in both configurations. Jarden has remote offices that are not staffed by IT workers, so Nelson uses the software-based version to make it simple for office managers to reconfigure any PC to become a WAF if the existing WAF goes down. "It's a lot more flexible than having to purchase a second firewall, and it's less expensive than paying for quick-response maintenance," he says. The interface is simple enough that it doesn't require a firewall expert, he says, and licensing is key-based, so you can apply it remotely.
In a couple of small offices in North America, Nelson uses the Check Point appliance because he finds it more manageable and support is more available.
Inline or out-of-band deployment. It's critical to decide up front whether you plan to deploy the WAF inline or out-of-band, as not all WAFs support both modes. "I often see short lists that consist of products with different deployment modes, or lists where none of the products would support the design being envisioned," Young says.
WAF DO's and DON'Ts
DO understand the difference between stand-alone and integrated products. It's important to understand the difference between vendors that incorporate WAF capabilities into their existing application delivery and network security products versus those that specialise in application security. Deciding which is right for you depends on many factors, including what you've got installed already, the level of security you need and whether you're more comfortable with specialised products or those with broad functionality.