Krikken notes that products focusing on application delivery need to perform at wire speeds and thus don't include compute-intensive capabilities such as learning engines and session awareness. "They're very much limited to black-listing and white-listing and inbound/outbound inspection," he says. Learning engines enable the WAF to learn the behavior of an application and generate policy recommendations. Session awareness enables the WAF to build dynamic, session-based rules in real time and use those to determine whether subsequent requests are valid.
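To make the two capabilities concrete, here is a small added example (illustrative code, not from any product named in this article) of a learning engine that profiles observed traffic into a positive-security model and emits policy recommendations, plus a session-aware rule that only accepts a form submission from a session that was actually served that form. The sample traffic, paths and parameter names are constructed for the example.

```python
"""Toy WAF learning engine + session-aware enforcement (constructed example)."""
import re
from collections import defaultdict

# Constructed "trusted" traffic captured during a learning period. Real
# learning engines profile far more (lengths, charsets, rates); this one
# records parameter names and a coarse value class per path.
OBSERVED_TRAFFIC = [
    ("/search", {"q": "shoes"}),
    ("/search", {"q": "hat", "page": "2"}),
    ("/cart", {"item": "42", "qty": "1"}),
]

def value_kind(value):
    return "int" if re.fullmatch(r"\d+", value) else "text"

def learn_policy(observed):
    """Build {path: {param: {kinds}}} from observed legitimate requests."""
    policy = defaultdict(dict)
    for path, params in observed:
        for name, value in params.items():
            policy[path].setdefault(name, set()).add(value_kind(value))
    return dict(policy)

def recommend_rules(policy):
    """Render the learned model as human-reviewable rule recommendations."""
    return [f"{path}: allow param {name} of type {'|'.join(sorted(kinds))}"
            for path in sorted(policy) for name, kinds in sorted(policy[path].items())]

class Session:
    """Per-session state: which form pages this session has been served."""
    def __init__(self):
        self.served_forms = set()

def check_request(policy, session, method, path, params):
    """Return (verdict, reason) with verdict in {'allow', 'block', 'review'}."""
    allowed = policy.get(path)
    if allowed is None:                      # unlearned path: flag for tuning, not a hard block
        return "review", f"no learned profile for {path}"
    for name, value in params.items():       # static positive model from the learning phase
        if name not in allowed:
            return "block", f"unexpected parameter {name!r} on {path}"
        if value_kind(value) not in allowed[name]:
            return "block", f"{name!r} expected {sorted(allowed[name])}, got {value_kind(value)}"
    if method == "GET":                      # dynamic, session-scoped rule built at runtime
        session.served_forms.add(path)
    elif method == "POST" and path not in session.served_forms:
        return "block", f"POST to {path} without this session being served the form"
    return "allow", "ok"
```

Running `recommend_rules(learn_policy(OBSERVED_TRAFFIC))` prints the proposed rules for an operator to review before enforcement, which is the tuning step the article says should be budgeted for.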
For Nelson, who is using Check Point's integrated product for the company's virtual private network and external Web applications, it was important that the product handle a breadth of security components rather than an application-specific firewall. "We wanted the ability to consolidate functionality without sacrificing performance and manageability," he says.
Meanwhile, at automotive parts supplier AutoAnything.com, which is using Breach Security's stand-alone WAF to secure e-commerce, CTO Parag Patel takes the opposite approach. "It's rare that one company can do a lot of things well," he says.
DON'T consider the WAF a silver bullet. Many companies are turning to WAFs for PCI compliance. However, analysts warn against seeing a WAF as a check-off item.
"I see a lot of mistakes and bad spending going on," Young adds. "People think, 'If we buy a firewall, the auditors will go away,' but that's not good enough in this area. You have to customise your application defense to fit your environment."
DO look beyond traditional WAF functionality. While the traditional WAF customer is the security team, many products are becoming attractive to a wider audience, thanks to analysis features, single sign-on support and integration with Web services security, Krikken says. That's why he advises that WAF evaluation should include those responsible for enterprise architecture, application delivery and software development. "This will improve confidence in the security aspects of the solution, as well as alleviate availability and performance concerns," he says.
At a global energy company, in fact, the decision to use a WAF followed the need for a security service for the company's service-oriented architecture (SOA) implementation. The chief architect at the company decided on the Reactivity XML accelerator security device, which Cisco Systems later acquired and turned into the ACE WAF. When the energy company determined that it needed an Internet-facing WAF, Cisco assured it that it could double up on the use of ACE, covering both its internal SOA needs and the securing of its Web applications. (See also SOA Security: The Basics.)
DO consider the WAF for performance monitoring. Application monitoring is one nontraditional use for WAFs that's growing in popularity, as WAFs are able to detect performance issues or whether the application is serving up error pages because of broken links.
DON'T think it's set-and-forget. While you can use out-of-the-box blacklist rules for basic security, Krikken says, be prepared to invest ongoing time and effort for all but the simplest Web applications. "Even with rule templates and learning engines, initial tuning and ongoing customisation will often be required to optimise effectiveness and reduce false positives," he says.