Web Application Firewall Criteria

Dave Piscitello, Internet Security Skeptic | 2/28/2011 | 14 comments

In my last column, I introduced the Web application firewall and recommended that it’s time to consider adding this measure to your Web security portfolio. (See It's Time to Consider a Web App Firewall.)

In this column, I’ve prepared a checklist you can use to question vendors of prospective Web application firewall (WAF) products. Since a list is just a list, I’ll also try to explain why the questions I’ve chosen are important and what homework you may need to do to prepare an RFP or review a vendor proposal.

The Web Application Security Consortium’s "Web Application Firewall Evaluation Criteria" provides an exhaustive list of requirements that your organization can use as the basis for evaluation. While I encourage you to review this and any other criteria you might find, these are the areas I think are important for most organizations to consider:

1. Deployment. How the addition of a Web application firewall affects the other systems and software in your Web and network topology is critical. A poor choice can add complexity, degrade performance, limit functionality, or impose frustrating constraints. WAFs are delivered as software or as hardware appliances, so when considering a software product, check that it is supported on the OS and hardware you use in your shop.

Similarly, when considering hardware, confirm that the appliance supports the mode of operation you’ll need to fit it into your topology (e.g., transparent bridge, routed, or reverse proxy). Ask how SSL traffic is processed. Whether the WAF terminates SSL connections, passively decrypts traffic, or takes no action determines how much change the WAF will impose on your existing environment: a terminating WAF holds your certificates and private keys, and your servers will see its address rather than the client’s unless it forwards the original address (commonly in an X-Forwarded-For header); a passively decrypting WAF needs a copy of each server’s private key and can only decrypt sessions that use RSA key exchange, not sessions negotiated with ephemeral Diffie-Hellman; a WAF that takes no action cannot inspect encrypted requests at all. Confirm that the WAF supports any authentication methods you employ to validate users or customers.

2. Connection handling. WAFs differ in the way they block traffic; for example, some reset TCP connections, others silently drop the offending traffic, and still others strip the objectionable content and pass the rest of the request through. Some combine these techniques. Each choice has side effects (a reset is immediately visible to the client, a drop leaves the client waiting on a timeout, and stripping delivers a modified request to an application that may not be expecting one), so do some homework to decide which of these modes works best for your organization.

3. Traffic processing. Every Website is supported by a unique combination of applications, protocols, data, and dynamic content. Check that the WAF can inspect all the markup and meta-languages, encoding types, and non-HTTP application traffic you publish from your Website (or accept as submitted data); anything it cannot parse, it cannot protect. Check that the WAF can block protocols, URLs, and cookies that do not strictly conform to standards, and ask whether it offers a monitoring or learning mode: strict conformance checking will also catch legitimate but sloppy clients and applications, and you will want to see those violations logged before you block them. Many WAFs are able to enforce validation policies at the object or parameter level (for example, that a given form field must be numeric and no longer than twelve characters, and that no other fields are accepted). Ask what degree of policy granularity the WAF provides and whether policies can be enforced based on user, origin IP address, time of day, and so on.
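To make the "parameter-level validation policy" idea concrete, here is an added example of the positive security model such a policy implements: every URL path lists the parameters it accepts and what each must look like, and anything else is a violation. This is illustration code written for this column, not code from the page or from any WAF product; the paths, parameter names and rules are hypothetical, and the "monitor" mode shows the log-before-block behaviour discussed above.

```python
"""Added example (not from any WAF product): a per-parameter validation
policy of the kind the checklist describes. Paths and rules are hypothetical."""
import re
from urllib.parse import parse_qsl

# Positive security model: for each URL path, the parameters it accepts and
# what each must look like. Anything not listed here is a violation.
POLICY = {
    "/account/view": {
        "acct": {"pattern": r"[0-9]{1,12}", "max_len": 12, "required": True},
        "lang": {"pattern": r"[a-z]{2}", "max_len": 2, "required": False},
    },
    "/search": {
        "q": {"pattern": r"[\w .,-]*", "max_len": 64, "required": False},
    },
}


def validate_request(path, query):
    """Return a list of (parameter, reason) violations for one request.

    An empty list means the request conforms to the policy for its path.
    """
    rules = POLICY.get(path)
    if rules is None:
        return [("*", "path not in policy")]
    params = parse_qsl(query, keep_blank_values=True)
    seen = set()
    violations = []
    for name, value in params:
        rule = rules.get(name)
        if rule is None:
            violations.append((name, "unexpected parameter"))
            continue
        if name in seen:
            # Repeated parameters are a classic way to confuse the application
            # about which value the WAF actually checked (HTTP parameter pollution).
            violations.append((name, "repeated parameter"))
        seen.add(name)
        if len(value) > rule["max_len"]:
            violations.append((name, "too long"))
        if not re.fullmatch(rule["pattern"], value):
            violations.append((name, "bad format"))
    for name, rule in rules.items():
        if rule["required"] and name not in seen:
            violations.append((name, "missing required parameter"))
    return violations


def decide(path, query, mode="block"):
    """Enforcement decision: 'allow', 'block', or 'log' (monitor/learning mode).

    In monitor mode a violation is only logged, which is how you find out
    which legitimate clients a new policy would have broken before enforcing it.
    """
    violations = validate_request(path, query)
    if not violations:
        return "allow"
    return "block" if mode == "block" else "log"


if __name__ == "__main__":
    # Constructed sample requests: one clean, one with an injected SQL fragment,
    # one with an undocumented parameter.
    for path, query in [("/account/view", "acct=123456"),
                        ("/account/view", "acct=123456' OR '1'='1"),
                        ("/account/view", "acct=123456&debug=1")]:
        print(path, query, "->", decide(path, query, mode="monitor"), validate_request(path, query))
```

The policy is deliberately strict: a value that is too long and also malformed produces two findings, so the log tells you which rule the traffic tripped. Running a new policy in monitor mode first, and reading those findings, is the homework that keeps a strict policy from breaking a legitimate client the day it is switched to block.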

4. Detection techniques. WAFs differ in the ways they detect and block the many evasion and obfuscation techniques that attackers use to slip past security measures, and they often use signatures as the basis for blocking known attack traffic patterns. A signature is only as good as the normalization that precedes it: if the WAF matches against the raw request, an attacker can defeat the signature with URL encoding (or double encoding), mixed case, embedded comments, or null bytes. Ask for a description of the vendor’s normalization techniques and signature database; ask how the database is updated, and whether an API is available to customize or extend the vendor’s detection functionality.
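The following added example shows why the normalization question matters. It is illustration code written for this column, not code from the page or from any product: a toy signature set (three patterns standing in for a vendor database of thousands) is matched once against the raw request and once against a canonicalized copy, and the encoded, mixed-case and comment-padded variants only fire after normalization. The bound on decode rounds and the "multiple encoding" check are design choices of the example, not features of any particular WAF.

```python
"""Added example (not from any WAF product): request normalization before
signature matching. Signatures and sample requests are constructed for the demo."""
import re
from urllib.parse import unquote_plus

# Toy signature database; a real WAF has thousands of entries.
SIGNATURES = {
    "sqli-union": re.compile(r"union\s+(all\s+)?select"),
    "path-traversal": re.compile(r"(^|/)\.\.(/|$)"),
    "xss-script-tag": re.compile(r"<script"),
}

# Bound the decoding work an attacker can make the WAF do per request.
MAX_DECODE_ROUNDS = 3


def _decode(value):
    """Repeatedly percent-decode until stable or the round limit is reached.

    Returns (decoded_text, rounds_that_changed_something).
    """
    cur, rounds = value, 0
    for _ in range(MAX_DECODE_ROUNDS):
        nxt = unquote_plus(cur)
        if nxt == cur:
            break
        cur, rounds = nxt, rounds + 1
    return cur, rounds


def normalize(value):
    """Canonicalize one request component (a path or a parameter value)."""
    cur, _ = _decode(value)
    cur = cur.replace("\x00", "")             # NUL bytes used to truncate strings
    cur = re.sub(r"/\*.*?\*/", " ", cur)      # SQL inline comments used as separators
    cur = re.sub(r"\s+", " ", cur)            # tabs/newlines/multiple spaces -> one space
    return cur.lower()                        # case-insensitive matching


def is_multiply_encoded(value):
    """True if the value needed more than one decode round.

    Legitimate clients encode once; double encoding is itself a signal worth logging.
    """
    return _decode(value)[1] > 1


def match_signatures(value, normalize_first=True):
    """Return the sorted names of signatures that fire on the value."""
    target = normalize(value) if normalize_first else value
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(target))


if __name__ == "__main__":
    # Constructed evasion attempts: each carries the same payload in a different coat.
    samples = [
        "1 UNION SELECT password FROM users",      # mixed case only
        "1%20uNiOn%09sElEcT%20x",                 # URL-encoded, tab as separator
        "1%2520union%2520select",                 # double encoded
        "1/**/union/**/select/**/1",              # comment padding
        "..%2f..%2fetc%2fpasswd",                 # encoded traversal
        "%3Cscript%3Ealert(1)%3C/script%3E",      # encoded script tag
        "hello world",                            # benign
    ]
    for s in samples:
        print(f"{s!r:45} raw={match_signatures(s, False)} normalized={match_signatures(s)}")
```

Two points carry over to the vendor conversation. First, the decode loop is bounded, because an unbounded canonicalizer is itself a denial-of-service target. Second, decoding more than once is rare in legitimate traffic, so a WAF that reports "multiple encoding detected" as its own event gives you a useful signal even when no signature matches.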

5. Protection techniques. Websites may be vulnerable to a wide range of threats and attacks, and vendors often include specific countermeasures to mitigate certain classes of attack. Ask about measures the WAF provides to protect against or mitigate cookie-based attacks (for example, tampering with cookie values), brute-force login attacks, session hijacking or fixation, denial-of-service attacks, or any other specific threats, and about the countermeasures and mitigation techniques the product supports for each.

And don't forget to check for the essentials and basics: logging and reporting (local/remote, formats supported), event notification and delivery method, high availability, secure administration. And of course, consider vendor reputation and quality of technical support, complexity and suitability of administration tools, performance, scalability, initial cost, and recurring subscription costs.

securityskeptic   Web Application Firewall Criteria   3/2/2011 4:55:51 PM
Re: How many WAFs will I need?
We're getting deep into deployment and topology. Please read my other posts but also consider that today, many organizations use one hardware firewall with a WAN interface and multiple physical or VLAN private interfaces. Certain organizations are well past using the private interfaces merely to segment networks but use a separate interface to enforce a distinct security policy for clients, for public facing web servers, VOIP servers, DNS, mail, etc. With a WAF, you might enforce even more granular compartmentalization based on web apps.
securityskeptic   Web Application Firewall Criteria   3/2/2011 4:48:23 PM
Re: WAF software
OK, that's more than one question!

The purpose of utilizing evaluation criteria from vendor neutral sources is exactly to compare solutions. Ultimately, an appliance is vendor WAF software on a vendor-hardened OS and vendor-provided hardware. Sooooo... if all WAF features you evaluate prove equal, you move on to other requirements; for example the appliance might offer some economies of scale, crypto-acceleration, unique CPU-optimization that you would not have on your server.

Bear in mind that your assessment for WAF functionality may result in you switching from a firewall appliance you have to one that does more.

Unsolicited groans come with the territory.
securityskeptic   Web Application Firewall Criteria   3/2/2011 4:39:31 PM
Re: How many WAFs will I need?
Wow, a long thread of comments!

First let me apologize for being late to respond. Too much travel, too many distractions.

Now, down to the question. Whether you need one or more WAFs will depend on a number of factors including your application mix and diversity, the threats your policy seeks to mitigate, the policy you choose to enforce, *and* the ability of the WAF product you choose to implement the policy you want to enforce.

An equally important consideration is policy complexity. If you are familiar with router ACL or firewall policy configuration, you probably know the dangers inherent in bloated rule sets - complexity grows commensurately (exponentially?) with the number of rules you attempt to enforce and the extent you tinker with processing order. From a complexity management perspective, you might actually want to use multiple WAFs and *compartmentalize* your applications (compartmentalizing has other benefits, too). 
Taimoor Zubair   Web Application Firewall Criteria   3/1/2011 3:43:00 PM
Re: How many WAFs will I need?
Sane, you gave a good example of a typical scenario where organizations have to support multiple firewalls. I agree with Curtis that it is a challenge for IT folks to manage and configure multiple firewalls. What could be a firewall solution which can cater to security for multiple web apps, yet the deployment and configuration exists as a single instance?
CurtisFranklin   Web Application Firewall Criteria   3/1/2011 2:45:42 PM
Re: How many WAFs will I need?
@Sane, I'm not sure I can disagree with you, though I'm trying hard not to imagine a scenario in which you have a firewall for every application. If you do, then there's going to be a serious temptation to have firewalls that are optimized for the applications, leading to multiple firewall vendors and a nightmare for management and configuration. I can hear IT heads slamming into desktops now...
SaneIT   Web Application Firewall Criteria   3/1/2011 12:49:19 PM
Re: How many WAFs will I need?
I suspect that they will be broken up by application most often, it usually starts with developers yelling already about how the firewall broke their application and how they need it opened up to allow some really off the wall connection, another group sees that connection as a gaping hole and doesn't want it to happen so a second firewall will be installed to separate the opposing parties. With firewalls running multiple interfaces I don't see connections or capacity being a big issue since load balancing and multiple networks are common now on traditional firewalls.
CurtisFranklin   Web Application Firewall Criteria   3/1/2011 12:10:51 PM
Re: How many WAFs will I need?
@Sane, I agree that most large enterprises will end up with a stack of firewalls, but I think the real question is going to be how they're divided into groups: Will it be on an application basis, a connection basis, or a simple capacity basis? I can see an argument to be made for each of these, with the "secret sauce" of any of the division being the central control console that will bind them into a logical system.
SaneIT   Web Application Firewall Criteria   3/1/2011 10:57:40 AM
Re: How many WAFs will I need?
I agree that it should ideally be one system but for larger companies geography and departmental infighting might mean you have several solutions deployed. I've worked for companies with multiple firewalls deployed because managing one rule set for the hundreds of public facing apps/connections/sites would have been an even bigger nightmare than breaking things down into smaller networks. I imagine that WAF will be similar, small companies will only need one but the larger you are and the more varied your apps get the better the chances are that you'll be deploying multiple WAFs.

CurtisFranklin   Web Application Firewall Criteria   3/1/2011 10:16:32 AM
Re: WAF software
...are the software alternatives generally just as good - are they as effective, and does your cost tend to be greater than for a hardware solution as time goes on because of subscription costs, and do you get that value back?

I think the big breakdown isn't over basic functionality, but over bandwidth. From what I've seen you can easily build as big a rule set as you'd like in software and run it on a white-box server, but you're going to be limited to the bandwidth that the combination of the server's network interface and CPU can handle.

The advantage of the dedicated appliance is that the code can run on custom silicon that's optimized to handle heavy data flows. The upshot is that small- to midsize-business customers should be able to deal with software-based app firewalls with no trouble. Large enterprise customers are going to need the performance of appliances.

At least, that's what I think...

sechristiansen   Web Application Firewall Criteria   2/28/2011 11:00:07 PM
Re: Web Application Firewall Criteria

This is a great post on defining the specifics of a WAF. I have to agree with some of the previous posters that the first hardest part of WAF implementation is getting the business to understand it needs one. A solid WAF is one of the best kept secrets of online interaction sites, yet the unfortunate part is that it should be a secret. A WAF is not the same as your Juniper/Cisco ASA firewall. Remember the OSI layers you learned in school, yeah they are suddenly important in understanding the difference between the two.

I really like your checklist as it does an excellent job of breaking out the specific technology points that are important when examining these (sometimes arduous) devices.

