Avoid common Web application firewall configuration errors

However, the security implications can be daunting. Many Web 2.0 sites use mash-ups (many different elements and functionality drawn from multiple sources) so there is no means of validating their code. Additionally, as Web 2.0 sites mature and become more dynamic, it's more difficult to identify any "normal" traffic patterns which can be used as a yardstick for setting usage policies or firewall rules, and as a result, sites are vulnerable to attack.

Web application firewalls (WAFs) were developed to counter to these threats. Unlike the traditional firewall, which protects the entire network, a WAF only secures the Web servers. Sitting between the Web client and Web server, WAFs monitor every request and response within the application layers. They look for specific "attack signatures" to identify a specific incoming attack, whilst monitoring for abnormal behaviours that don't fit with past traffic patterns.

Whilst WAFs are fundamental to the security of any Web application, they are only truly effective if configured properly. Most problems result from their poor initial configuration rather than their operation, but a few simple steps can avoid the most common problems:

Coordinating Web application firewall configuration with Web update cycle
This may seem almost too obvious to highlight, but configuring the WAF in parallel with a Web application's update cycle prevents significant problems. The optimum time to configure a WAF is when the website is being updated or patches are implemented. If the two operations don't happen at the same time, there's a strong likelihood that part -- or all -- of the application will not be protected. In this case, the WAF will identify part of the application as a rogue element and block it. The consequence can be severe for the site's users, who experience problems such as news feeds dropping out, message posts not uploading and content being inaccessible.

Check third-party code for bugs/vulnerabilities
Mash-ups, feeds and/or aggregators are the essence of Web 2.0, but if they harbour vulnerabilities, they put the whole Web infrastructure at risk from attack. Placing a WAF in front of a site will protect it, but for 100% peace of mind, a secure application vulnerability check (before you implement it) is the way forward. This kind of assessment gives detailed information about what is going to affect the site -- before it happens.

Update firewall rules -- and save money Nick Garlick explains how to tune your firewall rules and boost performance at no extra cost.

There are several assessment tools available, some proprietary and some not. Whilst they all scan for vulnerabilities, the most suitable one will probably be determined by its compatibility with the WAF that's installed. Assessment tools are available in manual and automated versions: The manual ones are conducted by external organisations or consultants and meet PCI DSS requirements, whilst automated assessments are handled by external scanning software. For real peace of mind, it's sensible to run both manual and automated testing tools. It's also worth feeding back the results of the vulnerability check to vendors; they like to know if/where they need to make changes. It costs nothing and helps everyone avoid the same pitfalls.

Use a WAF with built-in acceleration
IT departments often worry that WAFs mean latency and impact on users' experience and productivity. If this is an issue, opt for a WAF with a built-in acceleration feature, which mitigates Web latency and speeds overall traffic.

Lock the back door -- as well as the front!
By using WAFs to protect the front door, or the applications, IT departments often neglect the back door, which includes the protection of databases and back-end applications. If the WAF misses something, then the whole site is vulnerable. Securing both ends can be achieved with a database activity monitoring product, a proper Web application firewall configuration and vulnerability assessment at the outset.

It may sound costly and a bit excessive, but an all encompassing option will highlight all the issues which need to be addressed before they can cause real damage. The costs involved are negligible compared with the financial, operational and reputation costs of a major Web incident.

In the U.S., this "belt and braces" approach to Web security is widespread, which may be due to more exposure to website fraud or simply a more stringent compliance regime. Over the next couple of years, it is likely that the U.K. will follow a similar path, in no small part spurred on by news such as the recent Web Hacking Incidents Data Report, which showed a sharp rise in Web hacking incidents for social networking sites such as Twitter posts. These accounted for 19% of all Web hacking incidents from January to July 2009, and the trend looks set to continue for the foreseeable future.

The statistic is a stark indication that WAFs and wide-ranging Web security assessments need to move from the IT department's 'wish list' to being seen as necessities in a Web 2.0-dominated world.

About the author:
Nick Garlick is managing director of Nebulas Security Solutions Group. Send Nick your comments and security questions.

Rate this Tip To rate tips, you must be a member of SearchSecurity.co.UK. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Tech tips Code complexity analysis: How to keep it simple How to use Windows XP Mode in Windows 7 Understand role-based access control in Microsoft Exchange 2010 SQL injection detection tools and prevention strategies Cross-site scripting explained: How to prevent attacks How to automate and apply Microsoft Windows 7 AppLocker rules How to use Microsoft Windows 7 AppLocker for whitelisting applications Should you disable IE ESC, or manage it in Windows servers? Scanning with N-Stalker offers basic Web application security assessment Microsoft Windows 7 DirectAccess pros and cons Web Application Security CISOs take measured steps to reduce social media risks Google to pay for Chrome browser vulnerabilities Facebook, McAfee partner to fix social network security issues PDF attack code complicates security analysis, skirts detection Annual security reports offer some hope Firefox, Opera, Safari browsers top list of high risk software Active PDF attacks target Reader, Acrobat zero-day vulnerability Using unique device identification for bank website security Microsoft gives Internet Explorer a major security overhaul Cybercriminals invest in social networking attacks Threat and Vulnerability Management Considering two-factor authentication? Do cost, risk analysis Clientless SSL VPN vulnerability and Web browser protection Microsoft's Charney details new botnet protection, IdM technology at RSA Look into SIEM services to cut costs, comply with PCI DSS, HIPAA Cloud security issues, targeted attacks to be hot-button topics at RSA Zeus Trojan continues reign infecting 74,000 PCs in global botnet How to use Google Webmaster tools to help protect your site New Community Security Policy aims to reduce computer misuse The value of booting from a VHD in Windows 7 What to do with network penetration test results RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Serious Organized Crime Agency  (SearchSecurityUK.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.