The four-step security lifecycle is critical during firewall installation: secure, monitor, test and improve. This is a continuous process that loops back on itself in a persistent cycle of protection. Before any device is connected to your network, make sure that you have documented the network infrastructure and hardened the device or the box it will run on. This means applying patches as well as taking the time to configure the device for increased security.
The business rules that you've set in your security policy, such as allowed character sets, will determine how the firewall is configured. If you approach WAF configuration this way, the rules and filters will define themselves. Deploying a Web application firewall can also expose technical problems within the network or application, such as false positive alerts or a traffic bottleneck.
Careful testing is essential, particularly if your site makes use of unusual headers, URLs or cookies, or specific content that does not conform to Web standards. Additional testing time should be allowed for if you are running multi-language versions of an application, since it may have to handle different character sets.
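As an added illustration (not from the original article), here is a small allowlist filter driven by character-set rules of the kind a security policy would state, run over constructed sample requests to show how a Latin-only rule produces false positives on multi-language input while a widened rule does not; the policies, parameter names and sample values are all constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed policy: business rules expressed as an allowed character set per parameter.
# The Latin-only policy is included to show the multi-language false positive.
POLICY_LATIN = {
    "username": r"[A-Za-z0-9_.-]{1,32}",
    "name":     r"[A-Za-z '\-]{1,64}",
    "q":        r"[A-Za-z0-9 ]{0,100}",
}
# The same rules widened for a multi-language deployment: any Unicode letter or digit.
POLICY_UNICODE = {
    "username": r"[\w.-]{1,32}",
    "name":     r"[^\W\d_][\w '\-]{0,63}",
    "q":        r"[\w ]{0,100}",
}

@dataclass
class Verdict:
    blocked: bool
    reasons: list[str] = field(default_factory=list)

def inspect(params: dict[str, str], policy: dict[str, str]) -> Verdict:
    """Positive security model: every parameter must be in the policy and must
    fully match its allowed character set, otherwise the request is blocked."""
    v = Verdict(False)
    for key, value in params.items():
        rule = policy.get(key)
        if rule is None:
            v.reasons.append(f"{key}: parameter not in policy")
        elif not re.fullmatch(rule, value):
            v.reasons.append(f"{key}: value outside allowed character set")
    v.blocked = bool(v.reasons)
    return v

# Constructed sample of "live"-style requests, including non-Latin input.
SAMPLE_REQUESTS = [
    {"username": "alice", "q": "firewall rules"},   # plain ASCII, legitimate
    {"username": "alice", "name": "Zoë Müller"},    # legitimate, Latin with diacritics
    {"username": "李雷", "q": "防火墙"},              # legitimate, CJK
    {"username": "bob", "q": "a|b;c"},              # punctuation outside both policies
]

def false_positives(policy: dict[str, str]) -> int:
    """Count legitimate requests (all but the last) that the policy wrongly blocks."""
    return sum(inspect(r, policy).blocked for r in SAMPLE_REQUESTS[:-1])

def blocks_disallowed(policy: dict[str, str]) -> bool:
    """True if the policy blocks the request carrying disallowed punctuation."""
    return inspect(SAMPLE_REQUESTS[-1], policy).blocked
```

Running the same request set against both policies is the kind of comparison the testing phase should produce before the rules go live.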
The testing should match the "live" application environment
This was first published in April 2009