This article can also be found in the Premium Editorial Download "Information Security magazine: The power of SIMs for visibility and compliance."
A Solid Foundation
A Web app firewall will ideally sit behind your Internet-facing firewalls, acting as the sole ingress path for all of your Web traffic. Use a hardened Unix or Linux platform, such as OpenBSD, with its stack protection, minimal installation and aggressive source code auditing. Bastille is also an excellent hardening tool available for most Linux distributions.
Since the firewall will parse all Web traffic, the load will be substantially higher than a typical proxy. You'll need as much CPU as you can afford, and a lot of RAM. You can build several redundant gateways and use an HTTP load balancer in front of multiple security gateways.
However, sizing a solution like this can be complex. As with a network IDS or IPS deployment, the number of rules in your configuration, the amount of traffic to your sites, and the complexity of your rewriting and parsing operations will all affect performance.
Still, a good rule of thumb is to size your Web app firewall as large as your busiest Web server. Since performance will vary based on the types of applications you use in your organization, be prepared to tune, test and benchmark prior to any move to production.
Knowledge to Build On
As a Web app firewall mason, you will need a strong Unix/Linux background and a solid understanding of Web applications, Web attacks and the HTTP protocol. Some of this will feel a bit like Web development: You will need to test and ensure that the filtering does not break any Web application, and run Web-scanning tools like Nikto (www.cirt.net) against both the original and the proxied site to compare the results.
You should know your way around a command line, and be familiar with Apache configuration syntax in order to load the required modules and create security rules and filtering expressions. A good comfort level with regular expressions (the same kind used in Snort rules) will also come in handy.
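To show what the Apache side of this looks like, here is an added example (not from the article) of a minimal reverse-proxy gateway with a regex-based filtering rule. It assumes Apache 2.x with mod_proxy and ModSecurity 2.x as the filtering module (this section names neither module), a hypothetical backend at 10.0.0.10, and constructed rule ids and patterns.

```apache
# Added example: Apache as a Web application gateway in front of a single backend.
# Load the proxy modules and the filtering module (ModSecurity 2.x assumed).
LoadModule proxy_module        modules/mod_proxy.so
LoadModule proxy_http_module   modules/mod_proxy_http.so
LoadModule security2_module    modules/mod_security2.so

# Never act as an open forward proxy; only reverse-proxy to the backend.
ProxyRequests Off
# Keep the client's Host header so name-based virtual hosts on the backend still work.
ProxyPreserveHost On

<VirtualHost *:80>
    ServerName www.example.com   # placeholder hostname

    # All Web traffic enters here and is forwarded to the (hypothetical) backend.
    ProxyPass        / http://10.0.0.10/
    ProxyPassReverse / http://10.0.0.10/

    # Turn the filtering engine on and inspect request bodies (POST parameters).
    SecRuleEngine On
    SecRequestBodyAccess On
    SecAuditEngine RelevantOnly
    SecAuditLog logs/modsec_audit.log

    # Constructed rule: the "id" parameter on /account is documented as numeric,
    # so reject anything else before it reaches the application. Regex filtering
    # like this is where the regular-expression comfort level mentioned above pays off.
    SecRule REQUEST_URI "@beginsWith /account" \
        "id:100001,phase:2,chain,deny,status:403,log,msg:'Non-numeric id on /account'"
        SecRule ARGS:id "!@rx ^[0-9]{1,10}$"

    # Constructed rule: log (but do not block) requests whose User-Agent identifies a
    # scanner, so that test runs against the proxied site are easy to find in the audit log.
    SecRule REQUEST_HEADERS:User-Agent "@rx (?i:nikto)" \
        "id:100002,phase:1,pass,log,msg:'Scanner user agent observed'"
</VirtualHost>
```

Run the same Nikto scan against the backend directly and through this gateway, then compare the two reports: any difference should be explained by a rule you wrote, not by an accidental change to the application's responses.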
Now, let's look at some open-source components you can use to construct a Web app firewall.
This was first published in September 2006