Choosing your WAF
To ensure a WAF is suitable for PCI DSS compliance purposes, you should compare its capabilities with those recommended in the Information Supplement "Requirement 6.6 Code Reviews and Application Firewalls Clarified" [Link: https://www.pcisecuritystandards.org/pdfs/infosupp_6_6_applicationfirewalls_codereviews.pdf] issued by the PCI Security Standards Council.
The WAF must be able to inspect and handle Web page content such as HTML, Dynamic HTML (DHTML) and cascading style sheets (CSS), as well as the protocols that your application uses, such as HTTP and HTTPS.
Also, check how quickly the vendor has adopted new protocols in the past. Review their development and support policy to determine if they will support custom protocols or protect a set range of application protocols. In addition, a WAF must be able to inspect Web services messages, typically SOAP and XML. Ask the WAF vendor about their processes for auto-updating and applying dynamic signatures. Such conversations will help you assess their technical support and help services.
Lastly, ask about the additional cost of specific features. For example, some applications may require FIPS hardware key store support. A WAF vendor may support this requirement but at a dramatically higher price.
As you work through the list of requirements, take the time to understand the technical approaches and depth of treatment that each WAF uses to provide coverage of one or more security areas. Can you whitelist data types and ranges, and create rules that combine whitelists and blacklists? How strong is the WAF against attacks on itself? For example, it should run on a hardened OS, probably with components running in a non-privileged and closed runtime environment. If the product's own security isn't rock solid, you should probably end the discussion right there.
Web application firewalls are just the start.
To combat the ever-increasing sophistication of application attacks, the protection offered by WAFs should be integrated into application assurance platforms. This structure, promoted by vendors such as F5 and Barracuda, combines WAFs, database security, XML security gateways and application traffic management to provide more holistic security coverage.
The benefits include the ability to compare information across these devices to accurately determine if traffic is potentially malicious. This makes traffic control, analysis and reporting far more effective. Administrators can configure one set of policy rules and parameters, rather than trying to enforce each policy across several different devices, greatly reducing administrative overhead.
Looking into the future, it is essential that WAFs, or whatever supersedes them, gain the ability to interpret inbound data the same way as the application they are protecting. This will entail some form of script engine to remove any obfuscation, so that the security device views the request in the same form that the browser will. This will make it far easier to assess whether or not the code is malicious. Let's hope we will see this form of dynamic analysis in the next generation of security devices.
--Michael Cobb
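Two of the evaluation points above, combining whitelist (type and range) rules with blacklist signatures, and inspecting a request in the decoded form the application will actually see, are illustrated by the following added example. It is not code from the article or from any WAF product; the parameter names, ranges and signatures are constructed for illustration only.

```python
import re
from urllib.parse import unquote

# Positive-security (whitelist) rules per parameter: expected type and range.
# Hypothetical application parameters, constructed for this example.
WHITELIST = {
    "account_id": {"type": "int", "min": 1, "max": 999999},
    "currency":   {"type": "enum", "values": {"USD", "EUR", "GBP"}},
    "note":       {"type": "str", "max_len": 64},
}

# Negative-security (blacklist) signatures, run on the canonicalised value.
BLACKLIST = [re.compile(p, re.IGNORECASE)
             for p in (r"<script\b", r"\bunion\s+select\b")]

def canonicalise(value: str) -> str:
    """Decode the value the way the application would see it: repeat URL
    decoding until the text stops changing, so double-encoded input is
    inspected in its final form rather than its encoded disguise."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def check_param(name: str, raw: str) -> tuple:
    """Return (allowed, reason). Unknown parameters are rejected (default-deny)."""
    rule = WHITELIST.get(name)
    if rule is None:
        return False, f"{name}: parameter not in whitelist"
    value = canonicalise(raw)
    # Whitelist first: type and range checks.
    if rule["type"] == "int":
        if not value.isdigit() or not rule["min"] <= int(value) <= rule["max"]:
            return False, f"{name}: expected integer in [{rule['min']}, {rule['max']}]"
    elif rule["type"] == "enum":
        if value not in rule["values"]:
            return False, f"{name}: value not in allowed set"
    elif rule["type"] == "str":
        if len(value) > rule["max_len"]:
            return False, f"{name}: exceeds {rule['max_len']} characters"
    # Then blacklist: signatures on the decoded text, which matters for free-text fields.
    for sig in BLACKLIST:
        if sig.search(value):
            return False, f"{name}: matched signature {sig.pattern}"
    return True, f"{name}: ok"

def check_request(params: dict) -> list:
    """Evaluate every parameter of a request; returns [(name, allowed, reason), ...]."""
    return [(n, *check_param(n, v)) for n, v in params.items()]
```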