Help is on hand
Plan on devoting plenty of time to fully evaluate WAF products. Once you have narrowed down your choices to those that meet your basic requirements, how do you compare the different options?
The Web Application Security Consortium (WASC) [Link: http://www.webappsec.org/] creates and advocates standards for Web application security. They have developed the Web Application Firewall Evaluation Criteria (WAFEC) [Link: http://www.webappsec.org/projects/wafec/] for comparisons. Their testing methodology can be used by any reasonably skilled technician to independently assess the quality of a WAF solution.
Use their criteria as part of your evaluation process. Follow WASC's recommendation to pay close attention to the deployment architecture used, support for HTTP, HTML and XML, detection and protection techniques employed, logging and reporting capabilities, and management and performance.
WAF Deployment
Congratulations. You've chosen, purchased and installed a WAF with the necessary compliance capabilities. But that doesn't mean that you're compliant. Proper positioning, configuration, administration and monitoring are essential.
Installation needs to follow the four-step security lifecycle: secure, monitor, test and improve. This is a continuous process that loops back on itself in a persistent cycle of protection. Before any device is connected to your network, you need to ensure that you have documented the network infrastructure and hardened the device or the box it will run on. This means applying patches as well as taking the time to configure the device for increased security.
Configuration will stem directly from the business rules that you've established in your security policy (such as allowed character sets). If you approach firewall configuration this way, the rules and filters will define themselves. Be aware that a WAF can also surface technical problems within a network or application, such as false positive alerts or traffic bottlenecks.
Careful testing is essential, particularly if your site makes use of unusual headers, URLs or cookies, or specific content that does not conform to Web standards. Extra testing time should be allowed if you are running multi-language versions of your application, as it may have to handle different character sets.
The testing should match the "live" application environment as closely as possible. This will help expose any system integration issues the WAF may cause prior to deployment. Stress testing the WAF using tools such as Microsoft's Web Application Stress and Capacity Analysis Tools or AppPerfect Load Tester will also help reveal any bottlenecks caused by the positioning of the WAF.
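The two preceding points, policy-derived rules and replaying live-like traffic to catch false positives, can be seen together in the following example. It is added here and is not code from the article or from any WAF product: the policy entries, parameter names, header limits and sample requests are all constructed for illustration. It expresses each policy statement as an allowed character set for one parameter (a positive model, so anything outside the set is rejected), normalises Unicode before matching so multi-language input is handled consistently, and then replays a small set of known-good requests to report which ones the rules would wrongly block.

```python
"""Added example: derive WAF allow-list rules from a written security policy and
replay known-good traffic through them to find false positives before go-live.
Illustrative only; every policy value and sample request below is constructed."""

import re
import unicodedata
from dataclasses import dataclass, field
from urllib.parse import parse_qsl

# Hypothetical policy statements, one allowed character set per parameter.
# Python's re treats \w as any Unicode word character, which is what lets the
# "name" field accept accented letters from multi-language versions of the app.
POLICY = {
    "username": r"^[A-Za-z0-9_.-]{3,32}$",
    "zip": r"^[0-9]{5}$",
    "name": r"^[\w\s'.-]{1,64}$",
    "lang": r"^[a-z]{2}(-[A-Z]{2})?$",
}
MAX_HEADER_LEN = 256                       # constructed limit, adjust to policy
ALLOWED_HEADER_NAME = re.compile(r"^[A-Za-z0-9-]+$")


@dataclass
class Request:
    method: str
    path: str
    query: str
    headers: dict
    cookies: dict = field(default_factory=dict)


@dataclass
class Verdict:
    allowed: bool
    reasons: list


def check_request(req: Request) -> Verdict:
    """Apply the policy-derived rules to one request and explain any rejection."""
    reasons = []
    # Decode once and apply NFC so composed and decomposed spellings of the same
    # character are compared alike; validating before normalising invites bypasses.
    params = [(k, unicodedata.normalize("NFC", v))
              for k, v in parse_qsl(req.query, keep_blank_values=True)]
    for key, value in params:
        pattern = POLICY.get(key)
        if pattern is None:
            # Positive model: a parameter the policy never mentioned is rejected,
            # which is exactly the kind of false positive testing should surface.
            reasons.append(f"unknown parameter {key!r}")
            continue
        if not re.fullmatch(pattern, value):
            reasons.append(f"parameter {key!r} violates allowed character set")
    for hname, hvalue in req.headers.items():
        if not ALLOWED_HEADER_NAME.match(hname):
            reasons.append(f"malformed header name {hname!r}")
        if len(hvalue) > MAX_HEADER_LEN:
            reasons.append(f"header {hname!r} exceeds {MAX_HEADER_LEN} characters")
    return Verdict(allowed=not reasons, reasons=reasons)


# Constructed sample of traffic as it would be captured from the live application.
# All of it is known-good, so every rejection below is a false positive to fix
# in the policy (or the rules) before the WAF goes in front of real users.
KNOWN_GOOD = [
    Request("GET", "/profile", "username=alice_01&zip=90210", {"Host": "app.example"}),
    Request("GET", "/profile", "name=Jos%C3%A9%20Mu%C3%B1oz&lang=es-ES", {"Host": "app.example"}),
    Request("GET", "/search", "q=term", {"Host": "app.example"}),  # parameter the policy omitted
]


def false_positives(requests):
    """Replay requests and return (path, query, reasons) for each one wrongly blocked."""
    hits = []
    for req in requests:
        verdict = check_request(req)
        if not verdict.allowed:
            hits.append((req.path, req.query, verdict.reasons))
    return hits


if __name__ == "__main__":
    for path, query, reasons in false_positives(KNOWN_GOOD):
        print(f"FALSE POSITIVE {path}?{query}: {'; '.join(reasons)}")
```

Running it reports the `/search` request as a false positive because the policy never listed `q`, which is the signal to go back to the business rules rather than loosen the WAF. Feeding the same harness a capture from each language version of the application is the cheapest way to find character-set gaps before deployment.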