In a recent blog article, we covered a few reasons why tuning a web application firewall (WAF) is challenging, including the fact that a WAF needs ongoing tuning. The two broad areas we discussed that are always changing in the world of WAFs are your web applications and the threat landscape. In this article, we offer a few examples of each and the type of tuning that is needed on an ongoing basis to keep your web applications safe.
Web applications are like any application … They’re constantly changing
Every time your developers make a change or enhancement to your web applications, your WAF needs to understand the change. And the changes don’t have to be big to be significant. For example, if you have a shopping site that sells books, your item numbers may be numeric only, and your WAF may have learned to accept only numeric values for that parameter in HTTP requests. If you decide to change your item numbering to something more complex, such as alphanumeric codes that can encode clothing sizes in addition to the quantity of items purchased, your WAF will need to know that both alphabetic and numeric values are now acceptable. Otherwise, it may block legitimate requests that use the new numbering scheme.
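The item-number example above, worked through in Python as an added illustration (this is not code from the original article or from the Alert Logic product): two hypothetical positive-model profiles for the request parameters, the one learned while item numbers were numeric and the re-tuned one after the move to alphanumeric codes, run over constructed sample requests.

```python
import re

# Added example, not Alert Logic's code: a minimal positive-security-model
# check of the kind a WAF applies to request parameters. A profile maps each
# parameter name to the pattern of values the WAF has learned to accept;
# anything else is denied. That is exactly what breaks when the application
# changes and the profile is not re-tuned.

# Hypothetical profile learned while item numbers were purely numeric.
PROFILE_V1 = {
    "item": re.compile(r"^[0-9]{1,10}$"),
    "qty":  re.compile(r"^[0-9]{1,3}$"),
}

# Re-tuned profile after the shop moved to alphanumeric item codes
# (for example a clothing SKU with a size suffix). Only the "item" rule changed.
PROFILE_V2 = {
    "item": re.compile(r"^[A-Za-z0-9]{1,12}$"),
    "qty":  re.compile(r"^[0-9]{1,3}$"),
}

def check_request(profile, params):
    """Return (allowed, reasons). A request is allowed only if every parameter
    is known to the profile and its value matches the learned pattern."""
    reasons = []
    for name, value in params.items():
        rule = profile.get(name)
        if rule is None:
            reasons.append(f"unknown parameter {name!r}")
        elif not rule.fullmatch(value):
            reasons.append(f"parameter {name!r} does not match learned pattern")
    return (not reasons, reasons)

# Constructed sample requests: one using the old numeric scheme, one using the
# new alphanumeric scheme, and one malformed value neither profile should pass.
OLD_STYLE = {"item": "48213", "qty": "2"}
NEW_STYLE = {"item": "TSHIRT42L", "qty": "1"}
MALFORMED = {"item": "48213' OR 1=1", "qty": "1"}

if __name__ == "__main__":
    for label, req in [("old", OLD_STYLE), ("new", NEW_STYLE), ("malformed", MALFORMED)]:
        for pname, prof in [("v1", PROFILE_V1), ("v2", PROFILE_V2)]:
            ok, why = check_request(prof, req)
            print(f"{label:9} under {pname}: {'allow' if ok else 'deny'} {why}")
```

Under the stale v1 profile the legitimate new-style request is denied (a false positive that shows up in the deny log), while the re-tuned v2 profile accepts both numbering schemes and still rejects the malformed value.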
Other tuning & maintenance tasks
Even though today’s WAFs are highly automated, there are many activities that the WAF administrator will need to do on a regular basis. The most common will be reviewing deny logs and WAF activity logs. Other common tasks include:
- Add exceptions from blocking – It is not uncommon to maintain a list of trusted client IPs that are allowed to bypass WAF blocking. An example is an authorized vulnerability scanner that must be able to scan through the WAF, as required by PCI DSS.
- Add a website – As a personal example, we recently announced Alert Logic’s expansion in Europe with a new sales office in London and soon, a Security Operations Center (SOC) in Cardiff, Wales. With our expansion into Europe, new websites will follow to enable better communications with local customers and partners. Our WAF will need to know about these new sites so it can protect them. And for every new website, the WAF learning and tuning process must start at the beginning.
- Apply updates to software and signatures – A WAF needs to be kept current to provide optimal protection. Software updates, though, should be installed in a maintenance window outside of the web application’s normal “business hours,” which can be challenging if you run a website that accepts requests 24×7.
Dealing with a changing threat landscape
The other area that is constantly changing for the WAF administrator is the threat landscape. While the categories of attacks remain fairly constant (the OWASP Top 10, which describes the most critical web application security flaws, did not change significantly between its 2010 and 2013 editions), attackers are using new and more sophisticated versions of previous attacks, techniques and tools.
New vulnerabilities continue to emerge and new tools become available for attackers to leverage. Even though your WAF’s positive security model provides protection from most zero-day attacks, ongoing maintenance and monitoring are still required to watch for unusual website activity and to improve your security posture over time.
That said, attackers aren’t afraid to use tried-and-true methods. SQL injection has been one of the most dangerous web application vulnerabilities for years. It doesn’t even take much knowledge of SQL … many readily available tools can be downloaded and pointed at your website to look for and exploit vulnerabilities.
Ongoing tuning for ongoing security
There are many more examples of where and when WAF tuning is needed. If you’d like more information, we offer an OWASP Top 10 Defenses white paper on our website that describes how our Alert Logic Web Security Manager WAF can help you address each risk. Or if you’re interested in WAFs but would like to hand off the tuning and management to an expert, check out our ActiveWatch service for Alert Logic Web Security Manager.
What are your thoughts on WAF tuning? What’s necessary and how often? Please share your thoughts in the Comments box below.