At Alert Logic, we frequently hear from people who believe that tuning an inline WAF so that it protects their web applications without blocking legitimate traffic is challenging.
A WAF does bring some unique challenges, but the better you understand them and work to overcome them, the sooner you will be able to use your WAF as intended: to protect your valuable web applications and data. Here are a few thoughts and suggestions.
Being a WAF expert requires a unique set of skills. You need a deep understanding of your web applications, of security, and of your WAF. Breaking it down a bit further, that means you should understand the application stack, know about security challenges like spoofing, fraud, DoS attacks and more, and have the knowledge and skill to write WAF policies that protect your applications. It is not easy to find all of those skills in a single person, so you should plan to give your WAF specialist time to become an expert, or augment your specialist with outside help, at least to get started.
WAFs require constant tuning. In the world of WAFs, two things are always changing: your web applications and the threat landscape. That means you need to be constantly tuning your WAF to address both. One suggestion for dealing with web application changes is to run your WAF in your pre-production test environment. Run it in learning mode there so it can profile your application's changing behavior, and when you are ready to flip to production, your WAF should already be well tuned. The caveat is that learning mode accepts whatever traffic it sees as normal, so the test traffic has to be representative of real use and free of attack traffic, and every exception you carry into production should be reviewed by someone who can tell a false positive from a probe. In terms of keeping up with emerging threats, there are many websites and sources of information.
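The post does not name a particular WAF, so as an added illustration of the learning-mode workflow above (this is example code written for this page, not Alert Logic's or any vendor's tooling) the script below assumes ModSecurity running with SecRuleEngine DetectionOnly in staging. It reads a constructed, simplified approximation of ModSecurity 2.x error-log lines, counts which rule/parameter pairs keep firing on known-good test traffic, and drafts exclusion directives for them. The field layout of the sample lines, the hit threshold and the local rule id range starting at 10000 are all assumptions; the SecRuleUpdateTargetById and ctl:ruleRemoveTargetById directives are real ModSecurity syntax.

```python
"""Triage a learning-mode WAF log: find rule/parameter pairs that keep firing
on known-good staging traffic and draft exclusions for a human to review."""
import re
from collections import Counter, defaultdict

# Constructed sample, not a real capture: ModSecurity-style error-log lines
# emitted while SecRuleEngine is DetectionOnly in a staging environment that
# receives only legitimate functional-test traffic. The field layout is a
# simplified approximation of ModSecurity 2.x output. The last line is a lone
# hit that looks like a real probe and must not turn into an exclusion.
SAMPLE_LOG = """\
[client 10.0.0.5] ModSecurity: Warning. detected SQLi using libinjection. [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: sUEO found within ARGS:q: select shirts from catalog"] [uri "/search"]
[client 10.0.0.6] ModSecurity: Warning. detected SQLi using libinjection. [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: sUEO found within ARGS:q: select all in stock"] [uri "/search"]
[client 10.0.0.7] ModSecurity: Warning. detected SQLi using libinjection. [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: sUEO found within ARGS:q: select by size"] [uri "/search"]
[client 10.0.0.5] ModSecurity: Warning. detected XSS using libinjection. [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:comment: <b>great</b> product"] [uri "/review"]
[client 10.0.0.8] ModSecurity: Warning. detected SQLi using libinjection. [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: 1&1 found within ARGS:id: 1 or 1=1"] [uri "/item"]
"""

# Pull the rule id, the variable the rule matched in (e.g. ARGS:q) and the URI.
EVENT_RE = re.compile(
    r'\[id "(?P<rule>\d+)"\].*?'
    r'\[data "[^"]*?found within (?P<target>[A-Z_]+:[^:"\]]+)'
    r'.*?\[uri "(?P<uri>[^"]*)"\]'
)


def parse_events(log_text):
    """Return (rule_id, target, uri) for every alert line that parses."""
    events = []
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            events.append((m.group("rule"), m.group("target"), m.group("uri")))
    return events


def false_positive_candidates(events, min_hits=2):
    """Rule/target pairs that fired at least min_hits times on known-good
    traffic, as (rule, target, hits, uris). A single hit is not evidence of a
    false positive: it may be a real probe that slipped into the test run, so
    it is left for a human rather than excluded automatically."""
    counts = Counter((rule, target) for rule, target, _ in events)
    uris = defaultdict(set)
    for rule, target, uri in events:
        uris[(rule, target)].add(uri)
    return sorted(
        (rule, target, n, tuple(sorted(uris[(rule, target)])))
        for (rule, target), n in counts.items()
        if n >= min_hits
    )


def draft_exclusions(events, min_hits=2, first_rule_id=10000):
    """Draft directives that stop the noisy rule inspecting one parameter
    instead of disabling the rule outright. When the parameter was only seen
    on a single path, scope the exclusion to that path; otherwise fall back to
    a global target removal. Rule ids for the scoped rules are allocated from
    first_rule_id upward (assumed free in the local rule range)."""
    directives = []
    for i, (rule, target, _n, uris) in enumerate(
        false_positive_candidates(events, min_hits)
    ):
        if len(uris) == 1:
            directives.append(
                f'SecRule REQUEST_URI "@beginsWith {uris[0]}" '
                f'"id:{first_rule_id + i},phase:1,pass,nolog,'
                f'ctl:ruleRemoveTargetById={rule};{target}"'
            )
        else:
            directives.append(f'SecRuleUpdateTargetById {rule} "!{target}"')
    return directives


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for rule, target, n, uris in false_positive_candidates(evts):
        print(f"rule {rule} on {target}: {n} hits at {', '.join(uris)}")
    for directive in draft_exclusions(evts):
        print(directive)
```

Only the three hits on ARGS:q at /search clear the threshold, so the script drafts a single exclusion scoped to /search; the single XSS hit and the suspicious ARGS:id hit stay in the report for a person to judge. Exclusions drafted this way are only a starting point: they still need review before they move from the staging WAF into production.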
A WAF brings development and security teams together, and those teams often have conflicting priorities. Development teams are typically under pressure to deliver product to market with as many features as possible, as fast as possible. Security teams, on the other hand, are under pressure to keep the IT environment and the business safe. The best advice here is the same as what works in many team situations: the more awareness each team has of the other, of its mandate, and of why that mandate matters to the business, the easier it usually is for the teams to find ways to work together effectively.
A good source for more information about WAF tuning and management is a white paper written by our friends at Securosis: Pragmatic WAF Management: Giving Web Apps a Fighting Chance. In it, they provide more details on the challenges listed above, plus a host of other useful ideas. Or if you’re interested in WAFs but would like to hand off the tuning and management to an expert, check out our ActiveWatch service for Alert Logic Web Security Manager.