How to deploy a Web application firewall (WAF)

Expert Michael Cobb reviews the steps involved when implementing a Web application firewall.

Congratulations. You've selected and installed a Web application firewall that features all of the must-have compliance capabilities. That, however, doesn't mean that you're compliant yet. Proper positioning, configuration, administration and monitoring are essential.

The four-step security lifecycle is critical during firewall installation: secure, monitor, test and improve. This is a continuous process that loops back on itself in a persistent cycle of protection. Before any device is connected to your network, make sure that you have documented the network infrastructure and hardened the appliance, or the server it will run on. This means applying patches as well as taking the time to configure the device for increased security: disable unused services and management interfaces, change default credentials, and restrict administrative access to a management network.

The business rules that you've set in your security policy, such as allowed character sets, permitted request methods and expected headers, will determine how the firewall is configured. If you approach WAF configuration this way, the rules and filters follow directly from the policy rather than from guesswork. Bear in mind that deploying a WAF can also expose technical problems in the network or the application itself: rules that raise false positives against legitimate traffic, or a device that becomes a traffic bottleneck because of where it sits in the path.

Careful testing is essential, particularly if your site makes use of unusual headers, URLs or cookies, or specific content that does not conform to Web standards. Allow additional testing time if you run multi-language versions of an application, since the WAF will have to handle different character sets and encodings without blocking legitimate users.

The testing should match the "live" application environment as closely as possible. This approach will help expose any system integration issues the Web application firewall may cause prior to deployment. Stress testing the WAF using tools such as Microsoft's Web Application Stress Tool and Web Capacity Analysis Tool, or AppPerfect Load Test, will also help reveal any bottlenecks caused by the positioning of the WAF.
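The two steps above, deriving the WAF's rules from the security policy and then replaying the site's own odd-but-legitimate traffic through them, can be rehearsed before the device ever goes inline. The following is an added illustration, not code from the original article or from any WAF vendor: a miniature positive-security rule engine in Python, two candidate policies (a strict first cut and a tuned one), and a constructed set of legitimate and hostile requests. The header names, cookie values and URLs are all made up for the example; the lesson is that the strict policy blocks four kinds of real users (non-ASCII search terms, a custom AJAX header, base64 padding in a cookie) while the tuned policy still catches every hostile request.

```python
"""Policy-driven WAF checks plus a false-positive regression run (added example).

The rule engine stands in for a WAF's positive-security rules; both policies and
every request below are constructed sample data, not any vendor's product.
"""
import re
import unicodedata
from dataclasses import dataclass
from urllib.parse import parse_qsl, unquote, urlsplit

# Headers almost every browser request carries; anything else must be listed
# in the policy or the check flags it as unexpected.
BASELINE_HEADERS = frozenset({
    "host", "user-agent", "accept", "accept-language", "accept-encoding",
    "cookie", "content-type", "content-length", "referer", "connection",
})


@dataclass(frozen=True)
class Policy:
    # Unicode general-category initials allowed in decoded values:
    # L letters, N numbers, P punctuation, S symbols, Z separators.
    allowed_categories: frozenset
    allow_non_ascii: bool          # False mirrors a "bytes 32-126 only" rule
    extra_headers: frozenset       # application-specific headers in use
    path_pattern: str              # full-match regex for the decoded path
    max_value_len: int = 256


def value_violations(policy, name, value):
    """Reasons one decoded parameter or cookie value breaks the policy."""
    reasons = []
    if len(value) > policy.max_value_len:
        reasons.append(f"{name}: length {len(value)} > {policy.max_value_len}")
    for ch in value:
        cat = unicodedata.category(ch)[0]
        if cat == "C":   # control characters are never legitimate form data
            reasons.append(f"{name}: control character U+{ord(ch):04X}")
        elif not policy.allow_non_ascii and ord(ch) > 126:
            reasons.append(f"{name}: non-ASCII U+{ord(ch):04X}")
        elif cat not in policy.allowed_categories:
            reasons.append(f"{name}: U+{ord(ch):04X} (category {cat}) not allowed")
        else:
            continue
        break   # one reason per field is enough for triage
    return reasons


def check_request(policy, req):
    """Return the list of policy violations; an empty list means 'allow'."""
    parts = urlsplit(req["url"])
    path = unquote(parts.path)
    reasons = []
    if not re.fullmatch(policy.path_pattern, path):
        reasons.append(f"path {path!r} outside allowed pattern")
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        reasons += value_violations(policy, f"arg {name}", value)
    for header in req.get("headers", {}):
        if header.lower() not in BASELINE_HEADERS | policy.extra_headers:
            reasons.append(f"unexpected header {header}")
    for name, value in req.get("cookies", {}).items():
        reasons += value_violations(policy, f"cookie {name}", value)
    return reasons


def blocked(policy, requests):
    """Map request id -> reasons, for every request the policy would block."""
    result = {}
    for req in requests:
        reasons = check_request(policy, req)
        if reasons:
            result[req["id"]] = reasons
    return result


# Constructed legitimate traffic of the kinds the article says need extra test time.
LEGITIMATE = [
    {"id": "plain", "url": "/search?q=firewall+rules", "headers": {"Host": "shop.example"}},
    {"id": "german", "url": "/search?q=Stra%C3%9Fe", "headers": {"Host": "shop.example"}},
    {"id": "japanese", "url": "/search?q=%E5%9B%B3%E6%9B%B8%E9%A4%A8", "headers": {"Host": "shop.example"}},
    {"id": "ajax", "url": "/account/profile",
     "headers": {"Host": "shop.example", "X-Requested-With": "XMLHttpRequest"}},
    {"id": "b64-cookie", "url": "/", "headers": {"Host": "shop.example"},
     "cookies": {"prefs": "eyJ0aGVtZSI6ImRhcmsifQ=="}},
]

# Constructed hostile traffic that both policies must still block.
HOSTILE = [
    {"id": "null-byte", "url": "/search?q=admin%00", "headers": {"Host": "shop.example"}},
    {"id": "traversal", "url": "/static/..%2F..%2Fetc%2Fpasswd", "headers": {"Host": "shop.example"}},
    {"id": "overflow", "url": "/search?q=" + "A" * 600, "headers": {"Host": "shop.example"}},
]

PATH = r"(?!.*\.\.)/[A-Za-z0-9/_.-]*"

# First cut: an English-only, ASCII-only reading of the security policy.
STRICT = Policy(frozenset("LNPZ"), allow_non_ascii=False, extra_headers=frozenset(), path_pattern=PATH)
# After testing: multi-language values, '=' padding in cookies, the site's own AJAX header.
TUNED = Policy(frozenset("LNPSZ"), allow_non_ascii=True, extra_headers=frozenset({"x-requested-with"}), path_pattern=PATH)


def summary(policy):
    """False positives (legitimate blocked) and misses (hostile allowed)."""
    fp = blocked(policy, LEGITIMATE)
    tp = blocked(policy, HOSTILE)
    return {"false_positives": sorted(fp),
            "missed": sorted(r["id"] for r in HOSTILE if r["id"] not in tp)}


if __name__ == "__main__":
    for label, pol in (("strict", STRICT), ("tuned", TUNED)):
        print(label, summary(pol))
```

Run against a real WAF, the same idea becomes a replay harness: capture a day of legitimate production requests, send them through the WAF in detection-only mode, and treat every block of a legitimate request as a rule defect to fix before switching to blocking. The decoding step matters: the check operates on percent-decoded, UTF-8-interpreted values, which is where double-encoding and mixed-encoding bypasses hide if a WAF inspects raw bytes instead.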

This was first published in April 2009
