The four-step security lifecycle is critical during firewall installation: secure, monitor, test and improve. This is a continuous process that loops back on itself in a persistent cycle of protection. Before any device is connected to your network, make sure that you have documented the network infrastructure and hardened the device or the box it will run on. This means applying patches as well as taking the time to configure the device for increased security.
The business rules that you've set in your security policy, such as allowed character sets, will determine how the firewall is configured. If you approach WAF configuration this way, the rules and filters will define themselves. Web application firewalls can expose technical problems within a network or application, such as false positive alerts or a traffic bottleneck.
Careful testing is essential, particularly if your site makes use of unusual headers, URLs or cookies, or specific content that does not conform to Web standards. Additional testing time should be allowed for if you are running multi-language versions of an application, since it may have to handle different character sets.
The testing should match the "live" application environment
For more on Web application firewall selection and deployment
Understanding your Web application firewall (WAF) product options
Comparing Web application firewall (WAF) security features
Web application firewall implementation: Software vs. hardware
How to deploy a Web application firewall (WAF)
Web application firewall (WAF) management
This was first published in April 2009