Understanding your Web application firewall (WAF) product options

Michael Cobb lays out your Web application firewall choices.

The PCI Data Security Standard, particularly the code review section of Requirement 6, has made many companies consider purchasing a Web application firewall.

But if you're rushing to find a WAF for your compliance needs, how do you know which features are critical? Companies need to consider multiple factors before making a purchase or they will risk making an expensive error. In this series of tips, we'll show you how to pick an application firewall that best suits your organization.

A Web application firewall, or application-layer firewall, is placed between a Web client and a Web server, where it analyzes application-layer communications and looks for actions that violate a pre-set security policy. By doing so, the device defends Web apps from attacks and prevents potential data leaks. The functions of a WAF should not be confused with those of network firewalls and intrusion detection and prevention systems, which protect the network perimeter.

But before purchasing a Web application firewall, remember that compliance requires more than just throwing a WAF product in front of your Web servers. And, besides, you want your investment to actually enhance corporate security, right? To help you make the right decision for your organization, we'll guide you through the key points in evaluating products. Since buying the right product is just the start, you'll also learn something about properly deploying and managing your WAF so that your company is actually compliant and (somewhat) secure.

What to know about Web application firewall projects
Whenever new security requirements or legislation are introduced, those tasked with ensuring compliance often tend to rush the decision-making process. Many system administrators decide which product to deploy based solely on a single vendor's sales pitch or on a particular requirement or feature they've picked up on.

The result will more than likely be inappropriate or less than optimal security measures. Even a tight deadline doesn't absolve you of due diligence. To choose a security device like a Web application firewall (WAF), you need to answer the following questions:

  • What does it need to do based on your security policy objectives and legislative requirements?
  • What additional services would be valuable?
  • How will it fit into your existing network – do you have the in-house skills to use it correctly and effectively?
  • How will it affect existing services and users, and at what cost?

New compliance requirements such as PCI DSS require you to update, or at least review, your security policy before you can answer the first question. A good security policy defines your objectives and requirements for securing data. That foundation allows you to define which security devices are appropriate to meet your requirements. Since each Web application is unique, security must be custom-tailored to protect against the potential threats identified during the threat modeling of your secure development lifecycle program. Review which of these threats the WAFs under consideration safeguard against, such as analyzing parameters passed via cookies or URLs and providing defenses against all of the OWASP Top Ten application vulnerabilities, as well as any additional requirements mandated for compliance.
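To make concrete what "analyzing parameters passed via cookies or URLs" against a pre-set security policy means in practice, here is an added illustration written for this page; it is not code from the article or from any WAF product. It implements a positive security model: a constructed policy describes, per URL path, the HTTP methods, query parameters and cookies an application accepts and the pattern each value must match, and any request that deviates is reported as a violation. The policy contents, parameter names and sample requests are all assumptions made up for the example; a real deployment derives the policy from the application's own threat model.

```python
"""Positive-security-model request inspection, in the spirit of a WAF policy.

Added example for this page, not code from the article or any product. The
policy, parameter names and sample requests below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, urlsplit

# Constructed policy: for each path, the allowed methods, the accepted query
# parameters with a regex each value must fully match, and the accepted
# cookies with the same kind of rule. Anything not listed is a violation.
POLICY: Dict[str, dict] = {
    "/account": {
        "methods": {"GET"},
        "query": {"id": r"[0-9]{1,10}", "tab": r"(profile|orders)"},
        "cookies": {"session": r"[A-Za-z0-9]{32}"},
    },
    "/search": {
        "methods": {"GET"},
        "query": {"q": r"[\w \-]{1,64}"},
        "cookies": {"session": r"[A-Za-z0-9]{32}"},
    },
}


@dataclass
class Verdict:
    """Result of inspecting one request: allowed, plus the reasons if not."""
    allowed: bool
    violations: List[str] = field(default_factory=list)


def parse_cookie_header(header: str) -> List[Tuple[str, str]]:
    """Split a Cookie header ("a=1; b=2") into (name, value) pairs."""
    pairs = []
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            pairs.append((name, value))
    return pairs


def _check_pairs(kind: str, pairs, rules: Dict[str, str], violations: List[str]) -> None:
    """Flag parameters the policy does not know, or whose value breaks its pattern."""
    for name, value in pairs:
        pattern = rules.get(name)
        if pattern is None:
            violations.append(f"{kind} parameter '{name}' not in policy")
        elif re.fullmatch(pattern, value) is None:
            violations.append(f"{kind} parameter '{name}' violates pattern {pattern}")


def inspect_request(method: str, url: str, cookie_header: str = "") -> Verdict:
    """Evaluate one request against POLICY and return a Verdict."""
    parts = urlsplit(url)
    rules = POLICY.get(parts.path)
    if rules is None:
        # Unknown paths are rejected outright under a positive model.
        return Verdict(False, [f"path '{parts.path}' not in policy"])
    violations: List[str] = []
    if method not in rules["methods"]:
        violations.append(f"method '{method}' not allowed for {parts.path}")
    _check_pairs("query", parse_qsl(parts.query, keep_blank_values=True),
                 rules["query"], violations)
    _check_pairs("cookie", parse_cookie_header(cookie_header),
                 rules["cookies"], violations)
    return Verdict(not violations, violations)


# Constructed sample requests: one conforming, three deviating in different ways.
SESSION = "session=" + "a" * 32
SAMPLE_REQUESTS = [
    ("GET", "/account?id=42&tab=orders", SESSION),       # conforms to policy
    ("GET", "/account?id=42abc&tab=orders", SESSION),    # id is not numeric
    ("GET", "/account?id=42&debug=1", SESSION),          # unexpected parameter
    ("POST", "/admin", ""),                              # path not in policy
]


def run_samples() -> List[Verdict]:
    """Inspect every sample request; used by the demo below and by tests."""
    return [inspect_request(*req) for req in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, verdict in zip(SAMPLE_REQUESTS, run_samples()):
        status = "ALLOW" if verdict.allowed else "BLOCK"
        print(f"{status} {req[0]} {req[1]} {verdict.violations}")
```

The point the example makes is that the policy, not the inspection engine, carries the security value: the same code is only as good as the per-application rules fed to it, which is why the text ties WAF selection back to your own security policy and threat model.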

For more on Web application firewall selection and deployment:
  • Understanding your Web application firewall (WAF) product options
  • Comparing Web application firewall (WAF) security features
  • Web application firewall implementation: Software vs. hardware
  • How to deploy a Web application firewall (WAF)
  • Web application firewall (WAF) management

This was first published in April 2009
