Web application firewall implementation: Software vs. hardware

When it comes to selecting a Web application firewall that suits your compliance needs, you can choose from the full range of WAFs on the market. The PCI Information Supplement states that a WAF can be implemented in software on a standard server running a common operating system or an appliance. It may be a stand-alone device or integrated into other network components.

Software WAFs are usually cheaper and more flexible. Appliances, however, are typically easier to install and configure, partly because their operating system has already been hardened. A Web application firewall won't protect you against vulnerabilities in your servers or poor configurations, so a software firewall will require you to harden the host it runs on.

If you opt for a software-based product, choose one that works on a platform that your IT staff is familiar with. Either way, check out what type of training and support is provided by the firewall vendor -- and at what cost.

There are, naturally, open source software WAFs, such as ModSecurity and AQTRONIX WebKnight. Although these types of Web application firewalls may meet your requirements and greatly reduce your costs, you will still need staff to learn, install, configure and maintain them. Many open source projects have excellent support forums, but unlike a purchased product, you won't be able to call a help desk in an emergency.

It is also important to consider scalability and performance when evaluating hardware or software options. Some devices may be limited as to how many transactions per hour they can handle. Other appliances may have restricted bandwidths. If you're planning on increased Web activity or adding applications in the near future, a scalable and flexible firewall is crucial.

Software products often provide an easier upgrade path than appliances, but hardware WAFs are better suited for high-volume sites, which require high throughput.

If you are using a large-scale application, which requires more than one WAF, then it'll be important for the device to have centralized management features so that firewall policies can be deployed and managed from a single location.

Don't get hung up on whether the WAF is hardware or software, as long as it meets your needs and can be configured and managed easily in-house.

Web application firewall (WAF) help is on hand
As you can see, you need to devote plenty of time to fully evaluate WAF products. So how do you compare the different options once you have narrowed down your selection to those that meet your basic requirements?

You're not alone. The Web Application Security Consortium (WASC) creates and advocates standards for Web application security. The group has developed the Web Application Firewall Evaluation Criteria (WAFEC) for comparisons, and any reasonably skilled technician can use their testing methodology to independently assess the quality of a WAF product.

These tests can be used as part of your evaluation process. Follow WASC's recommendation that you pay close attention to the deployment architecture used, support for HTTP, HTML and XML, detection and protection techniques employed, logging and reporting capabilities, and management and performance.
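To make the WAFEC-style comparison concrete, here is a small Python harness added as an example; it is not part of the original article and not WASC's own test suite. It feeds a labelled corpus of constructed HTTP requests to a candidate WAF's decision function and scores it on several of the axes named above: detection accuracy, false positives on legitimate traffic, whether every block reached the audit log, and throughput. The `toy_waf` rule set, the `CORPUS` samples and the `evaluate` function are all assumptions for the example; in a real evaluation you would replace `toy_waf` with a client that sends the same requests through the product under test and reads back its verdict and log.

```python
import re
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Request:
    method: str
    path: str
    query: str
    body: str
    malicious: bool  # ground-truth label set by the evaluator, not by the WAF


@dataclass
class Verdict:
    blocked: bool
    rule_id: Optional[str] = None


# Constructed evaluation corpus (not real traffic): everyday requests plus a few
# carrying textbook patterns any WAF is expected to stop. One benign request
# contains "../" inside free text so false-positive measurement is exercised.
CORPUS: List[Request] = [
    Request("GET", "/products", "id=42", "", False),
    Request("POST", "/login", "", "user=alice&pass=s3cret", False),
    Request("GET", "/search", "q=union+square+cafe", "", False),
    Request("GET", "/help", "topic=see ../faq for details", "", False),
    Request("GET", "/search", "q=<script>alert(1)</script>", "", True),
    Request("GET", "/download", "file=../../etc/passwd", "", True),
    Request("POST", "/login", "", "user=admin' OR '1'='1&pass=x", True),
]

# A minimal rule set standing in for the product under test. This is an
# assumption for the example, not ModSecurity's rule language or any vendor's.
TOY_RULES: Dict[str, re.Pattern] = {
    "xss-001": re.compile(r"<\s*script", re.I),
    "trav-001": re.compile(r"\.\./"),
    "sqli-001": re.compile(r"'\s*or\s*'", re.I),
}


def toy_waf(req: Request, audit_log: List[str]) -> Verdict:
    """Block the request if any rule matches its query or body; log every block."""
    inspected = f"{req.query} {req.body}"
    for rule_id, pattern in TOY_RULES.items():
        if pattern.search(inspected):
            audit_log.append(f"BLOCK {req.method} {req.path} rule={rule_id}")
            return Verdict(True, rule_id)
    return Verdict(False)


WafFn = Callable[[Request, List[str]], Verdict]


def evaluate(corpus: List[Request], waf: WafFn) -> Dict[str, float]:
    """Run the corpus through `waf` and score it on WAFEC-style axes:
    detection accuracy, false positives, logging completeness and throughput."""
    audit_log: List[str] = []
    tp = fp = fn = tn = 0
    start = time.perf_counter()
    for req in corpus:
        verdict = waf(req, audit_log)
        if req.malicious:
            if verdict.blocked:
                tp += 1
            else:
                fn += 1
        else:
            if verdict.blocked:
                fp += 1
            else:
                tn += 1
    elapsed = max(time.perf_counter() - start, 1e-9)
    return {
        "detected": tp,
        "missed": fn,
        "false_positives": fp,
        "true_negatives": tn,
        "detection_rate": tp / (tp + fn) if tp + fn else 0.0,
        "false_positive_rate": fp / (fp + tn) if fp + tn else 0.0,
        # Every block should leave an audit record; a gap here is a logging defect.
        "blocks_logged": sum(1 for line in audit_log if line.startswith("BLOCK")),
        "requests_per_second": len(corpus) / elapsed,
    }


if __name__ == "__main__":
    for key, value in evaluate(CORPUS, toy_waf).items():
        print(f"{key:>20}: {value}")
```

Run against the toy rules, the harness reports all three test requests blocked but also one benign request blocked (the help topic that merely mentions `../`), which is exactly the kind of false positive the WASC criteria ask you to weigh alongside raw detection. The throughput figure is only meaningful once the same corpus, enlarged to thousands of requests, is replayed against the real appliance or software WAF on its intended hardware.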


This was first published in April 2009
