When it comes to selecting a Web application firewall that suits your compliance needs, you can choose from the full range of WAFs on the market. The PCI Information Supplement states that a WAF can be implemented in software on a standard server running a common operating system or an appliance. It may be a stand-alone device or integrated into other network components.
Software WAFs are usually cheaper and more flexible. Appliances, however, are typically easier to install and configure, partly because their operating system has already been hardened. A Web application firewall won't protect you against vulnerabilities in your servers.or poor configurations, so a software firewall will require you to harden it.
If you opt for a software-based product, choose one that works on a platform that your IT staff is familiar with. Either way, check out what type of training and support is provided by the firewall vendor -- and at what cost.
There are, naturally, open source software WAFs, such as ModSecurity and AQTRONIX WebKnight. Although these types of Web application firewalls may meet your requirements and greatly reduce your costs, you will still need staff to learn, install, configure and maintain it. Many open source projects have excellent support forums, but unlike a purchased product, you won't be able to call a help desk in an emergency.
It is also important to consider scalability and performance when evaluating hardware or software options. Some devices may be limited as to how many transactions per hour they can handle. Other appliances may have restricted bandwidths. If you're planning on increased Web activity or adding applications in the near future, a scalable and flexible firewall is crucial.
Software products often provide an easier upgrade path than appliances, but hardware WAFs are better suited for high-volume sites, which require high throughput.
If you are using a large-scale application, which requires more than one WAF, then it'll be important for the device to have centralized management features so that firewall policies can be deployed and managed from a single location.
Don't get hung up on whether the WAF is hardware or software, as long as it meets your needs and can be configured and managed easily in-house.
Web application firewall (WAF) help is on hand
As you can see, you need to devote plenty of time to fully evaluate WAF products. So how do you compare the different options once you have narrowed down your selection to those that meet your basic requirements?
For more on Web application firewall selection and deployment
Understanding your Web application firewall (WAF) product options
Comparing Web application firewall (WAF) security features
Web application firewall implementation: Software vs. hardware
How to deploy a Web application firewall (WAF)
Web application firewall (WAF) management
You're not alone. The Web Application Security Consortium (WASC) creates and advocates standards for Web application security. The group has developed the Web Application Firewall Evaluation Criteria (WAFEC) for comparisons, and any reasonably skilled technician can use their testing methodology to independently assess the quality of a WAF product.
These tests can be used as part of your evaluation process. Follow WASC's recommendation that you pay close attention to the deployment architecture used, support for HTTP, HTML and XML, detection and protection techniques employed, logging and reporting capabilities, and management and performance.