A Web Application Firewall (WAF) can protect your web applications and website from the many intrusions and attacks that your network firewall cannot. Depending on its type, a WAF can protect against buffer overflows, XSS attacks, session hijacking, and SQL injection.
However, not all WAFs are equal, and definitely, they do not provide the same level of security. Here is a checklist to help you evaluate different web application software and choose one that is most suitable for your needs.
It’s crucial to find out how the WAF is bundled and sold to the customer. The choice you make will largely depend on what your organization is comfortable with since most WAFs have several options to choose from. Here are the most common forms:
Once you have decided on the form factor, it’s time to find out how the WAF detects vulnerabilities. Most WAFs employ a variety of techniques to ensure the most accurate detection. Ensure you ask about the specific methods used and proof of false negative and positive rates and any third-party testing results. This will give you a clear picture of how proactive the WAF will be. Read more on the different WAF detection technologies .
If you need a WAF to work in a high traffic environment, it should process a substantial amount of traffic without slowing down your web application. The WAF should also work with load balancers and support failovers to prevent disruption of service when one web application or WAF red-lines or fails. If you choose a stand-alone WAF, ensure that it meets your company’s HA needs for architectural conformance and performance. To gauge the performance and throughput levels of the WAF, ask the following questions:
At a minimum, a good WAF should log vital information about the transaction activity to and from the web application. Additionally, find out if you can generate reports on schedule, on-demand, or both. Check if there are filters that you can employ to quickly find the data that is important to your team. You might also want to consider user-friendly presentations and report distribution methods if they are essential to your company. Here is a list of questions that will guide you when gauging the logging and reporting features of a WAF:
Although encryption is vital for preventing prying eyes from accessing data, it also prevents a WAF from inspecting the data without decrypting it first. You, however, have the option of providing your WAF with the encryption keys so it can decrypt the stream or terminate the SSL connection and then create a new encrypted tunnel for transferring data from the WAF to the web browser or server. Since SSL processing introduces CPU overhead, it is essential that you carefully size any WAF that tends to terminate SSL sessions. You can always consider using an accelerator board to off-load some of the processing work. Key questions to ask here include:
WAFs will have to terminate SSL sessions to analyze the traffic.
This tool scans a web application from the outside to emulate the kind of vulnerability that an attacker could discover. It can sometimes be used with WAFs to help find vulnerabilities that your security admins can mitigate using custom WAF rules. WAF are already able to block any patterns the scanner can throw? Here are the crucial questions to ask:
Alternatively, here at Cloudbric, we launched a WAF evaluator to test the performance of your existing WAF if you’re already using one. Determine the level of detection capabilities and accuracy of your WAF using test patterns from OWASP, Exploit DB patterns, and others.
In addition to following this checklist for evaluating WAFs, you should also check the WAF provider’s support. A great WAF provider’s support team is crucial to your decision-making process. This is even more important when you don’t have a dedicated security team. A supportive and knowledgeable support team will help you detect abnormalities in your traffic and analyze threats. Remember to ask whether the provider updates their WAF and how often this happens because timely updates are vital to a WAF’s performance. Read more on Cloudbric’s signature-less technology that negates the need for constant WAF updates!