How much work will a Web application firewall do? How much attention does it need to keep it in sync with applications that are continuously improving?
Rather than asking how much work your Web application firewall can do for you, start by asking how much you want to do for your WAF. This is an important question to ask before you embark on deploying a WAF, especially one that is going to be guarding an application or applications with a fast development cycle. Web app firewalls can provide excellent protection against certain types of threats and certain types of attacks, but many organizations embark on deployments without a full understanding of the investment required to achieve the desired results.
Most commercial WAFs have two important capabilities: training and customization. If you are looking to deploy a WAF to detect and block application attacks, certain characteristics of your application are going to determine how effective the detection and blocking will be and how much work will be required to maintain custom protections.
For applications that are frequently changed, protection thresholds may need to be relaxed in order to avoid false blocks, as the training capabilities may fail to keep pace with an accelerated deployment schedule. In addition, complex applications or ones with unique requirements will likely require rule customization to shape how the WAF's detection and blocking algorithms view traffic sent to the application.
Added customization can make WAFs more effective in detecting and blocking, but these customizations take time and have to be maintained as applications evolve. A failure to maintain rule sets can result in degraded protection over time, as well as requests that are blocked unnecessarily.
Many organizations look at Web app firewalls as protection technologies that are deployed to detect and stop attacks before they can result in some sort of loss or compromise. This is certainly desirable, but, as previously discussed, actually achieving these results can be challenging and involve hidden or unplanned costs. An alternate way to look at a WAF deployment is to consider it a way to gain intelligence about the application's usage and attack patterns.
In intelligence-gathering deployments, blocking rules are eliminated or scaled back, and the focus is instead on gathering log data about traffic patterns, suspicious requests over time and so on. This can provide a picture of reconnaissance activities and also potentially provide forensic value in case of an incident. These types of deployments might not live up to the hype surrounding so-called magic WAFs that are deployed, instantly learn about the application and then successfully block all attacks, but they might be more realistic, given an organization's level of resources and commitment to ongoing investment in its WAF deployment.
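The trade-offs described above (a learned profile that falls behind an application release, the choice between relaxing the threshold and customizing a rule, and running in detection-only mode to build a picture of suspicious traffic instead of blocking) can be shown with a toy decision engine. The following is an added example written for this article, not code from any WAF product; the learned profile, rule weights, client addresses and sample traffic are all constructed, and the "block"/"detect" modes, threshold and exclusion mechanism are simplified stand-ins for the training and customization features commercial products offer.

```python
"""Toy WAF decision engine: learned parameter profile, generic negative rules,
a blocking-vs-detection-only mode, and a per-client summary of flagged traffic.
Everything here is constructed for illustration."""
import re
from collections import Counter
from dataclasses import dataclass, field

# "Training" output: for each (path, parameter) the value shape observed during
# learning. Constructed; a real product derives this from observed traffic.
LEARNED_PROFILE = {
    ("/account", "id"): re.compile(r"^\d{1,9}$"),
    ("/search", "q"): re.compile(r"^[\w ]{1,64}$"),
}
PROFILE_WEIGHT = 5

# Generic negative rules (name, pattern, weight) applied to every parameter value.
NEGATIVE_RULES = [
    ("traversal", re.compile(r"(^|/)\.\.(/|$)"), 5),
    ("control-chars", re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f]"), 3),
    ("overlong", re.compile(r"^.{512,}$", re.S), 2),
]


@dataclass
class WafConfig:
    mode: str = "block"      # "block", or "detect" for an intelligence-gathering deployment
    threshold: int = 5       # anomaly score at which a request counts as an attack
    # Rule customization: (path, parameter) pairs exempt from the learned profile,
    # e.g. after an application release changed a parameter's format.
    profile_exclusions: set = field(default_factory=set)


@dataclass
class Verdict:
    client: str
    path: str
    score: int
    reasons: list
    flagged: bool   # score reached the threshold
    blocked: bool   # flagged AND the WAF is in blocking mode


def evaluate(client: str, path: str, params: dict, cfg: WafConfig) -> Verdict:
    """Score one request against the learned profile and the negative rules."""
    score, reasons = 0, []
    for name, value in params.items():
        profile = LEARNED_PROFILE.get((path, name))
        if profile and (path, name) not in cfg.profile_exclusions and not profile.match(value):
            score += PROFILE_WEIGHT
            reasons.append(f"profile-violation:{name}")
        for rule_name, pattern, weight in NEGATIVE_RULES:
            if pattern.search(value):
                score += weight
                reasons.append(f"{rule_name}:{name}")
    flagged = score >= cfg.threshold
    # Detection-only mode never blocks; the verdict is only recorded.
    return Verdict(client, path, score, reasons, flagged, flagged and cfg.mode == "block")


def summarize(verdicts) -> dict:
    """Per-client picture of flagged requests: what a detection-only deployment
    reports (and what a false positive looks like in that report)."""
    out = {}
    for v in verdicts:
        if not v.flagged:
            continue
        entry = out.setdefault(v.client, {"flagged": 0, "reasons": Counter()})
        entry["flagged"] += 1
        entry["reasons"].update(v.reasons)
    return out


# Constructed traffic. The application's latest release changed account ids from
# numeric to "acct-<n>"; the learned profile has not caught up with it yet.
SAMPLE_TRAFFIC = [
    ("10.0.0.5", "/account", {"id": "42"}),                 # matches the old profile
    ("10.0.0.5", "/account", {"id": "acct-42"}),            # legitimate after the release
    ("198.51.100.7", "/files", {"name": "../../config"}),   # traversal probe
    ("198.51.100.7", "/search", {"q": "report\x00"}),       # control-character probe
]


def run(cfg: WafConfig):
    return [evaluate(client, path, params, cfg) for client, path, params in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    for label, cfg in [("blocking, untuned", WafConfig()),
                       ("blocking, threshold relaxed to 8", WafConfig(threshold=8)),
                       ("blocking, profile exclusion added", WafConfig(profile_exclusions={("/account", "id")})),
                       ("detection-only", WafConfig(mode="detect"))]:
        print(f"== {label}")
        for v in run(cfg):
            print(f"  {v.client:14} {v.path:9} score={v.score} blocked={v.blocked} {v.reasons}")
    print("summary (detection-only):", summarize(run(WafConfig(mode="detect"))))
```

Running the four configurations side by side makes the article's point concrete: the untuned blocking deployment blocks the legitimate post-release request (a false block), relaxing the threshold stops that false block but also lets the traversal probe through (degraded protection), the profile exclusion is the customization that keeps both outcomes right but has to be maintained with each release, and the detection-only run blocks nothing while its summary still attributes two suspicious requests to one client, along with the false positive that a tuning pass would then remove.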
In the end, an organization should embark on a WAF deployment only if it has a thought-out set of goals for the deployment, other than, "Please make my auditor leave me alone." An organization also needs to have realistic expectations about the level of protection it will receive, as well as the amount of investment that will be required to achieve that protection.
This was first published in February 2014