Understanding Web Application Firewalls – Part Two!
Friday, June 26, 2009 0:37
Web Application Firewalls
Web application firewalls are a market that is still hard to define, meaning that what one vendor calls a web application firewall may not be what another defines as such. For now, many products fall under the web application firewall term. For a business such as yours, this makes it hard to evaluate and compare products. To overcome this confusion, first look at what your security needs are, the structure of your network, and the applications that you are using. Then look at what is available that fits your criteria. Doing this first will narrow your search from many products down to probably a few that you are interested in researching and maybe testing further. A few requirements for a web application firewall include:
- The web application firewall must be able to look at and fully analyze HTTP traffic. If it can’t do this well, then it is not worth looking further at the product.
- It should only allow web traffic that is valid and block everything else. I would also want the ability to change and modify which traffic or actions are blocked, so you can fit it to your own needs and situation.
- The web application firewall should be backed up by signature-based rules, but they will need to be fairly generic so they can detect most variants of attacks against the wide variety of web applications that you may use.
- It must offer good session-based protection, since HTTP itself provides very little.
- Lastly, the web application firewall should be capable of fine tuning. You should be able to make detailed changes to just small parts of the firewall so that you don’t open up more security holes than you are trying to close. Management capabilities for any security device are very important. You want to be able to change things as you see the need, which is one reason I use open source software so much.
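To make the first four criteria concrete, here is an added Python sketch (my own illustration for this post, not code from the original article or from any vendor's product) of the decisions a web application firewall makes on each request: a positive model that allows only known-valid routes, a session check on state-changing requests, generic signature rules that match a class of input rather than one attack string, and a narrow tuning exception for a single parameter on a single path. The routes, session-id format, rules, and sample requests are all constructed for the example.

```python
import re
from dataclasses import dataclass, field


# Toy model of an inbound HTTP request (constructed; a real WAF parses raw HTTP).
@dataclass
class Request:
    method: str
    path: str
    params: dict    # decoded query/body parameters, name -> value
    cookies: dict   # cookie name -> value


@dataclass
class Rule:
    rule_id: str
    description: str
    pattern: re.Pattern
    # Fine-grained tuning: (path, parameter) pairs this rule is NOT applied to.
    exclusions: set = field(default_factory=set)


# Positive security model: only these method/path pairs are valid for the site.
# Hypothetical routes for a small shop.
ALLOWED_ROUTES = {
    ("GET", "/"), ("GET", "/products"), ("GET", "/search"),
    ("POST", "/cart"), ("POST", "/checkout"),
}
# State-changing routes that must carry a session the application issued.
SESSION_REQUIRED = {("POST", "/cart"), ("POST", "/checkout")}
SESSION_COOKIE = "sid"
SESSION_ID_FORMAT = re.compile(r"^[0-9a-f]{32}$")   # hypothetical session-id format

# Generic signature rules: each matches a class of input, not one exploit string,
# so the same small rule set covers most variants across many applications.
GENERIC_RULES = [
    Rule("SQLI-001", "SQL tautology in a quoted context",
         re.compile(r"""(?i)['"]\s*or\s+['"]?\w+['"]?\s*=\s*['"]?\w+""")),
    Rule("SQLI-002", "SQL comment sequence", re.compile(r"--|/\*")),
    Rule("XSS-001", "script tag or inline event handler",
         re.compile(r"(?i)<\s*script|\bon\w+\s*=")),
    Rule("TRAV-001", "directory traversal sequence", re.compile(r"\.\.[/\\]")),
]


def tune(rules, rule_id, path, param):
    """Relax exactly one rule for one parameter on one path, nothing wider."""
    for rule in rules:
        if rule.rule_id == rule_id:
            rule.exclusions.add((path, param))
            return
    raise KeyError(rule_id)


def inspect(req, issued_sessions, allowed_routes=ALLOWED_ROUTES, rules=GENERIC_RULES):
    """Return (decision, reasons); decision is 'allow' or 'block'."""
    reasons = []
    # 1. Positive model: anything that is not a known-valid route is denied.
    if (req.method, req.path) not in allowed_routes:
        reasons.append(f"ROUTE: {req.method} {req.path} is not a valid route")
    # 2. Session protection: HTTP is stateless, so the WAF checks that
    #    state-changing requests carry a well-formed session the app issued.
    if (req.method, req.path) in SESSION_REQUIRED:
        sid = req.cookies.get(SESSION_COOKIE, "")
        if not SESSION_ID_FORMAT.match(sid) or sid not in issued_sessions:
            reasons.append("SESSION: missing, malformed or unknown session id")
    # 3. Generic signatures over every parameter, honouring tuned exclusions.
    for rule in rules:
        for name, value in req.params.items():
            if (req.path, name) in rule.exclusions:
                continue
            if rule.pattern.search(value):
                reasons.append(f"{rule.rule_id}: {rule.description} in '{name}'")
    return ("block" if reasons else "allow"), reasons


ISSUED_SESSIONS = {"a" * 32}   # constructed: one session the application issued


def demo():
    """Run constructed sample requests through the filter; returns name -> decision."""
    # Tuning: product codes on the search page legitimately contain "--", so
    # only SQLI-002, only for parameter q, only on /search, is relaxed.
    tune(GENERIC_RULES, "SQLI-002", "/search", "q")
    samples = {
        "normal_search":   Request("GET", "/search", {"q": "blue shirt"}, {}),
        "product_code":    Request("GET", "/search", {"q": "SKU--4471"}, {}),
        "tautology":       Request("GET", "/search", {"q": "x' or 1=1"}, {}),
        "xss_in_cart":     Request("POST", "/cart", {"item": "<script>x</script>"},
                                   {"sid": "a" * 32}),
        "checkout_nosid":  Request("POST", "/checkout", {"total": "19.99"}, {}),
        "unknown_route":   Request("GET", "/admin", {}, {}),
        "comment_in_cart": Request("POST", "/cart", {"item": "mug--red"},
                                   {"sid": "a" * 32}),
    }
    return {name: inspect(r, ISSUED_SESSIONS) for name, r in samples.items()}


if __name__ == "__main__":
    for name, (decision, reasons) in demo().items():
        print(f"{name:16} {decision:5} {'; '.join(reasons)}")
```

The last two samples show why tuning has to be narrow: the same `--` that is allowed in the search parameter is still blocked in the cart parameter, because the exception was scoped to one parameter on one path rather than to the rule as a whole.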
Another great source of information regarding web application firewalls and additional criteria for web application firewalls is the Open Web Application Security Project.
PCI Standard and Web Application Firewalls
As I mentioned earlier in this article, the PCI standard requires either a code review of the web application you are using or the use of a web application firewall. Also, one of the basic security principles all businesses should follow is a layered approach to security (see the four basic principles of security in this article). This approach means that I would look at implementing both the code review and a web application firewall, depending on your security situation.
For example, a business may be implementing a new web application for its site which will handle all of its e-commerce transactions in-house, rather than redirecting customers to a third-party site that handles the shopping cart and payment system. If it were my business, I would first have the web application software reviewed by an experienced third-party code review company. This will be fairly expensive, but it is well worth it when you will be handling sensitive customer data such as credit card, debit card, and/or e-check information. Your business reputation is at stake as well, not just the financial issues related to a data breach. The code review should identify the biggest security holes in the code so they can be corrected before going live with the application. This should cut down the number and type of security issues with the application, and it may also cut down the number of false positives and other technical issues when a web application firewall is implemented. I would then look at implementing a web application firewall to handle the situations that cannot be changed in the code or the issues that the review did not identify. No matter how good the programming of the application, there are usually a few flaws or bugs, which is why I would depend on the web application firewall to protect my website and sensitive data.
UTM and Web Application Firewalls
As I discussed in a previous article, “Unified Threat Management – Do I Need It?”, small businesses may benefit from the use of UTM. If your business hosts its own website or uses a dedicated server at a web host, you may want to use a UTM device instead of a variety of security technologies with different interfaces to protect your site or network. If you are using or considering UTM, then talk to your vendor and potential vendors about the current or future web application firewall capabilities of their UTM device. You can find a list of potential UTM vendors in this article on this site.
Well, that gives you a lot to think about, and I hope it simplifies some of the issues regarding web application firewalls. Remember, security is a process; you can never just implement it and let it go. Security requires continuous management and review to be done adequately. Also, especially when dealing with technical security issues, you must customize your security to fit your environment and needs.
If you have not read the first part of this article, you can read it here.