Top 10 Web Application Firewall Best Practices

Basic CMYKThe headlines are constantly bombarding us with the latest breaches like Ashley Madison, OPM, LastPass, and many others. According to this year’s Verizon Data Breach Investigation Report, there were over 79,000 security incidents in 2014. For the first time ever, the report names organized crime as the most prevalent threat actor for web application attacks. These attacks resulted in the 2nd most common attack category after crimeware.

In the next part of this article we will discuss the Top 10 Web Application Firewall (WAF) Best Practices. These methods are designed to assist organizations in understanding how to maximize the value from investments in web application firewalls and how GuidePoint Security is helping organizations to realize these benefits.

Top 10 WAF Best Practices

  1. Reasonable Expectations for WAF

Organizations should have reasonable expectations as to what attacks WAFs are effective at mitigating. Attacks such as Reflected Cross-Site Scripting (XSS) and SQL injection are trivial for most WAFs to detect. More abstract attacks such as abuse of business logic within an application are harder to detect using default policies and require in-depth understanding of the application in order to create policies to detect. 

  1. Deployment Architecture

There are multiple ways to deploy a WAF. In the cloud, reverse proxy, transparent bridge, sniffing, and on-host embedded deployments are all supported by many of the major WAF vendors. It is important to understand the trade-offs for the various deployment models.

  1. Failure Modes

There may be instances where the WAF fails, but how it fails is as important to understand as preventing the failure in the first place. If and when the WAF fails, what happens? Does it fail open and continue to allow traffic to the web server or does it become a failure point impacting availability? There is no right or wrong answer here, as the organization must understand the risks associated with an unprotected application remaining up versus an interruption of service.

  1. Application Profiling

WAF is not one size fits all. In other words, a single protection profile is probably not sufficient to protect all of an organization’s applications. Applications should be grouped into similar codebases for profiling, and policies should be constructed on an application-by-application basis.

  1. Security Models

Web Application Firewalls use the concept of positive and negative security models. The easiest way to explain this concept is to think of a positive model as a whitelist of allowed requests or responses and a negative model being the blacklist of disallowed values. A WAF can typically be configured with one or the other, or both, but frequently only negative security models are utilized, as they are far easier to implement. The best practice is to use both models when possible, or Positive models only if the WAF does not support both.

  1. Policy Tuning

Policies need to be tuned on a constant basis, and the violations and logged events should be driving this activity. This tuning activity is important to not only prevent detected attacks and upgrade a suspicious event to a blocked event, but also to reduce the noise generated by false positives.

  1. Team Integration

The team that owns your WAF may differ from organization to organization, but especially for Application Delivery Controller (ADC) based WAFs, they are commonly owned and managed by the Network team along with other load balancer technologies. It is important that Network, Security, and Application subject matter experts collaborate on WAF configurations in order to ensure that business, operational, and security requirements are met with minimal impact to the business or to customers. 

  1. Vulnerability Scanning

Vulnerability scanning for applications is an important activity that many WAFs support through automated policy creation based on scan outputs. It is important to make the distinction that scanning through the WAF tests the WAF, while scanning behind the WAF more accurately tests the application. A separate scan through the WAF should be conducted for any WAF tuning activities.

  1. User Training

Any security technology is only as useful as the capabilities of the team managing it. That is why it is so important to have the WAF managing team trained on application security best practices, web attacks, and incident response, as well as the specifics of the WAF technology they have deployed.

  1. Other Use Cases

Virtual patching, which the Open Web Application Security Project (OWASP) defines as “A security policy enforcement layer which prevents the exploitation of a known vulnerability” is the most commonly thought of use case for deployment of a WAF, with the possible exception of Compliance drivers such as PCI DSS. Other use cases that organizations should be considering include:

  • Logging – WAFs commonly employ more robust logging than what may be configured on web servers including full headers, body, and response codes.
  • Content Rewriting – This is an excellent security benefit supporting data leak prevention and cookie anti-tampering measure. However, it may also support business objectives such as use of stream policies to change content returned to a web visitor based on geography, site requested, site redirects, or other required scenarios.
  • SSL Termination/Offload – Most WAFs have the ability to terminate and offload SSL activities, which may reduce load on web servers, but also allows an organization to support different encryption options at the perimeter than what is negotiated by the actual web server.
  • Application Metrics – Since the WAF inspects all of the traffic destined for web applications, it can also provide substantial benefits for the business as well as security for identifying trends, usage statistics, geographic user sources, and other data useful for identifying the success of marketing campaigns or identification of key demographic data.
  • Application Understanding – It is common for organizations to experience turnover or shifting responsibilities. As such, it is not unusual that disparate teams need to understand how applications function but do not have access to the subject matter experts to convey this information. WAFs provide this key capability to help security and the business take a look under the hood and understand how applications actually work.

GuidePoint Security Web Application Firewall Health Check

 With these best practices as driving principles, GuidePoint Security has developed a Health Check offering for Web Application Firewalls. The Web Application Firewall (WAF) Health Check service helps our clients optimize their WAF environment to meet a set of constantly growing security, operational, and compliance needs.   This service examines their needs, evaluates their current WAF environment, and makes a series of recommendations to get the most from their WAF solution, including the use of application specific profile and policy assessment and custom requirements gap analysis.

About GuidePoint Security

GuidePoint Security LLC provides customized, innovative and valuable information security solutions and proven cyber security expertise that enable commercial and federal organizations to successfully achieve their security and business goals. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and classification can be found with the System for Award Management (SAM). Learn more at: