The following guest post was provided by Ben Henderson, CISSP from Ensure Networks. Email him here. You can download the full paper here.

The foremost function of a WAF is to secure web applications against application-layer vulnerabilities. WAFs can be hardware devices or software deployed to monitor and protect web traffic. They have the ability to enforce default and custom-configured policies for browser-to-server transactions. They are similar to network firewalls in that WAF policies also generally apply to IP addresses and ports. However, WAFs go further and inspect HTTP traffic, normalizing the data in the headers and URL parameters. They employ a variety of functions and work in parallel with IPS technology to improve the prevention of attacks. Just as network firewalls are useful in protecting against remote exploitation, a WAF performs the same function for the websites themselves: attacks are intercepted and denied before they reach the application. Securing critical and often insecure web applications is one of the major benefits of a WAF.


The three discrete components of a WAF are policies, policy enforcement and policy generation. These policies are unique to each website, so knowledge of your application is essential to a WAF deployment. WAFs are configured to learn what a website is supposed to do by building a form of whitelist. A whitelist policy allows only specified URLs to be served; all other requests are rejected automatically. As websites change constantly, new policies with well-defined rules are required continually, which can be a very difficult task for a company to handle. This makes policy generation and policy enforcement important functionality for streamlining the process. WAFs are well equipped to enforce policies for internal and external data security mechanisms such as PCI DSS (Payment Card Industry Data Security Standard). They also have a variety of traffic management capabilities that are useful in improving the performance and scalability of the data center infrastructure.

WAF Best Practice

While selecting a WAF, it is very important to note whether the WAF can be integrated smoothly in a virtualized approach. As far as performance is concerned, you need to ensure that the solution supports the key performance indicators of the existing application. Key indicators such as the number of HTTP requests at peak load should be examined thoroughly, because most systems have phases of high load that occur only rarely, and the WAF must still cope with them.

As the WAF is being implemented, the existing security policies need not be changed. The successful use of a WAF depends predominantly on its smooth interaction with the other components of the application infrastructure. This includes issues such as understanding and responding to errors, handling the WAF's alarm messages, and modifying the WAF rule set.

In implementing and operating a WAF, an iterative process can be regarded as a best practice. Initially, responsibilities are to be defined on the basis of a role concept. In the case of in-house application development, this has to be integrated as early as possible, so that applications not yet in production can already use the main features of the WAF. This also increases security and saves time and money for future applications.

First, the basic protection of blacklisting needs to be activated. These primary evaluations give the initial protection measures and can be considered a training process. A priority list of all the current web applications should be created at the outset; the purpose of this priority list is to measure web application access. Once whitelist rule sets are in place, web applications are fully protected from outside attack.
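To make the policy model from the two paragraphs above concrete (blacklisting as the initial training-phase protection, then a whitelist that serves only specified URLs and normalizes paths and parameters before matching), here is an added Python example; it is not code from the post or from Ensure Networks, and the allowed paths, parameter names and blacklist fragments are constructed assumptions.

```python
import posixpath
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumed whitelist policy (constructed for this demo):
# HTTP method -> {canonical path: parameter names the application expects}
WHITELIST = {
    "GET": {"/": set(), "/products": {"category", "page"}, "/login": set()},
    "POST": {"/login": {"username", "password"}},
}
# Assumed blacklist signatures, the "basic protection" used while the
# whitelist is still being learned
BLACKLIST_FRAGMENTS = ("<script", "union select", "../")

def normalize_path(raw_path: str) -> str:
    """Canonicalize the path before policy matching: decode percent-encoding
    twice (catches double encoding), collapse dot segments and extra slashes."""
    decoded = unquote(unquote(raw_path)) or "/"
    collapsed = posixpath.normpath(decoded)
    # normpath keeps a leading "//"; fold any number of leading slashes to one
    return "/" + collapsed.lstrip("/")

def evaluate(method: str, url: str, mode: str = "whitelist") -> tuple[bool, str]:
    """Return (allowed, reason). Blacklist mode rejects only known-bad patterns;
    whitelist mode rejects anything the policy does not explicitly permit."""
    if mode == "blacklist":
        haystack = unquote(unquote(url)).lower()
        for bad in BLACKLIST_FRAGMENTS:
            if bad in haystack:
                return False, f"blacklist hit: {bad!r}"
        return True, "no blacklist match"
    parts = urlsplit(url)
    path = normalize_path(parts.path)
    params = {name for name, _ in parse_qsl(parts.query, keep_blank_values=True)}
    allowed = WHITELIST.get(method.upper(), {})
    if path not in allowed:
        return False, f"path {path!r} not in whitelist for {method.upper()}"
    unexpected = params - allowed[path]
    if unexpected:
        return False, f"unexpected parameters {sorted(unexpected)}"
    return True, "matches whitelist policy"

if __name__ == "__main__":
    # Constructed requests; the second one is an encoded traversal that
    # normalizes to /admin, which no whitelist entry allows
    for method, url in [("GET", "/products?category=books&page=2"),
                        ("GET", "/products/%2e%2e/admin"),
                        ("GET", "/products?category=books&debug=1")]:
        print(method, url, "->", evaluate(method, url))
```

The third request passes a blacklist check but fails the whitelist because `debug` is not a parameter the policy learned for `/products`, which is the difference between the two phases the post describes.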

This has to be backed by source code review and penetration testing. The WAF application manager, together with the specialist application manager, should evaluate whether the application remains fully available at all times, including during rule set conversion.


In order to fully realize the opportunity provided by deploying a WAF as a security service within your company, positive collaboration between the security and application development teams is essential. You must ensure that your company both dedicates resources and adjusts its business and technology processes to gain the most benefit from deploying one.
