Blogs & Stories

Trustwave Blog

The Trustwave Blog empowers information security professionals to achieve new heights through expert insight that addresses hot topics, trends and challenges and defines best practices.

3 Best Practices for Optimal WAF Management

I recently spent time with some of the top web application firewall (WAF) experts at Trustwave to get ideas on how people can more effectively manage this important technology. I wrote about the top 10 they relayed to me in a new white paper that I encourage you to download. To give you a sense of what's included, here are a few highlights:

Before deployment: Document your organization's security risk tolerance

Your organization's risk tolerance should impact how you set up your WAF policies. For example, if your organization is a large e-commerce operation, you might have a high tolerance for risk. You don't want any legitimate traffic to be blocked, as the revenue you get from your e-commerce business outweighs the risk of being successfully attacked. On the other hand, if you support a prestigious law firm, you might have a very low risk tolerance. You're willing to let some legitimate user activity be blocked as a tradeoff for avoiding an attack and the bad publicity that could come with it.

WAFs have options for monitoring and/or blocking web application traffic. You can choose the monitoring and blocking options that best support your risk tolerance.

From a technical perspective, use data logging and masking

Your WAF, like other security devices, will generate a log (or logs) of data on system activity, WAF activity, web traffic, events, and more. As a technical best practice, you should log some WAF data while at the same time, mask data types that you don't need to keep in your WAF environment like passwords, user login details, and credit card numbers.
Much of the data the WAF generates is useful and should be logged. For example, if you capture HTTP transactional logs when web applications generate error conditions, you can use that data to determine if the errors are caused by an actual attack or by another type of error like communication issues between applications.

From an admin perspective, develop a habit of monitoring web traffic

Whether you can get web traffic information from your WAF or other sources like your network team, get into the habit of checking web traffic on a regular basis. Depending on the nature of your website and web applications, you'll soon see the trend for how much traffic you typically receive and when.
Variations from the norm will quickly highlight potential issues. When a new CVE comes out for a serious new web application vulnerability, you might see spikes in web traffic from scanners looking for a specific port or service that could lead them to it. The quick visibility into changing web traffic behavior can give you a warning to look for and mitigate/fix the vulnerability, should it affect your organization.

Interested in more best practices?

To learn more about these and other best practice ideas, download the white paper now. I would love you to share any additional ideas in the comments below.
Diane Garey is a product marketing manager at Trustwave.