Shortcut guide to Web application firewall deployment

Transcription

1 E-Guide Shortcut guide to Web application firewall deployment Before purchasing a Web application firewall (WAF), there are several factors all organizations must consider. This expert tip offers advice on how to pick a WAF that best fits your organization and lays out the steps for successful deployment. Sponsored By:

2 E-Guide Shortcut guide to Web application firewall deployment Table of Contents Understanding your web application firewall (WAF) product options How to deploy a Web application firewall (WAF) Resources from Imperva Sponsored By: Page 2 of 7

3 Understanding your Web application firewall (WAF) product options The PCI Data Security Standard, particularly the code review section of Requirement 6, has made many companies consider purchasing a Web application firewall. But if you're rushing to find a WAF for your compliance needs, how do you know which features are critical? Companies need to consider multiple factors before making a purchase or they will risk making an expensive error. In this series of tips, we'll show you how to pick an application firewall that best suits your organization. A Web application firewall or application-layer firewall, placed between a Web client and a Web server, analyzes application-layer communications and looks for actions that violate a pre-set security policy. By doing so, the device defends Web apps from attacks and prevents potential data leaks. The functions of WAFs should not be confused with network firewalls and intrusion detection and prevention systems, which protect the network perimeter. But before purchasing a Web application firewall, remember that compliance requires more than just throwing a WAF product in front of your Web servers. And, besides, you actually want to improve your investment to enhance corporate security, right? To help you make the right decision for your organization, we'll guide you through the key points in evaluating products. Since buying the right product is just the start, you'll also learn something about properly deploying and managing your WAF so that your company is actually compliant and (somewhat) secure. What to know about Web application firewall projects Whenever new security requirements or legislation are introduced, those tasked with ensuring compliance often tend to rush the decision-making process. Many system administrators base their decision on which product to deploy based solely on a single vendor's sales pitch or a particular requirement or feature they've picked up on. Sponsored By: Page 3 of 7

4 The result will more than likely be the inappropriate or less than optimal security measures. Even a tight deadline doesn't absolve you of due diligence. To choose a security device like a Web application firewall (WAF), you need to answer the following questions: What does it need to do based on your security policy objectives and legislative requirements? What additional services would be valuable? How will it fit into your existing network do you have the in-house skills to use it correctly and affectively? How will it affect existing services and users and at what cost? New compliance requirements such as PCI DSS require you to update or at least review your security policy before you can answer the first question. A good security policy defines your objectives and requirements for securing data. That foundation allows you to define what security devices are appropriate to meet your requirements. Since each Web application is unique, security must be custom-tailored to protect against the potential threats identified during the threat modeling of your secure lifecycle development program. Review which of these threats the WAFs under consideration safeguard against, such as analyzing parameters passed via cookies or URLs and providing defenses against all of the OWASP Top Ten application vulnerabilities, as well as any additional requirements mandated for compliance. Sponsored By: Page 4 of 7

5 Web Apps Attacked Every 2 Minutes Protect your Web site from automated attacks Imperva is a pioneer and leader of a new category of data security solutions for high-value business data in the data center. Imperva SecureSphere identifies and secures data across file systems, Web applications, and databases. Is your company s Web site safe? You may have heard of the hacking attacks against Sony and Citigroup but have you heard of the attacks on City Newsstand Inc or Burger Me LLC? According to a recent article in The Wall Street Journal, hackers are actively targeting small to midsize organizations. Why? In the time it takes to break into a major company, a hacker could steal data from dozens of small businesses and not get detected. Download Imperva s Web Application Attack Report to learn more about these automated attacks and how to protect your business.» Key findings» Technical reccomendations» Non-technical CEO checklist Whitepaper: Imperva s Web Application Attack Report Learn more about these automated attacks and how to protect your business Download the whitepaper here. Protecting the Data That Drives Business Toll Free (U.S. only): Copyright 2011, Imperva All rights reserved. Imperva and SecureSphere are registered trademarks of Imperva.

6 How to deploy a Web application firewall (WAF) Congratulations. You've selected and installed a Web application firewall that features all of the must-have compliance capabilities. That, however, doesn't mean that you're compliant yet. Proper positioning, configuration, administration and monitoring are essential. The four-step security lifecycle is critical during firewall installation: secure, monitor, test and improve. This is a continuous process that loops back on itself in a persistent cycle of protection. Before any device is connected to your network, make sure that you have documented the network infrastructure and hardened the device or the box it will run on. This means applying patches as well as taking the time to configure the device for increased security. The business rules that you've set in your security policy, such as allowed character sets, will determine how the firewall is configured. If you approach WAF configuration this way, the rules and filters will define themselves. Web application firewalls can expose technical problems within a network or application, such as false positive alerts or a traffic bottleneck. Careful testing is essential, particularly if your site makes use of unusual headers, URLs or cookies, or specific content that does not conform to Web standards. Additional testing time should be allowed for if you are running multi-language versions of an application, since it may have to handle different character sets. The testing should match the "live" application environment as closely as possible. This approach will help expose any system integration issues the Web application firewall may cause prior to deployment. Stress testing the WAF using tools such as Microsoft's Web Application Stress and Capacity Analysis Tools or AppPerfect Load Tester will also help reveal any bottlenecks caused by the positioning of the WAF. Sponsored By: Page 6 of 7

7 Resources from Imperva The Importance of Web Application Security Monitor and Protect Critical Web Applications Cloud Based Web Application Security About Imperva Imperva is a pioneer and leader of a new category of data security solutions for high-value business data in the data center. With more than 1,300 end-user customers and thousands of organizations protected through cloud-based deployments, Imperva's customers include leading enterprises, government organizations, and managed service providers who rely on Imperva to prevent sensitive data theft from hackers and insiders. The award-winning Imperva SecureSphere identifies and secures high-value data across file systems, web applications and databases. Sponsored By: Page 7 of 7