Web Application Firewall (WAF) Best Practices

Web Application Firewalls are a key part of modern cybersecurity, but dense rulesets can overwhelm security novices and consume the time of experienced teams. It doesn’t have to be this complex. This guide outlines best practices for WAF policies, and the implementation practices that set them up for success.


The Problem with Databases & Data Access

For many enterprises, sensitive data is stored in a number of backend databases and accessed via web applications and APIs. This data is shared across the relevant teams, but as organizations have grown, the number and variety of clients accessing it have scaled far beyond what can be tracked manually.

Without a way of monitoring the transactions taking place at the application layer, applications become prime targets for attackers seeking to exploit vulnerabilities and reach that data.

Web Application Firewall (WAF) Explained

At its core, a Web Application Firewall (WAF) is a security solution that monitors the HTTP/HTTPS traffic flowing between web applications, APIs and the internet.

Unlike a network firewall, which filters on destination address, port and protocol, a WAF inspects the content of each HTTP request, including:

  • The method and URL path
  • Query string parameters
  • Headers and cookies
  • The request body (form fields, JSON or XML)

From these it is able to discern which requests come from legitimate users and which are attempting to inject malicious input or gain unauthorized access. Because a WAF sits in front of the web application as a reverse proxy, it can deny a malicious request before it reaches the application.

In effect, a WAF filters traffic so that only requests it judges legitimate reach your web applications; how well it does so depends on how its rules are chosen and tuned.
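To make that layer-7 inspection concrete, here is an added Python illustration (not Check Point code, and not tied to any product's rule format) of the parsing and matching a WAF performs on a single request. It splits a raw HTTP request into path, query string, headers, cookies and form body, then runs a handful of constructed signature rules over those fields, applying one extra round of URL decoding so that double-encoded payloads are still caught. The rule IDs, patterns and sample requests are assumptions made for the example.

```python
"""Layer-7 inspection as a WAF performs it (added illustration, not product code).

Rule IDs, patterns and the sample requests below are constructed for this example.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, unquote, urlsplit


@dataclass
class Request:
    method: str
    path: str
    query: dict       # parameter name -> list of decoded values
    headers: dict     # lower-cased header name -> value
    cookies: dict     # cookie name -> value
    body: dict        # form fields (application/x-www-form-urlencoded only)


@dataclass
class Rule:
    rule_id: int
    target: str       # "path", "args", "cookies" or "header:<name>"
    pattern: str
    message: str


# Illustrative negative-model (signature) rules; real rulesets contain hundreds.
RULES = [
    Rule(1001, "args", r"(?i)(\bunion\b.+\bselect\b|'\s*or\s+\S+\s*=\s*\S+)", "SQL injection in a parameter"),
    Rule(1002, "args", r"(?i)<\s*script\b", "Script tag in a parameter (XSS)"),
    Rule(1010, "path", r"(^|/)\.\.(/|$)", "Path traversal in the URL path"),
    Rule(1011, "header:user-agent", r"(?i)\b(sqlmap|nikto)\b", "Known scanner user agent"),
]


def parse_request(raw: bytes) -> Request:
    """Split a raw HTTP/1.1 request into the fields a WAF actually inspects."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cookies = {}
    for pair in headers.get("cookie", "").split(";"):
        if "=" in pair:
            name, value = pair.strip().split("=", 1)
            cookies[name] = value
    form = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        form = parse_qs(body.decode("iso-8859-1"), keep_blank_values=True)
    url = urlsplit(target)
    return Request(method, unquote(url.path), parse_qs(url.query, keep_blank_values=True),
                   headers, cookies, form)


def _values(req: Request, target: str) -> list:
    """Collect the strings a rule's target refers to."""
    if target == "path":
        return [req.path]
    if target == "args":
        return [v for source in (req.query, req.body) for values in source.values() for v in values]
    if target == "cookies":
        return list(req.cookies.values())
    if target.startswith("header:"):
        value = req.headers.get(target[len("header:"):])
        return [value] if value is not None else []
    return []


def inspect(req: Request, rules=RULES):
    """Return ("deny", rule_id) for the first matching rule, else ("allow", None)."""
    for rule in rules:
        for value in _values(req, rule.target):
            # One extra decoding round so %252F (double-encoded "/") cannot slip past the pattern.
            if re.search(rule.pattern, unquote(value)):
                return "deny", rule.rule_id
    return "allow", None


def decide(raw: bytes):
    """Parse and inspect a raw request; the WAF would forward it to the app only on "allow"."""
    return inspect(parse_request(raw))


# Constructed sample requests.
LEGIT = b"GET /products?id=42&sort=price HTTP/1.1\r\nHost: shop.example\r\nCookie: session=abc123\r\n\r\n"
SQLI = b"GET /products?id=1%27%20OR%201%3D1 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
XSS_POST = (b"POST /comments HTTP/1.1\r\nHost: shop.example\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 40\r\n\r\n"
            b"text=%3Cscript%3Ealert(1)%3C%2Fscript%3E")
TRAVERSAL = b"GET /static/..%252F..%252Fetc/passwd HTTP/1.1\r\nHost: shop.example\r\n\r\n"
SCANNER = b"GET / HTTP/1.1\r\nHost: shop.example\r\nUser-Agent: sqlmap/1.7\r\n\r\n"

if __name__ == "__main__":
    for name, raw in [("legit", LEGIT), ("sqli", SQLI), ("xss", XSS_POST),
                      ("traversal", TRAVERSAL), ("scanner", SCANNER)]:
        print(name, decide(raw))
```

The legitimate request is allowed and the other four are denied before any application code runs. Note that the traversal sample is double-encoded: it passes a single-decode check and is only caught because the matcher normalizes once more, which is exactly the kind of evasion a WAF's input transformations exist to handle.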

But, the different approaches from different types of WAF can confuse practitioners – hence the need to establish best practices.

WAF Best Practices

As a core principle, every web application should be built as securely as possible throughout development. However, the vulnerability landscape isn’t static:

  • Post-deployment vulnerabilities can pop up without warning, especially for apps that rely on open-source components.

And when deployed application code is found to be insecure, taking it offline to fix the root cause can be too costly or require too much downtime. A WAF rule that blocks the exploit buys time, but it is a compensating control: the underlying code still needs to be fixed.

Here is how WAFs can help maintain web application security despite potential risks.

#1: Integrate with Central, Pre-Existing Infrastructure

To ensure security, WAFs need to integrate smoothly into your existing infrastructure. WAFs should be flexible, and easily fit around and offer protection for your applications and users, without requiring sweeping changes.

This doesn’t mean WAFs should be installed without careful oversight.

Hub-And-Spoke Model

For instance, if your enterprise relies on a hub-and-spoke model, with many users and databases managed from one place, there is really only one sensible place to install the WAF: on a stable, central piece of infrastructure at the hub, such as a hardware appliance.

This provides a foundation of reliable performance that the security rules can then be built on.

Decentralized or Fast-Growing Infrastructure

In contrast, if your organization has a decentralized or fast-growing infrastructure, like that seen with an online eCommerce store, a distributed WAF would be a better fit.

Just because a WAF product is deployed across multiple applications doesn’t mean it has to be complex to manage – modern security tools like Check Point CloudGuard WAF let you manage everything from a central platform, keeping things simple.

#2: Have Performance Criteria in Place

Keeping track of WAF performance is vital to its long-term management, and the criteria are best established early in the WAF’s lifetime.

For technical throughput, the baseline can be as simple as the WAF’s actual load. Keep an eye on:

  • The number of simultaneous users of the application
  • The amount of HTTP requests per time unit on average and at peak load times

To support this, enable logging within your WAF and connect it to a central log management system (read on for integration best practices). With these metrics, plus per-rule hit counts from the same logs, you have a real-time understanding of both load and rule behaviour, and you’re set up for WAF success.

#3: Introduce WAF-Specific Roles

A WAF’s ability to protect applications stems almost entirely from correct implementation and the ongoing maintenance of its rules, so it’s important to clarify whose responsibility this is. If you bring in a contractor for the one-off commissioning of a new WAF, their understanding of WAF capabilities needs to match your own infrastructure requirements.

For the long-term maintenance of WAF rulesets, clarify by whom and how often these will be reviewed. To help this, it’s important to establish the links between WAF and the wider mechanisms of your enterprise.

On the security side of things, your wider SOC needs to have a:

  • Set workflow for managing alerts
  • Suitable KPIs for alert management timescales

On the application development side, your rules need to be developed in tandem with the protocols and requirements of the specific application – a collaboration between the WAF team and DevOps is essential.

If your application documentation includes service owners, this process becomes far faster.

#4: Tune Your WAF’s Rulesets

Most WAF products ship with pre-configured rulesets that get you up and running quickly. You also choose the security model: a negative model (blacklisting) identifies and blocks only traffic that matches known-malicious patterns, while a positive model (whitelisting) blocks everything except traffic that matches an explicit description of what is legitimate.

Whitelisting is the more secure approach, but it requires a complete and current description of every legitimate request, so it isn’t necessarily practical for every deployment. Many teams apply it to a few high-value endpoints and rely on the negative model everywhere else.

Tuning the ruleset to your specific application deployments is essential for preventing false positives and keeping the rules simple. The usual route is to:

  • Open the WAF management console
  • Define exceptions (rule exclusions) for the specific endpoints and parameters that trigger false positives

But make a note of how your WAF provider handles these exceptions when it installs ruleset updates.

Exclusions defined as code (via PowerShell, a CLI or an API), stored separately from the vendor ruleset and kept in version control alongside the application, usually survive ruleset updates; edits made directly to the vendor’s rules may be overwritten by the next update. Keep each exclusion as narrow as possible: one rule, one path, one parameter.
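Here is an added Python illustration of that layout (constructed for this article, not Check Point's or any vendor's format): a vendor ruleset that changes between two versions, a separate exclusions list that switches one rule off for one parameter on one path, and a positive-model allowlist for a single high-value endpoint. Rule IDs, paths and parameter names are assumptions made for the example.

```python
"""Ruleset tuning kept as code, separate from the vendor ruleset (added illustration).

Rule IDs, patterns, paths and parameters are constructed for this example; the
dict layout is not any vendor's format.
"""
import re

# Vendor-supplied ruleset, version 1: rule id -> (pattern applied to parameter values, message).
VENDOR_RULES_V1 = {
    1001: (r"(?i)\bunion\b.+\bselect\b", "SQL injection"),
    1002: (r"(?i)<\s*script\b", "Cross-site scripting"),
    1003: (r"(?i)\b(select|insert|update|delete|drop)\b", "SQL keyword"),  # generic and noisy
}

# The next vendor release: tightened patterns and one new rule. Nothing here is site-specific.
VENDOR_RULES_V2 = {
    1001: (r"(?i)\bunion\b.+\bselect\b", "SQL injection"),
    1002: (r"(?i)<\s*(script|img|svg)\b", "Cross-site scripting"),
    1003: (r"(?i)\b(select|insert|update|delete|drop|exec)\b", "SQL keyword"),
    1004: (r"(?i)\bsleep\s*\(", "Time-based SQL injection"),
}

# Site-specific tuning, versioned alongside the application and never written into the vendor file.
# Each entry switches one rule off for one parameter on matching paths, nothing broader.
EXCLUSIONS = [
    {"rule_id": 1003, "path": r"^/search$", "param": "q"},        # free-text search legitimately contains SQL words
    {"rule_id": 1002, "path": r"^/admin/cms/", "param": "body"},  # CMS editors submit HTML on purpose
]

# Positive model (allowlist) for one high-value endpoint: the only parameters accepted and their exact shape.
ALLOWLIST = {
    r"^/api/transfer$": {"account": r"\d{8,12}", "amount": r"\d{1,7}(\.\d{2})?"},
}


def is_excluded(rule_id: int, path: str, param: str) -> bool:
    """True if a site exclusion switches this rule off for this parameter on this path."""
    return any(ex["rule_id"] == rule_id and re.search(ex["path"], path) and ex["param"] in (None, param)
               for ex in EXCLUSIONS)


def negative_model(path: str, params: dict, rules: dict) -> list:
    """Signature rules: list (rule_id, param) for every non-excluded rule that matches a value."""
    hits = []
    for rule_id, (pattern, _message) in sorted(rules.items()):
        for name, value in params.items():
            if not is_excluded(rule_id, path, name) and re.search(pattern, value):
                hits.append((rule_id, name))
    return hits


def positive_model(path: str, params: dict):
    """Allowlist: on covered endpoints deny anything not explicitly described; None if not covered."""
    for path_re, schema in ALLOWLIST.items():
        if re.search(path_re, path):
            for name, value in params.items():
                if name not in schema or not re.fullmatch(schema[name], value):
                    return "deny", name
            return "allow", None
    return None


def evaluate(path: str, params: dict, rules: dict):
    """Positive model first where one exists, otherwise signatures minus exclusions."""
    verdict = positive_model(path, params)
    if verdict is not None:
        return verdict
    hits = negative_model(path, params, rules)
    return ("deny", hits[0][0]) if hits else ("allow", None)


if __name__ == "__main__":
    for rules in (VENDOR_RULES_V1, VENDOR_RULES_V2):
        print(evaluate("/search", {"q": "select a laptop"}, rules))   # exclusion holds across versions
    print(evaluate("/api/transfer", {"account": "123456789", "amount": "10.00", "debug": "1"}, VENDOR_RULES_V2))
```

Because the exclusions are keyed by rule ID, path and parameter rather than edited into the vendor rules, swapping VENDOR_RULES_V1 for VENDOR_RULES_V2 leaves the tuning intact, and the exclusion for rule 1003 on the search box does nothing to weaken rule 1001 on the same parameter. The allowlisted endpoint rejects an unexpected parameter that no signature would ever flag, which is the extra assurance the positive model buys at the cost of describing every legitimate field.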

#5: Integrate With Other Security Tools

Intrusion Prevention System

An Intrusion Prevention System (IPS) is a security solution placed further within the network to identify and mitigate malicious activity that may bypass a firewall.

It can be configured to report, block, or drop suspicious traffic in a similar way. By integrating the two, the WAF’s deny-or-allow decisions on individual HTTP requests can be combined with the IPS’s wider view of network traffic and its signatures for attacks on the protocol and platform layers, so that a source blocked by one can be watched, or blocked, by the other.

To enhance protection, you could also integrate a cloud-based solution designed to defend against Distributed Denial of Service (DDoS) attacks. When an integrated WAF detects a DDoS attempt, it can reroute the traffic to the DDoS protection platform which is suitably equipped to handle large-scale, resource-hogging attacks – keeping your network safe.

And there are yet more upgrades possible…

Content Delivery Network

Since WAFs are positioned at the network edge, a cloud-hosted WAF can also include a Content Delivery Network (CDN) feature to cache website data and improve load times. The CDN uses multiple globally distributed Points of Presence (PoPs), and therefore ensures better performance for users by serving them from the closest location.

Security Information and Event Management

Finally, integrating with a Security Information and Event Management (SIEM) system allows for centralized monitoring and analysis of security events. The WAF sends a log entry or alert to the SIEM platform whenever a rule is triggered, where it is aggregated with data from other security tools (the IPS and DDoS protection platforms described above, for instance).

This enables security teams to detect patterns, correlate events, and rank incidents by risk.

These integrations let you expand request-by-request rulesets into comprehensive visibility into your overall security posture, with real-time threat detection, and the ability to generate detailed reports for compliance and auditing purposes.
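The performance criteria in #2 and the SIEM integration here both start from the same WAF log stream, so here is one added Python example that serves both (constructed for this article, not Check Point's or any vendor's code). It reads a constructed batch of JSON-lines WAF events (the field layout, rule IDs and addresses are assumptions, not a vendor schema), derives the load metrics #2 asks for, then does the kind of correlation a SIEM rule would do: it ranks sources by how much and how variously they are being blocked, and nominates rules whose only denied sources look like ordinary users.

```python
"""WAF log events turned into throughput metrics and SIEM-style correlation (added illustration).

The JSON-lines layout, field names, rule IDs and addresses are constructed for this example;
they are not any vendor's log schema.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: one event per request, as a WAF would forward to a log platform.
SAMPLE_LOG = """\
{"ts":"2024-05-01T10:00:00Z","src":"203.0.113.7","method":"GET","path":"/","action":"allow","rule_id":null}
{"ts":"2024-05-01T10:00:00Z","src":"203.0.113.8","method":"GET","path":"/products?id=1","action":"allow","rule_id":null}
{"ts":"2024-05-01T10:00:00Z","src":"198.51.100.4","method":"GET","path":"/products?id=1%27%20OR%201%3D1","action":"deny","rule_id":1001}
{"ts":"2024-05-01T10:00:01Z","src":"198.51.100.4","method":"GET","path":"/products?id=1%20UNION%20SELECT%201","action":"deny","rule_id":1001}
{"ts":"2024-05-01T10:00:01Z","src":"203.0.113.9","method":"POST","path":"/login","action":"allow","rule_id":null}
{"ts":"2024-05-01T10:00:02Z","src":"198.51.100.4","method":"GET","path":"/static/..%252F..%252Fetc/passwd","action":"deny","rule_id":1010}
{"ts":"2024-05-01T10:00:02Z","src":"203.0.113.7","method":"GET","path":"/cart","action":"allow","rule_id":null}
{"ts":"2024-05-01T10:00:03Z","src":"203.0.113.8","method":"GET","path":"/search?q=select%20a%20laptop","action":"deny","rule_id":1003}
"""


def parse_events(text: str) -> list:
    """One dict per non-empty JSON line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(event: dict) -> datetime:
    return datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")


def throughput(events: list) -> dict:
    """Average and peak requests per second, peak distinct clients in any one second, deny ratio."""
    per_second = Counter(e["ts"] for e in events)
    clients = defaultdict(set)
    for e in events:
        clients[e["ts"]].add(e["src"])
    span = (max(map(_ts, events)) - min(map(_ts, events))).total_seconds() + 1
    return {
        "avg_rps": len(events) / span,
        "peak_rps": max(per_second.values()),
        "peak_clients": max(len(s) for s in clients.values()),
        "deny_ratio": sum(e["action"] == "deny" for e in events) / len(events),
    }


def rank_sources(events: list, min_denies: int = 2) -> list:
    """Sources ordered by risk: total denied requests, then number of distinct rules they tripped."""
    denies = defaultdict(Counter)
    for e in events:
        if e["action"] == "deny":
            denies[e["src"]][e["rule_id"]] += 1
    ranked = sorted(((sum(c.values()), len(c), src) for src, c in denies.items()), reverse=True)
    return [(src, total, distinct) for total, distinct, src in ranked if total >= min_denies]


def false_positive_candidates(events: list) -> set:
    """Rules whose every denied source also sends allowed traffic: a tuning hint, not a verdict."""
    allowed_sources = {e["src"] for e in events if e["action"] == "allow"}
    sources_by_rule = defaultdict(set)
    for e in events:
        if e["action"] == "deny":
            sources_by_rule[e["rule_id"]].add(e["src"])
    return {rule for rule, sources in sources_by_rule.items() if sources <= allowed_sources}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(throughput(evs))
    print(rank_sources(evs))
    print(false_positive_candidates(evs))
```

In the sample the single scanning source is ranked first, while rule 1003 is flagged because its only denied source also browses normally: the search box is a likely false positive, which is the feedback loop into the tuning step in #4. The false-positive heuristic is deliberately weak evidence (an attacker who mixes benign requests with probes evades it), so it nominates rules for review rather than disabling them.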

Level Up Your Application Security with CloudGuard WAF

Check Point’s CloudGuard WAF is an integrated Web and API security solution, designed to protect your applications with unmatched precision and cohesion. Unlike signature-based WAF tools, CloudGuard WAF leverages machine learning and contextual AI to deliver a high level of threat prevention against known and unknown threats for both web applications and APIs with minimal tuning.

It has successfully blocked all of the biggest zero-day threats in recent years (such as Log4j and MOVEit) and generates virtually no false positives, saving security teams valuable time and resources.

It’s why we’re named as industry leaders in the 2024 GigaOm Radar Report.

With its innovative API discovery, CloudGuard effortlessly identifies your cloud assets—such as public vs. internal APIs, and old vs. new endpoints—allowing you to customize your security program for optimal protection.

From AI-driven threat detection and DDoS defense to file security, rate limiting, and bot prevention, CloudGuard’s WAF as a Service provides comprehensive protection for modern cloud environments.

Schedule a demo today and start laying the foundation for secure applications.
