
What is a Web Application Firewall (WAF) and what are some of the things to look for in an effective one? Why would you deploy a WAF instead of just an IPS?

Scott Pack
Sim
    Ivan Ristic's ModSecurity Handbook is great for learning the details on how a WAF works https://www.feistyduck.com/books/modsecurity-handbook/ – Tate Hansen Nov 18 '10 at 05:13

1 Answer


A Web Application Firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. By making use of the rules, many attacks, such as Cross-site scripting (XSS) and SQL Injection, can be detected and blocked.

For a more in-depth description see the OWASP Website and Wikipedia.

When it comes to choosing a Web Application Firewall there is a good list on Wikipedia. Personally I would recommend ModSecurity when using Apache.

When choosing a WAF, personally the two most critical things I would consider are how effective its default ruleset is (aka how effective it is out of the box) and how customisable the ruleset is to suit your specific application. Most of the time, by using the default ruleset, applications will break and the ruleset will need modifying. Obviously other things to consider are how effective its logging is, what sort of speeds it can handle, what platforms it can support and how well maintained it is. As with any firewall, it needs to be kept up-to-date to perform at its best against new attacks.

Although some IPS systems such as Snort do have rulesets that can monitor for Web Application attacks, in my experience I have found that an IPS is better for catching attacks at the Network level and a WAF with a good ruleset will work best for catching stuff at the application layer. Also, by using a WAF you have a better choice of responses than you do with an IPS: you don't have to make a choice between block or allow; instead you can take other actions.

Mark Davidson
  • With WAFs you can also be a lot more granular, down to defining the size, format, range etc. for a specific parameter on a specific page. – AviD Nov 18 '10 at 18:51
  • Another feature you should consider when selecting a WAF is self configuration / learning mode. Not all WAFs support this, and not all do it well - but for large applications, it can be quite a bother to configure all pages and parameters (that's `O(m * n)`), and self learning can help here. However, caveat emptor - overzealous learning can be even worse. – AviD Nov 18 '10 at 18:53
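A stripped-down illustration of the two rule styles the answer and comments discuss, written as an added Python example (not ModSecurity's code and not part of the original post): negative signature rules applied to every parameter, plus per-page, per-parameter size and format constraints. The pages, parameter names and rules are constructed for a hypothetical application, and the action returned is one of several responses rather than a plain allow/block choice.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Negative (signature) rules applied to every parameter value. Constructed and
# deliberately tiny; real rulesets such as ModSecurity's are far larger.
SIGNATURE_RULES = [
    ("xss-script-tag", re.compile(r"<\s*script\b", re.IGNORECASE)),
    ("sqli-tautology", re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE)),
]

# Positive rules for a hypothetical application: per page, per parameter, the
# maximum size and the allowed format. Unknown parameters on a profiled page
# are logged rather than blocked, so a gap in the profile does not break the app.
PARAM_RULES = {
    "/login": {"user": (32, re.compile(r"[A-Za-z0-9_.@-]+"))},
    "/product": {"id": (6, re.compile(r"\d+"))},
}


def inspect_request(url):
    """Apply both rule sets to a request URL (path plus query string).

    Returns (action, reasons): action is 'allow', 'log' or 'block'; reasons
    lists every rule that fired, which is what you need when tuning the ruleset.
    """
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    page_rules = PARAM_RULES.get(parts.path)
    action, reasons = "allow", []

    def escalate(new_action, reason):
        nonlocal action
        reasons.append(reason)
        if new_action == "block" or action == "allow":
            action = new_action  # block always wins; log only upgrades allow

    for name, values in params.items():
        for value in values:
            for rule_id, pattern in SIGNATURE_RULES:
                if pattern.search(value):
                    escalate("block", f"{rule_id} matched in parameter {name}")
            if page_rules is None:
                continue  # page not profiled: signatures only
            if name not in page_rules:
                escalate("log", f"unexpected parameter {name} on {parts.path}")
                continue
            max_len, fmt = page_rules[name]
            if len(value) > max_len or not fmt.fullmatch(value):
                escalate("block", f"parameter {name} violates size/format rule")
    return action, reasons
```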