How to Build a WAF at the Application Layer

A Web Application Firewall (WAF) helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet. It typically protects against attacks such as SQL injection, application-layer (HTTP) denial of service, Cross-Site Request Forgery (CSRF), Cross-Site Scripting (XSS), file inclusion and clickjacking, among others. Building and deploying a WAF in a modern IT environment, where applications are increasingly complex and assembled from many moving parts and third-party components, is critical but difficult. Here is a guide to help you navigate the process.


1) How a WAF Works

By deploying a WAF in front of a web application, a shield is placed between the web application and the Internet. While a forward proxy protects a client machine's identity by acting as an intermediary for it, a WAF is a type of reverse proxy: it protects the server from direct exposure by having clients pass through the WAF before reaching the server.

A WAF operates through a set of rules, often called policies. These policies aim to protect against vulnerabilities in the application by filtering out malicious traffic. Because a WAF inspects HTTP at the application layer, its rules can act on the method, path, headers, parameters and body of each request rather than only on IP addresses and ports.


2) The Groundwork - Understand the application and how the WAF relates to it

Planning is the crucial first step in building a WAF. Understand and analyse the application, its engineering concerns, your specific context and what you actually need from web application security. Traditional approaches to web security and a one-size-fits-all WAF left on its default rules rarely suffice, given the complexity and rate of change of today's applications. So it is crucial to understand what your objectives are and where the WAF sits in your overall security architecture, and to tailor its configuration accordingly. Based on your needs, context and budget, decide how the WAF will be deployed: as a hardware appliance, as software (for example a reverse proxy or middleware in front of the application), or as a cloud-hosted service. Each deployment mode has its own benefits and weaknesses. Cloud WAFs are widely chosen by organizations and security teams for their cost-effectiveness, easy deployment, scalability and agility, at the cost of routing all application traffic through a third party.


3) Choosing the right security model for WAF

Blacklist (blocklist) or negative security model: This model uses generic signatures to protect the application against known attack classes, and may also use specific signatures to block exploitation of a particular vulnerability in the application (virtual patching). Anything that matches no signature is allowed, so unknown attack techniques and encoding variants the signatures do not anticipate can slip through.

Whitelist (allowlist) or positive security model: This model uses signatures, and sometimes additional logic, to permit only traffic that meets defined criteria and reject everything else. An example is allowing only HTTP GET requests to a specific URL with a known set of parameters and blocking all other traffic. It is the stronger model, but it requires an accurate description of the application and breaks legitimate traffic when the application changes and the rules do not.

Hybrid security model: This model combines the positive and negative models, for instance an allowlist of methods, paths and parameters with signature checks applied to the values that pass it. Whichever model you choose, the action a WAF takes on a violation is typically configurable: block the request, block the session, block the user, block the client IP address, log the user out, or only log the event, which is useful while tuning.
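The three models above in working form, as an added example that is not code from the original page: a minimal application-layer WAF written for this article in Python. It combines an allowlist of routes and their parameters (positive model) with a few illustrative attack signatures (negative model), decodes values a second time so double-encoded payloads are matched in their final form, and blocks a client IP after repeated violations. The routes, signatures, rule IDs and addresses are assumptions constructed for the example; a real deployment would use a maintained rule set such as the OWASP Core Rule Set rather than hand-written regexes.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, unquote_plus

# Negative model: generic signatures for known attack classes.  These are
# illustrative patterns written for this example, not a production rule set.
SIGNATURES = [
    ("SQLI-001", re.compile(r"(?i)(\bunion\b\s+(all\s+)?\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+|--\s|/\*.*\*/)")),
    ("XSS-001", re.compile(r"(?i)(<script\b|javascript:|\bon\w+\s*=)")),
    ("LFI-001", re.compile(r"(\.\./|\.\.\\|/etc/passwd)")),
]

# Positive model: the only method/path pairs the application serves and the
# parameters each accepts (assumed routes for the example).  Anything else is
# rejected before the signatures are even consulted.
ALLOWED_ROUTES = {
    ("GET", "/"): set(),
    ("GET", "/search"): {"q", "page"},
    ("POST", "/login"): {"username", "password"},
}


@dataclass
class Decision:
    action: str       # "allow" or "block"
    reason: str
    rule_id: str = ""


@dataclass
class Waf:
    # Violations a client may accumulate before its IP address is blocked.
    block_after: int = 3
    violations: dict = field(default_factory=lambda: defaultdict(int))
    blocked_ips: set = field(default_factory=set)

    def evaluate(self, client_ip, method, path, query="", body="", content_type=""):
        """Decide whether one HTTP request may reach the application."""
        if client_ip in self.blocked_ips:
            return Decision("block", "client IP is blocked", "IP-BLOCK")

        route = (method.upper(), path)
        if route not in ALLOWED_ROUTES:
            return self._violation(client_ip, Decision("block", f"route not allowed: {method} {path}", "POS-ROUTE"))

        # Gather parameters from the query string and, for form posts, the body.
        params = parse_qsl(query, keep_blank_values=True)
        if route[0] == "POST" and content_type.startswith("application/x-www-form-urlencoded"):
            params += parse_qsl(body, keep_blank_values=True)

        for name, value in params:
            if name not in ALLOWED_ROUTES[route]:
                return self._violation(client_ip, Decision("block", f"unexpected parameter: {name}", "POS-PARAM"))
            # parse_qsl already URL-decoded once; decode again so that a
            # double-encoded payload (%2527 for the quote) is matched in its final form.
            decoded = unquote_plus(value)
            for rule_id, pattern in SIGNATURES:
                if pattern.search(decoded):
                    return self._violation(client_ip, Decision("block", f"signature matched in parameter {name}", rule_id))
        return Decision("allow", "ok")

    def _violation(self, client_ip, decision):
        # Every positive- or negative-model violation counts towards the IP block.
        self.violations[client_ip] += 1
        if self.violations[client_ip] >= self.block_after:
            self.blocked_ips.add(client_ip)
        return decision


if __name__ == "__main__":
    waf = Waf()
    # Constructed sample requests: (client_ip, method, path, query, body, content_type)
    sample_requests = [
        ("203.0.113.7", "GET", "/search", "q=shoes&page=2", "", ""),
        ("203.0.113.7", "GET", "/search", "q=%27%20or%201%3D1", "", ""),
        ("203.0.113.7", "POST", "/login", "", "username=admin&password=hunter2", "application/x-www-form-urlencoded"),
        ("198.51.100.9", "DELETE", "/admin", "", "", ""),
    ]
    for req in sample_requests:
        d = waf.evaluate(*req)
        print(f"{req[1]} {req[2]} from {req[0]}: {d.action} ({d.rule_id or d.reason})")
```

Note how the order of checks matters: the allowlist rejects unknown routes and parameters before any signature runs, which is what makes the positive model cheap and the negative model only responsible for values the application is known to accept.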


4) Create and configure the WAF policies

Start with the basic policies: analysing traffic, understanding what normal patterns look like, and deciding what action to take when a rule fires. If you are onboarding to a managed service, the WAF will already ship with default policies.

Once the basic policies are in place, configure and tune them and create custom policies in line with the context identified in the planning stage. For instance, if you do not serve specific countries or continents, you can block those geographies from accessing your application. Similarly, business or application changes can introduce new flaws, or make existing rules start blocking legitimate traffic, so WAF policies need continuous tuning. Enable logging and security analytics in the WAF so that security staff can see what is being blocked, tell false positives apart from attacks, and adjust the rules accordingly.

Most importantly, keep the WAF policies updated to defend against the application security risks you uncover in web application security assessments, and build on those findings and the attacks you observe as the foundation for future application-specific rules.
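How logging and analytics feed the tuning described above, as an added example rather than code from the original page: a Python script written for this article that reads a constructed sample of WAF block events and separates rules that are probably firing on legitimate input in one field (candidates for a narrowly scoped exclusion) from clients that trip several unrelated rule families in a short window (probable scanning, a candidate for an IP block rather than a rule change). The JSON log format, rule IDs, thresholds and addresses are assumptions for the example, not any product's format.

```python
import json
from collections import defaultdict

# Constructed sample of WAF block events as JSON lines.  The field names are an
# assumption for this example.  One client hits three different rule families on
# /search; five different clients each trip the same XSS rule on /comments body.
SAMPLE_LOG = """\
{"ts":"2024-05-01T10:00:01Z","client_ip":"198.51.100.20","rule_id":"SQLI-001","path":"/search","param":"q","action":"block"}
{"ts":"2024-05-01T10:00:02Z","client_ip":"198.51.100.20","rule_id":"SQLI-001","path":"/search","param":"q","action":"block"}
{"ts":"2024-05-01T10:00:03Z","client_ip":"198.51.100.20","rule_id":"XSS-001","path":"/search","param":"q","action":"block"}
{"ts":"2024-05-01T10:00:04Z","client_ip":"198.51.100.20","rule_id":"LFI-001","path":"/search","param":"q","action":"block"}
{"ts":"2024-05-01T10:05:00Z","client_ip":"203.0.113.11","rule_id":"XSS-001","path":"/comments","param":"body","action":"block"}
{"ts":"2024-05-01T10:06:00Z","client_ip":"203.0.113.12","rule_id":"XSS-001","path":"/comments","param":"body","action":"block"}
{"ts":"2024-05-01T10:07:00Z","client_ip":"203.0.113.13","rule_id":"XSS-001","path":"/comments","param":"body","action":"block"}
{"ts":"2024-05-01T10:08:00Z","client_ip":"203.0.113.14","rule_id":"XSS-001","path":"/comments","param":"body","action":"block"}
{"ts":"2024-05-01T10:09:00Z","client_ip":"203.0.113.15","rule_id":"XSS-001","path":"/comments","param":"body","action":"block"}
"""


def parse_events(text):
    """Parse JSON-lines WAF events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(events, min_clients=5, min_rule_families=3):
    """Return (tuning_candidates, suspect_clients) from a batch of block events.

    A (rule, path, parameter) hit by many distinct clients at roughly one hit
    each is probably matching legitimate input and is a candidate for a
    scoped exclusion.  A single client tripping several unrelated rule
    families is probably scanning and should be blocked, not tuned around.
    """
    by_target = defaultdict(lambda: {"hits": 0, "clients": set()})
    families_by_client = defaultdict(set)
    for e in events:
        if e.get("action") != "block":
            continue
        key = (e["rule_id"], e["path"], e["param"])
        by_target[key]["hits"] += 1
        by_target[key]["clients"].add(e["client_ip"])
        # Rule family is the prefix before the dash, e.g. SQLI, XSS, LFI (assumed naming).
        families_by_client[e["client_ip"]].add(e["rule_id"].split("-")[0])

    tuning_candidates = []
    for (rule_id, path, param), stats in sorted(by_target.items()):
        n_clients = len(stats["clients"])
        if n_clients >= min_clients and stats["hits"] <= 1.5 * n_clients:
            tuning_candidates.append({
                "rule_id": rule_id, "path": path, "exclude_param": param,
                "hits": stats["hits"], "clients": n_clients,
            })

    suspect_clients = sorted(ip for ip, fams in families_by_client.items()
                             if len(fams) >= min_rule_families)
    return tuning_candidates, suspect_clients


if __name__ == "__main__":
    candidates, suspects = triage(parse_events(SAMPLE_LOG))
    for c in candidates:
        print(f"tuning candidate: exclude {c['rule_id']} for {c['path']} parameter {c['exclude_param']} "
              f"({c['hits']} hits from {c['clients']} clients)")
    for ip in suspects:
        print(f"suspect client: {ip}")
```

A tuning candidate is a prompt for a human decision, not an automatic change: before excluding the rule for that one parameter, confirm that the field legitimately carries the content that trips it (for example HTML in a comment body) and that the application encodes it safely on output, since the exclusion removes the WAF's coverage of exactly that field.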


5) Make the WAF intelligent with AI/ML

By continuously updating your WAF from the risks uncovered in security testing and from the attacks observed against your site, you make it more effective. A WAF that learns from past attack history and global threat intelligence, and maps that to your application's known risks, lets you reduce risk more precisely. Treat such learned models as an aid to rule tuning rather than a replacement for it: a learned baseline still needs review, since it can absorb attack traffic as "normal" or block legitimate but rare behaviour.


6) Keep yourself updated on the latest security developments

Your Web Application Firewall is only as effective as the rules and models you choose. Staying current with new attack techniques, rule set releases and security best practices will enable you to tune your WAF and your wider security solution better.



Copyright @SecurWires.