Malicious incoming traffic is on its way: protecting websites against web application threats

As 2017 draws to a close, the world of cyber-criminals can look back on a year of victories. Not only did hackers succeed in breaching a number of high-profile targets, but they also defaced or stole data from thousands upon thousands of business websites. 2018 is sure to pose new and more complex challenges, but one solution that goes a long way in defending against the onslaught of hackers is the web application firewall (WAF).

The ABCs of WAF

A web application firewall protects sites from web application threats carried in incoming traffic, which can include anything from regular users to legitimate bots, malicious bots, and outright attack attempts.

Whether it’s a request for a web page or data being submitted through a web form, the firewall uses preset rules to decide which requests are legitimate and which are suspicious. Legitimate traffic is passed through, while requests that could jeopardize site security are blocked. Depending on how the WAF is configured, a client that repeatedly attempts to attack the website can be permanently blocked from accessing the site at all.

An effective WAF provides a comforting host of capabilities for keeping your company website online and secure. The multi-layered defense strategy of a WAF provides protection against all common cyber threats, including cross-site scripting (XSS), SQL injection, DDoS attacks, malicious bots, Remote File Inclusion (RFI), illegal resource access, geo-based threats, IP reputation threats, and cookie poisoning.
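As an added illustration (not code from the article or any vendor product), the following minimal Python filter shows the decision loop described above: preset signatures for a few of the threat classes listed, an IP reputation list, and a strike counter that bans a client after repeated offenses. All rules, addresses and sample requests are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Illustrative signatures for three of the threat classes named above. A real
# WAF ruleset (e.g. the OWASP Core Rule Set) is far larger and tuned per site.
RULES = [
    ("sqli", re.compile(r"(?i)(\bunion\b.+\bselect\b|'\s*or\s+'?1'?\s*=\s*'?1)")),
    ("xss",  re.compile(r"(?i)(<\s*script\b|javascript:|\bon\w+\s*=)")),
    ("rfi",  re.compile(r"(?i)=\s*(https?|ftp)://")),
]
IP_REPUTATION_BLOCKLIST = {"203.0.113.7"}  # constructed entry (TEST-NET-3 range)
STRIKE_LIMIT = 2  # offending requests before a client is blocked outright


class MiniWaf:
    def __init__(self):
        self.strikes = defaultdict(int)
        self.banned = set()

    def inspect(self, req):
        """Return ('allow', None) or ('block', reason) for one request dict."""
        ip = req["ip"]
        if ip in IP_REPUTATION_BLOCKLIST:
            return ("block", "ip-reputation")
        if ip in self.banned:
            return ("block", "banned")
        # Normalise before matching: percent-encoding would otherwise hide a payload.
        surface = unquote_plus(" ".join(
            req.get(k, "") for k in ("path", "query", "body", "cookie")))
        for name, pattern in RULES:
            if pattern.search(surface):
                self.strikes[ip] += 1
                if self.strikes[ip] >= STRIKE_LIMIT:
                    self.banned.add(ip)
                return ("block", name)
        return ("allow", None)


def run_sample():
    """Feed constructed requests through the filter and return the verdicts in order."""
    waf = MiniWaf()
    requests = [
        {"ip": "198.51.100.10", "path": "/products", "query": "id=42"},
        {"ip": "198.51.100.10", "path": "/products", "query": "id=42'%20OR%20'1'='1"},
        {"ip": "198.51.100.10", "path": "/search", "query": "q=%3Cscript%3Ealert(1)%3C/script%3E"},
        {"ip": "198.51.100.10", "path": "/products", "query": "id=42"},  # client is now banned
        {"ip": "203.0.113.7", "path": "/", "query": ""},
        {"ip": "198.51.100.11", "path": "/include", "query": "page=http://remote.example/inc.txt"},
        {"ip": "198.51.100.12", "path": "/status", "query": "online=1"},  # benign, but trips the xss rule
        {"ip": "198.51.100.13", "path": "/products", "query": "id=7"},
    ]
    return [waf.inspect(r) for r in requests]
```

The last-but-one request is a false positive: a generic `on...=` signature also matches the harmless parameter `online=1`, which is exactly why rules must be tuned to the site they protect rather than left at defaults.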

Reality check

The effectiveness of a robust WAF leaves little room for dissent. Only three “limitations” come to mind: cost, configuration challenges, and ineffectiveness against network threats. Let’s look at each more closely.

Cost: Some companies cite cost as the reason they don’t use an application firewall in front of their websites. Many that do use a WAF simply buy a low-priced product off the Internet, install it, and then forget it’s there. When the company site suddenly displays a message from some foreign terrorist organization, they wonder what happened. Professional, cloud-based WAF solutions may cost a bit more than the consumer-grade products many organizations use to protect their digital assets. However, the cost of an effective WAF is far less than the cost a company incurs from website downtime, lost data, and lost customer confidence.

Configuration challenges: The best WAF in the world is of little value unless properly configured. It is tempting to look at the myriad configuration options and simply hit the “default settings” button. Since this is the very approach far too many organizations take when setting up their website firewall, the results are often poor, leaving the company to think that their WAF failed to do its job. For a WAF to be fully effective, it must be carefully configured for the website it needs to protect. Since in-house IT staff usually lack the knowledge to properly customize the WAF, the value of a professional provider cannot be overstated.

Network security: Nothing is better at keeping websites hardened against cyberattacks than a professional, properly configured WAF. However, a WAF protects against threats that arrive in HTTP traffic, not against threats that target an organization’s network. Keeping a website secure also requires keeping the company networks well protected. This is especially important when the website server is on-premise. Yet even when it isn’t, weak network security can open a portal that hackers can use to reach your admin GUI and take control of your site. While a WAF can protect the admin panel, if your admin login credentials are stored on a machine inside that network, a network-based threat can walk right past your WAF and log in.

A properly configured and maintained WAF is highly effective at preventing website attacks. When used in conjunction with a good network security solution, the odds of victory are greatly diminished for the hacker.

WAF implementation

Like anything else, there are good and not-so-good WAF providers. The good ones will offer a cloud-based solution, rather than attempting to piggyback a WAF onto your server directly. Cloud WAFs are immune to whatever malware may reach your server via network vulnerabilities, and are the easiest to manage and update. A reputable WAF provider will also be PCI DSS certified. This is crucial for companies that accept credit card payments on their website. In fact, use of a certified WAF company could be a requirement for maintaining PCI compliance.

The job of installing and configuring the WAF should be solely the responsibility of your WAF provider. A reputable vendor will consult with you and determine the best WAF rules and policies for configuring your firewall. Since updates and patches are simply part of the world of cybersecurity, your WAF provider should assume all responsibility for keeping your WAF current 24/7/365. Finally, as threats change, the minimum requirement for your WAF provider should be coverage of the OWASP Top 10 and of zero-day threats.

One piece of the puzzle

Considering all the ways hackers can gain access to a website, deciding on a security solution can be daunting. While a properly configured and maintained WAF is indeed effective at preventing website attacks, it’s just one piece of what must be a multi-tiered approach.

In addition to a proper website firewall, a solid network security solution is also necessary to keep a site protected, for the reasons given under “Network security” above: whether the server is on-premise or not, a weak network gives attackers a path to your admin GUI that never passes through the WAF.

Regular vulnerability scanning, website backups, and proper training of IT staff on the unique challenges of website security also help create a well-rounded solution for making your site a hardened target.
