10.06.2009
While the traditional WAF customer is the security team, many products are becoming attractive to a wider audience thanks to analysis features, single-sign-on support and integration with Web services security, Krikken says. That's why he advises that a WAF evaluation should include the people responsible for enterprise architecture, application delivery and software development. "This will improve confidence in the security aspects of the solution, as well as alleviate availability and performance concerns," he says.
At a global energy company, in fact, the decision to use a WAF grew out of the need for a security service for the company's service-oriented architecture (SOA) implementation. The company's chief architect chose the Reactivity XML accelerator security device; Reactivity was later bought by Cisco Systems, which turned the product into the ACE WAF. When the energy company determined that it also needed an Internet-facing WAF, Cisco assured it that the same ACE deployment could serve both its internal SOA needs and the securing of its public Web applications.
Application monitoring is one nontraditional use for WAFs that is growing in popularity. Because the WAF sits inline and inspects responses as well as requests, it can detect performance problems or notice that the application is serving up error pages because of broken links.
While you can use out-of-the-box blacklist rules for basic security, Krikken says, be prepared to invest ongoing time and effort for all but the simplest Web applications. "Even with rule templates and learning engines, initial tuning and ongoing customization will often be required to optimize effectiveness and reduce false positives," he says.
At the global energy company, the chief architect says his company was able to configure one use case in two hours with the Cisco WAF. However, he would like more best practices guides for configuring things like character filtering "rather than us scrambling to do this."
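The tuning problem Krikken and the chief architect describe (generic blacklist rules that fire on ordinary input, and per-parameter character filters that have to be written by hand) can be shown with a small self-contained model. The code below is an added illustration, not code from the article or from any Cisco or Reactivity product; the traffic sample, the rule patterns, and the policy structure are all constructed here for demonstration. It scores a generic keyword blacklist against a few requests, then scores a tuned policy that replaces the keyword match on a free-text search field with an injection-syntax signature, excludes the password field from pattern matching, and adds positive character filters on the username and ZIP parameters.

```python
"""Added example: why default WAF blacklists need per-parameter tuning.

Everything here (requests, signatures, policy layout) is constructed for
illustration and is not taken from the article or from a real WAF product.
"""
import re
from dataclasses import dataclass, field

# A generic "SQL injection" blacklist signature of the kind shipped as a
# default rule: it fires on bare SQL keywords anywhere in a parameter value.
GENERIC_SQLI = re.compile(r"\b(select|union|insert|update|delete|drop)\b", re.I)

# Constructed sample traffic: (path, {param: value}, is_attack)
TRAFFIC = [
    ("/search", {"q": "select a color for the living room"}, False),
    ("/search", {"q": "union membership drive"}, False),
    ("/login", {"user": "alice", "pw": "Tr0ub4dor&3"}, False),
    ("/search", {"q": "' UNION SELECT user,pass FROM accounts--"}, True),
    ("/login", {"user": "admin'--", "pw": "x"}, True),
    ("/profile", {"zip": "90210"}, False),
    ("/profile", {"zip": "90210 OR 1=1"}, True),
]


@dataclass
class Policy:
    """A toy WAF policy: one default blacklist plus per-parameter tuning."""
    blacklist: re.Pattern
    # (path, param) -> signature that replaces the default blacklist there
    overrides: dict = field(default_factory=dict)
    # (path, param) pairs where no pattern matching is done at all
    excluded: set = field(default_factory=set)
    # (path, param) -> allowlist regex the whole value must match
    char_filters: dict = field(default_factory=dict)


def evaluate(policy, path, params):
    """Return a list of (param, reason) findings; an empty list means pass."""
    findings = []
    for name, value in params.items():
        key = (path, name)
        allow = policy.char_filters.get(key)
        if allow is not None and not allow.fullmatch(value):
            # Positive model: anything outside the expected shape is blocked,
            # whether or not a blacklist signature would have fired.
            findings.append((name, "char-filter"))
            continue
        if key in policy.excluded:
            continue
        pattern = policy.overrides.get(key, policy.blacklist)
        if pattern.search(value):
            findings.append((name, "blacklist"))
    return findings


def score(policy, traffic):
    """Count true positives, false positives and false negatives."""
    tp = fp = fn = 0
    for path, params, is_attack in traffic:
        blocked = bool(evaluate(policy, path, params))
        if blocked and is_attack:
            tp += 1
        elif blocked and not is_attack:
            fp += 1
        elif not blocked and is_attack:
            fn += 1
    return {"tp": tp, "fp": fp, "fn": fn}


# Out-of-the-box policy: the generic signature on every parameter.
DEFAULT = Policy(blacklist=GENERIC_SQLI)

# Tuned policy after looking at what the default rule blocked and missed.
TUNED = Policy(
    blacklist=GENERIC_SQLI,
    overrides={
        # Free-text search: bare keywords are normal English, so require
        # injection syntax (quote, comment, or UNION SELECT) instead.
        ("/search", "q"): re.compile(
            r"['\";]|--|/\*|\bunion\s+(?:all\s+)?select\b", re.I),
    },
    # Passwords legitimately contain anything; never pattern-match them.
    excluded={("/login", "pw")},
    char_filters={
        # Hand-written character filters of the kind the architect mentions.
        ("/login", "user"): re.compile(r"[A-Za-z0-9_.-]{1,32}"),
        ("/profile", "zip"): re.compile(r"\d{5}(?:-\d{4})?"),
    },
)

if __name__ == "__main__":
    print("default:", score(DEFAULT, TRAFFIC))  # 1 caught, 2 benign blocked, 2 missed
    print("tuned:  ", score(TUNED, TRAFFIC))    # all 3 caught, nothing benign blocked
```

The default policy blocks two ordinary search queries while letting the `admin'--` login and the `90210 OR 1=1` ZIP through, because neither contains one of the listed keywords; the tuned policy fixes both directions, but only because someone looked at the application's parameters one by one. That per-parameter work is the ongoing effort Krikken warns about, and new benign inputs (a search for `rock 'n' roll`, say) will keep forcing further adjustments.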