
Last updated September 25th, 2024 by Erez Tadmor

When it comes to protecting your digital/web assets, you know that your Web Application Firewall (WAF) is your BFF. And the last thing you want to do is cause any cybersecurity confusion when it comes to operating your WAF. This blog covers a few WAF best practices, particularly as it pertains to deployment, monitoring, and managing WAFs and WAF rules. 

As a side note, the information below pertains mostly to cloud-based WAF use cases, although many of these principles can be applied to on-premises and network-based WAFs as well. 

Deployment 

Before you and your WAF go steady, you’ll want to make sure you’ve laid out your needs, wants, and expectations. Answering these questions can help set the foundation for a strong relationship (both with the WAF and WAF provider):  

  • What web apps – and sensitive data – are you using, and, in turn, wish to protect? 
  • Does the WAF offer API security and access control, and does it address the OWASP Top 10 vulnerabilities? 
  • Which threats are you most concerned about? If cross-site scripting (XSS), SQL injection, and denial-of-service (DoS/DDoS) attacks top your mitigation list, then it’s a strong affirmation of your WAF commitment. What is the impact of these threats on your business? 
  • Do the WAF features align with your company’s security policy? Examples could include IP whitelisting, rate limiting, SSL support, and real-time monitoring (we’ll get into the latter below). 

Put another way, this simple list should be of use before you officially deploy your WAF: 

  • Document your applications and endpoints (including web servers and IP addresses) 
  • Document those applications’ owners 
  • Document your security risk tolerance 
  • Determine what is restricted and what is allowed 

Get In-Line 

One other decision you’ll need to make is whether this WAF will operate “in-line” or “out-of-line” (a.k.a. “out-of-band”). Simply put, you want the former. Why? More control over web requests (e.g., blocking/masking web traffic that doesn’t meet security policies), and stronger abilities to decrypt and log traffic. Lower risk, higher visibility, authentication? In-line WAFs, you had us at hello. 

Monitoring and Management 

When it comes to monitoring with your WAF, the more eyes the better. A first best practice in this arena is ensuring the WAF integrates with your SIEM. You’ll want the broadest view of your network traffic possible, and this is the right start. 

Another best practice is getting in touch with your network topology. By working with a solution/approach that provides visibility into it, you’ll have a stronger understanding of your application environment (from HTTP traffic flows to dependencies within your application environment), particularly from a troubleshooting perspective. 

And don’t forget, when looking to constantly improve and optimize, you’ll want to make sure your DevOps folks have their own line of access (e.g., a developer account). 

Testing is Fun(damental)

In order to make sure you’re best managing your WAF, you’ll want to consistently test it against prevalent threat vectors (from SQL injection to cross-site scripting) and “newer” common attacks in the threat landscape (e.g., malware and bad bots). And you’ll want to stay up to date on the latest threat intelligence. There are a few proactive solutions out there that help, like the one below. 

In addition to testing, you’ll want to make sure your WAF is always audit-ready and checking all the compliance (e.g., PCI DSS) boxes. With that in mind, another best practice to consider is to leverage technology and/or procedures that review WAF policies and configurations to ensure you’re in alignment with all policies and regulations, internal AND external. 
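To make the deployment checklist above (documented applications, owners, endpoints, risk tolerance) and this policy review concrete, here is an added example that is not Tufin's code or any WAF vendor's API: a small audit that joins a constructed application inventory with a constructed WAF policy export and reports every gap (unprotected endpoint, detect-only mode on a high-risk app, missing owner, stale policy). The field names and risk tiers are assumptions; map them to whatever your CMDB and WAF actually export.

```python
# Added example (not Tufin's code or any WAF vendor's API): inventory, policy
# export and tier requirements are constructed stand-ins for real exports.

# Constructed inventory: apps, owners, endpoints and a risk tier, per the deployment checklist.
INVENTORY = [
    {"app": "storefront", "owner": "web-team", "hosts": ["shop.example.com"], "risk": "high"},
    {"app": "intranet-wiki", "owner": "", "hosts": ["wiki.example.com"], "risk": "low"},
    {"app": "payments-api", "owner": "fin-platform", "hosts": ["pay.example.com"], "risk": "high"},
]
# Constructed WAF policy export, one entry per protected host.
WAF_POLICIES = {
    "shop.example.com": {"mode": "detect", "owasp_top10": True, "rate_limit_rps": 200, "tls_inspection": True},
    "wiki.example.com": {"mode": "detect", "owasp_top10": True, "rate_limit_rps": None, "tls_inspection": False},
    "legacy.example.com": {"mode": "block", "owasp_top10": False, "rate_limit_rps": None, "tls_inspection": False},
}
# Minimum settings per risk tier: the documented risk tolerance, encoded.
REQUIRED = {
    "high": {"mode": "block", "owasp_top10": True, "rate_limit": True, "tls_inspection": True},
    "low": {"mode": "detect", "owasp_top10": True, "rate_limit": False, "tls_inspection": False},
}

def audit(inventory, policies, required):
    """Return (subject, finding) pairs; an empty list means the WAF is audit-ready."""
    findings = []
    for app in inventory:
        if not app["owner"]:
            findings.append((app["app"], "no documented owner"))
        req = required[app["risk"]]
        for host in app["hosts"]:
            pol = policies.get(host)
            if pol is None:
                findings.append((host, "no WAF policy: endpoint is unprotected"))
                continue
            # High-risk apps need in-line blocking; detect-only (out-of-band style) is a gap.
            if req["mode"] == "block" and pol["mode"] != "block":
                findings.append((host, f"mode is {pol['mode']}, policy requires block"))
            if req["owasp_top10"] and not pol["owasp_top10"]:
                findings.append((host, "OWASP Top 10 rule set disabled"))
            if req["rate_limit"] and not pol["rate_limit_rps"]:
                findings.append((host, "no rate limit configured"))
            if req["tls_inspection"] and not pol["tls_inspection"]:
                findings.append((host, "TLS inspection off: no visibility into encrypted traffic"))
    # Policies for hosts nobody documented are stale rules to review or retire.
    documented = {h for app in inventory for h in app["hosts"]}
    for host in policies:
        if host not in documented:
            findings.append((host, "WAF policy exists for a host missing from the inventory"))
    return findings
```

Run it on every policy export before an audit window; a non-empty result is the list of items to fix or formally accept as exceptions.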

Tufin = More Than Just WAF Relationship Counseling

At Tufin, we firmly believe a WAF is not merely a tool, but a strategic asset in web application security. And when you can leverage trusted SaaS technology to help create, manage, and automate your security tools and policies, it’s a beautiful thing. 

Take a look at the Tufin Orchestration Suite security solution today. Book a free, hands-on demo with our network security pros. 
