Six Key Considerations When Deploying a Web Application Firewall

Indusface
7 min read · Feb 15, 2024


829 million attacks, ranging from DDoS and bot attacks to zero-day and OWASP Top 10 attacks, were recorded on the AppTrana WAF across just 1400 web and API applications.

So, implementing a WAF as the first layer of defence is a no-brainer. That said, dozens of established start-ups operate in this space, and choosing a WAF provider can be daunting.

It is essential to consider various factors to ensure the selected WAF meets your organization’s unique needs and requirements.

This article will discuss the six key considerations to remember when deploying a Web Application Firewall to provide robust protection for your web applications.

1. Performance and Scalability

WAFs operate on the edge and filter the traffic before it hits your origin server. Therefore, it is important to look at several factors to ensure that WAF can protect your web applications without slowing them down. It should also adapt as your organization grows.

Here are some important aspects to consider:

Throughput

Check if the WAF can handle a lot of traffic without causing delays or affecting user experience. Find out how much traffic it can manage and if that meets your needs. AppTrana WAF is built on AWS; therefore, you’ll never have to worry about throughput. It scales seamlessly based on application needs.

Latency

Measure any extra delays the WAF may cause. These delays should be minimal to keep a good user experience. Some WAFs can help reduce delays and make your application work faster. Given robust availability zones and WAF blocks, the latency on AppTrana is almost always less than a few milliseconds.

When the CDN is enabled, your application will be faster than it was without the WAF. It is best to verify this in a real-world setting by starting a 14-day free trial on our website.
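Latency is best checked as percentiles rather than a single average, since the tail is what users notice. The harness below is an added example, not code from the article or from Indusface: it times the same request directly against the origin and through the WAF hostname and reports the per-percentile overhead. The two URLs are placeholders, and the optional `Host` header assumes you can reach the origin by IP or an internal name while keeping the site's virtual host.

```python
"""Measure the latency a WAF adds, as percentiles rather than an average.

Added example (not from the article or Indusface). It assumes you can
reach the origin directly (by IP or an internal hostname) as well as
through the WAF, so the same request can be timed on both paths.
Hostnames below are placeholders.
"""
import math
import time
import urllib.request
from typing import Dict, List, Optional

DIRECT_URL = "https://origin.example.internal/health"   # placeholder
WAF_URL = "https://www.example.com/health"              # placeholder


def time_to_first_byte(url: str, host_header: Optional[str] = None,
                       timeout: float = 5.0) -> float:
    """Milliseconds from sending the request to receiving the first byte."""
    req = urllib.request.Request(url, headers={"User-Agent": "latency-probe/1.0"})
    if host_header:
        req.add_header("Host", host_header)  # hit an origin IP but keep the site's vhost
    start = time.perf_counter()
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        resp.read(1)  # the first byte marks the end of the wait
    return (time.perf_counter() - start) * 1000.0


def sample(url: str, n: int = 20, **kw) -> List[float]:
    """Collect n timings for one URL (sequential, so samples do not compete)."""
    return [time_to_first_byte(url, **kw) for _ in range(n)]


def percentile(samples: List[float], p: float) -> float:
    """Nearest-rank percentile for p in (0, 100]."""
    if not samples:
        raise ValueError("no samples")
    ordered = sorted(samples)
    rank = max(1, math.ceil(p / 100.0 * len(ordered)))
    return ordered[rank - 1]


def summarize(samples: List[float]) -> Dict[str, float]:
    return {"p50": percentile(samples, 50), "p95": percentile(samples, 95),
            "max": max(samples), "n": len(samples)}


def added_latency(direct: List[float], via_waf: List[float]) -> Dict[str, float]:
    """Per-percentile overhead (ms) of the WAF path over the direct path."""
    d, w = summarize(direct), summarize(via_waf)
    return {k: round(w[k] - d[k], 2) for k in ("p50", "p95", "max")}


if __name__ == "__main__":
    direct = sample(DIRECT_URL)
    through = sample(WAF_URL)
    print("direct:", summarize(direct))
    print("via WAF:", summarize(through))
    print("overhead:", added_latency(direct, through))
```

Run it from a client location representative of your users; a WAF that adds a few milliseconds at p50 but tens of milliseconds at p95 under load is the case this comparison is designed to surface.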

High Availability

Check if the WAF has high availability built in. You do not want the application to go down because of service unavailability in the WAF's infrastructure. This feature is important for organizations with strict uptime needs. By default, all customers who deploy AppTrana are served from multiple availability zones, ensuring high availability.

Build for failure

It would be prudent to check how the WAF behaves in case of failures. No software is error-proof. Issues are bound to happen in production, and it is important to test how a WAF solution behaves when they do. Will your application become unavailable, or will there be graceful failure for the services having issues? AppTrana is the only Cloud WAF solution that is built for failure. You can learn more about it here.
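The question to put to any vendor is what the inspection layer does when its engine crashes or stops answering within the latency budget. The simulation below is an added example, not AppTrana's or Indusface's code: it wraps a constructed toy engine in the three policies you will encounter (fail-closed, fail-open, or surfacing an error to the client) and records every engine failure, so the trade-off between availability and protection is visible in the verdicts.

```python
"""Exercise how a WAF layer behaves when its inspection engine fails.

Added example, not AppTrana's or Indusface's code. The engine, the request
shape and the failure knobs (`broken`, `slow`) are constructed so the three
common policies can be compared offline: fail-closed, fail-open, and
surfacing an error to the client.
"""
import time
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List


class Verdict(Enum):
    ALLOW = "allow"              # forwarded to the origin
    BLOCK = "block"              # 403 returned to the client
    UNAVAILABLE = "unavailable"  # the WAF layer itself answered with an error


@dataclass
class Request:
    path: str
    body: str = ""


class EngineError(Exception):
    """The inspection engine could not produce a verdict."""


# Every engine failure is recorded here; in production this is the signal
# your monitoring must alert on, whichever policy you choose.
failure_log: List[Dict[str, str]] = []


def inspect(req: Request, *, broken: bool = False, slow: bool = False) -> bool:
    """Toy rule engine: True means the request looks malicious.

    `broken` simulates a crashed engine; `slow` simulates a saturated node
    that answers, but only after the latency budget is exhausted.
    """
    if broken:
        raise EngineError("inspection engine crashed")
    if slow:
        time.sleep(0.2)
    return "<script>" in req.body.lower()  # one constructed signature


def handle(req: Request, policy: str, *, broken: bool = False,
           slow: bool = False, budget_ms: float = 50.0) -> Verdict:
    """Wrap the engine in a failure policy.

    "fail-closed": engine failure or timeout blocks the request
                   (safe, but the application is effectively down).
    "fail-open":   engine failure or timeout forwards uninspected traffic
                   (available, but unprotected while the engine is out).
    anything else: return an error to the client and make the outage visible.
    """
    start = time.perf_counter()
    try:
        malicious = inspect(req, broken=broken, slow=slow)
        elapsed_ms = (time.perf_counter() - start) * 1000.0
        if elapsed_ms > budget_ms:
            raise EngineError(f"inspection took {elapsed_ms:.0f} ms, budget {budget_ms:.0f} ms")
    except EngineError as exc:
        failure_log.append({"path": req.path, "policy": policy, "error": str(exc)})
        if policy == "fail-closed":
            return Verdict.BLOCK
        if policy == "fail-open":
            return Verdict.ALLOW
        return Verdict.UNAVAILABLE
    return Verdict.BLOCK if malicious else Verdict.ALLOW
```

Whichever policy a vendor implements, the part worth verifying during a trial is that a failure is logged and alerted on rather than silently absorbed; a fail-open path that nobody notices is an unprotected application.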

Integration with Content Delivery Networks (CDNs)

A WAF that works well with CDNs can help your application perform better by using the CDN’s global network to serve content faster and with less delay. AppTrana WAF is CDN agnostic. That said, you have the option to enable AppTrana CDN, powered by Tata Communications (which acquired BitGravity in the US), with a single click. The TATA CDN edge is within 20–30 ms across North America, Europe, and Asia.

2. Ease of Deployment

Ease of deployment is critical to facilitate faster adoption of WAF, especially when there are a lot of application owners.

Here are some important aspects to consider:

Deployment options

Check the available deployment options, such as cloud-based, on-premise, or hybrid, and ensure that the WAF can seamlessly integrate into your existing environment. Choose a deployment option that aligns with your organization’s requirements and infrastructure.

Most organisations are adopting the cloud option due to reduced CAPEX and the easy management provided by Cloud WAF vendors. AppTrana is built from the ground up for the cloud.

Initial setup and configuration

Evaluate the complexity of the initial setup and configuration process. A user-friendly WAF should have clear documentation, step-by-step guides, and, if possible, templates or wizards to simplify the initial setup.

User interface

Examine the user interface (UI) of the WAF’s management console. A well-designed UI should be intuitive, easy to navigate, and provide quick access to essential features and settings.

Integration with other tools

Check if the WAF can be easily integrated with other security tools and systems, such as

  • Intrusion detection systems (IDS)
  • Security information and event management (SIEM) systems
  • Content delivery networks (CDNs)

Seamless integration can enhance the WAF’s capabilities and streamline security management. With AppTrana, you can access open APIs to integrate any of the above tool sets.

Automation capabilities

Evaluate the WAF’s support for automation, such as automated responses to detected threats and integration with automation tools like Ansible or Terraform. Automation can reduce the manual effort required to manage the WAF and improve its overall efficiency.
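The SIEM integration and automation points above share one pipeline: WAF events have to arrive in a schema the SIEM understands, and an automated response is usually derived from a count of those events. The script below is an added example, not Indusface's or AppTrana's code. Its log line format is constructed for the illustration (a real WAF exports its own schema, typically JSON, through an API or log shipper), the field names follow the Elastic Common Schema naming style as an assumption about what the SIEM expects, and the response it derives is a time-limited deny entry rather than a permanent one.

```python
"""Turn WAF block logs into SIEM events and derive an automated response.

Added example, not Indusface's or AppTrana's code. The log line format is
constructed for the illustration (a real WAF exports its own schema through
an API or log shipper); the event field names follow the Elastic Common
Schema (ECS) naming style, assumed here as what the SIEM expects.
"""
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample export: timestamp, client IP, action, rule, method, path.
SAMPLE_LOG = """\
2024-02-15T10:00:01Z 203.0.113.7 BLOCK rule=R-SQLI-01 GET /search
2024-02-15T10:00:02Z 203.0.113.7 BLOCK rule=R-SQLI-01 GET /search
2024-02-15T10:00:03Z 198.51.100.4 ALLOW rule=- GET /index.html
2024-02-15T10:00:04Z 203.0.113.7 BLOCK rule=R-XSS-02 POST /comment
2024-02-15T10:00:09Z 203.0.113.7 BLOCK rule=R-XSS-02 POST /comment
2024-02-15T10:02:00Z 198.51.100.4 BLOCK rule=R-XSS-02 POST /comment
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<action>ALLOW|BLOCK) rule=(?P<rule>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+)$"
)


def parse_line(line: str) -> Optional[Dict]:
    """Map one constructed log line to an ECS-style event; None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {
        "@timestamp": m["ts"],
        "event": {"kind": "event", "category": ["web"], "action": m["action"].lower()},
        "source": {"ip": m["ip"]},
        "http": {"request": {"method": m["method"]}},
        "url": {"path": m["path"]},
        "observer": {"type": "waf", "product": "example-waf"},  # placeholder product
    }
    if m["rule"] != "-":
        event["rule"] = {"id": m["rule"]}
    return event


def to_events(text: str) -> List[Dict]:
    """Parse a whole export, silently skipping lines that do not match."""
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def to_ndjson(events: List[Dict]) -> str:
    """Newline-delimited JSON, the shape most SIEM HTTP and file collectors ingest."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)


def blocks_to_deny(events: List[Dict], threshold: int = 3,
                   window: timedelta = timedelta(seconds=60),
                   ttl: timedelta = timedelta(minutes=10)) -> Dict[str, datetime]:
    """Automated response: {client_ip: expiry} for clients with at least
    `threshold` blocks inside any sliding `window`. Expiring entries keep a
    noisy but legitimate client (or a shared NAT) from being denied forever."""
    recent: Dict[str, deque] = defaultdict(deque)
    deny: Dict[str, datetime] = {}
    for ev in events:
        if ev["event"]["action"] != "block":
            continue
        ts = datetime.fromisoformat(ev["@timestamp"].replace("Z", "+00:00"))
        ip = ev["source"]["ip"]
        hits = recent[ip]
        hits.append(ts)
        while hits and ts - hits[0] > window:
            hits.popleft()
        if len(hits) >= threshold and ip not in deny:
            deny[ip] = ts + ttl
    return deny


if __name__ == "__main__":
    evs = to_events(SAMPLE_LOG)
    print(to_ndjson(evs))
    for ip, until in blocks_to_deny(evs).items():
        print(f"temporary deny {ip} until {until.isoformat()}")
```

The deny entries are what an automation tool would push back to the WAF or edge; the threshold, window and TTL are the parameters to tune against your own traffic so that a single blocked request from a shared address never escalates to a denial.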

3. Ongoing Maintenance and Management

The threat landscape is constantly evolving. Every month, at least 200 zero-day vulnerabilities are discovered in applications.

A WAF ensures better security and enables faster response to any threats. There’s also the added benefit of hard cost savings on deployment, configuration, and ongoing maintenance.

Here are some important aspects to consider:

Customization

Assess the WAF’s flexibility in terms of security rules, policies, and configurations. It should be easy to customize the WAF to meet your organization’s specific security needs, with the ability to create and modify rules, whitelist or blacklist IPs and adjust settings as needed.

This is where AppTrana really shines. The security research team at Indusface works with your applications team to ensure ZERO false positives on core, premium, and custom rules.

With a single button click, you can request a custom rule for a vulnerability found either by the integrated DAST scanner or by the bundled pen-testing service, and all critical and high vulnerabilities are patched within 24 and 48 hours, respectively.

Updates and patches

Consider the process for updating and patching the WAF. It should be easy to apply updates and patches, preferably with automated mechanisms, to ensure the WAF stays up-to-date with the latest security features and fixes.

As discussed earlier, all critical vulnerabilities are virtually patched within a day. We did this for our customers even during the Log4j and Java Spring Boot vulnerabilities discovered last year. The virtual patches were also extensively tested to ensure zero false positives across all the impacted customers.

Support and documentation

Review the quality of the WAF vendor’s support and documentation, including user guides, knowledge bases, FAQs, and forums. A responsive support team and comprehensive documentation can significantly ease the deployment and management process. 24x7 support is no longer just an enterprise feature; all our customers get 24x7 support guaranteed.

4. Compatibility with Existing Infrastructure

Ensuring compatibility with existing infrastructure is probably the most important consideration when you evaluate WAFs.

Cloud WAFs like AppTrana are compatible with most infrastructure settings, including on-premise, hybrid, public cloud, private cloud, and any combination of these options.

That said, you’ll still need to evaluate Cloud WAFs for the following:

Configuration and customization

Examine the WAF’s flexibility regarding security rules, policies, and configurations. A common problem with most WAFs is that core rules could block legitimate traffic. Evaluate if the vendor can ensure no false positives such as these.

AppTrana WAF ensures zero false positives through bundled managed services. Our security researchers ensure that the configuration can be easily customized to meet your organization’s specific security needs and policies.

You should also check if the WAF supports the customization required for your application, such as custom ports, as many Cloud WAFs restrict the ports an application can listen on. AppTrana supports custom ports for your applications.
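The customization points raised in section 3 (creating and modifying rules, allowlisting or denylisting IPs) and the false-positive and custom-port concerns just above come down to the same two questions: in what order does the policy apply, and does it block traffic you know to be legitimate? The script below is an added example, not AppTrana's or Indusface's code. The precedence order it uses (configured ports first, then an explicit allowlist, then the denylist, then content rules), the two sample rules and the staging traffic are all assumptions made for the illustration; it replays known-good requests through a naive rule and a tightened one so the false positives show up before the policy is switched to block mode.

```python
"""Evaluate a customizable WAF policy and regression-test it for false positives.

Added example, not AppTrana's or Indusface's code. The precedence order
(configured ports, then explicit allowlist, then denylist, then content
rules), the rules and the sample traffic are all assumptions made for the
illustration; each product defines its own.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Rule:
    rule_id: str
    pattern: re.Pattern
    note: str


@dataclass
class Policy:
    allow_cidrs: List[str] = field(default_factory=list)   # trusted sources, never blocked
    deny_cidrs: List[str] = field(default_factory=list)    # known-bad sources
    rules: List[Rule] = field(default_factory=list)        # content rules, in order
    ports: List[int] = field(default_factory=lambda: [80, 443])  # ports the WAF listens on


@dataclass
class Request:
    src_ip: str
    port: int
    path: str
    body: str = ""


def _in_any(ip: str, cidrs: List[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def evaluate(policy: Policy, req: Request) -> Optional[str]:
    """Return None when the request is allowed, otherwise the reason it is blocked."""
    if req.port not in policy.ports:
        return "port-not-configured"   # the WAF is not even listening here
    if _in_any(req.src_ip, policy.allow_cidrs):
        return None                    # allowlist wins over both deny and rules
    if _in_any(req.src_ip, policy.deny_cidrs):
        return "ip-denied"
    haystack = req.path + "\n" + req.body
    for rule in policy.rules:
        if rule.pattern.search(haystack):
            return rule.rule_id
    return None


def false_positives(policy: Policy, known_good: List[Request]) -> List[Tuple[str, str]]:
    """Replay traffic you know is legitimate; every block returned is a false
    positive to fix before the policy goes to block mode."""
    hits = []
    for req in known_good:
        why = evaluate(policy, req)
        if why is not None:
            hits.append((req.path, why))
    return hits


def build_policy(tightened: bool) -> Policy:
    # A naive SQL-keyword rule versus one that needs query structure around the keyword.
    naive = re.compile(r"(?i)\bselect\b")
    tight = re.compile(r"(?i)\bselect\b[\w\s,*]+\bfrom\b")
    return Policy(
        allow_cidrs=["192.0.2.0/24"],        # constructed "office" range
        deny_cidrs=["198.51.100.0/24"],      # constructed "known bad" range
        rules=[Rule("R-SQLI-01", tight if tightened else naive, "SQL keyword in request")],
        ports=[80, 443, 8443],               # 8443: a custom application port
    )


# Constructed legitimate traffic, as captured from a staging environment.
KNOWN_GOOD = [
    Request("203.0.113.10", 443, "/docs/select-a-plan"),
    Request("203.0.113.11", 443, "/contact", body="msg=Please help me select the blue model"),
    Request("203.0.113.12", 8443, "/api/v1/status"),
]
```

Keeping a replay corpus of real, legitimate traffic per application is the practical way to hold a vendor to a zero-false-positive claim: run it after every rule change and before each move from monitoring to block mode.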

Compliance and regulatory requirements

If your organization is subject to specific compliance or regulatory requirements, ensure that the WAF solution meets these standards. This could include data protection regulations, industry-specific standards, or regional privacy laws.

AppTrana WAF has blocks in the US, EU, India, Dubai, and Australia, so it complies with most data sovereignty laws. The solution is also ISO 27001, PCI, and GDPR compliant, which takes care of most compliance needs around PII data and credit card processing.

5. Cost and Licensing

Cost and licensing for a WAF are extremely complicated, so we have written a dedicated article on Cloud WAF Pricing.

To summarize pricing, most Cloud WAFs like AppTrana combine subscription, pay-as-you-go, and add-on models.

The subscription is mostly at a per-application model. Also, it includes a component for bandwidth/traffic that the WAF inspects before passing on the clean traffic to the origin servers.

The add-ons are mostly at a feature/functionality level. For example, some WAF providers charge extra for features such as DDoS Mitigation, API Security, and managed services.

AppTrana WAF is comprehensive in that all the above features come bundled as part of the subscription. You can look for the details on the subscription on the AppTrana pricing page here.

6. Vendor Support

Since WAFs have a high chance of blocking legitimate traffic, how well the support team can help you reduce this is a critical evaluation point.

On vendor support, the proof is in the pudding, and the best way to check is to do a free trial or a paid pilot on one of your applications. This is easier to do on cloud WAFs than on on-premise or software WAFs.

We are proud to say that 100% of applications behind AppTrana WAF are in block mode, as our 24x7 support ensures that the rules don’t block legitimate traffic (ZERO false positives guarantee). The support team also has your back by monitoring the site traffic to ensure that your applications are not getting hit by DDoS attacks.

In conclusion, AppTrana WAF is a flexible solution that satisfies most requirements (outside the mandate for on-premise solutions). Since you can onboard your application with a DNS change (a 5-minute activity for the infra team), start our no-obligation 14-day free trial to experience these attributes today.

Stay tuned for more relevant and interesting security articles. Follow Indusface on Facebook, Twitter, and LinkedIn.

Originally published at https://www.indusface.com on April 18, 2023.
