Disclaimer

The content of this material is challenges faced onsite and how I personally resolved them. Please note that solutions posted here

1> should not be considered as ultimate. The material may be considered for reference only.

2> should not be considered as a guarantee that solutions will work. Contact Cyberoam support before making any changes.

3> this blog does NOT belong to Cyberoam. It's a blog...a personal blog.

Changes made after referring to this site may seriously damage the network. So...

........DO CHANGES AT YOUR OWN RISK

(please contact Cyberoam support before implementing any changes)

Monday, 25 June 2012

"Set it and forget it attitude"- Web Application firewall


Web Application Firewalls (WAFs) are an excellent last line of defense. They’re great at blocking both automated scans and granular exploits like Cross-Site Scripting and SQL injection. I recommend WAFs to partners all the time. But is there more to the story?

Unfortunately, more security vendors deploy a WAF to cover up vulnerabilities in their web applications instead of looking to fortify the coding practices that led to them. The WAF has also replaced the good old security practices of conducting regular audits and security scans. It's "set it and forget it". This is especially common with the compliance-as-a-checkbox mode of operation that is present in many businesses. It reminds me of what firewalls with Stateful Inspection Technology were 10 years ago.

A WAF will not protect you against application logic flaws. What about weak passwords in your web application? That is another flaw that may go unguarded.

Good security practices like security monitoring, patch management, change management, incident response processes/procedures and most importantly security awareness sessions still hold good.

Whether you work for a large enterprise or a small business, just know that Web Application Firewalls are not the end-all, be-all solution for your web security problems. They're good at what they do. But like airbags in our automobiles, they can't be relied on completely. To set up a WAF and rely on it completely to protect your web application is short-sighted and a recipe for getting bitten when you least expect it.

The solution is to layer your web controls and look to fortify your coding practices. Web application flaws are better fixed at the source by performing periodic scans and manual tests and by reviewing your code.
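As an added illustration of "fix it at the source" (example code, not from the post or from Cyberoam), the block below puts a SQL injection flaw beside its fix and adds a password-strength check, the kind of application-logic control a WAF does not enforce. The user table, the probe string and the password thresholds are all constructed for the example.

```python
"""Added example (not from the blog post): the two gaps the post names.

1. A SQL injection flaw fixed at the source with a parameterised query,
   beside the concatenated query a WAF is expected to cover up.
2. A weak-password check, the kind of application-logic control no WAF
   enforces for you.

Uses only the standard library; the user table is constructed inline.
"""
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory table of three users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The 'before': user input spliced into the SQL text.

    Any quote in `username` changes the query's structure, which is
    exactly the class of request a WAF signature tries to catch.
    """
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn: sqlite3.Connection, username: str) -> list:
    """The 'after': a parameterised query.

    The driver passes the value separately from the statement, so the
    input is only ever compared as data. Nothing is left for a WAF to catch.
    """
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Minimal password policy (assumed thresholds, not from the post).
MIN_LENGTH = 12
CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def password_is_acceptable(password: str) -> bool:
    """Reject short passwords and those using fewer than three character classes.

    A WAF inspects requests for attack patterns; it has no opinion on whether
    'password1' is a good credential. That check has to live in the application.
    """
    if len(password) < MIN_LENGTH:
        return False
    classes_present = sum(1 for pat in CLASSES if re.search(pat, password))
    return classes_present >= 3


if __name__ == "__main__":
    conn = build_db()
    # A quote in the input, constructed to show why query structure matters.
    probe = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(conn, probe))  # every row comes back
    print("fixed:     ", lookup_fixed(conn, probe))       # no rows come back
    print("bob (fixed):", lookup_fixed(conn, "bob"))
    for pw in ("password1", "Tr0ub4dor&3-extra"):
        print(pw, "->", password_is_acceptable(pw))
```

Running it shows the concatenated query returning all three users for the probe input while the parameterised query returns none, and the policy rejecting `password1` while accepting the longer mixed-class string. The point the post makes is visible in the code: once the query is parameterised there is no injection for the WAF to block, and the password rule is something only the application can enforce.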

After you follow best practices for setting up a web application, let the WAF be the icing on the cake.

2 comments:

  1. Hello there,

    I did implement WAF but have an issue with ActiveSync. I cannot seem to get iPhones to sync with our Exchange server after WAF.
