Application-level firewalls have become a top concern for companies who need to meet regulatory compliance standards. PCI DSS recently made application-level firewalls a requirement for companies that accept credit cards, so eCommerce merchants are rushing to understand web application firewalls. And even among companies that do not need to comply with PCI DSS regulations, application-level firewalls are fast becoming a critical piece of the security puzzle.
Traditional Firewalls Are No Longer Enough
While most organizations use a perimeter firewall to control traffic entering and leaving their network border, and protect against Internet attackers, this isn’t enough to protect against threats that come through applications. These conventional network firewalls won’t detect an application level intrusion because attackers know how to sneak through open ports used by authorized applications. That’s because these perimeter firewalls aren’t set up to check application data; all a hacker needs to do is hide their virus or malware inside the application itself.
Application-level firewalls are the only defense an enterprise has against the increasing threat of web application attacks. As attackers become more sophisticated, so must your network defense strategy. But because application firewalls are a relatively new requirement, even IT pros need some guidance in deploying them. Here are 3 web application firewall best practices to help you build an impenetrable network security system.
1. Make Sure It’s A Real Application Firewall – Not An Impostor
A true application-level firewall provides thorough protection against any and all of the following threats to your application traffic:
- SQL injection attacks
- XSS, or cross-site scripting
- Session hijacking
- Scanning and crawling
- Cookie tampering
- Path traversal attempts
- Denial of Service (DoS) attacks
Some people confuse an application firewall with deep-packet inspectors, web security gateways, and other content filtering products. Deep-packet inspection, also known as complete packet inspection and Information eXtraction, is a worthwhile component to your security strategy, but it doesn’t go far enough. While a deep-packet inspector can detect spyware and malware inside packets and their contents, it does not inspect application-layer code thoroughly enough to meet PCI compliance regulations. Similarly, web security gateways and content filtering tools can block malware coming from outside websites and email, but an application-level threat will slip right through their cracks.
Putting up appropriate defenses requires thorough and targeted detection of applications and application data. Though it works best combined with the other protections mentioned above, there is no replacement for a true application-level firewall.
2. Do Not Overlook Access Controls
One of the key practices is to ensure that your application firewall includes access controls. Access controls work like a fine-tooth comb to monitor and account for who can access your network systems and data, including when, where, and how. PCI and HIPAA compliance, among others, require access controls, and an application level firewall can help you meet this requirement.
An ideal application level firewall will integrate with access management systems to monitor employee access to web applications according to their security authentications. This includes regulating access to the application-level firewall so that only authorized users can access it for necessary management and upgrades.
3. Choose a Web Application Firewall That Fits Your Existing Infrastructure
Your application-level firewall needs to be compatible with your existing web infrastructure and corporate network. If you are changing your infrastructure only to accommodate the new firewall, you are wasting unnecessary time and resources. Whether you are still reliant on centralized hardware, or you use decentralized, off-premise servers, an application firewall expert can help you deploy the most compatible solution with minimal disruption. For example, some application level firewalls are plug-ins for existing web servers. That said, choosing an application firewall that can ultimately be integrated into a cloud-based virtualized system will have the greatest flexibility, longevity, and scalability.
The most important consideration when it comes to web application firewalls is your network performance. An application firewall can weigh on your network, negatively impacting performance and slowing site traffic, if it’s not configured properly or is incompatible with your infrastructure. You can avoid bottlenecks by load testing your application firewall and checking its throughputs within your network before you fully commit to an installation.
PointClick and Incapsula Partner for Web Application Firewall Best Practices
These are only three effective firewall practices, and they do not cover everything you need to know about this critical security enhancement. An application-level firewall is just one piece of a comprehensive security strategy, though an important one in the fight against web application attacks.
We at PointClick are pleased to announce our partnership with Incapsula, enabling us to provide Web Application Firewall, DDos Protection and CDN services to our clients. Together we are dedicated to helping you secure your online enterprise and improve their delivery, particularly when it comes to vulnerable web applications.
Contact us today to learn how you can benefit from our new partnership with Incapsula, and deploy a robust, multilayered network security program to safeguard your enterprise.