Not that long ago, firewalls were simple things. They fit neatly into corporate networks and helped to protect anything residing on that network from external threats. Today, the mission isn’t so simple.
Many corporate applications now reside beyond the firewall, and many workers need to access internal applications from remote locations. And while traditional firewalls are good at blocking suspicious traffic at the lower layers of the TCP/IP stack, filtering on addresses, ports and connection state, they’re not designed to block layer 7, or application layer, attacks, which arrive inside perfectly ordinary-looking HTTP connections to ports the firewall has to leave open.
For instance, think of how much information enters your databases through web-based forms. Attackers see every one of those forms as an entry point, because whatever is typed into a field ends up in a query or command on your back end. As attackers moved up the stack, security companies had to respond in kind.
Thus, web application firewalls (WAFs) are designed specifically to protect against layer 7 attacks by inspecting the HTTP requests and responses themselves rather than just packet headers. Web application firewalls are becoming nearly as important as traditional firewalls, and an organization that exposes web applications without one is courting danger.
Keep these five questions in mind as you search for the web application firewall that is right for your organization:
1. What exactly are you trying to protect?
For some organizations, the main thing to protect will be a web-based email portal for traveling employees. For others, the priority is keeping sensitive customer data away from prying eyes, a challenge that, if not met, could also put compliance with industry regulations at risk.
Carlos Romero is the EVP of Technology for Smart Business Technology (SMART), a developer of payment and transaction software. After SMART had spent more than two decades developing payment software, its customers began asking for a hosted solution.
“If you’re going to host and process payments, you need to achieve Level 1 PCI compliance,” Romero said. “That meant our online security had to meet the same standards as Wal-Mart or Visa.” (PCI DSS levels are assigned by transaction volume; Level 1 is the top tier and carries the heaviest validation requirements, while the typical corner store is a Level 4 merchant.)
SMART brought in an auditor, and the auditor’s main recommendation was to install a web application firewall. (This is one of the two routes PCI DSS Requirement 6.6 allows for public-facing web applications: either review them for vulnerabilities at least annually and after changes, or put an automated solution such as a WAF in front of them to inspect all traffic.) Romero investigated some low-cost, software-only solutions, but quickly dismissed them as inadequate.
Protecting cardholder data and maintaining PCI compliance meant that discount solutions weren’t worth the risk, and that his organization would need to invest in a more robust hardware-based solution.
2. How will it fit in with your existing security solution?
SMART was already using Fortinet’s traditional firewalls, so choosing Fortinet’s FortiWeb made sense. “We have a comfort level with Fortinet,” Romero said. “We know their products work as advertised. The UI is easy to use, and their support has always been top-notch.”
Romero liked the fact that his IT staff already knew their way around the FortiWeb product because its UI was consistent with the other Fortinet firewalls they managed. This reduced training time and should make managing the device easier on an ongoing basis.
3. How open does your application need to be?
Human Kinetics (HK) publishes online materials related to kinesiology. It hosts its own e-commerce website and nearly 40 other educational and storefront sites, which together get about half a million unique visits per month.
Especially for e-commerce sites, the traditional approach of simply blocking unrecognized traffic doesn’t work. Anonymous visitors have to be able to reach your storefront, so the WAF must tell malicious requests apart from legitimate ones rather than deny by default. After evaluating several (unnamed) vendors, HK selected F5’s BIG-IP Application Security Manager (ASM).
HK didn’t realize until after deploying F5 that the previous solution had been blocking more traffic than it should have. “Users would get an error message and the page wouldn’t load at all,” said Brad Trankina, Director of Network and Information Systems at Human Kinetics. “Some customers would leave the site in frustration rather than wait 10 to 15 seconds for a page to download.”
The previous solution provided only high-level, non-specific error reports, so when a legitimate request was blocked it was difficult to pinpoint which rule had fired and correct it.
Lyons says HK’s entire approach to security has changed from that of keeping people out of the network to inviting them in. “With the F5 solution, we’re getting far fewer false positives, so we’re allowing more legitimate traffic,” he said. “Because F5 enables deep packet inspection, we can tell exactly what is causing an error and know how to fix it.”
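To make two points in this article concrete, here is an added example; it is not from the original article and is not the code of Fortinet, F5 or any product mentioned. The first point is the opening section’s claim that a port-based firewall cannot see what is inside a form submission, so a layer 7 inspection has to do that job. The second is HK’s experience above: a crude layer 7 rule blocks legitimate customers and produces logs too vague to fix, while a more precise rule with a log line that names the field and the matched text lets you correct false positives. The script simulates all three checks. Every request, IP address, field name and rule pattern in it is constructed for illustration, and the rule set is a teaching sketch, not a production signature set.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs


@dataclass
class Request:
    """One HTTP request as seen by an inline device (constructed samples below)."""
    src_ip: str
    dst_port: int
    path: str
    body: str = ""  # application/x-www-form-urlencoded form data


def packet_filter(req: Request, allowed_ports=(80, 443)) -> bool:
    """Layer 3/4 view: a port-based firewall only sees addresses and ports.
    Any request to the web server's port passes, whatever the body contains."""
    return req.dst_port in allowed_ports


# Crude layer 7 rule: reject any field containing a quote or a SQL keyword.
NAIVE_PATTERN = re.compile(r"'|\b(select|union|or)\b", re.IGNORECASE)


def naive_waf(req: Request):
    """Overbroad rule with a vague log: the failure mode HK describes above."""
    for name, values in parse_qs(req.body, keep_blank_values=True).items():
        for value in values:
            if NAIVE_PATTERN.search(value):
                return False, "blocked: request rejected"  # says nothing useful
    return True, ""


# Tuned layer 7 rules (illustrative only): match the structure of an injection
# rather than single characters, and record which rule, field and text matched.
TUNED_RULES = [
    ("tautology", re.compile(r"'\s*(or|and)\s+\S+\s*=\s*\S+", re.IGNORECASE)),
    ("union-select", re.compile(r"\bunion\b\s+(all\s+)?select\b", re.IGNORECASE)),
    ("stacked-statement", re.compile(r";\s*(drop|delete|update|insert)\b", re.IGNORECASE)),
    ("comment-truncation", re.compile(r"'\s*(--|#|/\*)")),
]


def tuned_waf(req: Request):
    """Narrower rules plus a log line precise enough to fix a false positive."""
    for name, values in parse_qs(req.body, keep_blank_values=True).items():
        for value in values:
            for label, pattern in TUNED_RULES:
                match = pattern.search(value)
                if match:
                    return False, f"blocked: rule={label} field={name} match={match.group(0)!r}"
    return True, ""


# Constructed sample traffic (documentation IP ranges, fictional form data).
SAMPLES = {
    "legit_search": Request("203.0.113.7", 443, "/search", "q=running+shoes"),
    "legit_apostrophe": Request("203.0.113.8", 443, "/checkout",
                                "name=Conor+O%27Brien&title=Eat+or+Be+Eaten"),
    "sqli_tautology": Request("198.51.100.9", 443, "/login",
                              "user=admin%27+OR+1%3D1--&pass=x"),
    "sqli_union": Request("198.51.100.9", 443, "/search",
                          "q=x%27+UNION+SELECT+card_number+FROM+cards--"),
    "wrong_port": Request("198.51.100.10", 8080, "/", ""),
}


def evaluate(samples=SAMPLES):
    """Run every sample through all three checks and collect the verdicts."""
    results = {}
    for label, req in samples.items():
        passed_l4 = packet_filter(req)
        if passed_l4:
            naive_ok, naive_log = naive_waf(req)
            tuned_ok, tuned_log = tuned_waf(req)
        else:
            naive_ok = tuned_ok = False
            naive_log = tuned_log = "dropped at layer 4 (port not allowed)"
        results[label] = {"l4": passed_l4, "naive": naive_ok, "naive_log": naive_log,
                          "tuned": tuned_ok, "tuned_log": tuned_log}
    return results


if __name__ == "__main__":
    for label, verdict in evaluate().items():
        print(f"{label:18} l4={verdict['l4']!s:5} naive={verdict['naive']!s:5} "
              f"tuned={verdict['tuned']!s:5} {verdict['tuned_log']}")
```

Running it shows the port filter passing both injection attempts unchanged, because they arrive on port 443 like everything else; the naive rule stopping them but also rejecting the customer named O’Brien and a book titled “Eat or Be Eaten” with a log that explains nothing; and the tuned rule stopping the same attacks while letting the real customers through, with a log that names the rule, the field and the matched text so that a remaining false positive can be traced and fixed.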