How to Size Web Application Firewall

There are a few factors that organizations must consider when choosing a WAF.

Select an architectural type -

1. Inline which can again be in three models -

a. Reverse Proxy - It terminates all incoming traffic, scrutinizes the traffic and deals with the server on behalf of the requester. This consumes processing power so must be sized and tested to avoid latency issues.

b. Router mode - In contrast to the reverse proxy, it does not terminate requests meant for the server.

c- In-bridge mode - WAF acts as a layer 2 switch and does limited firewall services.

2. Tap/Span: It is a non-intrusive, passive option kept out of the traffic route. It monitors traffic from a tap or span port. This type is mainly used for accumulating data to be used later for investigation.

Choice of Deployment:

Organizations can choose a form they are comfortable with

a. Software-based Virtual edition, b. Hardware, or c. Cloud-based WAF.

Detection techniques:

How the WAF must be used/ sized to determine vulnerabilities. It is necessary to ensure that the WAF does not block genuine traffic.

a. Signatures - Negative security model matches a pre-set string to the traffic when scrutinizing for attacks. in contrary, positive security model blocks and examines all the traffic allowing traffic that looks safe.

b. Rules- Links a series of strings or a 16-digit number.  

c. Normalization- WAF must be normalized to be able to spot and examine the attacks that sometimes are successful in evading WAF detection.

Availability and throughput:

WAF must have the capability to cache copies of frequent visitor requesting web content to reduce repeat requests to the back-end servers. It should compress content automatically for fast network transport. Is it compatible with existing load balancers/HA devices?

The SSL certificates and encryption can increase the CPU overheads so necessitate sizing of the WAF to offload some of the processing work.

Was this answer helpful? 5 5