Follow

WAF Policy Deployments: Phased vs. Aggressive

Like any other preventive control, the deployment of the Web Application Firewall (WAF) policy to protect a web application carries a risk of blocking legitimate traffic.  Policy tuning refers to the activity of analyzing traffic and making changes to the policy to prevent - or make negligible - the blocking of legitimate traffic (also known as false positives).

Depending on a number of factors, two broad approaches may be used toward WAF policy deployment.

Phased Deployment

The phased approach is the traditional approach to WAF policy deployment, whereby the policy is first deployed in transparent mode to analyze site traffic without the risk of blocking anything legitimate.  The site's DNS may be switched to Silverline at any time, upon which the Learning Phase will commence.  Once sufficient analysis has taken place, transition to blocking is done in a phased approach.  The phased deployment approach may be illustrated by: 

The phased approach is optimal for engagements in which blocking of legitimate traffic is highly undesirable.  The Silverline SOC will perform policy tuning, but in many cases will have to refer to the customer for feedback on certain types of traffic.  Depending on the complexity of the application, this interactive 'learning' phase can last quite some time and consume significant resources as customer security teams, customer development teams, and the SOC discuss and analyze possible false positives - during which time any malicious traffic will not be blocked.

It is recommended to use the phased approach when some of the following are true:

  • The application is a critical business asset for which the blocking of legitimate traffic would be unacceptable to the business
  • Application QA processes are not capable of replicating every possible valid transaction in the application, or it is not known if they are capable
  • The customer is able to commit resources - including possibly development resources - to engage with the SOC for an extended period to support violation analysis and policy tuning activities

Further information about the Phased Deployment method is available here: 

 

Aggressive Deployment

In an aggressive deployment, the policy is immediately deployed into blocking mode.  Testing of the application with the WAF policy in-place should take place before a DNS switch is made, and before the policy receives production traffic.  The approach is illustrated below:

Aggressive.jpg

This approach relies on a robust QA process to identify any policy tuning requirements prior to the direction of live traffic through Silverline.  This would be done using DNS overrides such as a host file entry.  The SOC makes any required policy tuning based on the results of QA testing through the WAF policy.

Another alternative is to agree a maintenance window and cutover traffic at the beginning of the window - the Silverline SOC can aggressively tune the policies in regular dialog with the customer (by means of a conference call, or Slack) so that the policy is ready for production once the window is over.  It is always possible to revert a policy, or components of a policy, to transparent mode if required.

Naturally, there is an inherent risk of blocking legitimate traffic; however, the aggressive approach drastically reduces the policy deployment life cycle and customer resource requirements, and enables immediate blocking of malicious traffic.

It is recommended to use the aggressive approach when some of the following are true:

  • Immediate protection is required from web application attacks
  • Some blocking of potentially legitimate traffic can be tolerated
  • QA processes are robust and can be relied upon to account for the vast majority of legitimate transactions in the application
  • The customer is unable to commit resources to ongoing, interactive security analysis and policy tuning discussions
  • An accelerated deployment is desired
  • The policy in question is not intended for production traffic
Was this article helpful?
5 out of 5 found this helpful
Have more questions? Submit a request