"The Ease of Deployment is critical for the success of new projects. The greater the impact on the existing network infrastructure, the longer deployment takes."
The purpose of this post is not to redefine the PoV or to provide new guidelines for it. The goal is to highlight the basic checklist to run so that an application onboarding succeeds easily.
As the PoV aims to demonstrate that a solution matches the customer's use cases, it is important to define the customer's purpose before starting your PoV.
Below is a set of checks Imperva recommends performing before an application onboarding.
Environment check

| Check | Action | Why it matters |
| --- | --- | --- |
| Hosting Firewall | Make sure that Imperva IPs are whitelisted in the firewall deployed in front of your web server. | To ensure that traffic to your website passes through Imperva only, block access to it from non-Imperva IP addresses. |
| IP rate limiting block | Make sure that server modules that enforce IP rate limiting are not applied to Imperva IPs. | When your traffic is routed through Imperva, it appears to the hosting infrastructure as if all website traffic arrives from a limited number of IPs (whereas previously the source IPs were very diverse). If any kind of rate limiting rule is enforced, for example to mitigate DDoS attacks, the Imperva proxy server IPs might be blacklisted, leading to availability issues for certain locations. |
| Web Server Firewall | Check that Imperva IPs are whitelisted in your web server firewall. | To ensure that traffic to your website passes through Imperva only, block access to it from non-Imperva IP addresses. Apply a set of rules to your firewall (or to your .htaccess files) that blocks all traffic coming from non-Imperva IP addresses. |
| Website caching consideration | Make sure the website returns the correct caching instructions when serving content to different clients and/or languages. | If the Vary header is used for such caching, Imperva will cache resources and pages if the Vary header is set to "Accept-Encoding". For other Vary parameters, Imperva will not cache the resource. |
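As an added example (not code from the original post, and not Imperva's own tooling), the following Python models three of the environment checks above on constructed data: an origin lock that admits connections only from the proxy's address ranges, a per-client rate limiter keyed on the forwarded client address rather than on the proxy's connecting address (so the proxy itself is never throttled), and the Vary-header rule that decides whether a proxy will cache a response. The CIDR ranges (RFC 5737 test networks), the header name X-Forwarded-For and all function names are assumptions chosen for the example; a real deployment uses the vendor's published IP ranges and its documented client-IP header.

```python
"""Origin-side checks behind a reverse-proxy WAF (added example, constructed data)."""
import ipaddress
from collections import defaultdict

# Assumption: stand-in for the proxy vendor's published ranges (RFC 5737 test networks).
PROXY_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

# Assumption: header in which the proxy forwards the original client address.
CLIENT_IP_HEADER = "X-Forwarded-For"


def connection_allowed(source_ip: str) -> bool:
    """Origin lock: accept a connection only if it originates from a proxy range."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in PROXY_RANGES)


def real_client_ip(source_ip: str, headers: dict) -> str:
    """Return the address a rate limiter should key on.

    The forwarded header is trusted only when the connection itself comes from a
    proxy range; a direct client could otherwise spoof it. The first entry of the
    comma-separated list is taken as the original client (assumption for the example).
    """
    if connection_allowed(source_ip):
        forwarded = headers.get(CLIENT_IP_HEADER, "")
        if forwarded:
            return forwarded.split(",")[0].strip()
    return source_ip


class RateLimiter:
    """Fixed-window counter: at most `limit` requests per key within the window."""

    def __init__(self, limit: int):
        self.limit = limit
        self.counts = defaultdict(int)

    def allow(self, key: str) -> bool:
        self.counts[key] += 1
        return self.counts[key] <= self.limit


def simulate(requests, limit: int, key_on_client: bool) -> int:
    """Run (source_ip, headers) pairs through a limiter; return how many were rejected."""
    limiter = RateLimiter(limit)
    rejected = 0
    for src, hdrs in requests:
        key = real_client_ip(src, hdrs) if key_on_client else src
        if not limiter.allow(key):
            rejected += 1
    return rejected


def vary_blocks_caching(vary_header) -> bool:
    """Per the table: only 'Vary: Accept-Encoding' leaves the response cacheable by the proxy.

    An absent or empty Vary header imposes no restriction of its own (other cache
    headers then decide), so it returns False.
    """
    if not vary_header or not vary_header.strip():
        return False
    fields = {f.strip().lower() for f in vary_header.split(",")}
    return fields != {"accept-encoding"}


# Constructed traffic: five clients, two requests each, all arriving via one proxy IP.
PROXY_IP = "192.0.2.10"
CLIENTS = ["203.0.113.%d" % i for i in range(1, 6)]
SAMPLE_REQUESTS = [(PROXY_IP, {CLIENT_IP_HEADER: c}) for c in CLIENTS for _ in range(2)]

if __name__ == "__main__":
    # Keyed on the connecting address, every request shares one key and the proxy is throttled.
    print("rejected when keyed on proxy IP:", simulate(SAMPLE_REQUESTS, 3, key_on_client=False))
    # Keyed on the forwarded client address, each client stays under the limit.
    print("rejected when keyed on client IP:", simulate(SAMPLE_REQUESTS, 3, key_on_client=True))
    print("direct connection admitted:", connection_allowed("203.0.113.5"))
    print("Vary: Accept-Language blocks caching:", vary_blocks_caching("Accept-Language"))
```

With a limit of three requests per key, the same ten requests produce seven rejections when the limiter keys on the proxy's address and none when it keys on the forwarded client address, which is the availability problem the table describes. The forwarded header is only honoured for connections that already passed the origin lock; without that check the header would be a trivial way to evade the limiter.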
Site level
Perform at least the following verifications and configurations at the application level:
- Check that the site supports SSL traffic: you can use your company certificate, or Imperva can generate an SSL certificate for your HTTPS traffic. Websites Settings>General
- Check that the Origin Server IPs/CNAME is the correct address to which Imperva should forward the traffic. Websites Settings>Origin Servers
- Make sure you perform the basic Bots/Non-Browsers configuration according to the business logic of your customers. Websites Settings>Security>Bot Access Control
- Adjust DDoS settings or use the default (Automatic).
- WAF policies: most of the time the default policy suffices, but you can configure it to match your use cases. WAF Access Controls are also available to block or whitelist specific resources (countries, URLs, IPs, ...).
- Confirm the data storage location.
To find out more, click on the following link https://docs.imperva.com/bundle/cloud-application-security/page/onboarding/setup-checklist.htm#Quicksetupchecklist
Success criteria
You should define relevant success criteria that make it possible to assess your PoV and indicate that you are heading in the right direction.
Here are a few examples of success criteria that can help you define your own.
- ABP: Demonstrate the ability to show bot traffic patterns via GUI and dashboards. Requests: dropped, accepted, forwarded.
- WAAP:
  - Can the product defend against advanced attacks including command line access, illegal URL encoding, SQL Injection, Cross-Site Scripting, Parameter Tampering, Single Packet Attacks, and Scanning?
  - Ability to offer a centralized view of all alerts of all sites of an account in an analytics dashboard, on a single screen.
- ...and other success criteria that you can define based on the PoV guide.
Focusing on communication and feedback with your customers throughout the PoV is important to identify the pain points and solve or mitigate them.
At the end of your PoV, do not forget the final report that provides the customer with the relevant information to influence decision-making.
#CloudWAF (formerly Incapsula)