Imperva Cyber Community

Expand all | Collapse all

Imperva WAF Deployment

  • 1.  Imperva WAF Deployment

    Posted 10-30-2019 21:33
    Hi All,

    Anyone can share on premise waf best practice?

    From installation, monitoring until blocking.

    Thanks
    Sudarta
    #On-PremisesWAF(formerlySecuresphere)


  • 2.  RE: Imperva WAF Deployment

    Imperva Employee
    Posted 10-31-2019 10:20
    This is a good topic, let me see if I can assist and get you started 

    Best Practices for WAF deployment 

    Planning 
    - Know your application - is it all SSL or a mix of non-SSL and standard port 80 traffic 
    -  Does the HTTP/S traffic use DHE based ciphers - if they do you will need to plan on deploying Reverse proxy 
    - WAF in bridge mode cannot decrypt/monitor DHE encrypted connections due to the algorithm used 
    - What is the average and max HTTP hits/sec - this may be hard to obtain but proper sizing requires such information
    - look at the network and  implement routing/switching so the WAF primarily sees only traffic that needs to be inspected 

    Policies 
    - Imperva provides a number of security policies out-of-the-box, and a few are applied by default 
    - look through these policies so you have a base understanding of what protection is already in place by default
    - Understand your industry security requirements. For example banking sites may need to look at policies that mitigate credential stufiing 
    - review the match criteria which is provided - by using the proper criteria you can create a policy that bets fit your needs

    Profiling 
    - Profiling is a key feature that allows the WAF to learn what is normal behavior for the application - you should always review what the profile has learned in case there was something that should not be allowed was learned 
    - It uses this information to detect anomalies that may indicate malicious  activity 

    Hope this provides  a start 



    ------------------------------
    Phil Klassen
    ------------------------------



  • 3.  RE: Imperva WAF Deployment

    Posted 11-01-2019 08:06
    Hi Phil,

    About the policy, when create the server group, service , application already have default policy. is this already best practice? i mean do i need to add certain policy?

    Can you share which policy for banking you are using?

    Thanks
    Sudarta

    ------------------------------



  • 4.  RE: Imperva WAF Deployment

    CHAMPION
    Posted 10-31-2019 14:20
    Hi Sudarta,

    I mostly deployed Imperva WAF in IMPHA Bridge mode (because it requires almost no topology changes) so my sharing will be based on this mode. But, you can choose different mode according to your need and you can find required information from docs.imperva.com portal about deployment options and HA modes.

    I will share my opinion regarding to Imperva Menus;

    * Discovery
    - Schedule Web Service Discovery scan weekly for detecting new web services on your network. You can populate "Site Tree" with the Discovered Servers results if you want.
    * Setup -> Sites
    - Define your authorized scanner (Netsparker, Nessus, etc.) tools' IP addresses as Ignore IP Group under "Source Restriction" setting of related server group.
    - Change Character Set option under Web Service regarding to your web service charset.
    - Configure Error Page setting to return 404 status code instead of "200 OK".
    - Define Data Masking Group for headers, parameters and cookies to mask sensitive data on Imperva GUI.
    - If Imperva is between a reverse proxy/load balancer and web application, set XFF header on reverse proxy/load balancer and define this header on Forwarded Connections settings on Imperva WAF.
    - If you see unsupported ciphers alerts, configure Transparent Reverse Proxy on Imperva WAF.
    - If you host more than one web application on same server, define web applications under related HTTP service and map it on Applications tab of HTTP service to profile different applications under different profile settings.
    - On each Web Application, set "URL Learning settings" as "Only URLs with parameters"
    * Setup -> Gateways
    - Define Fail Mode as "Fail Open" under Topology Configuration of related gateway group to bypass traffic through GW if GW malfunctions.
    * Risk Management - Web Scanner Integration
    - Integrate with Web Scanner Tool so you can use virtaul patching.
    * Policies -> Security
    - Define suitable followed actions for critical policies.
    * Policies -> System Events
    - Define suitable followed actions for critical system events to be able to be aware when they triggered.
    * Reports -> Manage Reports
    - Modify pre-defined reports according to your organisation's needs and schedule to send them to related teams.

    ------------------------------
    cezmi çal
    technical expert
    Barikat Cyber Security
    ------------------------------



  • 5.  RE: Imperva WAF Deployment

    Posted 11-01-2019 08:06
    Hi Cezmi,

    Data masking group is mandatory for WAF deployment?

    You say on each Web Application, set "URL Learning settings" as "Only URLs with parameters" <-- is this best practice?

    Default setting is learning "All" , if only set URL Learning settings" as "Only URLs with parameters more secure?

    Which condition we need to use learning all or urls with parameters?

    Please advise.

    Thanks
    Sudarta

    ------------------------------



  • 6.  RE: Imperva WAF Deployment

    CHAMPION
    Posted 11-01-2019 08:47
    Hi Sudarta,

    Data Masking group is not mandatory, but you asked for best practice so if you use it, you can ensure the confidentiality of sensitive data like password of a user or payment card details (CC number, CVC/CVV number, etc.). I mean, if you do not use it, any violation regarding the web pages containing parameters for sensitive data (payment card details) causes Imperva Admins to be able to see the parameter values.

    When you use Data Masking Group, you will see something like that (parameter values replaced with *) regarding a login request at violations pane:
    Secondly, regarding to URL Learning Settings, in my opinion, if a page/URL does not include a parameter, we think that it is a static page and it cannot be attacked because of providing no user interaction. Therefore, we can close learning for static pages to optimize web application profiles and avoid big sized profiles.

    I hope, I can clarify the issue.

    ------------------------------
    cezmi çal
    technical expert
    Barikat Cyber Security
    ------------------------------



  • 7.  RE: Imperva WAF Deployment

    Imperva Employee
    Posted 11-01-2019 09:03
    Hi Sudarta,

    Without Data Masking enabled, sensitive elements like passwords, SSN, date of birth, etc can be displayed in the logs in plain text. There is a default list of commonly used parameter names for sensitive data, but you will most likely need to add to these based on your applications.

    "Only URLs with parameters" is best practice. We are interested in learning parameters and values associated with those parameters. If the file is static (like a jpg for example) there are no parameters to learn, then the profile can be become full of 1000's of images very quickly depending upon the site. There is a default limit to the number of objects that will be profiled, so learning static objects adds little value. (yes, I am aware some sites send dimensions along with image files and these will be learned if used)

    ------------------------------
    Jaired Anderson
    Senior Professional Services Consultant
    imperva
    Tulsa OK
    ------------------------------