The systems that can assist with monitoring and securing your network against application layer attacks are Next Generation Firewalls (NGFW), Intrusion Prevention Systems (IPS) and Web Application Firewalls (WAF). Here are just a few more “bumps in the road” that I’ve seen when it comes to these devices:
- Monitoring traffic at the application layer needs much love. You can’t just turn on a system like this and assume that you’ll be catching every bit of malicious traffic that comes past your interface. We’ll dig deeper into this later on, but each one of these systems needs to be tuned in order to work for your organization. Not all filters or signatures are going to be turned on by default, and knowing what sits behind these security devices is going to be key (AKA understand your network).
- Even with tuning in place you’ll still get false positives, albeit fewer, but false positives nonetheless. Management and others involved need to understand that this isn’t a silver bullet and that, when properly tuned, it will assist with blocking malicious traffic. But the potential for false positives will always be there. What needs to be shown is the trade-off in risk between a potential false positive and a security breach.
- These devices are always going to be in-line with your network, and because of this they will also be a concern as a single point of failure if not configured properly. Making sure that the systems put in place to protect your business don’t bring it down should be a priority. Performance issues caused by the signature load they’re scanning for, or the absence of load balancing or clustering on them, aren’t an option when they sit in such a delicate part of your network.