Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Review: Web Application Firewalls

Think you know what Web sites are running on your servers? So did we. Then we started testing Web application firewalls and saw requests coming in for a site we didn't recognize--and which, by the way, was vulnerable. We assumed a vendor had left old data on an appliance under test, but all the vendors we asked insisted this was not the case. So we did an NSLOOKUP, and lo and behold, discovered one of our programmers was running a nonprofit Web site on our development server.



Heed the voice of experience--if you want to know exactly what's going on with your Web servers, a Web application firewall, or WAF, is worth every penny. Available in software or appliance form, WAFs work at the application layer, using deep-packet inspection to reveal the inner workings of Web applications while thwarting attacks made possible by insecure programming.

We invited WAF appliance vendors to send gear to our Syracuse University Real-World Labs®. We specified that products must inspect HTTP traffic and make decisions at the application layer to detect and stop common Web attacks, including SQL injection, buffer overflows, form-field manipulation, session hijacking, path traversal and forceful browsing.

  • 1