February 28, 2010, 4:51 PM — We all know that the Web is a nasty place, with denial of service attacks, SQL injection, cross-site scripting and other malware invented hourly to try to pry into your networks. Over the years, a number of vendors have come up with various solutions that go under the broad heading of Web application firewalls, or ways that they can help prevent the bad stuff from entering your user's desktops. It's worth diving into these products because they offer a great deal of protection that can save you aggravation down the road.
What are they, exactly? One definition can be found in a white paper written by Securosis' Rich Mogull: "A web application firewall is a firewall specifically built to watch HTTP requests and block those that are malicious or don’t comply with specific rules. The intention is to catch SQL injection, Cross Site Scripting, directory traversal, and various HTTP abuses, as well as misuse of valid authorization, request forgeries, and other attempts to manipulate web application behavior." That is a mouthful to be sure.
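To make the definition concrete, here is a small rule-based request inspector in the spirit Mogull describes. It is an added example written for this article, not code from any of the products below: it decodes an HTTP request's path and parameters and blocks the request when a rule for SQL injection, cross-site scripting, directory traversal or an unexpected method matches. The rule set and the sample requests are constructed for illustration; a real product ships thousands of signatures plus the learning and normalization logic discussed later.

```python
"""Toy rule-based Web application firewall check (added example, not from the article).

Look at one HTTP request, normalize it, and report which rules it violates.
The rules and sample traffic below are constructed and deliberately small.
"""
import re
from urllib.parse import unquote_plus, parse_qsl

# Each rule is (name, regex) and is applied to the decoded path and to every
# decoded parameter value. Patterns are illustrative, not a production signature set.
RULES = [
    ("sql_injection", re.compile(r"""(?i)['"]\s*(?:or|and|union|select)\b|--\s*$|;\s*drop\b""")),
    ("cross_site_scripting", re.compile(r"(?i)<\s*script\b|javascript:|\bon\w+\s*=")),
    ("directory_traversal", re.compile(r"\.\./|\.\.\\")),
]
ALLOWED_METHODS = {"GET", "POST", "HEAD"}


def normalize(value: str) -> str:
    """Percent-decode repeatedly so a double-encoded %252e%252e does not slip past the rules."""
    return unquote_plus(unquote_plus(value))


def inspect_request(method: str, path: str, query: str) -> list:
    """Return the names of every rule the request violates; an empty list means allow."""
    findings = []
    if method not in ALLOWED_METHODS:
        findings.append("http_method_not_allowed")
    # parse_qsl already decodes once; normalize() handles the path and any extra encoding layers.
    candidates = [normalize(path)] + [
        normalize(v) for _, v in parse_qsl(query, keep_blank_values=True)
    ]
    for name, pattern in RULES:
        if any(pattern.search(c) for c in candidates):
            findings.append(name)
    return findings


def decide(method: str, path: str, query: str) -> str:
    """Collapse the findings into the allow/block decision a WAF would make."""
    return "block" if inspect_request(method, path, query) else "allow"


# Constructed sample requests: one benign, then one per rule.
SAMPLE_REQUESTS = [
    ("GET", "/products", "id=42"),
    ("GET", "/products", "id=42'%20OR%20'1'='1"),
    ("GET", "/search", "q=%3Cscript%3Ealert(1)%3C/script%3E"),
    ("GET", "/download", "file=..%2F..%2Fapp.config"),
    ("TRACE", "/", ""),
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{decide(*req):5} {req[0]} {req[1]}?{req[2]}  {inspect_request(*req)}")
```

Run as a script to see one decision per sample request. The normalization step is the part worth noticing: products that inspect the raw, still-encoded request are easy to bypass, which is why evaluation guides ask how a product canonicalizes input before matching.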
These exploits aren't new, and what is sad is that many of them are so old that they go back to the early days of the Web when Netscape was still around. For example, several years ago I wrote a white paper for Breach Security that demonstrated how easy it is to create a SQL injection attack – this information is still unfortunately quite current, and these attacks happen every day to sites that should know better.
The trouble with this category of security products is that it isn't very well defined. There aren't any hard edges, unlike a network firewall that has a pretty limited purpose in life. This could be because Web firewalls come in many different shapes and sizes, and can be integrated into other devices including Web servers, proxy or caching servers, load balancers, email anti-virus protection, intrusion prevention boxes and more. Layer on top of this the issue that most Web apps are in a constant state of change, making it hard to know when a site has been taken over by bad guys. Complicating the picture is that some Web apps are internally developed and maintained by IT or other departments who have a varying degree of skill when it comes to protecting them. And many products have built-in Web servers that are used for configuration and reporting interfaces, even though the products themselves serve other purposes. All of these need some sort of protection from abusers and hackers, and sorting all this out isn't easy, which is why this category of products remains somewhat off the corporate radar screen.
Web Application Firewalls
- Barracuda Software
- BlueCoat Web Filter
- Breach Security Web Defend
- Cisco ACE Web Applications Firewall
- Citrix NetScaler Application Firewall
- F5 Big-IP Application Security Manager
- Fortinet FortiWeb 1000-B
- GlobalVelocity GV-2010
- Imperva Secure Sphere Web Applications Firewall
- McAfee Web Security Appliance
- Palo Alto Networks
- Port80 Software Server Defender
- Symantec Web Gateway 8400
What is notable about this list is that it contains both traditional mainstream security and networking vendors and some upstart specialists too. One isn't necessarily better than the other.
Where to start? A good place is to read up on these products from OWASP here. This is a consortium of vendors and leading Web security developers who have tried to put down in one place what you need to know to build the best possible Web applications and protect them from harm. They have a comprehensive vendor list, a collection of best practices, sample "top-ten" attacks that you can use to harden your own applications and an evaluation guide.
Here are some questions to ask (and answer) before deciding on a particular solution:
Can the product decrypt SSL traffic streams and examine potential exploits that are in these payloads? Breach does this with no performance penalty because they make copies of the SSL traffic and then do an out-of-band analysis on the payloads. Some of the products can't work at all with SSL traffic, or can get overwhelmed when there is a lot of it, as it takes processing horsepower to decode all these bits properly.
How much inbound and outbound traffic can the appliance handle? Some vendors, like Barracuda and Palo Alto Networks, offer different-sized models to match your bandwidth and throughput requirements. Others are geared for particular traffic and application patterns. Some, like McAfee, offer a variety of products geared towards Web protection, including the cloud-based Web Protective Service (which can evaluate domains, email and Web traffic), its Web Security Appliance, and its Webwasher/Web Gateway appliance, each of which was acquired from a previously independent security vendor.
How quickly can they learn about your traffic patterns and translate them into implemented and useful policies? Most of the products offer this ability, but you will want to check out how easy it is to create and modify a policy from the automated start-up wizards that they provide. In some cases, you will need to use command-line parameters to fine-tune the policies that are created by the wizards.
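The "learning" the question above refers to is usually a positive security model: the product watches known-good traffic, records what each page's parameters normally look like, and then flags requests that fall outside that profile. The sketch below is an added example written for this article, not any vendor's implementation: it learns a per-path profile of parameter character class and maximum length from constructed sample traffic, then checks later requests against it. Real products also profile cookies, headers, content types and response pages, and let you edit the generated policy, which is the part the wizards make easier or harder.

```python
"""Learning-mode (positive security model) sketch; added example, not from the article.

learn() builds a per-path profile from known-good requests; check() reports how a
later request deviates from it. All traffic here is constructed.
"""
import re
from urllib.parse import parse_qsl

# Character classes from most to least restrictive; a value gets the first class that matches.
CLASSES = [
    ("digits", re.compile(r"^\d+$")),
    ("alpha", re.compile(r"^[A-Za-z]+$")),
    ("alnum", re.compile(r"^[A-Za-z0-9_-]+$")),
    ("any", re.compile(r"^.*$", re.S)),
]
ORDER = [name for name, _ in CLASSES]


def classify(value: str) -> str:
    """Return the most restrictive class the value fits."""
    for name, pattern in CLASSES:
        if pattern.match(value):
            return name
    return "any"


def widen(a: str, b: str) -> str:
    """Return the less restrictive of two classes (learning only ever loosens)."""
    return a if ORDER.index(a) >= ORDER.index(b) else b


def learn(requests) -> dict:
    """Build {path: {param: (class, max_len)}} from known-good (path, query) pairs."""
    profile = {}
    for path, query in requests:
        params = profile.setdefault(path, {})
        for key, value in parse_qsl(query, keep_blank_values=True):
            if key not in params:
                params[key] = (classify(value), len(value))
            else:
                cls, max_len = params[key]
                params[key] = (widen(cls, classify(value)), max(max_len, len(value)))
    return profile


def check(profile: dict, path: str, query: str, slack: float = 1.5) -> list:
    """Return the list of deviations from the learned policy; empty means the request fits."""
    violations = []
    params = profile.get(path)
    if params is None:
        return ["unknown_path"]
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key not in params:
            violations.append(f"unknown_param:{key}")
            continue
        cls, max_len = params[key]
        if ORDER.index(classify(value)) > ORDER.index(cls):
            violations.append(f"class:{key}")
        # Allow some headroom over the longest value seen so learning on a small sample does not over-block.
        if len(value) > max_len * slack:
            violations.append(f"length:{key}")
    return violations


# Constructed known-good traffic used for the learning phase.
KNOWN_GOOD = [
    ("/products", "id=42"),
    ("/products", "id=1337"),
    ("/search", "q=laptop&page=2"),
    ("/search", "q=usb-cable&page=10"),
]
PROFILE = learn(KNOWN_GOOD)

if __name__ == "__main__":
    for path, query in [("/products", "id=7"),
                        ("/products", "id=7'%20OR%201=1"),
                        ("/products", "id=7&debug=1"),
                        ("/search", "q=%3Cscript%3E&page=2"),
                        ("/admin", "")]:
        print(path, query, "->", check(PROFILE, path, query) or "ok")
```

The learned profile says, for example, that `/products` takes a numeric `id` of at most four characters; an `id` carrying a quote and an `OR` is then rejected for both its character class and its length, without any attack signature at all. The weak spot of this approach is the learning sample itself: a site whose pages change weekly, as the article notes most do, forces frequent relearning or manual policy edits.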
How much of the Payment Card Industry (PCI) Data Security Standard (DSS) requirements do they automatically handle? These are a comprehensive collection of standards to protect customer account data and other private information. They include everything from maintaining current anti-virus signature updates to managing Web vulnerabilities and restricting network access for particular users to the most sensitive information. Most of the products claim DSS compliance in some fashion, with some being able to do so out of the box with little or no user configuration. But given that these standards are so all encompassing, it pays to examine the vendor's claims and see exactly what they mean by compliance and how the DSS is actually implemented in the Web firewall policies. And it is also worth understanding what protective measures are automatically turned on by default.
Do you already have anti-virus, load balancing, proxy servers, or intrusion protection devices? If so, look for Web application firewall add-ons to your existing products or those that combine two or more protective technologies. In some cases, you might just need to purchase an optional module or feature to enable this protection. Certainly, if you already are using a security product from one of the vendors listed above, that is a good place to start.
What is the cost? Most of the hardware appliances start somewhere north of $30,000. While this seems steep, given the consequences of an exploit raging through your network, it can be money well spent. Software is the cheaper alternative: open source tools are free, and Port80's add-on firewall for Microsoft's IIS Web server starts at $1,500.
We have just touched the surface of this market. More details on how to evaluate these products can be found on our sister site CSOonline.com in this article: Web Application Firewalls: How to Evaluate, Purchase and Implement