Why intrusion prevention systems fail to protect web applications

There is overwhelming evidence in reports such as the SANS Top Cyber Security Risks and the Verizon Data Breach Investigation Report that web applications are the Achilles' heel of most networks, and criminals know it. In order to protect web applications, the network security paradigm has to shift from “Keep People Out” to “What Are They Doing?” and the IT infrastructure spending needs to follow suit.

Organizations need to protect themselves from today's attacks, which are occurring at the application layer. Intrusion prevention systems (IPSs) are often deployed in an attempt to protect web applications; however, they lack many key protection elements. Below are the top seven reasons why IPSs fail to protect web applications:

1. A jack of all trades is a master of none.

IPSs have a wide protocol focus and are not solely focused on HTTP. This results in a reduced amount of system resources and signatures being allocated to web application protection. Web application firewalls (WAFs), on the other hand, do not inspect other protocols and can apply all processing and inspection power only to HTTP/HTTPS traffic.

2. You can't see me (access to encrypted traffic).

You can't inspect what you can't see. Most commercial IPSs are not capable of decrypting SSL traffic, which leaves a blind spot in your detection and a channel for attackers to interact with the web application. The ability to decrypt and inspect SSL traffic is standard for WAFs.

3. Can you speak HTTP? (Application layer logic understanding)

Since IPSs are not “native” HTTP speakers, they do not properly parse the layer 7 web data down into its individual components, such as request headers, cookies, and parameter names and payloads. They typically treat the HTTP data as one large blob of text, which contributes to higher false positive and false negative alert ratios. WAFs are able to interpret the web data in the same way as the destination web application, which means that they are better able to understand the context and apply rules and signatures more accurately.
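The difference between blob matching and component-aware matching, as an added example that is not part of the original article. The signature, the two sample requests and all function names are constructed for illustration; a production WAF normalises far more than this.

```python
import re
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, urlsplit

SIG = re.compile(r"union\s+select", re.I)  # constructed sample signature

# Constructed requests (not captured traffic).
ENCODED = "GET /item?id=1%20UNION%20SELECT%20name HTTP/1.1\r\nHost: shop.example\r\n\r\n"
BENIGN = ("GET /docs HTTP/1.1\r\nHost: shop.example\r\n"
          "User-Agent: CourseBot/1.0 (lesson: union select basics)\r\n\r\n")

def blob_match(raw):
    """IPS-style: one regex over the undecoded request text."""
    return bool(SIG.search(raw))

def parse_request(raw):
    """Split a raw HTTP/1.1 request into headers, decoded parameters and cookies."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # parse_qsl URL-decodes names and values, as the application itself would.
    params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    ctype = headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        params += parse_qsl(body, keep_blank_values=True)
    cookies = {k: m.value for k, m in SimpleCookie(headers.get("cookie", "")).items()}
    return {"method": method, "headers": headers, "params": params, "cookies": cookies}

def component_match(raw):
    """WAF-style: apply the signature only to decoded parameter and cookie values."""
    req = parse_request(raw)
    hits = [f"param:{n}" for n, v in req["params"] if SIG.search(v)]
    hits += [f"cookie:{n}" for n, v in req["cookies"].items() if SIG.search(v)]
    return hits

if __name__ == "__main__":
    for label, raw in (("encoded", ENCODED), ("benign", BENIGN)):
        print(label, "blob:", blob_match(raw), "components:", component_match(raw))
```

The encoded request is a false negative for the blob match and a hit for the component match; the benign User-Agent is a false positive for the blob match only.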

4. Application layer rules (negative security model)

IPSs are mainly signature-based security systems, so the breadth and quality of their signatures is paramount. Unfortunately, most IPS signatures are based on vulnerabilities in public software, so they are not effective for custom-coded web applications. WAF rules should also be generic in nature and provide “attack payload detection” to detect any variant of an attack.

5. Application profiling (positive security model)

IPSs typically inspect each request on its own, without any type of correlation of previous traffic. Commercial WAFs have automated learning and profiling capabilities based on a statistical model of all traffic that create custom, positive security profiles for each web resource. This allows for an input validation policy that permits only acceptable data to pass through and blocks attacks that are missed by the negative security model.

6. Application performance monitoring (Anti-automation/denial-of-service (DoS) defenses)

Acceptable traffic velocity levels are not a “one-size-fits-all” setting. Most IPSs have some form of base-lining capability which monitors traffic flows and can flag significant deviations, but they are not granular enough to be applied to each individual application resource. Web application attacks such as DoS, brute force and scraping have unique thresholds for each site. WAFs are able to monitor the request velocity levels and apply threshold restrictions per resource, and block when these settings are violated. Additionally, by monitoring application response times, true DoS conditions may be identified.
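A per-resource velocity check of the kind described above, as an added example that is not part of the original article. The paths, limits and class name are assumptions chosen for illustration; timestamps are passed in explicitly so the behaviour is reproducible.

```python
from collections import defaultdict, deque

# Constructed per-resource policy: path -> (max requests, window in seconds).
THRESHOLDS = {"/login": (5, 60), "/search": (30, 60)}
DEFAULT = (100, 60)

class VelocityMonitor:
    """Sliding-window request counter keyed by (client, resource)."""

    def __init__(self, thresholds=THRESHOLDS, default=DEFAULT):
        self.thresholds = thresholds
        self.default = default
        self.seen = defaultdict(deque)  # (client, path) -> accepted timestamps

    def allow(self, client, path, now):
        limit, window = self.thresholds.get(path, self.default)
        q = self.seen[(client, path)]
        # Drop timestamps that have aged out of this resource's window.
        while q and now - q[0] >= window:
            q.popleft()
        if len(q) >= limit:
            return False  # threshold for this resource exceeded: block
        q.append(now)
        return True

def replay(events):
    """Run (timestamp, client, path) events through a fresh monitor."""
    mon = VelocityMonitor()
    return [mon.allow(client, path, ts) for ts, client, path in events]

# Constructed traffic: six requests in six seconds from one client.
LOGIN_BURST = [(t, "198.51.100.7", "/login") for t in range(6)]
SEARCH_BURST = [(t, "198.51.100.7", "/search") for t in range(6)]

if __name__ == "__main__":
    print("login: ", replay(LOGIN_BURST))   # sixth request is blocked
    print("search:", replay(SEARCH_BURST))  # same rate is fine for /search
```

The same request rate is blocked on `/login` and allowed on `/search`, which is the granularity a single network-wide baseline cannot express.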

7. Inspecting outbound data (information leakages)

IPSs focus mainly on the inbound requests and pay little attention to the data leaving the web applications. Attackers often use the data presented within web error messages to enumerate back-end database resources and fine-tune their attacks. WAFs are able to inspect outbound response body payloads for typical database error messages and block them so that they are not provided to the client. In addition to error messages, WAFs are able to track the locations and amounts of sensitive data (such as credit card or Social Security numbers) and alert or block when there are changes.
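A sketch of the outbound inspection described above, as an added example that is not part of the original article. The error patterns are a small constructed subset, the per-path baseline of expected card numbers is an assumption, and the sample bodies are constructed (the card number is the standard test value).

```python
import re

# A few well-known database error strings; a real rule set is much larger.
DB_ERRORS = [re.compile(p, re.I) for p in (
    r"you have an error in your sql syntax",                # MySQL
    r"ORA-\d{5}",                                           # Oracle
    r"unclosed quotation mark after the character string",  # SQL Server
)]
PAN = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # candidate card numbers

def luhn_ok(digits):
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def count_pans(body):
    n = 0
    for m in PAN.finditer(body):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            n += 1
    return n

def inspect_response(path, body, baseline):
    """Return (action, body_to_send). baseline maps path -> expected PAN count."""
    if any(p.search(body) for p in DB_ERRORS):
        return "block", "An error occurred."  # never relay the database error
    if count_pans(body) > baseline.get(path, 0):
        return "alert", body  # more card data than this resource normally emits
    return "pass", body

# Constructed response bodies.
ERROR_PAGE = "<p>ORA-00933: SQL command not properly ended</p>"
RECEIPT = "<p>Paid with 4111 1111 1111 1111, order 1234567890123456</p>"

if __name__ == "__main__":
    baseline = {"/receipt": 1}
    print(inspect_response("/item", ERROR_PAGE, baseline))
    print(inspect_response("/receipt", RECEIPT, baseline))
    print(inspect_response("/item", RECEIPT, baseline))
```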


Organizations need to change their approach to securing web applications by using products with specially designed features for protecting layer 7 traffic and data exchange. While IPSs serve an important role in preventing network-level attacks, they just can't perform at the top of the stack. WAFs are specialized products for detecting attacks against web applications in more depth than IPSs. The PCI Security Standards Council echoed this same sentiment in the Requirement 6.6 Application Reviews and Web Application Firewalls Clarified Supplemental Document, which lists many of the capabilities described here.
