Web applications continue to be a prime vector of attack for criminals, and the trend shows no sign of abating; attackers increasingly shun network-layer attacks in favor of cross-site scripting (XSS), SQL injection, and many other infiltration techniques aimed at the application layer.
If you're not familiar with web application attacks, we covered them in detail in a previous column. The Open Web Application Security Project (OWASP) also publishes a wealth of web application security material on its website, including the OWASP Top 10, its list of the most prevalent web application risks.
Combating web application attacks with web application firewalls (WAFs) can be effective. A WAF picks up where network firewalls and intrusion detection/prevention systems leave off: it inspects HTTP requests and responses at the application layer, so it can block XSS, SQL injection, attacks on known vulnerabilities in the software behind a site and, to a lesser degree, attacks that target flaws in application logic.
Web application security is also gaining attention from regulators. Most notably, the Payment Card Industry Data Security Standard (PCI DSS) now requires, in Requirement 6.6, that public-facing web applications be protected either by an application-layer security code review or by a WAF.
Before you make the leap to a WAF, there are some things you should understand and consider to make sure you select the one that is right for your needs and organization:
The two leading WAF security models. A WAF enforces either a negative or a positive security model. Under the negative model every transaction is allowed by default and only transactions that match a known attack are rejected. This type of WAF is signature based: attacks are detected by pattern matching against a blocklist, so, just as with anti-virus software and IPS, the speed, quality, and quantity of the vendor's signature updates are crucial, and a new attack technique that no signature describes passes through untouched.
Under the positive model the WAF denies every transaction by default and relies on a profile of the application (which URLs exist, which parameters each accepts, what values and lengths are acceptable) to allow only transactions known to be safe. Building that profile requires a significant amount of "training," during which the firewall observes legitimate traffic and learns what normal looks like, and every change to the application invalidates part of it. When looking at WAFs that operate this way, ask whether the WAF can update its application behavior model automatically rather than requiring a full retrain for every release. With either model, ask what normalization the WAF performs before it matches: an attacker should not be able to evade the firewall simply by URL-encoding (or double-encoding) a payload, changing the case of keywords, or breaking them up with inline comments, so that the request looks harmless to a naive pattern match but is decoded into a working attack by the web server.
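To make the two models concrete, here is a small request filter written for this column (an added illustration, not code from any WAF product). Both models share one normalization step; the signature list, the per-URL profile, and the sample requests are all hypothetical and constructed for the example. Note how the double-encoded payload and the comment-split `UNION` only get caught because the filter decodes and cleans the value first, and how the positive model rejects an unexpected `debug` parameter that no signature would ever describe.

```python
import re
import urllib.parse

# ---- Normalization, shared by both models -------------------------------
# Evasion targets the matcher, not the application: the web server will
# URL-decode "%27" to "'" and MySQL treats "/**/" as whitespace, so the WAF
# must see the request the way the backend will before it matches anything.

def decode(value: str, max_passes: int = 3) -> str:
    """URL-decode repeatedly (bounded) so double-encoded payloads are exposed."""
    for _ in range(max_passes):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def normalize(value: str) -> str:
    """Canonical form for signature matching: decoded, comment-free,
    whitespace-collapsed, lower-case."""
    value = decode(value)
    value = re.sub(r"/\*.*?\*/", " ", value)   # SQL inline comments: UNI/**/ON
    value = re.sub(r"\s+", " ", value)
    return value.lower()

# ---- Negative model: allow by default, block on a signature match -------
# Hypothetical signature set; a real product ships thousands of these.
SIGNATURES = [
    ("sqli-union",     re.compile(r"\bunion\b(\s+all)?\s+select\b")),
    ("sqli-tautology", re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+")),
    ("xss-script",     re.compile(r"<\s*script\b")),
    ("xss-handler",    re.compile(r"\bon(load|error|click|mouseover)\s*=")),
]

def negative_model(params: dict) -> tuple:
    """Return (allowed, reason). Anything no signature describes passes."""
    for name, raw in params.items():
        value = normalize(raw)
        for sig_id, pattern in SIGNATURES:
            if pattern.search(value):
                return False, f"{sig_id} in parameter {name!r}"
    return True, "no signature matched"

# ---- Positive model: deny by default, allow only what the profile permits -
# Hand-written profile standing in for what a WAF would learn by observing
# legitimate traffic during its training phase (hypothetical endpoints).
PROFILE = {
    "/login":  {"user": (re.compile(r"[A-Za-z0-9_.-]{1,32}"), 32),
                "pass": (re.compile(r"[^\x00-\x1f]{8,128}"), 128)},
    "/search": {"q":    (re.compile(r"[\w\s-]{1,100}"), 100)},
}

def positive_model(path: str, params: dict) -> tuple:
    """Return (allowed, reason). Unknown paths, unknown parameters and
    values outside the learned shape are all rejected."""
    rules = PROFILE.get(path)
    if rules is None:
        return False, f"no profile for path {path!r}"
    for name, raw in params.items():
        if name not in rules:
            return False, f"unexpected parameter {name!r}"
        pattern, max_len = rules[name]
        value = decode(raw)        # validate what the application will see
        if len(value) > max_len or not pattern.fullmatch(value):
            return False, f"parameter {name!r} outside profile"
    return True, "request matches profile"

if __name__ == "__main__":
    # Constructed requests; the third and fourth are encoded to evade naive matching.
    requests = [
        ("/search", {"q": "blue shoes"}),
        ("/search", {"q": "1' OR '1'='1"}),
        ("/search", {"q": "1 UNION/**/SELECT password FROM users"}),
        ("/search", {"q": "%253Cscript%253Ealert(1)%253C/script%253E"}),
        ("/login",  {"user": "alice", "pass": "correct horse battery", "debug": "1"}),
    ]
    for path, params in requests:
        print(path, params)
        print("  negative:", negative_model(params))
        print("  positive:", positive_model(path, params))
```

The bounded decode loop is deliberate: decoding until nothing changes with no upper bound is a cheap denial-of-service target, and decoding more times than the backend does creates mismatches of its own.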
WAFs don't displace code reviews. A WAF should supplement, not replace, thorough security code review. WAFs aren't perfect and they do fail: a configuration mistake, a signature that doesn't fire, or a zero-day attack against a flaw no rule covers can each open a hole that attackers will slither through. All software must therefore be developed and hardened properly in its own right. For commercial software that means evaluating it with a web application scanner; for custom-built applications it means a thorough security code review.
Secure Sockets Layer (SSL). One of the most crucial things to consider, especially for retailers or anyone running a sensitive site, is how the WAF you choose handles SSL. SSL traffic is normally decrypted only at the web server, so a WAF that sits on the network in front of it sees nothing but ciphertext; to check a payload for harmful content the WAF must be able to decrypt the traffic itself. If it can't, its usefulness is limited significantly, because attackers will simply deliver their payloads over HTTPS. WAFs typically support SSL in one of two ways:
1. SSL termination moves from the web server to the WAF. The WAF holds the site's certificate and private key, decrypts each request, inspects it, and passes only clean requests on to the web server, either in the clear across a trusted segment or re-encrypted.
2. The WAF is embedded in the web server, or has hooks the web server calls after it has decrypted the data, so the WAF checks the validity of each request in plaintext inside the server itself.
Protocols and authentication technologies. Does your prospective WAF support HTTP/0.9, HTTP/1.0, and HTTP/1.1? Can it handle basic authentication, digest authentication, client SSL certificates, or two-factor authentication? You don't want to find yourself limited because the WAF you chose won't support the credentials or protocols your applications need.
Forensics. Can the WAF log valid as well as invalid logins and login attempts? Can it cleanse sensitive data, such as shoppers' personal information and credit card numbers, from its logs? You'll want the first for your own investigations, and the second because a log full of card numbers is itself sensitive data that you must protect under industry and government regulations.
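What "cleansing the logs" looks like in practice, as an added example written for this column rather than any vendor's implementation: a scrubber that masks card numbers down to the first six and last four digits (the maximum PCI DSS permits to be displayed), redacts password and CVV form fields, and hides the local part of e-mail addresses while keeping the domain for investigators. Only digit runs that pass the Luhn check are treated as card numbers, so session IDs and other incidental numbers survive intact. The field names, the patterns and the two log lines are constructed for the example.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Form fields whose values should never reach a log at all (hypothetical field names).
SECRET_FIELD_RE = re.compile(r"(?i)\b(password|passwd|pass|pwd|cvv2|cvv|cvc)=([^&\s\"]*)")
# E-mail addresses: keep the domain (useful for an investigation), hide the user.
EMAIL_RE = re.compile(r"\b([A-Za-z0-9._%+-])[A-Za-z0-9._%+-]*@")

def luhn_ok(digits: str) -> bool:
    """Luhn check digit, as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def _mask_pan(match: re.Match) -> str:
    raw = match.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_ok(digits):
        return raw          # session ids and timestamps that merely look numeric stay intact
    # First six and last four may be retained; everything in between is replaced.
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scrub(line: str) -> str:
    """Return a copy of one access-log line with cardholder data, secret
    form fields and e-mail local parts removed. Safe to apply to any line."""
    line = CARD_RE.sub(_mask_pan, line)
    line = SECRET_FIELD_RE.sub(r"\1=[REDACTED]", line)
    line = EMAIL_RE.sub(r"\1***@", line)
    return line

# Constructed log lines in combined-log style, with the request body appended
# the way a WAF that logs POST payloads might write it.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /checkout HTTP/1.1" 200 512 '
    '"pan=4111111111111111&cvv=123&email=jane.doe@example.com&session=1234567890123456"',
    '203.0.113.7 - - [10/Oct/2023:13:56:02 +0000] "POST /login HTTP/1.1" 401 87 '
    '"user=jane&password=Tr0ub4dor%263"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(scrub(line))
```

Run the scrubber on the log stream before it is written to disk, not as a batch job afterwards: once a full card number has been written to a log file, that file is cardholder data and has to be handled as such.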
Form factor. Is the WAF delivered as an appliance with optimized or specialized hardware to increase performance, or as software that runs on a generic server? Software-based WAFs are usually less expensive, but they often don't provide the throughput demanding applications need. Weighing price against performance is crucial for any technology, but it is especially vital for a WAF because it sits inline with every request. Compare candidates on concrete figures, such as maximum new connections per second, throughput, concurrent connections, and added request latency, measured with SSL inspection enabled if you intend to use it.
Web application security is a complex discipline, which means choosing the right WAF requires significant thought. But knowing that you're protected against the ever-increasing number of web application attacks makes the effort more than worthwhile.