Industry statistics show that 80 per cent of malicious attacks target Port 80, the Web traffic pass-through. Why, then, does the onus for Web application protection still fall largely on network-layer devices? Web applications clearly need special security.
Firewalls specifically designed to protect Web applications would recognise a hacker’s attempt to create a buffer overflow, to inject false SQL or system commands in program variables, or to otherwise manipulate the datastream for ill purposes. Web application firewalls see the breaches that a network-layer firewall (or intrusion-detection system) is not capable of detecting.
Traditionally, most attacks targeted the network layer. However, with the widespread deployment of firewalls, hackers have become more sophisticated, and most meaningful attacks these days occur at the application layer.
Until recently, users have relied on intrusion detection systems (IDS) at the application level to stop malicious traffic. However, IDS is usually not able to conclusively block malicious activity. Its primary function is to detect and notify and, provided someone is watching, give an opportunity for manual reaction to the intrusion.
“The void that exists in securing a perimeter network is largely a result of firewalls being mostly unable to stop meaningful attacks due to their lack of application awareness,” said Sheldon Walters, business development manager and technical director of Australian managed security services provider, Zento.
“IDS, although able to detect, are ineffective in stopping the attacks. They are architected in such a way that multiple network sensors need to be deployed to inspect all network segments.”
Walters said the area that lay between firewalls and IDS technology was true application-based firewalling.
“The two technologies are rapidly gravitating toward each other already,” he said.
To create an IDS that can prevent, the device needs to be architected like a firewall, Walters said.
This is the next big race in the firewall market, and the major vendors are rapidly building greater levels of application awareness into their products.
Security experts have begun to call the Web application firewall a must-have.
“I would never deploy a Web application today if I haven’t deployed a Web application firewall,” said Ravi Ganesan, vice-chairman of NSD Security, which helps user organisations build secure Web infrastructures.
Training Web developers to build secure applications and conducting initial and periodic vulnerability tests are musts, but they don’t suffice. Ganesan equates doing those things without also deploying a Web application firewall to declaring Windows or another operating system secure and throwing out the perimeter firewall.
“You’d be crazy,” he said.
Program manager with the Family and Children First (FCF) office, Ed McNachtan, can testify to the benefits of Web application firewalls. He discovered them early — four years ago, when FCF used Health Insurance Portability and Accountability Act (HIPAA) draft documents to perform a Gap Analysis of the security architecture it planned to use for interagency communications via the Web.
“We found our security plan failed around Web applications, and we needed to make reasonable efforts to block that hole,” McNachtan said.
He is using AppShield, a software-based Web application firewall from start-up Sanctum, to protect two particularly complex and politically touchy applications that have taken years to develop.
The first, in pilot tests now, is a family violence cross-jurisdictional database application. The second is a collaborative case-management application that will go into pilot tests by year-end.
“We have privileged and confidential information that we have to protect, plus HIPAA rules and guidelines to follow,” McNachtan said. “I’m married to AppShield. It does a great job.”
Other early users likewise are enamoured with their Web application firewalls. Speaking of the APS-100 appliance from Teros, one user, who preferred not to be named, said: “The cool thing is, it actually found a problem with the application itself — the way we were passing uniform resource locator (URL) strings. It debugged our application!”
This network design engineer, who is working on an outsourced state Medicaid claims-processing application, considers the use of a Web application firewall a competitive advantage.
“The need to have a [Medicaid claims-processing] application that works is half the story,” he said. “The other half is that it’s secure and reliable, and the Web application firewall is one of the pieces telling that part. This is going to make a huge impact for us [in winning business].”
Other users also see the Web application firewall as a tool for winning business.
“The confidence we get having the Web application firewall when a potential customer comes in — we can really go to the bargaining table,” Web operations manager at Agile Software, Todd Bowersox, said.
Having a Web application firewall rated highly with potential customers in the systems audits Agile underwent during its sales cycle, Bowersox said.
Audits of vendor systems were common among US Food and Drug Administration-regulated medical device manufacturers, one of Agile’s target customer bases, he said.
“The value that the Teros firewall adds is immeasurable,” Bowersox said.
Besides a polished image, Agile also gains protection for its Web site and some internal Web applications.
A consultant presentation on Port 80 vulnerabilities “lit the flame and got us thinking about and looking into Web application firewalls,” he said. “We didn’t want to get caught with our pants down, especially with some of our clients coming in and asking, ‘What are you doing about security?’”
Web application firewall vendors are divided into two camps: software and hardware. Software vendors include eEye Digital Security, KaVaDo, MultiNet, Sanctum, Turillion Software and webScurity. Hardware vendors include Permeo Technologies, MagniFire WebSystems, Permeo Teros and Whale Communications.
A Web developer who has tested Web application firewalls for the Network World Global Test Alliance, Thomas Powell, said software-based Web application firewalls were a good choice for those with only one or two servers.
Proximity might be an advantage because a software product would reside on the same Web server as the applications it’s protecting, Powell said. Software-based products were also relatively inexpensive. There were even freeware versions available.
But a hardened Web application firewall became almost mandatory for large organisations, he said. KaVaDo’s InterDo and Sanctum’s AppShield were possible exceptions.
Besides choosing between hardware and software, users investigating Web application firewalls had to decide whether they would use whitelisting or blacklisting.
Powell said he favoured the more-sophisticated whitelisting approach of mapping an application to determine what requests and inputs were allowable, and then blocking everything else.
But he said that whitelisting products could require fine-tuning to get that application map correct.
“The challenge [with whitelisting] is, unless the site is very well-constructed, it’s not possible to have a perfect idea of the application,” he said. “If a site is poorly developed, then there’s the potential for false positives.”
Like antivirus software, blacklisting products look for common attack signatures and, if found, either warn security managers or block the user.
One downside of blacklisting was that unless the signature list was 100 per cent up-to-date, bad queries could get through, Powell said.
Another was vendor lock-in. Because those signature files need regular updating, blacklisting tended to keep users engaged with one Web application firewall vendor.
Powell recommended limiting blacklisting use to instances where false positives must be avoided.
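The whitelisting and blacklisting models Powell describes, as a small added example (not code from any vendor named in this story): a constructed application map that deliberately omits one legitimate endpoint, and a constructed signature list that is deliberately stale, so the false-positive and the out-of-date-signature failure modes both show up on sample requests.

```python
"""Toy positive (whitelist) vs negative (blacklist) request filtering for a Web app."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed application map: the only endpoints and parameters the app legitimately accepts.
# It is deliberately incomplete (no /export), which is the incomplete-map false positive in the text.
APP_MAP = {
    ("GET", "/search"): {"q": re.compile(r"^[\w ]{1,64}$"), "page": re.compile(r"^\d{1,3}$")},
    ("GET", "/account"): {"id": re.compile(r"^\d{1,10}$")},
}

# Constructed signature list for the blacklist model; deliberately stale, so a variant slips past.
SIGNATURES = [re.compile(p, re.I) for p in (r"'\s*or\s+1\s*=\s*1", r"<script", r";\s*(cat|ls|rm)\s")]


def whitelist_check(method, url):
    """Allow only a mapped endpoint whose every parameter is expected and well formed."""
    parts = urlsplit(url)
    rules = APP_MAP.get((method.upper(), parts.path))
    if rules is None:
        return False, "unmapped endpoint"
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        pattern = rules.get(name)
        if pattern is None:
            return False, f"unexpected parameter {name!r}"
        if not pattern.match(value):
            return False, f"parameter {name!r} fails its pattern"
    return True, "ok"


def blacklist_check(method, url):
    """Block only when a known signature appears in the decoded request; everything else passes."""
    decoded = unquote_plus(url)
    for sig in SIGNATURES:
        if sig.search(decoded):
            return False, f"matched signature {sig.pattern!r}"
    return True, "ok"


SAMPLE_REQUESTS = {  # constructed for this example
    "normal": ("GET", "/search?q=firewall&page=2"),
    "known_injection": ("GET", "/search?q=' or 1=1--&page=1"),   # in the signature list
    "variant_injection": ("GET", "/search?q=x' OR 'a'='a"),      # not in the stale list
    "legit_unmapped": ("GET", "/export?format=csv"),             # real endpoint, missing from map
}


def run_samples():
    """Map each sample to (whitelist_allowed, blacklist_allowed) for a side-by-side comparison."""
    return {n: (whitelist_check(m, u)[0], blacklist_check(m, u)[0]) for n, (m, u) in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, (wl, bl) in run_samples().items():
        print(f"{name:18} whitelist={'allow' if wl else 'block'}  blacklist={'allow' if bl else 'block'}")
```

The variant injection passes the blacklist because its signature is missing, while the legitimate export request is blocked by the whitelist because the map never learned it; tuning the map is the fine-tuning Powell refers to.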
Igniting the market
Early users of whitelisting firewalls say that the application-learning process hasn’t been perfect. But users interviewed for this story said their vendors excelled at problem resolution and customer service — a start-up’s fortes. In fact, while Web applications themselves are hardly new, their growing importance has created a hotbed of start-up activity. No fewer than two-dozen known start-ups are addressing the Web application protection problem.
Of course, established network vendors aren’t letting newcomers walk into this market unchallenged. Check Point Software, Cisco Systems, NetScreen Technologies, Nokia and Symantec are among the security vendors enhancing their platforms with more intelligent assessment of application traffic. Meanwhile, F5 Networks, Nortel Networks and Radware are claiming Web application security as a function of their content switches.
But there’s also a whole crop of other start-ups crafting more multi-purpose platforms of which Web application protection is but one function.
The idea of imbuing familiar security devices with application-layer protection has its user appeal.
INFO1, the fourth largest mortgage credit reporting provider in the US, plans to use Check Point Next Generation with Application Intelligence for Web application protection, director of network and security, Jim Noble, said.
INFO1 began offering Web access to credit reports four years ago.
“We started using Check Point prior to September 1999 to protect our networks and systems,” he said, “and that’s one of the reasons we’re going with AI today. It’s the next functional upgrade.”
Noble said he was very comfortable with the enhanced network-layer firewall instead of a purpose-built Web application firewall.
“Our Web is fairly well-protected, and I’m confident that we’ve mitigated 98 per cent to 99 per cent of risks,” he said. “Is it worth our energy to get the last one per cent? No, not in a business sense.”
No matter which platform choice they made, extended enterprises must address the question of Web application protection, and soon, security experts concluded.
“You’ve got to have a Web application firewall,” Gartner analyst, Richard Stiennon, said. “New e-commerce services will just be too vulnerable without something like that.”