Monday, August 12, 2013

What Is a Web Application Firewall


Your Unprotected Business is at Risk

Your website is the face of your organization and, in many situations, an income generator. The information it offers should be accurate, safe to browse, fast and practical.

Failing to secure your online applications can adversely affect your business, resulting in breaches of client or business information. It can lead to customer discontent and desertion, financial losses, product harm and even legal challenges. Companies from all sectors fall prey to web application attacks that could have been prevented with more security focus and financial commitment.

 
For example, some of Sony's well-publicized problems were due to simple SQL injection attacks on their customer-facing web applications, similar to the attacks that hit Fox.com. More recently, the T&T Parliament and Worldwide Law Enforcement Organization sites were defaced. In both situations, attackers focused on the security gaps within these web applications.

 
Operating an application on the Web creates risk for any organization. Risks are prevalent, constantly evolving and always overwhelming.

 
The web application threat classifications created by the Open Web Application Security Project (OWASP) and the Web Application Security Consortium (WASC) are widely referenced and well known to many companies.

 

The two classifications overlap, but while OWASP provides a documented Top Ten list of web application threats, WASC provides a broader categorization of threats and weaknesses, with specific research on each of the ten OWASP groups.

 

For example, the first item on OWASP's Top Ten list is "Injection", which maps to eight distinct WASC items related to injection threats.

Regulations such as GLBA, HIPAA or FISMA all require some level of web application security while giving organizations the freedom to select the recommended technique of threat minimization. In all situations, a Web Application Firewall (WAF) can be used as an effective security tool that enhances an organization's threat posture.

 

The Payment Card Industry Data Security Standard (PCI-DSS) is much more explicit in its web application protection requirements. PCI-DSS is a standard developed to motivate and improve cardholder data protection and achieve the wide adoption of reliable data protection measures worldwide. It consists of 12 requirements structured in six primary groups. PCI-DSS Requirement 6 details the development and maintenance of security measures for public-facing applications. Failing to meet compliance can result in penalties and loss of the ability to process credit card transactions.

 

Why Existing Defenses are Not Good Enough

A typical answer one can anticipate from organizations when asked about their web application security posture is: "we are protected by our network firewall and our IPS". While classic defense tools protect against a broad range of threats, they are not adequate for the particular needs of web applications.

Network firewalls (operating at layer 3, network, and layer 4, transport) are not designed for web application protection (layer 7, application), as they generally open and close the door to inbound and outbound traffic without really inspecting the content of that traffic.

 
Intrusion Prevention Systems offer a better safeguard against application threats. However, their primary focus is on client weaknesses rather than server vulnerabilities. IPSs examine the content of network packets, match that content against a predefined set of signatures, and then raise an alert or block the traffic if anomalies are detected. A common IPS product contains several hundred signatures, which cannot cover the thousands of new web application weaknesses discovered each year. Furthermore, IPS tools on the market may not parse the web application content. Consequently, they are not in a position to learn the different web application elements, pages and variables, or to react to zero-day attacks for which no signatures exist. In addition, IPSs do not have the capacity to understand the web application protocol logic, so they are powerless to detect protocol violations (a common IPS evasion technique).

 

Web application security demands a strong comprehension of how applications work: how they request and receive resources, how they translate and parse parameters, and how they generally behave. These capabilities are provided by Web Application Firewalls (WAF): security systems adapted to web applications, with the ability to comprehend layer 7 (application) protocols, parse web application details and pages, and define security policies, as well as provide XML and Web Services protection. WAFs should be intelligently designed and precisely optimized to provide maximum security in the shortest time and with minimum impact on web application traffic.

 
Web Application Security Obstacles

In recent years, attacks have developed and become more complicated, with attackers using multiple attack vectors in a single attack plan. The significant attacks on Sony were a mix of DDoS attacks directed at the availability of the websites while concurrently distracting the focus of Sony's security administrators with targeted web application attacks (SQL injection). The goal of these attacks was to take users' account information. Simple correlation of security events from various sources might have turned away this diversion technique.

Achieving a superior and powerful web application security posture is not an easy endeavor, and there are numerous issues web application firewalls encounter each day.

 
A multi-dimensional problem

Due to the way web applications are built, security becomes a sophisticated equation with numerous variables. Web applications are built on third-party web servers, legacy components and operating systems. They contain many settings, pages, folders, variables and authentication strategies. Each of these layers could be targeted and is probably vulnerable to attacks that a company's most effective security practices can't defend against. The organization implementing the web application relies on other companies' software, which contains known, recorded weaknesses or new vulnerabilities yet to be found.

 
Differentiating between attacks and genuine traffic

On average, a web application is accessed both by welcome genuine users and by attackers. One of the greatest obstacles in protecting web applications is the ability to precisely distinguish between the two and prevent security threats without disrupting regular traffic. In other words, steer clear of false negatives and provide the most effective security coverage while preserving a low or minimal percentage of false positives. False negatives place your applications at risk, and false positives disturb genuine users and boost deployment and operational efforts and costs substantially.

 

Elaborate, time-consuming deployments

Another problem is deployment considerations. WAF deployments are well known for being complicated and time consuming. How do we deploy the web application firewall in a timely and efficient manner and break the belief that WAF deployments are complex? How do we ensure the web application firewall promptly starts to proficiently block attacks without prolonging the testing phases forever?

In order to accomplish web application security, the WAF has to understand the application, map its pages and parameters, and investigate its traffic in order to create, and eventually dynamically update, an application baseline. This baseline is the ordinary state of the application, and the security instrument compares new inbound traffic against it. The learning and mapping procedures can be time consuming and demand manual configuration, as web applications normally contain a large number of pages and folders and a multitude of parameters. Any application modification would require complete relearning and remapping of the baseline. This activity slows down the definition of security policies and consequently delays the actual WAF implementation. The challenge is to provide the quickest time to protection, a clean deployment process and a fast, dynamic learning curve of the application's attributes, while immediately producing and successfully applying granular security policies.
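The learning-and-baseline cycle described above, as an added example that is not part of the original post: a minimal positive-security model in Python that learns each page's parameter names and value shapes from constructed sample traffic, then reports how a new request deviates from that baseline. The application paths, parameters and request lines are all constructed for illustration; the check also shows the two failure modes the text discusses, a legitimate value never seen during learning (a false positive) and a page added after learning that forces the baseline to be relearned.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample of learning-phase traffic: HTTP request lines as a WAF
# in front of a hypothetical application would see them (not real data).
LEARNING_TRAFFIC = [
    "GET /login?user=alice HTTP/1.1",
    "GET /login?user=bob42 HTTP/1.1",
    "GET /search?q=blue+widgets&page=2 HTTP/1.1",
    "GET /search?q=red+gadgets&page=10 HTTP/1.1",
]

def value_class(value):
    """Coarse character class of a parameter value; this is the 'shape' the baseline records."""
    if re.fullmatch(r"\d+", value):
        return "digits"
    if re.fullmatch(r"[A-Za-z0-9 _.-]+", value):
        return "alnum"
    return "other"

def learn_baseline(requests):
    """Build the baseline: each page maps to the parameter names and value classes seen."""
    baseline = {}
    for line in requests:
        _method, target, _version = line.split(" ", 2)
        url = urlsplit(target)
        page = baseline.setdefault(url.path, {})
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            page.setdefault(name, set()).add(value_class(value))
    return baseline

def check_request(baseline, line):
    """Compare one inbound request against the baseline; return the list of deviations."""
    _method, target, _version = line.split(" ", 2)
    url = urlsplit(target)
    if url.path not in baseline:
        # A page never seen during learning: either a probe or a new release the WAF
        # has not relearned yet (the false-positive risk the text describes).
        return [f"unknown page {url.path}"]
    deviations = []
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        seen = baseline[url.path].get(name)
        if seen is None:
            deviations.append(f"unknown parameter {name!r} on {url.path}")
        elif value_class(value) not in seen:
            deviations.append(f"{name!r} value class {value_class(value)} not learned for {url.path}")
    return deviations
```

A user named o'brien is flagged because the apostrophe falls outside the value class learned from alice and bob42, which is exactly the false positive a poorly tuned baseline produces; adding traffic to a newly deployed page to `learn_baseline` clears the unknown-page deviation, which is the relearning cost the text attributes to every application change.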

 
Scale to growing business requirements

As the range and size of web applications expand, the web application firewall protecting them becomes taxed, dealing with more bandwidth, capacity and processing. Poorly developed WAFs can't sustain the load and encounter overall performance challenges and an inability to meet the scalability demands of the organization. The web application firewall should provide a strong, scalable structure, enabling an organization to meet the versatile and ongoing requirements for growth.

 
Clear and Valuable Reports for Security Events

The last problem is to deliver accurate, centralized and user-friendly logs, traces and reports of the web application security condition. In-depth reporting and forensic analysis are helpful to understand the attacks, how they transpired and how they were blocked. In numerous cases, institutions are looking for correlation reports on a single security event triggered on various components of their application infrastructure. This is not generally straightforward, as each security device produces its own security report, which does not correlate with the others. An additional reporting obstacle is to present thorough, clear and valuable reports for regulation and standards compliance, for example PCI reports.

 

Options

Although historically known to be difficult and costly, many well-known and lesser-known web application firewall companies are making significant strides in improving WAF tools and deployment strategies. If you do your research, they will help you determine how a web application firewall will work for your organization.



Sunday, March 17, 2013

Hiring Ruby on Rails

What a week. There is a real balance between capturing and delivering on new business opportunities.
The Namtek business development team had for the past few months been chasing several application development projects. When the customers we've been chasing finally got their project and budget approvals, it was incumbent on us to execute the staffing plan.

Both projects were for Ruby on Rails, a sub-component of our clients' overall projects. We'd been chasing these projects for weeks and had to balance keeping the bench lean while at the same time keeping our bench in a "just in time" posture.

The challenge is that Ruby on Rails is in such high demand it's been difficult keeping talent "At The Ready".

Both projects we've been chasing are in the Boston market, which has just been void of available Ruby on Rails talent, as there are so many startups and mature firms who are in need of Ruby on Rails.

One project, which was supposed to start in mid-February, got a last-second kick to the gut as the person assigned to the project decided to move on to greener pastures, and by greener I mean more money than our project could afford.

We're seeing a big appetite in both Boston and San Francisco for Ruby on Rails.

Moving forward, we've realized we need to be more focused on the total compensation package for our Ruby on Rails team. It's not always about the money. Quite often working remote or a 4-day work week can encourage a new team member to choose our project versus another project.

My suggestion to anyone in need of Ruby on Rails is to act quickly and be flexible on terms of total compensation.

Wednesday, February 27, 2013

SIEM For The Next Generation


As strategic IT requirements traverse the delicate balance of IT security and compliance, the value of Security Information and Event Management (SIEM) tools has increased in importance. The collection and analysis of data from content filters, VPNs, UTMs, routers, switches, firewalls, databases and systems are critically important data points for every organization as the global threat vector continues to modify its tactics and focus.

Friday, December 28, 2012

I was just thinking over the holiday how some words and phrases from not so long ago have different meanings today.  I had this thought relative to a specific Christmas gift I purchased for my wife.

For instance, in 1882 in Texas, if you said, "Let's get a new team for the coach," what would that have meant?

What did we have for teams, and who did we have for coaches, in 1882? Very few would be the answer. Organized professional sports were, in many cases, still decades away.

Perhaps it literally meant getting some new horses for the Concord Coach covered wagon that helped tame the West.

My great-grandfather was responsible for the City "Teams" in Exeter, NH at the turn of the century.
"Teams" had a very different meaning for him than for me.
This Concord Coach, circa 1852 appeared at the New York World's Fair of 1939 and was later put on display at the Boston & Maine Railroad Station in Concord, New Hampshire. It is now in the collection of the Museum of New Hampshire History at Eagle Square in Concord, N.H.

How many times when getting into a car have you said, "Shotgun"? Do you know where the phrase comes from? It comes from the very people that navigated these covered wagons with their "Teams" (horses), as protection of life and property was a very up-front and personal endeavor.

I wonder if anyone getting into this wagon shouted, "Shotgun," as they were boarding.  I doubt it because it would have meant you were proclaiming your responsibility as the primary defender of the journey.

Or even today, bringing me to my personal Christmas shopping efforts: while shopping with my teenage daughter, she noticed a woman wearing Coach. I asked my daughter, "Maybe that is what we should get Mom." She said, "Sounds like an idea, let's go to the Coach outlet and see what they have."



Not really what I had in mind.



Monday, June 11, 2012

Back Up Disaster Recovery

Namtek is offering a new service for current and future customers: backup for Namtek's customers, which leverages two Namtek partners, Exagrid and Windstream.
This new service can be structured in an operational expense model.

Monday, May 21, 2012

Disaster Recovery in the Cloud

Namtek adds Exinda to GSA Schedule

Adding Exinda to Namtek's GSA Schedule is very exciting, as we are creating new ways to provide best-of-breed technologies to our mutual customers.
Add to that, Namtek is creating cloud offerings relative to Disaster Recovery that create new ways to access and monetize these sometimes tedious yet necessary projects.

Namtek is very happy to have Exinda as a business partner serving the United States Government.