What is a WAF
Your website is the face of your organization and, in many cases, an income generator. The information it offers should be accurate, safe to browse, fast and practical.
resulting in client or business information protection violations. It can lead to customer discontent and desertion, financial losses, product damage and even legal challenges. Companies from all sectors fall prey to web application attacks that could have been prevented with more security focus and financial commitment on their customer-facing web applications, similar to the attacks that hit Fox.com. More recently, T&T Parliament and Worldwide Law Enforcement Organization sites were defaced. In both cases, online attackers targeted the security gaps within these web applications.
evolve and are always overwhelming.
The Open Web Application Security Project (OWASP) and the Web Application Security Consortium (WASC) are widely referenced and generally known by many companies. The two classifications overlap, but while OWASP provides a Top Ten list of web application threats, WASC provides a broader classification of attacks and weaknesses and supplies specific research on each of the ten OWASP groups. For example, the first item on the OWASP Top Ten is known as "Injection", and it maps to eight distinct WASC items concerning injection threats.
Regulations such as GLBA, HIPAA or FISMA all mandate some level of web application security while giving organizations the freedom to select the preferred technique of threat mitigation. In all cases, a Web Application Firewall (WAF) can be used as an effective security tool that improves an organization's threat posture.
The Payment Card Industry Data Security Standard (PCI-DSS) is much more explicit in its web application protection requirements. PCI-DSS is a standard developed to encourage and improve cardholder data protection and to achieve broad adoption of consistent data protection measures worldwide. It consists of 12 requirements structured in six primary groups. PCI-DSS Requirement 6 details the development and maintenance of secure systems and applications, including public-facing web applications. Failing to comply can result in penalties and loss of the ability to process credit card transactions.
Why Existing Defenses are Not Good Enough
A typical answer one can expect from organizations asked about their web application security posture is: "we are protected by our network firewall and our IPS". While classic defense tools protect against a broad range of threats, they are not sufficient for the particular needs of web applications.
Network firewalls (operating at layer 3, network, and layer 4, transport) are not designed for web application protection (layer 7, application): they generally open and close the door to inbound and outbound traffic without really inspecting the content of that traffic.
Intrusion Prevention Systems offer a better safeguard against application threats. However, their primary focus is on client vulnerabilities rather than server vulnerabilities. IPSs examine the content of network packets, match that content against a predefined set of signatures, and then raise an alert or block the traffic if anomalies are detected. A common IPS product contains several hundred signatures, which cannot cover the thousands of new web application vulnerabilities discovered each year. Furthermore, IPS tools on the market may not parse the web application content; consequently they are in no position to learn the different web application elements, pages and variables, nor to react to zero-day attacks for which no signatures exist. In addition, IPSs do not have the capacity to understand the web application protocol logic, so they are unable to detect protocol violations (a common IPS evasion technique).
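As an added illustration (not code from the original article), the following Python function applies the kind of HTTP protocol-conformance checks a layer 7 device can perform once it actually parses the request, which a packet-signature engine that never parses it cannot; the sample requests are constructed, not captured traffic.

```python
from typing import Dict, List

# Methods and versions this check accepts; a real WAF policy is tuned per site.
KNOWN_METHODS = {"GET", "POST", "PUT", "DELETE", "HEAD", "OPTIONS", "PATCH"}
KNOWN_VERSIONS = {"HTTP/1.0", "HTTP/1.1"}


def http_protocol_violations(raw: bytes) -> List[str]:
    """Return the HTTP/1.x protocol violations found in one raw request."""
    findings: List[str] = []
    text = raw.decode("latin-1")  # byte-preserving decode, never fails
    head, sep, body = text.partition("\r\n\r\n")
    if not sep:
        findings.append("missing CRLF CRLF between headers and body")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    method, version = "", ""
    if len(parts) != 3:
        findings.append("request line is not 'METHOD TARGET VERSION'")
    else:
        method, _, version = parts
        if method not in KNOWN_METHODS:
            findings.append("unknown method %r" % method)
        if version not in KNOWN_VERSIONS:
            findings.append("unsupported version %r" % version)
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        # RFC 7230: no whitespace between field-name and colon, no leading blanks
        if not colon or not name or name != name.strip():
            findings.append("malformed header line %r" % line)
            continue
        headers.setdefault(name.lower(), []).append(value.strip())
    if version == "HTTP/1.1" and "host" not in headers:
        findings.append("HTTP/1.1 request without Host header")
    lengths = headers.get("content-length", [])
    if len(set(lengths)) > 1:
        findings.append("conflicting Content-Length values")
    elif lengths and not lengths[0].isdigit():
        findings.append("non-numeric Content-Length %r" % lengths[0])
    elif lengths and int(lengths[0]) != len(body):
        findings.append("Content-Length %s does not match %d body bytes"
                        % (lengths[0], len(body)))
    return findings


# Constructed sample requests (not captured traffic).
WELL_FORMED = b"POST /login HTTP/1.1\r\nHost: shop.example\r\nContent-Length: 9\r\n\r\nuser=anna"
MALFORMED = b"POST /login HTTP/1.1\r\nContent-Length: 9\r\nContent-Length: 4\r\n\r\nuser=anna"
```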
Web application security demands a strong understanding of how web applications work: how they request and receive resources, how they interpret and parse parameters, and how they generally behave. These capabilities are provided by Web Application Firewalls (WAFs): security systems adapted to web applications, with the ability to understand layer 7 (application) protocols, parse web application details and pages, and define security policies, as well as provide XML and Web Services protection. WAFs should be intelligently designed and precisely tuned to provide maximum security in the shortest time and with minimal impact on web application traffic.
Web Application Security Obstacles
In recent years, attacks have evolved and become more sophisticated, with attackers using multiple attack vectors in a single campaign. The major attacks on Sony were a mix of DDoS attacks, aimed at the availability of the websites, while concurrently distracting the attention of Sony's security administrators from targeted web application attacks (SQL injection). The goal of these attacks was to steal users' account information. Simple correlation of security events from the various sources could have defeated this diversion technique.
Achieving a strong web application security posture is not an easy endeavor, and web application firewalls encounter numerous issues each day.
Because of the way web applications are built, security becomes a complex equation with many variables. Web applications are built on third-party web servers, legacy components and operating systems. They contain many settings, pages, folders, variables and authentication strategies. Each of these layers can be targeted and is probably vulnerable to attacks that a company's best security practices cannot defend against. The organization deploying the web application nevertheless relies on other companies' software, which contains known, documented weaknesses or new vulnerabilities yet to be found.
On average, a web application is accessed both by legitimate users and by attackers. One of the greatest obstacles in protecting web applications is the ability to precisely distinguish between the two and prevent security threats without disrupting regular traffic. In other words, avoid false negatives and provide the most effective security coverage while preserving a low or minimal rate of false positives. False negatives place your applications at risk, and false positives disturb legitimate users and substantially increase deployment and operational effort and cost.
Elaborate, Time-Consuming Deployments
Another problem is deployment. WAF deployments are well known for being complicated and time consuming. How do we deploy the web application firewall in a timely and efficient manner and break the belief that WAF deployments are complex? How do we ensure the web application firewall promptly starts to block attacks proficiently, without prolonging the testing phases forever?
To deliver web application security, the WAF has to understand the application, map its pages and parameters, and inspect its traffic in order to create, and then dynamically update, an application baseline. This baseline is the normal state of the application, and the security device compares new inbound traffic against it. The learning and mapping procedures can be lengthy and demand manual configuration, as web applications normally contain a large number of pages and folders and a multitude of parameters. Any application modification would require complete relearning and remapping of the baseline. This slows down the definition of security policies and consequently delays the actual WAF deployment. The challenge is to provide the quickest time to protection and a clean deployment process with a fast, dynamic learning curve of the application's attributes, while immediately producing and successfully applying granular security policies.
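The learning and baseline comparison described above, as an added Python example that is not part of the original article: it learns which pages and parameters exist and the value class of each parameter from constructed legitimate traffic, then reports deviations in new requests; the value classes and the URL sample are assumptions of this example.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qsl, urlsplit

# Value classes from narrowest to broadest; a parameter is learned as the
# narrowest class that matches every value seen for it during learning.
VALUE_CLASSES = [
    ("digits", re.compile(r"^[0-9]{1,10}$")),
    ("word", re.compile(r"^[A-Za-z0-9_.-]{1,64}$")),
    ("any", re.compile(r"^[\s\S]*$")),
]
ORDER = [name for name, _ in VALUE_CLASSES]


def classify(value: str) -> str:
    """Name of the narrowest value class that matches the value."""
    return next(name for name, rx in VALUE_CLASSES if rx.match(value))


def learn_baseline(urls: List[str]) -> Dict[str, Dict[str, str]]:
    """Build {path: {parameter: learned value class}} from legitimate traffic."""
    baseline: Dict[str, Dict[str, str]] = {}
    for url in urls:
        parts = urlsplit(url)
        params = baseline.setdefault(parts.path, {})
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            seen = classify(value)
            # widen to the broader class when observed values disagree
            params[name] = max(params.get(name, seen), seen, key=ORDER.index)
    return baseline


def check_request(baseline: Dict[str, Dict[str, str]], url: str) -> List[str]:
    """Return deviations from the baseline; an empty list means the request fits."""
    parts = urlsplit(url)
    if parts.path not in baseline:
        return ["unknown page %s" % parts.path]
    expected = baseline[parts.path]
    findings: List[str] = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name not in expected:
            findings.append("unknown parameter %s on %s" % (name, parts.path))
        elif ORDER.index(classify(value)) > ORDER.index(expected[name]):
            findings.append("%s on %s outside learned class %s"
                            % (name, parts.path, expected[name]))
    return findings


# Constructed learning traffic (not from any real application).
LEARNING_URLS = ["/item?id=42", "/item?id=7", "/search?q=shoes", "/search?q=red_shoes"]
```

A legitimate application change, such as a new "page" parameter added to /search in a release, is flagged exactly like an unknown parameter, which is the false-positive and relearning cost the text describes.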
Scale to Growing Business Requirements
As the range and size of web applications expand, the web application firewall protecting them becomes taxed, dealing with more bandwidth, capacity and processing. Poorly designed WAFs cannot sustain the load and run into performance problems and an inability to meet the scalability demands of the organization. The web application firewall should provide a strong, scalable architecture, enabling an organization to meet its versatile and ongoing requirements for growth.
Clear and Valuable Reports for Security Events
The last problem is to deliver accurate, centralized and user-friendly logs, traces and reports on the web application's security condition. In-depth reporting and forensic analysis help to understand attacks, how they transpired and how they were blocked. In many cases, institutions are looking for correlated reports on a single security event triggered on various components of their application infrastructure. This is not generally straightforward, as each security device produces its own security report, which is not correlated with the others. An additional reporting obstacle is to present thorough, clear and valuable reports for compliance with regulations and standards, for example PCI reports.
Options
Although WAFs have historically been known to be difficult and costly, many well-known and lesser-known web application firewall vendors are making significant strides in improving WAF tools and deployment strategies. If you do your research, they will help you determine how a web application firewall will work for your organization.
View Keith Turgeon's profile