Monday, August 12, 2013

What Is a Web Application Firewall


Your Unprotected Business is at Risk

Your website is the face of your organization and, in many cases, a source of revenue. The information it offers should be accurate, safe to browse, fast and practical.

Failing to secure your web applications can hurt your business: breaches of customer or company data, customer dissatisfaction and churn, financial losses, brand damage and even legal action. Companies in every sector fall victim to web application attacks that could have been prevented with more attention to security and more investment in it.

 
For example, some of Sony's widely reported problems were due to simple SQL injection attacks on their customer-facing web applications, similar to the attacks that hit Fox.com. More recently, the T&T Parliament and Worldwide Law Enforcement Organization sites were defaced. In both cases, the attackers targeted the security gaps in these web applications.

 
Running an application on the web creates risk for any organization. The risks are everywhere, they keep evolving, and they are always overwhelming.

 
The web application threat classifications published by the Open Web Application Security Project (OWASP) and the Web Application Security Consortium (WASC) are well defined and widely known among companies.

The two classifications overlap: OWASP publishes a documented Top Ten list of web application threats, while WASC provides a broader classification of threats and weaknesses and offers specific research on each of the ten OWASP categories.

For example, the first item on the OWASP Top Ten, "Injection", maps to eight distinct WASC entries covering injection threats.

Regulations such as GLBA, HIPAA or FISMA all require some level of web application security while leaving organizations free to choose their preferred technique of threat mitigation. In all these cases, a Web Application Firewall (WAF) can serve as an effective security control that improves an organization's threat posture.

 

The Payment Card Industry Data Security Standard (PCI-DSS) is much more explicit in its web application protection requirements. PCI-DSS was developed to encourage and improve cardholder data protection and to achieve broad adoption of consistent data protection measures worldwide. It consists of 12 requirements organized in six main groups. Section 6 of PCI-DSS covers the development and maintenance of security measures for public-facing applications. Failing to comply can result in penalties and the loss of the ability to process credit card transactions.

 

Why Existing Defenses are Not Good Enough

A typical answer to expect from organizations when asked about their web application security posture is: "we are protected by our network firewall and our IPS". While these classic defenses protect against a broad range of threats, they are not adequate for the specific needs of web applications.

Network firewalls (operating at layer 3, network, and layer 4, transport) are not designed for web application protection (layer 7, application): they generally open and close the door to inbound and outbound traffic without really inspecting its content.

 
Intrusion Prevention Systems offer better protection against application threats. However, their primary focus is on client weaknesses rather than server vulnerabilities. An IPS examines the content of network packets, matches it against a predefined set of signatures, and raises an alert or blocks the traffic when a match or anomaly is detected. A typical IPS product contains several hundred signatures, which cannot cover the thousands of new web application weaknesses discovered each year. Furthermore, IPS tools on the market may not parse web application content, so they are in no position to learn the application's elements, pages and parameters, or to react to zero-day attacks for which no signatures exist. In addition, an IPS does not understand the logic of the web application protocol, so it cannot detect protocol violations (a common IPS evasion technique).

 

Web application security demands a thorough understanding of how web applications work: how they request and receive resources, how they interpret and parse parameters, and how they behave in general. These capabilities are provided by Web Application Firewalls (WAFs): security systems built for web applications, able to understand layer 7 (application) protocols, parse application details and pages, define security policies, and protect XML and Web Services as well. A WAF should be intelligently designed and precisely tuned to deliver maximum security in the shortest time and with minimum impact on web application traffic.

 
Web Application Security Obstacles

In recent years attacks have evolved and become more complex, with attackers using multiple attack vectors in a single campaign. The major attacks on Sony were a mix of DDoS attacks aimed at the availability of the websites while simultaneously distracting Sony's security administrators from targeted web application attacks (SQL injection). The goal of these attacks was to steal users' account information. Simple correlation of security events from the various sources might have defeated this diversion technique.

Achieving a strong web application security posture is not easy, and web application firewalls face numerous challenges every day.

 
A multi-dimensional problem

Because of the way web applications are built, security becomes a complex equation with many variables. Web applications sit on third-party web servers, legacy components and operating systems, and contain many settings, pages, folders, parameters and authentication schemes. Each of these layers can be targeted and is probably vulnerable to attacks that a company's best security practices cannot defend against. The organization deploying the web application depends on other companies' software, which contains known, documented weaknesses as well as vulnerabilities yet to be discovered.

 
Differentiating between attacks and genuine traffic

A typical web application is accessed both by legitimate users and by attackers. One of the greatest obstacles in protecting web applications is precisely distinguishing between the two and stopping security threats without disrupting regular traffic. In other words: avoid false negatives and provide the most effective security coverage while keeping the false positive rate low. False negatives put your applications at risk; false positives disturb genuine users and substantially increase deployment and operational effort and cost.

 

Elaborate, time-consuming deployments

Another problem is deployment. WAF deployments are well known for being complicated and time consuming. How do we deploy the web application firewall quickly and efficiently and break the perception that WAF deployments are complex? How do we ensure the web application firewall starts blocking attacks effectively and promptly, without prolonging the testing phase forever?

To secure a web application, the WAF has to understand the application: map its pages and parameters and examine its traffic in order to build, and later dynamically update, an application baseline. This baseline is the normal state of the application, and the security device compares new inbound traffic against it. The learning and mapping process can be slow and demand manual configuration, because web applications usually contain a large number of pages and folders and a multitude of parameters. Any change to the application may require a complete relearning and remapping of the baseline. This slows down the definition of security policies and consequently delays the actual WAF rollout. The challenge is to deliver the fastest time to protection, with a clean deployment process and quick, dynamic learning of the application's attributes, while immediately producing and successfully applying granular security policies.
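The baseline idea described above, together with the earlier point that an IPS neither learns an application's pages and parameters nor detects protocol violations, can be shown in a few dozen lines. The following is an added example written for this page, not code from any WAF product or from the author: it learns a baseline of pages, parameters and coarse value shapes from constructed sample traffic, then inspects new request lines, enforcing HTTP request-line syntax first and the learned baseline second. The sample traffic, the value classes and the check logic are all constructed simplifications.

```python
"""Positive-security (baseline) model of the kind the post attributes to a WAF.

Added illustration for this page, not the code of any WAF product.
All request samples are constructed; value classes are a simplification.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed learning traffic: requests seen while the application is in
# normal use. The baseline records, per page, which parameters occur and
# what shape their values take.
LEARNING_TRAFFIC = [
    ("GET", "/login"),
    ("POST", "/login?user=alice&password=x"),
    ("GET", "/account?id=1001"),
    ("GET", "/account?id=1002"),
    ("GET", "/search?q=shoes"),
]

# Strict HTTP request line: METHOD SP request-target SP HTTP/major.minor
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")


def value_class(value):
    """Coarse shape of a parameter value, so the baseline generalizes
    (id=2000 matches a learned numeric id) instead of whitelisting literals."""
    if re.fullmatch(r"\d+", value):
        return "numeric"
    if re.fullmatch(r"[A-Za-z0-9_.@-]+", value):
        return "alnum"
    return "free"


class ApplicationBaseline:
    """Learned map: (method, path) -> {parameter name -> set of value classes}."""

    def __init__(self):
        self.pages = {}

    def learn(self, method, url):
        parts = urlsplit(url)
        params = self.pages.setdefault((method, parts.path), {})
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            params.setdefault(name, set()).add(value_class(value))

    def check(self, method, url):
        """Return the list of baseline violations; empty means the request
        looks like normal application traffic."""
        parts = urlsplit(url)
        known = self.pages.get((method, parts.path))
        if known is None:
            return [f"unknown page {method} {parts.path}"]
        violations = []
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if name not in known:
                violations.append(f"unknown parameter {name!r} on {parts.path}")
                continue
            cls = value_class(value)
            if cls not in known[name]:
                violations.append(
                    f"parameter {name!r} has value class {cls}, "
                    f"baseline allows {sorted(known[name])}"
                )
        return violations


def build_baseline(traffic=LEARNING_TRAFFIC):
    """Learning phase: replay observed traffic into a fresh baseline."""
    baseline = ApplicationBaseline()
    for method, url in traffic:
        baseline.learn(method, url)
    return baseline


def inspect_request(request_line, baseline):
    """Layer 7 inspection: enforce protocol syntax first (a malformed request
    line is a protocol violation, blocked regardless of content), then
    compare the request against the learned baseline."""
    m = REQUEST_LINE.match(request_line)
    if not m:
        return "block", [f"protocol violation: malformed request line {request_line!r}"]
    method, target = m.group(1), m.group(2)
    violations = baseline.check(method, target)
    return ("block" if violations else "allow"), violations


if __name__ == "__main__":
    baseline = build_baseline()
    for line in [
        "GET /account?id=2000 HTTP/1.1",          # new id, same shape: allowed
        "GET /account?id=abc HTTP/1.1",           # wrong value shape: blocked
        "GET /account?id=1001&debug=1 HTTP/1.1",  # parameter the app never used
        "GET /admin HTTP/1.1",                    # page not in the baseline
        "GET /account?id=2000",                   # no HTTP version: protocol violation
    ]:
        print(line, "->", inspect_request(line, baseline))
```

Two points from the text are visible here. A value class, rather than a literal whitelist, is what keeps false positives down when a user presents an id the learning phase never saw; and the baseline is only as complete as the learning traffic, so a page or parameter added to the application is blocked as unknown until `learn` has seen it, which is exactly the relearning cost the deployment section describes.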

 
Scaling to growing business requirements

As the range and size of web applications grow, the web application firewall protecting them comes under strain, handling more bandwidth, capacity and processing. Poorly designed WAFs cannot sustain the load and run into performance problems and an inability to meet the organization's scalability demands. The web application firewall should provide a robust, scalable architecture that lets an organization meet its varied and ongoing requirements for growth.

 
Clear and Valuable Reports for Security Events

The last problem is delivering accurate, centralized and user-friendly logs, traces and reports on the state of web application security. In-depth reporting and forensic analysis help in understanding the attacks, how they happened and how they were blocked. In many cases, institutions want correlation reports on a single security event triggered across various components of their application infrastructure. This is not straightforward, since each security device produces its own report and these reports do not correlate with each other. An additional reporting obstacle is producing thorough, clear and valuable reports for regulatory and standards compliance, for example PCI reports.
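The correlation the reporting section asks for, and that the Sony paragraph says might have exposed the DDoS-plus-injection diversion, can be sketched with two device logs and a time window. The following is an added example written for this page, not code from any product or from the author. The two log excerpts are constructed in a simple key=value style (a DDoS appliance and a WAF, each reporting on its own), and the correlation rule, the five-minute window and the site names are assumptions chosen for the example.

```python
"""Cross-device correlation of security events.

Added example for this page, not vendor code. Both logs below are
constructed; the key=value format, window and site names are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log from a DDoS mitigation appliance: availability events.
DDOS_LOG = """2013-08-12T10:00:05 site=shop.example volumetric_attack start pps=950000
2013-08-12T10:00:40 site=shop.example volumetric_attack ongoing pps=1200000"""

# Constructed log from a WAF: application-layer blocks, reported separately.
WAF_LOG = """2013-08-12T10:01:15 site=shop.example rule=sqli action=block src=203.0.113.7
2013-08-12T10:01:22 site=shop.example rule=sqli action=block src=203.0.113.7
2013-08-12T10:09:00 site=blog.example rule=xss action=block src=198.51.100.9"""


def parse_kv_log(text, source):
    """Normalize one device's lines into dicts with a shared schema:
    source, ts (datetime), key=value fields, and bare tokens under 'tags'."""
    events = []
    for line in text.strip().splitlines():
        ts, rest = line.split(" ", 1)
        fields = {"source": source, "ts": datetime.fromisoformat(ts), "tags": []}
        for token in rest.split():
            if "=" in token:
                key, value = token.split("=", 1)
                fields[key] = value
            else:
                fields["tags"].append(token)
        events.append(fields)
    return events


def load_events():
    """Merge both devices' events into one timeline."""
    return parse_kv_log(DDOS_LOG, "ddos") + parse_kv_log(WAF_LOG, "waf")


def correlate(events, window=timedelta(minutes=5)):
    """Report each site where an availability attack and application-layer
    blocks occurred within `window` of each other: the diversion pattern."""
    by_site = defaultdict(list)
    for event in events:
        by_site[event["site"]].append(event)

    incidents = []
    for site, site_events in by_site.items():
        dos = [e for e in site_events
               if e["source"] == "ddos" and "volumetric_attack" in e["tags"]]
        app = [e for e in site_events
               if e["source"] == "waf" and e.get("action") == "block"]
        for d in dos:
            hits = [a for a in app if abs(a["ts"] - d["ts"]) <= window]
            if hits:
                incidents.append({
                    "site": site,
                    "ddos_at": d["ts"],
                    "waf_blocks": len(hits),
                    "rules": sorted({a["rule"] for a in hits}),
                })
                break  # one combined incident per site is enough for the report
    return incidents


if __name__ == "__main__":
    for incident in correlate(load_events()):
        print(f"{incident['site']}: volumetric attack at {incident['ddos_at']} "
              f"with {incident['waf_blocks']} WAF blocks ({', '.join(incident['rules'])}) "
              f"in the same window; review as a possible diversion")
```

Neither log on its own says anything unusual: the DDoS appliance sees a volumetric event and the WAF sees a handful of blocked requests, which it sees every day. Only after both are normalized to one schema and keyed by site and time does the combined incident appear, which is the point the text makes about per-device reports that do not correlate.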

 

Options

Although WAFs have historically been known as difficult and costly, many well-known and lesser-known web application firewall vendors are making significant strides in improving WAF products and deployment strategies. If you do your research, they will help you determine how a web application firewall will work for your organization.

