With 2006 just starting off many are happy to have left a myriad of security problems behind in 2005. I hope you see more security awareness and experience a cleaner network environment this year. This issue brings more technical articles and reflections on the past year. Many of you e-mailed us asking us to review software titles and hardware, so you’ll be glad to know that we have a review in this issue. Keep those comments coming and thanks for the support! Mirko Zorz Chief Editor Visit the magazine website at www.insecuremag.com (IN)SECURE Magazine contacts Feedback and contributions: Mirko Zorz, Chief Editor - [email protected] Marketing: Berislav Kucan, Director of Marketing - [email protected] Distribution (IN)SECURE Magazine can be freely distributed in the form of the original, non modified PDF document. Distribution of substantively modified versions of (IN)SECURE Magazine content is prohibited without the explicit permission from the editor. For reprinting information please send an email to [email protected] or send a fax to 1-866-420-2598. Copyright HNS Consulting Ltd. 2006. www.insecuremag.com The popularity of web application firewalls is on the rise. These tools used to be reserved for a very small percentage of high profile deployments, but, with the number of less costly products appearing on the market and an open source option available for anyone to try out (ModSecurity - modsecurity.org), they are finally available to the majority. In this article I will describe what web application time I thought it was a beautiful idea. Other people firewalls do and give you a quick overview of their must have liked the idea too because by mid 2005 most useful features. After reading the article you we have had formed a team consisting of some of should leave fairly familiar with the subject matter. the very knowledgeable people in the web applica- You should also have enough information to de- tion firewall market. The Web Application Firewall termine whether or not web application firewalls Evaluation Criteria project was born. (It's home have a place in your life. page is at webappsec.org/projects/wafec) The name of the project is a mouthful so we are usu- What is a web application firewall? ally referring to it by the abbreviation WAFEC. To save me some typing I will also refer to web appli- The interesting thing about web application fire- cation firewalls as WAFs from now on. walls is that no one really knows exactly what they are. Or, to say that correctly, it is difficult to get dif- This text is not about the work we've done for the ferent people to agree to a common definition. In project, although my opinions have, without any very broad terms, web application firewalls are doubt, been heavily influenced by it. I mention this specialized tools whose purpose is to increase project now (although it was bound to be men- security in web applications. But try pressing a few tioned sooner or later instead of later) is because I people to give you a more specific definition and remembered one of the emails sent to the project they'll give you more questions than answers. list, which illustrates my point about market confu- Some web application firewalls work are hardware sion beautifully. Achim Hoffmann, one of the fellow devices, some are software applications. Where team members, had sent a list of names various some are network-based, the others work embed- people and organizations used to refer to web ap- ded in web servers. You can try to compile a list of plication firewalls over time. With Achim's permis- web application firewall vendors and visit their web sion, I am providing the full list here (with a couple sites in order to learn more, but chances are you of additions I thought were appropriate): will only get more confused reading what you find there. • Adaptive Firewall • Adaptive Proxy Jeremiah Grossman, spokesman for the Web Ap- • Adaptive Gateway plication Security Consortium (webappsec.org), • Application Firewall approached me in late 2004 with an idea of start- • Application-level Firewall ing a project to figure out the web application fire- • Application-layer Firewall walls. Having been involved with WAFs for some • Application Level Gateway www.insecuremag.com 4 • Application-level Security Gateway picions by using Google to search for each of the • Application Security Gateway terms. Only the term "web application firewall" had • Application Security Device any adverts associated with it. • Stateful Multilayer Inspection Firewall • Web Adaptive Firewall Enough talk; what is a web application • Web Application Firewall firewall? • Web Application Security Device • Web Application Proxy The main reason it is often difficult for people to • Web Application Shield agree on a single definition for a web application • Web Shield firewall is simply because the name is used to re- • Web Security Firewall fer to too many things. If you look at the lower • Web Security Gateway network layers (web application firewalls are situ- • Web Security Proxy ated at layer 7) you will find that they are occupied • Web Intrusion Detection System by many devices, each specialized for a specific • Web Intrusion Prevention System purpose. We have routers, switches, firewalls, in- trusion detection systems, intrusion preventions There are 22 names on the list and none of them systems, and so on. In the HTTP world, however, are entirely adequate, for the reasons I will soon we are seeing roughly the equivalent functionality discuss. Adequate or not, of all the names only crammed into a single device type (and thus only one survived (guess which one). I verified my sus- one name): the web application firewall. THE MAIN REASON IT IS OFTEN DIFFICULT FOR PEOPLE TO AGREE ON A SINGLE DEFINI- TION FOR A WEB APPLICATION FIREWALL IS SIMPLY BECAUSE THE NAME IS USED TO RE- FER TO TOO MANY THINGS. Roughly speaking, it is possible to identify four dis- distinction between intrusion detection and intru- tinct functionality types within what is today called sion prevention if often not quite clear. But Richard a web application firewall (the names in the Bejtlich summed it up well: “... an "IPS" is a layer 7 bracket refer to the equivalent devices on the firewall that inverts the access control best prac- lower network layers): tice of "allow some, deny everything else." (In other words, an IPS performs a "deny some, allow 1. Audit device. Used to capture full content data everything else" function.) I absolutely detest the (Network Security Monitoring) or only transactions IPS label and wish access control devices were that match some criteria (Intrusion Detection Sys- simply identified as such, and not confused with tems). audit devices (e.g., IDSs).” 2. Access control device. Used to control access to web applications, either in positive security Additional confusion is often introduced when the mode (Network Firewalls) or negative security term deep-inspection firewalls is involved. Deep- mode (Intrusion Prevention Systems). inspection firewalls are devices which, some 3. Architectural/Network design tool. When operat- claim, have features equivalent to those of web ing in reverse proxy mode, used to distribute func- application firewalls. But, although there is some tionality, centralize access, virtualize infrastructure similarity, the difference is profound. Deep- and so on. inspection firewalls generally make some effort to 4. Web application hardening tool. Features that look beyond level 3 and into higher levels. Web increase web application security either by resolv- application firewalls, on the other hand, are tools ing the weaknesses inherent to web applications, that are built from the ground up to handle HTTP or by targeting the programming errors in the ap- and they understand it very well. A very good (and plications they are protecting. entertaining) overview of this subject has been provided by Marcus J. Ranum in his 'What is Because of the multi-faceted nature of WAFs peo- "Deep Inspection?' text, available at ple with different backgrounds tend to view them in ranum.com/security/computer_security/editorials/d different light. For example, people with back- eepinspect/. ground in network intrusion detection are likely to view WAFs as an IDS devices that just happen to It is important to accept one fact though: it is not operate on the HTTP level. Of course, to be en- necessary for a device to implement all four types tirely honest, the lower network layers are not of functionality in order for it to be called a web without their problems either. For example, the application firewall. As long as there is a clear www.insecuremag.com 5 understanding of the possible variations, anything a completely new vocabulary. It comes with its that increases web application security can be own set of problems and challenges, which are called a WAF as far as I am concerned. What end different from the ones of TCP/IP. users need to do is first determine what their • The real problem is that web applications are not needs are and then find a tool that fulfils them. simple users of the HTTP protocol. Instead, HTTP is only used to carry the application-specific data. Evolution of Web Intrusion Detection It is as though each application builds its own pro- tocol on top of HTTP. Intrusion detection, as a concept, has been with • Many new protocols are deployed on top of us for many years. Its purpose is to detect attacks HTTP (think of Web Services, XML-RPC, and by looking at the network traffic or by looking at SOAP), pushing the level of complexity further up. operating system events. The term intrusion pre- • Other problems, such as the inability of an NIDS vention is used to refer to systems that are also to see through encrypted SSL channels (which capable of preventing attacks.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages57 Page
-
File Size-