While the rise in cyber crimes and fraud in recent times is disturbing, what's shocking is that these usually exploit web application security vulnerabilities. In fact, blackhat hackers seem to have shifted most of their focus to the web application layer. As a result, organizations are turning to web application firewall (WAF) solutions
Today, the core issue is insecure application coding, since security is not treated as a key priority at the development stage. This may lead to attacks such as SQL (Structured Query Language) injection, cross-site scripting or cross-site request forgery on your Web application. Ways to avoid such attacks include penetration testing, source code review, or setting up WAF solutions.
Regulatory requirements such as those for Payment Card Industry Data Security Standard (PCI-DSS) compliance mandate protection of a Web application, either by source code review or by using a WAF solution. Since source code review can be a very lengthy process, you can go in for WAF solutions to protect your Web application while your developers are fixing code vulnerabilities.
Types of WAF solutions
WAF solutions mainly work through signature- and behavior-based models. In the case of the former, the firewall may detect an attack on the basis of a signature (typically special characters or Unicode-encoded characters). WAF tools look out for the telltale signs of SQL injection, cross-site scripting or cross-site request forgery attacks.
In the case of behavior-based models, WAF solutions take behavioral anomalies into account. For example, an employee providing his personal credit card number for an online purchase should not be treated as information leakage or an attack. Thus, WAF solutions need to distinguish between an event and its context.
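To make the two models concrete, here is a small added example (not code from the article or from any WAF vendor) of a request inspector that decodes Unicode-encoded input before applying signature rules, and applies a context-aware rule that accepts a Luhn-valid card number in the checkout form's card field but flags it anywhere else; the `/checkout` and `card_number` names and the signature patterns are constructed assumptions. A "monitor" mode is included to mirror the learning-and-monitoring phase the article describes later.

```python
import re
from urllib.parse import unquote

# Constructed sample signatures (illustrative, not any vendor's ruleset).
SIGNATURES = {
    "sqli": re.compile(r"(?i)(\bunion\b.*\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+|--\s*$|;\s*drop\b)"),
    "xss": re.compile(r"(?i)(<\s*script|javascript:|\bon\w+\s*=)"),
}
CARD = re.compile(r"\b(?:\d[ -]?){13,16}\b")  # 13-16 digits, optional separators

def normalize(value):
    """Undo %XX and %uXXXX (Unicode) encoding until stable, so encoded
    payloads are matched against the same plain-text signatures."""
    prev = None
    while prev != value:
        prev = value
        value = unquote(value)
        value = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), value)
    return value

def luhn_ok(digits):
    """Luhn checksum: filters out arbitrary digit runs (order ids, phone numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# Context rule: a card number is expected in this field of this form (assumed app layout).
EXPECTED_CARD_FIELDS = {("/checkout", "card_number")}

def inspect(request, mode="block"):
    """Return (action, findings) for a request dict {"path": str, "params": {name: value}}.
    mode="monitor" mirrors a WAF in learning mode: findings are logged, nothing is blocked."""
    findings = []
    for field, value in request["params"].items():
        plain = normalize(value)
        for name, rx in SIGNATURES.items():
            if rx.search(plain):
                findings.append((name, field))
        for m in CARD.finditer(plain):
            digits = re.sub(r"\D", "", m.group(0))
            if luhn_ok(digits) and (request["path"], field) not in EXPECTED_CARD_FIELDS:
                findings.append(("card_leak", field))
    if not findings:
        return "allow", findings
    return ("block" if mode == "block" else "log"), findings
```

The same card number is allowed on the checkout form and flagged in a search box, which is the event-versus-context distinction a pure signature rule cannot make.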
WAF solutions can be hardware-, appliance- or software-based firewalls. While hardware-based WAF solutions sit in front of your Web server or multiple Web servers (in case you run clusters), software-based WAF solutions can be fairly effective if you run on a tight budget. You can also look at open source WAF solutions. Since deployment of software-based WAF solutions has to be done on a per-server basis, it may bring in challenges of maintaining consistent policies across multiple servers.
Hardware-based WAF solutions can be apt for companies that run multiple server clusters (as well as those with sufficient budgets), as they also offer load balancing and SSL (Secure Sockets Layer) encryption and decryption capabilities. Software-based WAF solutions can be the right choice for organizations that run only a couple of servers and have distributed Web applications. Such WAF solutions are less expensive and faster to deploy, as compared to hardware- or appliance-based types. For instance, a high-end hardware-based WAF box could cost around Rs 30 lakh. Barracuda, Imperva, Citrix, Cisco, eEye Digital Security and ModSecurity (an open source offering) are some of the major WAF vendors in the market.
Selecting WAF solutions
The first step in selection of WAF solutions is to decide between hardware-, appliance- and software-based WAF solutions. You can also look for things like the vulnerabilities and attacks that these WAF solutions can detect, the false positive rate at the POC (Proof of Concept) stage, policy customizability, strength of 'out-of-the-box' policies, and reporting structure (producing reports that show compliance with standards like PCI-DSS).
Check aspects like ease of administration, flexibility in terms of configuration and changing parameters, compatibility with existing infrastructure (for example, Active Directory integration), log format (whether it is readable by your existing log management solution), throughput of your Website, number of concurrent sessions supported, and so on. The learning capability of WAF solutions should also be an important criterion. You must check the WAF solution's capability in terms of learning as well as the extent to which it can be guided. Also look for whitelisting and blacklisting capabilities.
Implementation and challenges
Initial configuration of WAF solutions may require external support because you will need personnel with thorough knowledge of Web applications and related attacks. Your application team has to work with the consultant to define rules and parameters for WAF solutions. Otherwise, these solutions will have a high number of false positives, resulting in a dead investment. So WAF solutions should not become a mere item in the compliance checkbox.
Always remember that WAF solutions are not plug-and-play products. These solutions require tweaking and configuration at the start. You must let WAF solutions remain in the learning and monitoring mode for a while, in order to create the required rules and parameters. Your internal security team should be able to manage the firewall once it's in place. You can probably call a consultant once a year to review the health of your WAF implementation.
About the author: KK Mookhey is the founder and principal consultant of NII Consulting, which provides services in IT audits, risk management, compliance and computer forensics.
(As told to Dhwani Pandya)
This was first published in July 2010
