Web Application Firewalls: How to evaluate, purchase and implement
2009-06-09
For the original article in CSO, click here [http://www.csoonline.com/article/494587/web-application-firewalls-how-to-evaluate-purchase-and-implement].
Application-layer attacks bypass standard perimeter defenses. Here's how to evaluate firewalls that screen web application traffic.
- By Mary Brandel
A Web application firewall (WAF) is designed to protect Web applications against common attacks such as cross-site scripting and SQL injection. Whereas network firewalls defend the perimeter of the network, WAFs sit between the Web client and Web server, analyzing application-layer traffic for violations of the programmed security policy, says Michael Cobb, founder of Cobweb Applications, a security consultancy.
While some traditional firewalls provide a degree of application awareness, it is not with the granularity and specificity that WAFs provide, says Diana Kelley, founder of consultancy Security Curve. For instance, a WAF can detect when an application is not behaving the way it was designed to, and it enables you to write specific rules to prevent that kind of attack from recurring.
WAFs also differ from intrusion prevention systems. "It's a very different technology—it's not signature-based, it's behavioral, and it protects against vulnerabilities you [inadvertently] create yourself," says Greg Young, an analyst at Gartner.
One of the primary drivers for WAFs today is the Payment Card Industry Data Security Standard (PCI DSS), which identifies two ways of being in compliance: WAFs and code review. (See Source Code Analysis Tools: How to Choose and Use Them.) But another driver is simply the growing recognition that attacks are moving from the network to applications. In a study by WhiteHat Security, which assessed 877 websites from January 2006 to December 2008, 82 percent had at least one issue of high, critical or urgent severity.
Main WAF Attributes
The web application firewall market is still undefined, with many dissimilar products falling under the WAF umbrella. "Many products provide functionality above and beyond what one would consider a firewall," says Ramon Krikken, research analyst at Burton Group. "This makes products hard to evaluate and compare." In addition, new vendors are entering the market by expanding existing non-WAF products into the integrated segment.
Here are the attributes that a WAF should have, according to a list provided by Ofer Shezaf, founder of research and consulting firm Xiom:
- Have an intimate understanding of HTTP. WAFs need to fully parse and analyze HTTP to be effective.
- Provide a positive security model. A positive security policy allows only traffic known to be valid to pass through. Sometimes called "whitelisting," this provides an external input validation shield over the application.
- Application-layer rules. Because of the high maintenance cost, a positive security model should be augmented by a signature-based system. But since Web applications are custom-coded, traditional signatures targeting known vulnerabilities are not effective. WAF rules should be generic and detect any variant of an attack, such as SQL injection.
- Session-based protection. One of the biggest downsides of HTTP is the lack of a built-in reliable session mechanism. A WAF must complement the application's session management and protect it from session-based and over-time attacks.
- Allow fine-grained policy management. Exceptions should be applied to only minimal parts of the application. Otherwise, false positives force wide-open security gaps.
Web Application Firewall Selection Criteria
The Open Web Application Security Project (OWASP)—an open community focused on improving the security of application software—suggests the following selection criteria for WAFs:
- Very few false positives (i.e., it should never disallow an authorized request).
- Strength of default (out-of-the-box) defenses.
- Power and ease of use of its learning mode.
- Types of vulnerabilities it can prevent.
- Ability to keep individual users constrained to exactly what they have seen in the current session.
- Ability to be configured to prevent specific problems (for example, to act as an emergency patch).
- Form factor: software versus hardware (hardware generally preferred).
Prime Considerations for Web Application Firewalls
WAFs versus source-code scanning. The idea of WAFs protecting applications in real time (rather than fixing them) has drawn criticism in the past. Some vendors are wary of the term "WAF," preferring instead "application awareness" or "application-layer intelligence," Kelley says. Today, however, a growing consensus seems to be that, implemented correctly, WAFs can serve as an important part of a layered security model, as they provide protection while you repair application vulnerabilities.
As Jeremiah Grossman, founder of WhiteHat Security, argues on his blog, there are far too many vulnerabilities to keep up with remediating them in the code itself. He advocates that vulnerabilities found through an assessment be imported as customized rules into a WAF, providing an option to mitigate now and remediate the source of the problem later.