Web Application Firewalls
Web Application Firewalls:
Defense in Depth for Your Web Infrastructure
By Jim Beechey - March 2009
I.
Introduction
Over the past few years, a clear trend has emerged within the information security landscape;
web applications are under attack. “Web applications continue to be a prime vector of attack for
criminals, and the trend shows no sign of abating; attackers increasingly shun network attacks for
cross-site scripting, SQL injection, and many other infiltration techniques aimed at the
application layer.” (Sarwate, 2008) Web application vulnerabilities can be attributed to many
things including poor input validation, insecure session management, improperly configured
system settings and flaws in operating systems and web server software. Certainly writing
secure code is the most effective method for minimizing web application vulnerabilities.
However, writing secure code is much easier said than done and involves several key issues.
First of all, many organizations do not have the staff or budget required to do full code reviews
in order to catch errors. Second, pressure to deliver web applications quickly can cause errors
and encourage less secure development practices. Third, while products used to analyze web
applications are getting better, there is still a large portion of the job that must be done manually
and is susceptible to human error. Securing an organization’s web infrastructure takes a defense
in depth approach and must include input from various areas of IT including the web
development, operations, infrastructure, and security teams.
One technology that can help in the security of a web application infrastructure is a web
application firewall. A web application firewall (WAF) is an appliance or server application that
watches http/https conversations between a client browser and web server at layer 7. The WAF
then has the ability to enforce security policies based upon a variety of criteria including
signatures of known attacks, protocol standards and anomalous application traffic.
II.
Web Application Firewall Architecture
WAF Placement
Appliance-based WAF deployments typically sit directly behind an enterprise firewall and in
front of organizational web servers. Deployments are often done in-line with all traffic flowing
through the web application firewall. However, some solutions can be “out of band” with the
use of a network monitoring port. If network based deployments are not preferred, organizations
have another option. Host or server based WAF applications are installed directly onto corporate
web servers and provide similar feature sets by processing traffic before it reaches the web server
or application.
Security Model
A WAF typically follows either a positive or negative security model when it comes to
developing security policies for your applications. A positive security model only allows traffic
1
Jim Beechey
Web Application Firewalls
to pass which is known to be good, all other traffic is blocked. A negative security model allows
all traffic and attempts to block that which is malicious. Some WAF implementations attempt to
use both models, but generally products use one or the other. “A WAF using a positive security
model typically requires more configuration and tuning, while a WAF with a negative security
model will rely more on behavioral learning capabilities.” (Young, 2008)
Operating Modes
Web Application Firewalls can operate in several distinct modes. Vendor names and support for
different modes vary, so check each product for specific details if a particular mode is desired.
Each mode offers various pros and cons which require organizations to evaluate the correct fit
for their organization.





Reverse Proxy – The full reverse proxy mode is the most common and feature rich
deployment in the web application firewall space. While in reverse proxy mode a device
sits in line and all network traffic passes through the WAF. The WAF has published IP
addresses and all incoming connections terminate at these addresses. The WAF then
makes requests to back end web servers on behalf of the originating browser. This mode
is often required for many of the additional features that a WAF may provide due to the
requirement for connection termination. The downside of a reverse proxy mode is that it
can increase latency which could create problems for less forgiving applications.
Transparent Proxy – When used as a transparent proxy, the WAF sits in line between
the firewall and web server and acts similar to a reverse proxy but does not have an IP
address. This mode does not require any changes to the existing infrastructure, but
cannot provide some of the additional services a reverse proxy can.
Layer 2 Bridge – The WAF sits in line between the firewall and web servers and acts
just like a layer 2 switch. This mode provides high performance and no significant
network changes, however does not provide the advanced services other WAF modes
may provide.
Network Monitor/Out of Band – In this mode, the WAF is not in line and watches
network traffic by sniffing from a monitoring port. This mode is ideal for testing a WAF
in your environment without impacting traffic. If desired, the WAF can still block traffic
in this mode by sending TCP resets to interrupt unwanted traffic.
Host/Server Based - Host or server based WAFs are software applications which are
installed on web servers themselves. Host based WAFs do not provide the additional
features which their network based counterparts may provide. They do, however, have
the advantage of removing a possible point of failure which network based WAFs
introduce. Host based WAFs do increase load on web servers so organizations should be
careful when introducing these applications on heavily used servers.
Additional Features
WAF appliances are often either add-on components of existing application delivery controllers
or include additional features to improve the reliability and performance of web applications.
These additional features can help make the case for implementing a WAF for organizations not
already taking advantage of such features. Not all WAF solutions have these features and many
2
Jim Beechey
Web Application Firewalls
are dependent upon the deployment mode chosen. Typically a reverse-proxy deployment will
support each of these features.





III.
Caching – Reducing load on web servers and increasing performance by caching copies
of regularly requested web content on the WAF thus reducing repeated requests to back
end servers.
Compression – In order to provide for more efficient network transport, certain web
content can be automatically compressed by the WAF and then decompressed by the
browser.
SSL Acceleration – Use of hardware based SSL decryption in a WAF to speed SSL
processing and reduce the burden on back-end web servers.
Load Balancing – Spreading incoming web requests across multiple back end web
servers to improve performance and reliability.
Connection Pooling – Reduces back end server TCP overhead by allowing multiple
requests to use the same back end connection.
Products and Solutions
Non-Commercial Web Application Firewalls
ModSecurity - www.modsecurity.org
The most widely used web application firewall is the open source project ModSecurity.
ModSecurity is currently maintained by Breach Security, a company who also sells commercial
appliances. “ModSecurity is a web application firewall that can work either embedded or as a
reverse proxy. It provides protection from a range of attacks against web applications and allows
for HTTP traffic monitoring, logging and real-time analysis” (ModSecurity, 2008). ModSecurity
generally uses a negative security model and also has several related projects which help enhance
the solution. ModSecurity for Apache is a module for Apache containing ModSecurity. The
ModSecurity Core Rules are a collection of rules that will detect the most common web attacks.
The core rules are a great starting point for those new to ModSecurity. The ModSecurity console
creates a centralized console for individual ModSecurity instances to report logs and alerts to.
The ModSecurity profiler analyzes web application traffic and creates application profiles which
can then be used to implement a positive security model.
Microsoft URLScan - http://learn.iis.net/page.aspx/473/using-urlscan
Another free option exists for Microsoft IIS called URLScan. “UrlScan v3.1 is an ISAPI filter
that reads configuration from a urlscan.ini file and restricts certain types of requests (enumerated
in urlscan.ini) from being executed by IIS.” (IISteam, 2008) URLScan is a solution that
Microsoft IIS shops should strongly consider even if they have a separate web application
firewall. First of all; it’s free, and second, the application runs on the web server itself and,
therefore, can be used as yet another layer of defense.
Commercial Web Application Firewalls
3
Jim Beechey
Web Application Firewalls
Commercial solutions offer the traditional benefits of vendor support and, hopefully, ease of
management. Commercial solutions often come with “out of the box” rules for more common
applications such as Microsoft Outlook Web Access and SharePoint. These solutions also often
provide regular vendor updates for new attacks. Another reason to look at a commercial solution
is the additional features many offer such as load balancing, SSL offloading, caching and
acceleration. Organizations that do not have, or are evaluating, these features should give strong
consideration to commercial solutions. Prices vary tremendously between solutions, primarily
due to their ability to scale to the enterprise, ISP or web hosting level.
Barracuda Networks – www.barracudanetworks.com
Barracuda Networks, most known for their SPAM Firewalls, got into the web application
firewall business with their acquisition of NetContinuum. Barracuda, based in Campbell
California, uses a negative security model for its policies and includes many of the application
controller type features. Barracuda currently has two lines of appliances, the web site firewall
and web application controller lines. The web site firewall line is geared towards small/medium
businesses with units scaled for between 25 to 100Mbps of throughput. The web application
controller line is geared towards larger customers. Pricing for the web site firewall starts at
$5,500.
Breach Security – www.breach.com
Breach Security offers two lines of web application firewall appliances, WebDefend and
ModSecurity Pro M1100. The ModSecurity Pro appliances are based upon the open source
project ModSecurity, which Breach sponsors. According to Breach, the WebDefend line “uses
bi-directional traffic analysis, automated behavioral profiling and multiple collaborative
detection engines to maintain the flow of business-critical traffic while delivering complete
protection for payment card data, Social Security numbers and other sensitive information.“
(Breach Security, 2008) The WebDefend product can sit inline or out of band and uses a positive
security model. The out of band solution removes any latency concerns and comes with server
based agents to help thwart detected attacks. Breach was founded in 2004 and its corporate
headquarters are located in Carlsbad California. Pricing for the WebDefend line starts at 45,000.
Deny All – www.denyall.com
Deny All and their rWeb line is another option in the web application firewall space. The rWeb
line is a proxy-based model and uses a positive security model. Deny All is based in Paris
France. The rWeb appliance also offers caching, compression, load balancing, and SSL off
loading.
F5 – www.f5.com
F5 sells a web application firewall add-in module for its BigIP line of application delivery
controllers and a standalone WAF appliance. F5 calls the device the application security
manager. Based in Seattle Washington, F5 is one of the leading companies in the application
delivery space and their WAF module is a good fit for companies already using their product
4
Jim Beechey
Web Application Firewalls
line. The ASM uses a positive security model for defining security policies and comes with all
the features you would expect from an enterprise ready WAF. One of the more interesting
features is their integration with WhiteHat Sentinel Vulnerability Assessment Service which can
automatically create ASM rules based upon vulnerabilities found from a WhiteHat Sentinel scan.
The standalone WAF is priced around $28,000, while the larger BigIP solution starts around
$65,000.
Imperva – www.imperva.com
The SecureSphere web application firewall from Imperva is one of the more highly regarded
appliances on the market. Gartner says that Imperva “appears most often on Gartner clients’
short lists.” (Young, 2008) Imperva, based in Redwood Shores California, uses what the
company calls “transparent inspection” technology to provide security with high performance.
Security policies are based upon a positive security model and Imperva also has options for
database monitoring and vulnerability scanning. Prices start at $35,000.
Other Vendors













Citrix – Application Firewall – www.citrix.com
Applicure – DotDefender – www.applicure.com
Armorlogic – Profense – www.armorlogic.com
Bee-Ware – iSentry – www.bee-ware.net
BinarySec – Application Firewall – www.binarysec.com
BugSec – www.bugsec.com
eEye Digital Security – SecureIIS – www.eeye.com
Fortify Software – Defender – www.fortifysoftware.com
Forum Systems – Xwall, Sentry – www.forumsys.com
Microsoft - ISA Server – www.microsoft.com/isaserver
Visonys – Airlock – www.visonys.com
mWEbscurity – webApp.secure – www.webscurity.com
Xtradyne – Application Firewalls – www.xtradyne.com
List from (http://www.owasp.org/index.php/Web_Application_Firewall)
IV.
Implementation, Tuning and Maintenance
Web application firewalls are certainly not a plug and play solution. They require rigorous
testing prior to implementation and regular tuning thereafter. During the implantation phase,
most vendors will have either a learning or passive mode so that the WAF can be properly tuned
before blocking any traffic. A solution based upon a positive security model will need to learn
what “normal” traffic looks like for your applications. Negative security model solutions will
typically be deployed in a non-blocking mode so that any false positives can be tuned prior to
turning on blocking capabilities. Similarly to intrusion prevention systems, a WAF requires
regular monitoring of log files to detect attacks and tune false positives. Organizations also need
to consider how to incorporate WAF testing and tuning into their standard development practices
so that the impact of new applications can be evaluated prior to deployment.
5
Jim Beechey
Web Application Firewalls
V.
PCI Compliance
One of the major reasons organizations have an interested in web application firewalls is PCI
DSS version 1.1. Requirement 6.6 states that organizations need to protect web applications by
either reviewing all custom code for vulnerabilities or installing a web application firewall. This
choice sparked a bit of controversy in the industry over which was the best practice. There are a
myriad of arguments on both sides, but most agree that the best approach it to implement both
methods rather than choosing one over the other. This requirement, however, has certainly
shown a bright spotlight on WAF technology and, if anything, given vendors fuel to sell their
products.
VI.
Conclusion
A web application firewall is another tool in your arsenal to protect your organization’s critical
web assets and associated data. They are not a substitute for properly written code or input
validation, however provide an additional layer of defense. A WAF can also be a highly
effective defense for blocking newly discovered vulnerabilities or previously successful attacks.
A WAF can protect a site while vulnerabilities are being fixed and thoroughly tested by your
developers. Any organization with a significant web application infrastructure should consider
deploying a web application firewall as part of a defense in depth strategy.
REFERENCES
Breach Security, (2008). Web Application Security, Application Security. Retrieved January 26,
2009, Web site: http://www.breach.com/company/index.html
IISteam, (2008, Nov 1). Using URLScan. Retrieved December 8, 2009, Web site:
http://learn.iis.net/page.aspx/473/using-urlscan/
ModSecurity, (2008). ModSecurity: open source web application firewall. Retrieved January 16,
2009, Web site: http://www.modsecurity.org
Sarwate, A (2008, July 30). Hot or not: web application firewalls for security and regulatory
compliance. Retrieved February 2, 2009, from SC Magazine Web site:
http://www.scmagazineus.com/Hot-or-not-Web-application-firewalls-for-security-andregulatory-compliance/article/113146/
Young, G (2008, May, 22). An Introduction to Web Application Firewalls. Gartner Research,
G00157756, Retrieved November 11, 2008, from
http://www.gartner.com/DisplayDocument?ref=g_search&id=677008&subref=simplesearch
6
Jim Beechey