4 Environment Support To be effective the WAF has to work well in your environment. The following section describes aspects of a WAF required to support your environment. It is split into [two] sections. The first describes the options for deployment and the requirements your organization might have regarding those options and the impact to the environment. The second aspect is the support offered for the elements of the target environment. This further includes 2 aspects, support for protected applications support for environment options and ability to implement environment options. [MK: The example here is support for various authentication options vs. implementation of those options.] Evaluation guidelines: unless described otherwise, for each criteria group below select and evaluate only the criteria that are relevant to your organization. Keep in mind that requiring unneeded criteria may lead to higher cost and complexity in the solution selected. 4.1 Deployment Model 4.1.1 Packaging Packaging is often a matter of corporate culture and usually does not have significant effect on the quality of the solution. Verify that the WAF supports the packaging method your organization prefers. Note that method of delivery will limit the deployment architecture options available and vice versa. Delivery Method Description Deployment Architecture Options A. Appliance Software bundled with hardware. Appliances are usually highly optimized and may contain specialized hardware components to increase performance (e.g. SSL processors), availability (e.g. “fail-open” network interfaces) or perform other specialized functions (e.g. Lights-Out Management, or “LOM”, interfaces. Reverse Proxy Transparent Proxy Transparent Bridge Non-inline B. Virtual Appliance WAF is delivered as software packaged as an installable virtual instance for a specific hypervisor, e.g an .OVF file for VMWare ESX. Often a specific minimum configuration of resources (memory, disk, etc.) is required. Reverse Proxy Transparent Proxy Transparent Bridge Non-inline C. Software WAF is delivered as an application that can be installed on a generic computer. Often a specific reference configuration of hardware and operating system is required. Reverse Proxy Transparent Proxy Transparent Bridge Non-inline Embedded D. Software as a Service (SaaS) The WAF is provided to the user as a service. In this scenario the physical delivery model for the software can be hidden from the user. This model is typical for ”Cloud” models, but can also be relevant in hosted environments or even for on-premise deployments managed by a managed service provider. Reverse Proxy Transparent Proxy 4.1.2 Deployment Architecture Depending on size your organization may need just one deployment option. For large organizations with a variety of applications and environments, more than one option may be needed. Verify that the WAF supports the deployment mode or modes you prefer: A. D. Deployment Architecture Description Delivery Model Options Reverse Proxy Application traffic is re-directed through the WAF, typically using DNS reconfiguration or networking changes. The WAF terminates the HTTP session with the browser and opens a separate session to the application server. Appliance Virtual Appliance Software SaaS Transparent Proxy "A 'transparent proxy' is a proxy that does not modify the request or response beyond what is required for proxy authentication and identification".i Typically, this means that the client IP appears to the server to be the same as the true source IP of the client. Appliance Virtual Appliance Software SaaS Transparent Bridge Application traffic is intercepted by the WAF at layer 2. This is typically accomplished by deploying the device at a network location through which user sessions normally flow, but in some cases can be accomplished via routing or other networking changes. The WAF does not terminate the user session, allowing the traffic to pass unaltered from browser to server. Appliance Virtual Appliance Software Non-inline Application traffic is forwarded “off-line” to the WAF device through a SPAN port or other network monitoring mechanism. The WAF is typically looking at only a copy of the traffic, so no sessions are terminated or otherwise affected. If desired, blocking must be accomplished via an indirect mechanism. Appliance Virtual Appliance Software Deploying WAFs in non-inline mode significantly reduces the possibility of blocking and is mostly valuable for proof of concept, learning mode, or for information centric deployments. Make sure that the sniffer supports passive decryption of SSL traffic. Embedded Application traffic is intercepted by embedding a WAF as a software module on the web server. Offers horizontal scalability with the number of Web Servers used but may affect web Software server performance. You will need to verify that the WAF supports your web server. 4.1.3 High Availability and Clustering Depending on the availability requirements of your organization you may want to select one of these high availability strategies. Depending on the characteristics of your WAF and your environment, high availability may be achieved “natively” meaning that the WAF itself provides the high availability mechanism or externally, meaning that the infrastructure of the environment provides the mechanism. A. Fail Open Upon failure, traffic is forwarded directly to the application, bypassing the WAF. In this scenario, application up time is preserved, but security functionality is lost during the down time of the WAF solution. Does fail open apply both to physical (e.g., loss of power) and software (e.g., software hang) failures? B. Fail Over Upon failure, control transfers from a primary WAF to a backup system. Fail over systems should ensure minimal disruption of service during fail over. What is the latency of switching nodes? What is the affect on sessions and session security when switching nodes? For many applications resetting sessions will be acceptable and can reduce the complexity of configuration of fail over. Can nodes be geographically distributed across data centers? How does this affect failover and state? C. Clustering An implementation in which multiple systems work simultaneously to increase performance and provide fail over between nodes. Can nodes be geographically distributed across data centers? How does this affect failover and state? For performance related aspects of high availability, refer to the “performance” section [XXX]. 4.2 Application Support It is extremely important that the WAF works seamlessly with your applications. This will ensure the availability and functionality of your application as well as allow the WAF to protect it effectively. This section lists a selection of the possible requirements related to application support. It would be impossible to list all of the possibilities and many smaller organizations will require only a subset of the items listed in this section. Larger organizations, with a more diverse application portfolio are more likely to require a broader set of supported technologies. Evaluation guidelines: The best method to ensure a WAF works with your application is to test it, i.e. to run an acceptance test with the WAF deployed and configured. 4.2.1 Specific Application Support For many organizations the applications in scope for WAF protection will be limited to a specific set of applications. In this case the best option is to list these specific applications and evaluate whether the WAF works well with them. 4.2.2 Application Protocol Support For organizations with a broader application base or that anticipate the need to support a broad range of application technologies, the following is a list of potential application technologies that a WAF may or may not support. Its importance to your organization depends on whether you use the technology or not. A. HTTP HTTP is the fundamental underlying protocol for many web applications. Verify that WAF supports the version(s) in use by your application portfolio. Verify support for relevant versions: 1.HTTP/0.9 2. HTTP/1.0 3. HTTP/1.1 Verify support for encoding types in use. Widely-used encoding types are below (yours may vary): 1. application/x-www-formurlencoded encoding 2. multipart/form-data encoding 3. v0 cookies 4. v1 cookies 5. chunked encoding in requests and responses. 6. request compression 7. response compression B. JSON JSON is a protocol often used for modern and “mobile” web applications. If it is in use by your application portfolio verify that the WAF supports this use. C. Other [MK Are there other application protocols we would want to include as “standard” ones to look at? In some of the comments on WAFEC v1, HTML5 was mentioned which doesn’t quite fit this section on protocols…does it justify a separate section?] [MK: looking for input as to what to put in here as standard support items related to JSON] 4.2.3 SSL Support SSL is often used to encrypt the communications between the browser and the applications. In order to inspect and protect the application a WAF must be able to get access to the unencrypted stream. A. Access How does the WAF access SSL Terminates SSL. The network needs to be re- encrypted communication? configured to move the SSL operations to the WAF itself. WAF decrypts the encrypted traffic to get access to the HTTP data. The communication between the WAF and the web server can be in plain-text, or SSL-encrypted. Passively decrypts SSL. Configured with a copy of the web server's SSL private key WAF decrypts the SSL traffic. The original data stream travels unaffected to the web servers, where it is separately decrypted and processed. Embedded. Working embedded in a web server, a WAF can be positioned to work after the SSL data is decrypted on the server. B. Cipher Suites A Cipher suite refers to the encryption algorithms used to encrypt and decrypt data. Does the WAF support the cipher suites that are in use by the applications? [MK do we want to list ciphers here? We had a list in WAFEC v1 and resulted in a lot of misguided check box evaluations] Some servers allow negotiation of cipher suites based on support by the browser. This may result in an unacceptable cipher suite to be used either unintentionally or via a crafted attack. Can the WAF enforce a minimum or specific cipher suite. C. Client Certificates Client certificate D. Implementation Security Some environments require special certification of the handling of private encryption keys and/or certification of the underlying encryption software. Can the WAF retrieve SSL keys from an external key storage facility (e.g. local or network-based Hardware Security Module)? Is the SSL implementation FIPS 140-2 certified? Which FIPS levels are supported (level II and/or III)? 4.2.4 Authentication Support Many applications that warrant the protection of a WAF are authenticated applications. As such it is important that the WAF can support the authentication methods in use for your applications. For all modes, verify the following for all relevant authentication schemes: 1. Application functionality and authentication continues to operate with WAF in place? 2. WAF can identify users for policies? [MK In some cases, users will want the WAF to be the point of authentication, I feel this should be in “other functionality” do others agree? A. Authentication Scheme Considerations Client Side Certificates Are client certificates supported in all relevant modes for the deployment? For termination mode, can the content from client certificates be sent to the application using some alternative transport method (e.g. request headers). B. Basic Authentication C. Digest Authentication D. NTLM Authentication E. Other Many applications use an outside software or service for authentication. For example, higher security environments might require a two-factor authentication for users. These solutions might use a combination of the above methods in combination with proprietary capabilities. Verify the WAF supports the specific authentication product or service in use. Reverse proxy Transparent reverse proxy Transparent bridge Out of line Embedded Network architecture changes Yes No No No No Software configuration changes Yes (1) No No No Yes requires installation on each web server that needs protection Site/application changes In some cases (1) In some cases (1) No No No Network point of failure Yes, but can be deployed in HA configuration Yes, can be when fitted with a failopen card or configured for high availability Yes, but can be fitted with a failopen card or configured for high availability No No Change to traffic dynamics Yes. Traffic redirected to proxy via DNS or routing changes. Yes. Traffic redirected to proxy via DNS or routing changes. No No No. Negative web server performance impact None None None None Competes for server resources; can affect server on malfunction Network separation Yes Yes Yes No No Scaling TODO TODO TODO TODO Easy; scales implicitly with web servers SSL Termination Termination Passive decryption Passive decryption Not applicable Changes client IP Address Yes . No No No No Response Options (see section 3.2 for definitions) Passive Active Intrusive Passive Active Intrusive Passive Active Intrusive Passive Passive Active Intrusive Content rewriting Yes Yes Limited No Yes Notes: 1. There are two cases when application changes may be required: 1. If the site requires client IP address to operate correctly and it is not possible to modify the configuration of the web server "fake" this information, then the only other solution is to modify the application to take the client IP address information from somewhere else (typically request headers) 2. If the site relies on the SSL private certificates to operate correctly then it will have to modify to retrieve this information from somewhere else (typically request headers). i RFC 2616 (Hypertext Transfer Protocol—HTTP/1.1) http://tools.ietf.org/html/rfc2616