Web Application Firewalls Web Application Firewalls: Defense in Depth for Your Web Infrastructure By Jim Beechey - March 2009 I. Introduction Over the past few years, a clear trend has emerged within the information security landscape; web applications are under attack. “Web applications continue to be a prime vector of attack for criminals, and the trend shows no sign of abating; attackers increasingly shun network attacks for cross-site scripting, SQL injection, and many other infiltration techniques aimed at the application layer.” (Sarwate, 2008) Web application vulnerabilities can be attributed to many things including poor input validation, insecure session management, improperly configured system settings and flaws in operating systems and web server software. Certainly writing secure code is the most effective method for minimizing web application vulnerabilities. However, writing secure code is much easier said than done and involves several key issues. First of all, many organizations do not have the staff or budget required to do full code reviews in order to catch errors. Second, pressure to deliver web applications quickly can cause errors and encourage less secure development practices. Third, while products used to analyze web applications are getting better, there is still a large portion of the job that must be done manually and is susceptible to human error. Securing an organization’s web infrastructure takes a defense in depth approach and must include input from various areas of IT including the web development, operations, infrastructure, and security teams. One technology that can help in the security of a web application infrastructure is a web application firewall. A web application firewall (WAF) is an appliance or server application that watches http/https conversations between a client browser and web server at layer 7. The WAF then has the ability to enforce security policies based upon a variety of criteria including signatures of known attacks, protocol standards and anomalous application traffic. II. Web Application Firewall Architecture WAF Placement Appliance-based WAF deployments typically sit directly behind an enterprise firewall and in front of organizational web servers. Deployments are often done in-line with all traffic flowing through the web application firewall. However, some solutions can be “out of band” with the use of a network monitoring port. If network based deployments are not preferred, organizations have another option. Host or server based WAF applications are installed directly onto corporate web servers and provide similar feature sets by processing traffic before it reaches the web server or application. Security Model A WAF typically follows either a positive or negative security model when it comes to developing security policies for your applications. A positive security model only allows traffic 1 Jim Beechey Web Application Firewalls to pass which is known to be good, all other traffic is blocked. A negative security model allows all traffic and attempts to block that which is malicious. Some WAF implementations attempt to use both models, but generally products use one or the other. “A WAF using a positive security model typically requires more configuration and tuning, while a WAF with a negative security model will rely more on behavioral learning capabilities.” (Young, 2008) Operating Modes Web Application Firewalls can operate in several distinct modes. Vendor names and support for different modes vary, so check each product for specific details if a particular mode is desired. Each mode offers various pros and cons which require organizations to evaluate the correct fit for their organization. Reverse Proxy – The full reverse proxy mode is the most common and feature rich deployment in the web application firewall space. While in reverse proxy mode a device sits in line and all network traffic passes through the WAF. The WAF has published IP addresses and all incoming connections terminate at these addresses. The WAF then makes requests to back end web servers on behalf of the originating browser. This mode is often required for many of the additional features that a WAF may provide due to the requirement for connection termination. The downside of a reverse proxy mode is that it can increase latency which could create problems for less forgiving applications. Transparent Proxy – When used as a transparent proxy, the WAF sits in line between the firewall and web server and acts similar to a reverse proxy but does not have an IP address. This mode does not require any changes to the existing infrastructure, but cannot provide some of the additional services a reverse proxy can. Layer 2 Bridge – The WAF sits in line between the firewall and web servers and acts just like a layer 2 switch. This mode provides high performance and no significant network changes, however does not provide the advanced services other WAF modes may provide. Network Monitor/Out of Band – In this mode, the WAF is not in line and watches network traffic by sniffing from a monitoring port. This mode is ideal for testing a WAF in your environment without impacting traffic. If desired, the WAF can still block traffic in this mode by sending TCP resets to interrupt unwanted traffic. Host/Server Based - Host or server based WAFs are software applications which are installed on web servers themselves. Host based WAFs do not provide the additional features which their network based counterparts may provide. They do, however, have the advantage of removing a possible point of failure which network based WAFs introduce. Host based WAFs do increase load on web servers so organizations should be careful when introducing these applications on heavily used servers. Additional Features WAF appliances are often either add-on components of existing application delivery controllers or include additional features to improve the reliability and performance of web applications. These additional features can help make the case for implementing a WAF for organizations not already taking advantage of such features. Not all WAF solutions have these features and many 2 Jim Beechey Web Application Firewalls are dependent upon the deployment mode chosen. Typically a reverse-proxy deployment will support each of these features. III. Caching – Reducing load on web servers and increasing performance by caching copies of regularly requested web content on the WAF thus reducing repeated requests to back end servers. Compression – In order to provide for more efficient network transport, certain web content can be automatically compressed by the WAF and then decompressed by the browser. SSL Acceleration – Use of hardware based SSL decryption in a WAF to speed SSL processing and reduce the burden on back-end web servers. Load Balancing – Spreading incoming web requests across multiple back end web servers to improve performance and reliability. Connection Pooling – Reduces back end server TCP overhead by allowing multiple requests to use the same back end connection. Products and Solutions Non-Commercial Web Application Firewalls ModSecurity - www.modsecurity.org The most widely used web application firewall is the open source project ModSecurity. ModSecurity is currently maintained by Breach Security, a company who also sells commercial appliances. “ModSecurity is a web application firewall that can work either embedded or as a reverse proxy. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis” (ModSecurity, 2008). ModSecurity generally uses a negative security model and also has several related projects which help enhance the solution. ModSecurity for Apache is a module for Apache containing ModSecurity. The ModSecurity Core Rules are a collection of rules that will detect the most common web attacks. The core rules are a great starting point for those new to ModSecurity. The ModSecurity console creates a centralized console for individual ModSecurity instances to report logs and alerts to. The ModSecurity profiler analyzes web application traffic and creates application profiles which can then be used to implement a positive security model. Microsoft URLScan - http://learn.iis.net/page.aspx/473/using-urlscan Another free option exists for Microsoft IIS called URLScan. “UrlScan v3.1 is an ISAPI filter that reads configuration from a urlscan.ini file and restricts certain types of requests (enumerated in urlscan.ini) from being executed by IIS.” (IISteam, 2008) URLScan is a solution that Microsoft IIS shops should strongly consider even if they have a separate web application firewall. First of all; it’s free, and second, the application runs on the web server itself and, therefore, can be used as yet another layer of defense. Commercial Web Application Firewalls 3 Jim Beechey Web Application Firewalls Commercial solutions offer the traditional benefits of vendor support and, hopefully, ease of management. Commercial solutions often come with “out of the box” rules for more common applications such as Microsoft Outlook Web Access and SharePoint. These solutions also often provide regular vendor updates for new attacks. Another reason to look at a commercial solution is the additional features many offer such as load balancing, SSL offloading, caching and acceleration. Organizations that do not have, or are evaluating, these features should give strong consideration to commercial solutions. Prices vary tremendously between solutions, primarily due to their ability to scale to the enterprise, ISP or web hosting level. Barracuda Networks – www.barracudanetworks.com Barracuda Networks, most known for their SPAM Firewalls, got into the web application firewall business with their acquisition of NetContinuum. Barracuda, based in Campbell California, uses a negative security model for its policies and includes many of the application controller type features. Barracuda currently has two lines of appliances, the web site firewall and web application controller lines. The web site firewall line is geared towards small/medium businesses with units scaled for between 25 to 100Mbps of throughput. The web application controller line is geared towards larger customers. Pricing for the web site firewall starts at $5,500. Breach Security – www.breach.com Breach Security offers two lines of web application firewall appliances, WebDefend and ModSecurity Pro M1100. The ModSecurity Pro appliances are based upon the open source project ModSecurity, which Breach sponsors. According to Breach, the WebDefend line “uses bi-directional traffic analysis, automated behavioral profiling and multiple collaborative detection engines to maintain the flow of business-critical traffic while delivering complete protection for payment card data, Social Security numbers and other sensitive information.“ (Breach Security, 2008) The WebDefend product can sit inline or out of band and uses a positive security model. The out of band solution removes any latency concerns and comes with server based agents to help thwart detected attacks. Breach was founded in 2004 and its corporate headquarters are located in Carlsbad California. Pricing for the WebDefend line starts at 45,000. Deny All – www.denyall.com Deny All and their rWeb line is another option in the web application firewall space. The rWeb line is a proxy-based model and uses a positive security model. Deny All is based in Paris France. The rWeb appliance also offers caching, compression, load balancing, and SSL off loading. F5 – www.f5.com F5 sells a web application firewall add-in module for its BigIP line of application delivery controllers and a standalone WAF appliance. F5 calls the device the application security manager. Based in Seattle Washington, F5 is one of the leading companies in the application delivery space and their WAF module is a good fit for companies already using their product 4 Jim Beechey Web Application Firewalls line. The ASM uses a positive security model for defining security policies and comes with all the features you would expect from an enterprise ready WAF. One of the more interesting features is their integration with WhiteHat Sentinel Vulnerability Assessment Service which can automatically create ASM rules based upon vulnerabilities found from a WhiteHat Sentinel scan. The standalone WAF is priced around $28,000, while the larger BigIP solution starts around $65,000. Imperva – www.imperva.com The SecureSphere web application firewall from Imperva is one of the more highly regarded appliances on the market. Gartner says that Imperva “appears most often on Gartner clients’ short lists.” (Young, 2008) Imperva, based in Redwood Shores California, uses what the company calls “transparent inspection” technology to provide security with high performance. Security policies are based upon a positive security model and Imperva also has options for database monitoring and vulnerability scanning. Prices start at $35,000. Other Vendors Citrix – Application Firewall – www.citrix.com Applicure – DotDefender – www.applicure.com Armorlogic – Profense – www.armorlogic.com Bee-Ware – iSentry – www.bee-ware.net BinarySec – Application Firewall – www.binarysec.com BugSec – www.bugsec.com eEye Digital Security – SecureIIS – www.eeye.com Fortify Software – Defender – www.fortifysoftware.com Forum Systems – Xwall, Sentry – www.forumsys.com Microsoft - ISA Server – www.microsoft.com/isaserver Visonys – Airlock – www.visonys.com mWEbscurity – webApp.secure – www.webscurity.com Xtradyne – Application Firewalls – www.xtradyne.com List from (http://www.owasp.org/index.php/Web_Application_Firewall) IV. Implementation, Tuning and Maintenance Web application firewalls are certainly not a plug and play solution. They require rigorous testing prior to implementation and regular tuning thereafter. During the implantation phase, most vendors will have either a learning or passive mode so that the WAF can be properly tuned before blocking any traffic. A solution based upon a positive security model will need to learn what “normal” traffic looks like for your applications. Negative security model solutions will typically be deployed in a non-blocking mode so that any false positives can be tuned prior to turning on blocking capabilities. Similarly to intrusion prevention systems, a WAF requires regular monitoring of log files to detect attacks and tune false positives. Organizations also need to consider how to incorporate WAF testing and tuning into their standard development practices so that the impact of new applications can be evaluated prior to deployment. 5 Jim Beechey Web Application Firewalls V. PCI Compliance One of the major reasons organizations have an interested in web application firewalls is PCI DSS version 1.1. Requirement 6.6 states that organizations need to protect web applications by either reviewing all custom code for vulnerabilities or installing a web application firewall. This choice sparked a bit of controversy in the industry over which was the best practice. There are a myriad of arguments on both sides, but most agree that the best approach it to implement both methods rather than choosing one over the other. This requirement, however, has certainly shown a bright spotlight on WAF technology and, if anything, given vendors fuel to sell their products. VI. Conclusion A web application firewall is another tool in your arsenal to protect your organization’s critical web assets and associated data. They are not a substitute for properly written code or input validation, however provide an additional layer of defense. A WAF can also be a highly effective defense for blocking newly discovered vulnerabilities or previously successful attacks. A WAF can protect a site while vulnerabilities are being fixed and thoroughly tested by your developers. Any organization with a significant web application infrastructure should consider deploying a web application firewall as part of a defense in depth strategy. REFERENCES Breach Security, (2008). Web Application Security, Application Security. Retrieved January 26, 2009, Web site: http://www.breach.com/company/index.html IISteam, (2008, Nov 1). Using URLScan. Retrieved December 8, 2009, Web site: http://learn.iis.net/page.aspx/473/using-urlscan/ ModSecurity, (2008). ModSecurity: open source web application firewall. Retrieved January 16, 2009, Web site: http://www.modsecurity.org Sarwate, A (2008, July 30). Hot or not: web application firewalls for security and regulatory compliance. Retrieved February 2, 2009, from SC Magazine Web site: http://www.scmagazineus.com/Hot-or-not-Web-application-firewalls-for-security-andregulatory-compliance/article/113146/ Young, G (2008, May, 22). An Introduction to Web Application Firewalls. Gartner Research, G00157756, Retrieved November 11, 2008, from http://www.gartner.com/DisplayDocument?ref=g_search&id=677008&subref=simplesearch 6 Jim Beechey