Web application firewalls offer effective protection from increasingly common exploits.
As businesses place more applications on the Web, they expose more of their sensitive data to attackers. Browser-based applications pass straight through the organization's security perimeter: the network firewall must leave HTTP and HTTPS open, so every request to a Web application reaches the internal systems behind it. It is little wonder that the majority of attacks today target Web applications directly.
ComputerWorld recently reported that the percentage of online vulnerabilities attributable to security holes in Web applications jumped to 72 percent in Q2 of 2007 from 67 percent in Q1. Conversely, security holes attributable to network vulnerabilities fell to 28 percent from 33 percent.
Organizations unwittingly leave themselves open to application-layer attacks because they don't realize that their existing defenses cannot deflect them, according to a study by Forrester Research. "Most enterprises are not even aware that their traditional network firewalls cannot protect against these attacks," the firm noted in the study.
Recently, traditional firewall vendors have begun touting "application layer security," folding intrusion detection and intrusion prevention functionality into their products. These products have proven largely ineffective against application attacks for two fundamental reasons: 1) they inspect packets and sessions without any model of the specific application behind them, and 2) they rely on signatures of known attacks or generic patterns of abnormal behavior, so an attack aimed at a flaw unique to one application, for which no signature exists, passes straight through.
Beyond Standard Firewalls
As a result, businesses today are being forced to build a high degree of security into the applications themselves. The logical first step is to scan and fix the code during development to eliminate security holes up front, but most information security experts agree that organizations should also consider deploying a Web application firewall (WAF) to protect code that may still contain flaws, including applications that cannot be fixed quickly.
Standard firewalls are designed to restrict access to ports or services that an administrator doesn't want unauthorized people to reach. WAFs, on the other hand, enforce rules based on the application's specific logic (which URLs exist, which parameters each page accepts, what values those parameters may take) rather than on generic traffic patterns. They are delivered either as software or as hardware appliances, and are installed in front of a Web server in an effort to shield it from incoming attacks.
WAFs are sometimes called "deep packet inspection firewalls" because they examine every HTTP request and response at the application layer rather than just packet headers. Unlike intrusion-prevention products that try to identify and keep out "bad traffic" (a negative security model), most WAFs apply rules and policies that describe known "good traffic" (a positive security model). Under such a policy the product blocks any request that does not conform to the application's expected behavior: an unknown URL, an unexpected parameter, or a value of the wrong length or character set. This makes WAFs effective against automated scanners probing for vulnerable scripts, and at protecting e-commerce sites from the theft of customer information through application logic attacks. The caveat is that a positive model is only as good as the profile behind it: the profile must be learned or configured for each application and updated whenever the application changes, or legitimate traffic will be blocked.
Best Behavior
WAFs can detect and mitigate exploits for which no signature exists in real time, adding accurate, complementary protection to existing firewalls and intrusion detection systems. In addition, application-layer inspection combined with behavioral logic protects against requests that merely mimic legitimate application activity.
Behavior-based protection simply means that the WAF verifies that the requests and responses flowing through the Web server do not vary from accepted norms: the pages that exist, the fields each form submits, the length and character set of each value, and the cookies and session identifiers the application issued. On the response side, it can block a page carrying injected script before that page reaches the user's browser. This capability offers strong protection against such known exploits as SQL injection, overlong inputs that trigger buffer overflows, form-field manipulation, session hijacking, path traversal and forceful browsing.
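The positive-model filtering described above and in the "deep packet inspection" section, as an added example that is not code from the article or from any WAF vendor. A per-URL profile of accepted parameters is the "known good traffic" policy; a request that deviates from it is rejected. A minimal signature filter is included for contrast, to show the case the article says signatures miss (a parameter the application never defined). The URLs, profiles and sample requests are constructed for illustration.

```python
"""Toy positive-security-model request filter (added example).

Each URL gets a profile of the parameters it accepts, with a pattern and a
length cap for each. Anything outside the profile is rejected, which covers
forceful browsing (unknown URL), form-field manipulation (unknown or
duplicated field), overlong input, path traversal and SQL injection without
a signature for any of them. The profiles below are hypothetical.
"""
import re
from urllib.parse import urlsplit, parse_qsl, unquote, unquote_plus

PROFILES = {
    "/login": {
        "methods": {"POST"},
        "params": {
            "user": (re.compile(r"[A-Za-z0-9._@-]{1,64}"), 64),
            "pass": (re.compile(r"[^\x00-\x1f]{1,128}"), 128),
        },
    },
    "/account": {
        "methods": {"GET"},
        "params": {"id": (re.compile(r"[0-9]{1,10}"), 10)},
    },
    "/download": {
        "methods": {"GET"},
        "params": {"file": (re.compile(r"[A-Za-z0-9_-]{1,40}\.pdf"), 44)},
    },
}


def check_request(method, target, body=""):
    """Positive model: return (allowed, reason); only profile-conforming requests pass."""
    parts = urlsplit(target)
    path = unquote(parts.path)          # decode %2e%2e%2f style tricks before comparing
    if path not in PROFILES:
        return False, "path not in profile"          # forceful browsing
    prof = PROFILES[path]
    if method not in prof["methods"]:
        return False, "method not allowed"
    params = parse_qsl(parts.query, keep_blank_values=True)
    if body:
        params += parse_qsl(body, keep_blank_values=True)
    seen = set()
    for name, value in params:
        if name not in prof["params"]:
            return False, f"unexpected parameter {name!r}"   # form-field manipulation
        if name in seen:
            return False, f"duplicate parameter {name!r}"    # parameter pollution
        seen.add(name)
        pattern, maxlen = prof["params"][name]
        if len(value) > maxlen:
            return False, f"{name!r} exceeds {maxlen} bytes"  # overlong input
        if not pattern.fullmatch(value):
            return False, f"{name!r} fails pattern"           # injection, traversal, bad charset
    return True, "ok"


# Negative model for contrast: a few hypothetical attack signatures.
SIGNATURES = [re.compile(p, re.I) for p in (r"'\s*or\s+\d+=\d+", r"\.\./", r"<script")]


def signature_check(method, target, body=""):
    """Signature model: return True (allowed) unless a known attack string appears."""
    raw = unquote_plus(target) + "&" + unquote_plus(body)
    return not any(sig.search(raw) for sig in SIGNATURES)


if __name__ == "__main__":
    samples = [
        ("POST", "/login", "user=alice&pass=s3cret"),
        ("POST", "/login", "user=alice'+OR+1=1--&pass=x"),
        ("GET", "/account?id=42&admin=1", ""),       # no signature, but not a real field
        ("GET", "/download?file=../../etc/passwd", ""),
        ("GET", "/admin/console", ""),
    ]
    for m, t, b in samples:
        print(m, t, b, "| positive:", check_request(m, t, b), "| signature:", signature_check(m, t, b))
```

The `admin=1` request is the instructive one: the signature filter passes it because nothing in it looks like an attack, while the profile rejects it because `/account` never defined that field.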
Some WAFs can also be configured to mask identifiable information in outgoing responses, such as Social Security numbers, credit card numbers, account numbers, patient health data and phone numbers. Another feature in some products is Web server cloaking, which prevents attackers from identifying what software the site runs. This involves stripping the headers and banners that fingerprint the operating system and Web server, replacing verbose HTTP error messages with generic ones, removing application error messages (stack traces, database errors) from pages sent to users, and checking that no server-side code leaks out onto Web pages.
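The response-side features described above (data masking and server cloaking), as an added example that is not the article's or any product's code. It masks card numbers that pass the Luhn check, so that an ordinary order number of the same length is left alone, masks US-style Social Security numbers, drops headers that fingerprint the server stack, and swaps a body that betrays an application error for a generic page. The header names, leak markers and sample response are constructed for illustration.

```python
"""Toy response filter: data masking and server cloaking (added example)."""
import re

# 13-19 digits, optionally separated by spaces or dashes, on word boundaries
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Hypothetical set of headers that fingerprint the OS/Web server/framework
FINGERPRINT_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}
# Hypothetical strings that show an application error message has leaked
LEAK_MARKERS = ("Traceback (most recent call last)", "ODBC", "mysql_", "at java.", "Warning: ")
GENERIC_ERROR = "<html><body>An error occurred. Please try again later.</body></html>"


def luhn_ok(number):
    """Luhn checksum over the digits in `number`; True for a plausible card number."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask_card(match):
    """Keep the last four digits and any separators; mask the rest."""
    raw = match.group(0)
    if not luhn_ok(raw):
        return raw                # not a card number, leave it alone
    total_digits = sum(c.isdigit() for c in raw)
    out, n = [], 0
    for c in raw:
        if c.isdigit():
            n += 1
            out.append(c if n > total_digits - 4 else "*")
        else:
            out.append(c)
    return "".join(out)


def scrub_body(body):
    """Mask card numbers and SSNs in a response body."""
    body = CARD_RE.sub(_mask_card, body)
    body = SSN_RE.sub(lambda m: "***-**-" + m.group(0)[-4:], body)
    return body


def cloak(status, headers, body):
    """Return (status, headers, body) with fingerprints removed and leaks replaced."""
    clean = {k: v for k, v in headers.items() if k.lower() not in FINGERPRINT_HEADERS}
    if status >= 500 or any(marker in body for marker in LEAK_MARKERS):
        return status, clean, GENERIC_ERROR
    return status, clean, scrub_body(body)


if __name__ == "__main__":
    # Constructed sample responses
    ok_headers = {"Server": "Apache/2.2.4 (Unix) PHP/5.2.3", "Content-Type": "text/html"}
    ok_body = ("Thanks Alice. Card 4111 1111 1111 1111 charged. "
               "SSN 123-45-6789 on file. Order 1234567890123456.")
    print(cloak(200, ok_headers, ok_body))
    err_body = "Warning: mysql_connect(): Access denied for user 'app'@'localhost' in /var/www/db.php on line 12"
    print(cloak(200, {"X-Powered-By": "PHP/5.2.3"}, err_body))
```

Masking on the response path is a last line of defense: it hides data the application should not have emitted in the first place, and the Luhn check only reduces, not eliminates, false matches on other 16-digit identifiers.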
Growth Anticipated
Forrester lists Breach Security, Citrix Systems, F5 Networks, Imperva, NetContinuum and Protegrity as the leading WAF vendors. The research firm says WAF sales have more than doubled during the last two years, and Forrester expects that pace of growth to continue through 2008 with market revenue reaching $184 million in 2009.
Awareness of Web application threats may grow as businesses come into compliance with the Payment Card Industry Data Security Standard (PCI DSS), which is intended to protect credit card numbers and other personal data handled during card transactions and online purchases, Forrester says. The standard names a WAF as one of two acceptable options for protecting Web applications against unknown attacks. The other option is reviewing the security of each Web application and fixing the flaws found, according to the Forrester study.
Today, every aspect of business is migrating to the Web. Unfortunately, every time a new Web-based application is created, back-end systems previously sheltered from direct access are connected to the Internet, and potentially to the world. The result is that a company's critical data is exposed to external attack. While WAFs don't eliminate the need for rigorous testing, patching and securing of Web applications, they are effective at identifying and blocking many of the most common types of Web application attacks.