
Attackers are no longer merely scanning for open ports on network firewalls; they have shifted their tactics to targeting applications directly. A widely repeated industry figure puts about 80 percent of attacks at the application layer. Such attacks arrive as ordinary-looking HTTP or HTTPS requests on ports the perimeter firewall must allow, so they pass straight through traditional perimeter and core network protection.
“The need to protect Web applications that contain sensitive credit, financial or personal information from increasingly sophisticated attacks and data loss has never been greater,” said Paula Musich, senior analyst, Current Analysis. “The simple fact of the matter is that organizations are deploying Web applications and regulated Internet-facing data more broadly than ever. For hackers and cyber-criminals, that’s like painting a giant bulls-eye on those applications.”
Web application firewalls (WAFs) are proving useful in protecting Web apps against attack. A WAF is an appliance or server application that watches HTTP/HTTPS conversations between a client browser and a Web server at layer 7, the application layer. The WAF can then enforce security policies based on a variety of criteria, including signatures of known attacks, conformance to protocol standards, and anomalous application traffic.
While WAFs add a new layer of protection to an organization’s security arsenal, the broad array of product form factors, architectures and other selection criteria make evaluation difficult. One of the chief considerations is whether to choose a non-proxy-based or proxy-based WAF.
In proxy-based application firewalls, the connection to the application is controlled by the proxy, and no packets or sessions flow to the back end until the proxy has inspected and validated the incoming data. The proxy maintains two separate TCP connections, one with the client and one with the back-end server, and inspects the user session on one side while managing the server session on the other.
Non-proxy-based application firewalls either sniff a copy of the traffic from a switch monitoring port (a Switched Port Analyzer, or SPAN, port) or sit in the traffic path without fully terminating the TCP/IP protocol. These products are an extension of intrusion prevention systems, which data centers commonly use to defend desktops and servers against well-known virus and worm traffic. When deciding which WAF technology best suits your needs, the following functionalities are worth examining:
Attackers gather information before launching an attack on a Web server by deliberately triggering error conditions on a Web site, for example with malformed parameters, requests for non-existent pages, or input that breaks a database query. The resulting error messages often expose the Web server, application server or database being used, sometimes down to version numbers, file paths and fragments of SQL. That information is then used to launch a full-scale attack on the Web infrastructure.
A proxy-based WAF intercepts the response from the back-end server and forwards it to the client only if it is not an error. If the response is an error, the WAF can suppress the body containing debugging information and send a custom response instead. The WAF can also remove headers such as the Server banner and X-Powered-By, which identify the server software and can be used to fingerprint it.
A WAF should secure applications even when the incoming traffic is encrypted, or encoded using a nonstandard character encoding. A proxy-based WAF decrypts and normalizes data (percent-decoding, entity decoding, Unicode folding) before running its checks, so that an attack cannot be smuggled past the signatures inside an encrypted or encoded request. It also offers multiple ways of securing inputs. A non-proxy-based WAF does not terminate the connection, so it cannot rewrite, encrypt or digitally sign application data, and its input validation is limited to what it can reconstruct from the packets it observes.
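The normalization step described above, as an added example that is not code from any WAF product: each request parameter is decoded until it stops changing (so double-encoded payloads such as %253C are unwrapped), HTML entities are decoded, Unicode is NFKC-folded so fullwidth look-alikes collapse to ASCII, and NUL bytes are dropped, and only then is it matched against signatures. The signature list, the decode-pass limit and the helper names are illustrative assumptions.

```python
"""Normalize a request parameter before inspecting it, as an inline WAF would.

Added example, not the code of any WAF product.  SIGNATURES and
MAX_DECODE_PASSES are illustrative assumptions; a real rule set is far larger.
"""
import html
import re
import unicodedata
from typing import Tuple
from urllib.parse import unquote

# Deliberately tiny signature list, for illustration only.
SIGNATURES = [
    re.compile(r"<script\b", re.IGNORECASE),          # reflected/stored XSS
    re.compile(r"\bunion\b\s+\bselect\b", re.IGNORECASE),  # SQL injection
    re.compile(r"\.\./"),                             # path traversal
]

# Attackers nest encodings; bound the loop so a hostile value cannot make us spin.
MAX_DECODE_PASSES = 4


def normalize(value: str) -> str:
    """Undo the encodings a browser or server would undo, repeatedly.

    Percent-decoding (UTF-8) and HTML-entity decoding are applied until the
    value stops changing, then NFKC folding maps fullwidth or composed
    look-alike characters onto their ASCII forms, and NUL bytes are removed.
    """
    current = value
    for _ in range(MAX_DECODE_PASSES):
        decoded = html.unescape(unquote(current))
        if decoded == current:
            break
        current = decoded
    current = unicodedata.normalize("NFKC", current)
    return current.replace("\x00", "")


def inspect(raw_value: str) -> Tuple[bool, str]:
    """Return (blocked, normalized_value) for one parameter value."""
    normalized = normalize(raw_value)
    for signature in SIGNATURES:
        if signature.search(normalized):
            return True, normalized
    return False, normalized


if __name__ == "__main__":
    # Constructed sample inputs: a naive check on the raw string misses all three.
    for sample in ("%253Cscript%253Ealert(1)", "&lt;script&gt;", "%EF%BC%9Cscript%EF%BC%9E"):
        print(sample, "->", inspect(sample))
```

Note that the loop compares before and after each pass rather than decoding a fixed number of times: a value that is already plain text is left alone, and a value encoded three deep is unwrapped fully, both without special cases.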
Proxy-based WAFs intercept outbound data, so they can be configured to ensure that sensitive data such as credit card numbers are either masked or blocked altogether, preventing data leakage. This is possible because the proxy-based WAF sits in line with the application server and secures both the incoming and the outgoing path. Non-proxy-based WAFs do not offer this: a copy of a response that has already left the server cannot be masked.
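The outbound filtering described in the two preceding points (error suppression and banner removal, then masking of card numbers), as one added example that is not code from any WAF product. A response is modelled as a (status, headers, body) tuple; 5xx responses are replaced by a generic page, identifying headers are dropped, and any digit run that passes the Luhn check is masked down to its last four digits so that order numbers and similar values are left alone. The header list, the status policy and the candidate regex are illustrative assumptions.

```python
"""Filter a back-end response before it reaches the client, as an inline proxy can.

Added example, not the code of any WAF product.  BANNER_HEADERS, the
'>= 500 means error' policy and CARD_CANDIDATE are illustrative assumptions.
"""
import re
from typing import Dict, Tuple

Response = Tuple[int, Dict[str, str], str]  # (status, headers, body)

# Headers that reveal the server stack (assumed list; tune per deployment).
BANNER_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version"}

GENERIC_ERROR_BODY = "<html><body><h1>An error occurred</h1></body></html>"

# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so that plain numeric identifiers are not masked by accident."""
    total = 0
    for index, char in enumerate(reversed(digits)):
        digit = int(char)
        if index % 2 == 1:
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def mask_cards(body: str) -> str:
    """Replace all but the last four digits of every Luhn-valid candidate."""
    def replace(match):
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_ok(digits):
            return raw
        return "*" * (len(digits) - 4) + digits[-4:]
    return CARD_CANDIDATE.sub(replace, body)


def filter_response(response: Response) -> Response:
    """Return the response the client should actually receive."""
    status, headers, body = response
    clean_headers = {k: v for k, v in headers.items() if k.lower() not in BANNER_HEADERS}
    if status >= 500:
        # Whatever the app server put in the body (stack trace, SQL error) is discarded;
        # the proxy recomputes Content-Length when it re-serializes the response.
        return status, {"Content-Type": "text/html"}, GENERIC_ERROR_BODY
    return status, clean_headers, mask_cards(body)


if __name__ == "__main__":
    # Constructed sample responses.
    ok = (200, {"Server": "Apache/2.4.1", "Content-Type": "text/html"},
          "Card: 4111 1111 1111 1111 order 1234567890123456")
    err = (500, {"Server": "Apache/2.4.1", "X-Powered-By": "PHP"},
           "Fatal error: SQL syntax near 'admin' in /var/www/app.php")
    print(filter_response(ok))
    print(filter_response(err))
```

The Luhn check is what keeps this usable in practice: without it, any 16-digit order or tracking number would be masked too, and the application would appear broken.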
Application-layer denial of service attacks can be launched in many ways. Web applications maintain state information (such as the number of items in a shopping cart) with the help of sessions, and every session consumes memory on the Web server. A denial of service attack ties up that memory by forcing the Web server to create thousands of sessions, leading to performance degradation and even a server crash.
The WAF should be able to control the rate at which requests reach the Web server and track the rate at which each client causes new sessions to be created. Only a system that proxies on behalf of the Web or application server can do this, because it sees both the request and the server's response (including the Set-Cookie that marks a new session) and can refuse further requests before the server allocates more state.
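One way to implement both controls at the proxy, as an added example that is not code from any WAF product: a sliding-window counter per client address limits the request rate, and a second, much lower counter records every response in which the application sets its session cookie, so a client that keeps forcing new sessions is cut off. The limits, the window length and the session cookie name are illustrative assumptions.

```python
"""Per-client request rate limiting and session-creation tracking at the proxy.

Added example, not the code of any WAF product.  WINDOW_SECONDS, the two
limits and SESSION_COOKIE are illustrative assumptions.
"""
from collections import defaultdict, deque
from typing import Deque, Dict

WINDOW_SECONDS = 10.0
MAX_REQUESTS_PER_WINDOW = 50      # overall request rate per client address
MAX_NEW_SESSIONS_PER_WINDOW = 5   # far lower: a real user rarely starts many sessions
SESSION_COOKIE = "JSESSIONID"     # assumed name of the application's session cookie


class ClientLimiter:
    """Sliding-window event counters keyed by client address."""

    def __init__(self) -> None:
        self._requests: Dict[str, Deque[float]] = defaultdict(deque)
        self._sessions: Dict[str, Deque[float]] = defaultdict(deque)

    @staticmethod
    def _prune(events: Deque[float], now: float) -> None:
        """Drop timestamps that have fallen out of the window."""
        while events and now - events[0] > WINDOW_SECONDS:
            events.popleft()

    def allow_request(self, client: str, now: float) -> bool:
        """Called before forwarding a request; False means reject (e.g. HTTP 429)."""
        events = self._requests[client]
        self._prune(events, now)
        if len(events) >= MAX_REQUESTS_PER_WINDOW:
            return False
        events.append(now)
        return True

    def note_response(self, client: str, response_headers: Dict[str, str], now: float) -> bool:
        """Called on the way back to the client.

        If the application just issued a new session cookie, record it.
        Returns False once this client has created more sessions than allowed
        in the window, so the proxy can drop its further requests instead of
        letting it exhaust server memory.
        """
        set_cookie = response_headers.get("Set-Cookie", "")
        if not set_cookie.startswith(SESSION_COOKIE + "="):
            return True
        events = self._sessions[client]
        self._prune(events, now)
        events.append(now)
        return len(events) <= MAX_NEW_SESSIONS_PER_WINDOW


if __name__ == "__main__":
    # Constructed traffic: one client floods requests, another forces new sessions.
    limiter = ClientLimiter()
    print([limiter.allow_request("10.0.0.1", i * 0.1) for i in range(52)].count(False), "requests rejected")
    session_response = {"Set-Cookie": "JSESSIONID=abc; Path=/"}
    print([limiter.note_response("10.0.0.2", session_response, 1.0) for _ in range(6)])
```

Keying purely on the client address is the simplest choice and the one used here; behind a NAT or a CDN the proxy should key on the X-Forwarded-For value it trusts, or the whole population behind one address will be throttled together.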
The ability to enforce all security policies from a single control point simplifies operations and infrastructure and makes security administration safer and more efficient. Because a non-proxy-based WAF does not terminate TCP connections, it cannot request credentials from incoming users, issue cookies after a successful credential exchange, redirect sessions to particular destinations, or restrict particular users to particular resources. Proxy-based solutions, on the other hand, can act as an Authentication, Authorization and Accounting (AAA) authority themselves or integrate fully with existing AAA infrastructure.
Because of the wide range of security violations, it is important that the administrator be able to respond to different threats differently: log only, block the request, rewrite it, terminate the session, or challenge the client. Only proxy-based solutions offer this full range; a sensor that does not hold the connection is limited to alerting or resetting it.
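An authentication and authorization gate of the kind the paragraph above says only a terminating proxy can provide, as an added example that is not code from any WAF product: unauthenticated requests get a redirect to a login page, a successful credential exchange yields an HMAC-signed session cookie that binds user and expiry, and an ACL keyed on path prefix decides which users may reach which resources before anything is forwarded. The user store, the ACL, the cookie format and the fixed salt are illustrative assumptions (a real deployment would use per-user salts and persist and rotate the signing key).

```python
"""Authentication and authorization enforced at the proxy, before the back end.

Added example, not the code of any WAF product.  USERS, ACL, COOKIE_NAME,
the cookie layout and the demo salt are illustrative assumptions.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set, Tuple

SECRET_KEY = secrets.token_bytes(32)  # per-process here; a real proxy persists/rotates it
COOKIE_NAME = "wafsess"
SESSION_TTL = 3600                    # seconds

_DEMO_SALT = b"demo-salt-not-for-production"  # assumption: real deployments use per-user salts


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Assumed user store: username -> PBKDF2 hash.
USERS: Dict[str, bytes] = {
    "alice": _hash_password("correct horse", _DEMO_SALT),
    "bob": _hash_password("battery staple", _DEMO_SALT),
}

# Assumed ACL: path prefix -> users allowed.  Paths not listed are denied.
ACL: Dict[str, Set[str]] = {
    "/admin/": {"alice"},
    "/app/": {"alice", "bob"},
}


def issue_cookie(user: str, now: float) -> str:
    """Cookie value 'user:expiry:mac'; the MAC covers user and expiry together."""
    expiry = int(now + SESSION_TTL)
    payload = f"{user}:{expiry}"
    mac = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{mac}"


def verify_cookie(cookie: str, now: float) -> Optional[str]:
    """Return the user name if the cookie is intact and unexpired, else None."""
    try:
        user, expiry_text, mac = cookie.rsplit(":", 2)
        expiry = int(expiry_text)
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, f"{user}:{expiry}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected) or now > expiry:
        return None
    return user


def login(username: str, password: str, now: float) -> Optional[str]:
    """Credential exchange handled by the proxy; returns a cookie value or None."""
    stored = USERS.get(username)
    if stored is None or not hmac.compare_digest(stored, _hash_password(password, _DEMO_SALT)):
        return None
    return issue_cookie(username, now)


def gate(path: str, cookies: Dict[str, str], now: float) -> Tuple[int, str]:
    """Decide before the request reaches the back end.

    Returns (302, '/login') for unauthenticated clients, (403, user) when the
    ACL denies the path, and (200, user) when the proxy should forward it.
    """
    user = verify_cookie(cookies.get(COOKIE_NAME, ""), now)
    if user is None:
        return 302, "/login"
    for prefix, allowed in ACL.items():
        if path.startswith(prefix):
            return (200, user) if user in allowed else (403, user)
    return 403, user


if __name__ == "__main__":
    now = 1_700_000_000.0
    cookie = login("bob", "battery staple", now)
    print(gate("/app/home", {COOKIE_NAME: cookie}, now))
    print(gate("/admin/users", {COOKIE_NAME: cookie}, now))
    print(gate("/admin/users", {}, now))
```

Because the MAC is computed over the user name and the expiry together, a client cannot promote itself by editing the name in the cookie or extend its life by editing the expiry; either change invalidates the signature, and the gate falls back to the login redirect.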
Attackers use SSL encryption and common encoding techniques to hide their attacks from traditional security measures. Proxy- and non-proxy-based WAFs differ considerably in how they handle SSL cryptography and key management. Non-proxy-based WAF vendors claim that, given a copy of the server's private key, their products can "see" into an SSL-encrypted packet as it passes by. However, a sensor working from a copy of the traffic decides after the fact: by the time it has decrypted and analysed the data, the attack has already reached the back-end servers and the transaction may have completed. (Passive decryption also only works for cipher suites in which the session key can be derived from the server's private key; with ephemeral Diffie-Hellman key exchange the sensor sees nothing.) Proxy-based WAFs, on the other hand, are designed to serve as the SSL termination endpoint. They tightly couple TCP, SSL and HTTP termination, giving them complete visibility into application content and allowing them to perform deep inspection of the entire session payload, including headers, URLs, parameters and form fields.
It is important that a WAF product does not negatively affect end-user response time. Proxy-based firewalls fully terminate the TCP, SSL and HTTP protocols, which costs some processing per request but lets them cache static content from the application (offloading servers and saving download time), pool keep-alive TCP connections to the back-end servers, and offload SSL processing, reducing server load and overall end-user response time. Non-proxy-based WAF products, which never hold the connection, cannot offer these features.
While non-proxy-based WAF products have evolved, they provide only part of the functionality needed to fully protect a Web application, which is not adequate for mission-critical business applications and confidential data. Proxy-based WAFs, on the other hand, offer comprehensive protection for enterprise Web applications.