Features

April 2009


Security

Six factors to consider when evaluating WAFs

Web application firewalls protect critical business systems and databases from attack, theft and fraud.

by Noa Bar-Yosef

A Web application firewall (WAF) is a network device placed in front of the Web application to inspect incoming and outgoing application traffic, and to reconstruct application messages and application flows. Essentially, Web application firewalls protect critical business systems and databases from attack, theft and fraud.

WAFs provide a continuous line of defense against known and unknown vulnerabilities, verifying all data entering and exiting the application to block attacks. The WAF can enforce security rules on HTTP message structures, application form fields and cookies, and target URLs to protect applications against attacks such as SQL injection, cross-site scripting and parameter tampering.

The following criteria provide a useful benchmark for evaluating different WAF products:

1. No changes to the existing infrastructure: Installation of the WAF should be performed easily, with zero changes to data center infrastructures. The WAF should operate transparently to the network, applications and databases.

2. No performance degradation: Deployment of the WAF should not impact the performance of existing infrastructures, including applications and networks. It should also be transparent to Web users.

3. Apply both positive and negative security models: A negative security model relies on detecting explicit patterns of malicious behavior. Negative security mechanisms include signatures for known exploit vectors and arbitrary restrictions on individual parts of the request. A positive security model assumes knowledge of normal behavior; any deviation from this baseline should be considered potentially malicious.

4. Application profiling: Gathering the information required to create a positive security model can be difficult, but a WAF should be able to automatically generate a profile of the application based on production traffic to model the structure and dynamics of all of its elements. A WAF can automatically build the complete baseline profile of protected applications and network traffic in a matter of days. Using the application profile, the WAF distinguishes between legitimate user behavior and illegitimate behavior to provide attack protection. When changes are made to the application, the WAF should detect the application changes and automatically adjust its profiles accordingly, without the need for manual intervention or tuning. A WAF should be able to combine (correlate) the outcome of both security models to yield a higher accuracy detection rate.

5. Provide virtual patching: The WAF vendor should be able to deliver timely updates to security mechanisms (i.e., signatures, rules or policies) that mitigate recently disclosed vulnerabilities. The WAF should be able to deploy these updates automatically, according to user-defined policy, providing protection until a vendor patch is available and can be deployed.

6. Integration with existing enterprise systems: Any device introduced into the network should integrate with existing systems. Important integration points for a WAF are security information event-management systems, log retention systems, identity management, incident management, application scanners and code analysis tools. Proper interaction between the WAF and these other elements provides layered and automated security.
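As an added illustration of items 3 and 4 (not code from the article or from any vendor product), the following Python sketch learns a per-URL, per-parameter baseline from constructed sample traffic, checks requests against a small constructed signature set, and correlates the two models into one verdict. The URL, parameter names, signatures and thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Negative model: constructed, deliberately small set of attack signatures.
NEGATIVE_SIGNATURES = {
    "sqli": re.compile(r"(?i)\bunion\b[^;]*\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+"),
    "xss": re.compile(r"(?i)<\s*script\b|javascript\s*:"),
}
def char_classes(value):
    # Reduce a string to the set of character classes it uses.
    return {"digit" if c.isdigit() else "alpha" if c.isalpha() else c for c in value}

class ApplicationProfile:
    """Positive model: per-URL, per-parameter baseline learned from traffic."""
    def __init__(self):
        self.params = defaultdict(lambda: {"max_len": 0, "classes": set()})
    def learn(self, url, params):
        # Learning phase: widen the baseline with what legitimate traffic shows.
        for name, value in params.items():
            entry = self.params[(url, name)]
            entry["max_len"] = max(entry["max_len"], len(value))
            entry["classes"] |= char_classes(value)
    def deviations(self, url, params):
        # Enforcement phase: report anything outside the learned baseline.
        found = []
        for name, value in params.items():
            entry = self.params.get((url, name))  # .get() adds no entry
            if entry is None:
                found.append(f"{name}: parameter not in profile")
                continue
            if len(value) > 2 * entry["max_len"]:  # tolerance above longest seen
                found.append(f"{name}: length {len(value)} > baseline {entry['max_len']}")
            unseen = char_classes(value) - entry["classes"]
            if unseen:
                found.append(f"{name}: unseen character classes {sorted(unseen)}")
        return found

def inspect(profile, url, params):
    """Correlate both models: both fire -> block, one -> alert, none -> allow."""
    negative = [n for n, rx in NEGATIVE_SIGNATURES.items()
                if any(rx.search(v) for v in params.values())]
    positive = profile.deviations(url, params)
    verdict = "block" if negative and positive else "alert" if negative or positive else "allow"
    return verdict, negative, positive

def demo_profile():
    # Constructed baseline traffic standing in for the production learning phase.
    profile = ApplicationProfile()
    for url, params in [("/login", {"user": "alice", "pwd": "s3cret"}),
                        ("/login", {"user": "bob_42", "pwd": "hunter2"})]:
        profile.learn(url, params)
    return profile
```

A real product would also version the profile and re-learn when the application changes, as item 4 requires; here the profile is frozen once `demo_profile()` returns.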

Noa Bar-Yosef is a security researcher for Imperva, Redwood Shores, Calif.
