Who Needs a Web Application Firewall?
January 29, 2008 Alex Woodie
At the turn of the millennium, IT shops were scrambling to deploy firewalls and other devices to stop hackers from infiltrating their servers. Over the ensuing years, network security professionals got very good at locking down their charges. As a result, hackers have moved onto more productive pastures, including exploiting vulnerabilities in Web applications themselves. This has given rise to a new security device: the Web application firewall. The question is: Do you need one?
It’s staggering how far the IT industry has come in the last eight years, and how quickly the Internet has evolved. What started as a way to connect universities and defense establishments has turned into a trillion-dollar commercial medium connecting hundreds of millions of people, companies, and organizations.
Of course, with all that money and information flowing over networks, the Internet has become a treasure trove for hackers, criminals, and info-pirates. As the result of several high-profile incidents over the last couple of years, we’ve started to become aware of the enormity of the problem.
It’s almost enough to wish you could go back to 1999. Back then, Web applications weren’t nearly the target they are today, according to Sanjay Mehta, vice president of sales and business development for Breach Software, a developer of Web application firewalls based in Carlsbad, California.
“Hacking has gone from sport to commerce,” Mehta says. “If you think back in 1999 people were really concerned about defacement. Somebody would come after me by defacing my Web site, which causes embarrassment to my company and glory for the hacker. It was all about reputation. But if you think about modern-day hacking, people are after information, and there’s a for-profit market for that information.”
While the stakes have been raised in Web security, the nature of the attacks has also evolved. Network professionals have deployed several layers of security, including traditional network firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), virtual private networks (VPNs), SSL encryption, and other network-level techniques. “Networks are inherently more secure,” Mehta says.
Because hackers no longer have an easy time infiltrating networks, they’ve had to shift their strategy. As a result, hackers are now attacking at the application level, which requires a completely different form of defense, Mehta says. Breach Software defends against the new approaches in hacking by developing Web application firewalls.
Any Web App Is Potentially Vulnerable
One of the biggest security problems is that just about any Web application could be vulnerable, according to Mehta. Whether it’s a small, homegrown PHP-based e-commerce Web site running on a Linux server, or an enterprise-strength stock trading system built with WebSphere running on i5/OS, there is a possibility the developers overlooked an aspect of the program and left a security hole that can be exploited.
In fact, Mehta says security holes are a likelihood due to the economics of Web application development. “We all want to write secure code, and that’s certainly the end point, but that’s a utopian goal that we’re never going to reach,” he says. “The business objectives of getting new Web applications out always overrule the security guy trying to make sure they’re secure.”
The big challenge of protecting Web applications–creating Web application firewalls–is that every single Web application is different, he says. “If you want to attack a Cisco router, you can attack a Cisco router exactly the same whether you’re attacking company A, B, C, or D. Now if you’re attacking a Web application, to protect it effectively you actually have to know how the application works, and an IPS doesn’t have that type of insight.” And even if security is as close to perfect as you can reasonably expect to get, criminals can sometimes exploit legitimate business logic to steal information–say, by modifying a cookie and resuming an e-commerce session–and not have to do a lick of “real hacking” to get it.
As a result of these challenges, Breach Software has taken a different approach to developing its premier Web application firewall, called Web Defend. With Web Defend, Breach monitors the standard behavior that users are expected to exhibit on a Web site–where they can click, what inputs they can type, and how the site is supposed to respond.
“We learn the actual page structure, the page size, and then we’ll learn all the parameters on the page,” Mehta says. “So that thing on the top left side is a log-in, and statistically we’ll learn it’s always between 4 and 14 characters, always alpha, sometimes numeric. If it has a special character, etc. And you can’t use double quote, you can’t use equal sign, you can’t use a slash. We learn all these unique permutations and combinations of how a user is allowed to interact with a Web site so we can build a model of correctness.”
Of course, if developers coded securely and did the proper input validation, then there would be no need for a product like Web Defend. “But people don’t do that,” Mehta says. “Fundamentally they’re rushing applications out the door. So we do all the input validations on their behalf.”
Closing the Security Loop
When Web Defend detects behavior that occurs outside of its model of correctness, it can take two actions. First, it can log the event and alert the administrator, who will hopefully fast-track it to the application developer to get a fix for the problem. This is the best-case scenario, because it removes the underlying vulnerability from the application code itself. (Obviously, this approach doesn’t work so well when the application developer is Oracle or IBM, which have their own patching and release cycles.)
The second thing that Web Defend can do is to apply a so-called “virtual patch” that will prevent the behavior from occurring. This approach is good when the Web application owner doesn’t have access to the source code or a developer who can work with the source code to fix the problem. Web Defend also employs a signature-based approach to detect common forms of attack, such as SQL injections or cross-site scripting. In this way, customers are afforded the maximum level of protection, Mehta says.
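As an added illustration (not Breach Software’s code) of the learned “model of correctness” Mehta describes and of the alert-versus-virtual-patch choice above, this Python sketch learns per-parameter length and character-class profiles from constructed sample logins, then checks new requests against that profile, the characters Mehta says a login never contains, and a couple of signatures for the attack classes the article names. The field names, sample values and signature patterns are assumptions.

```python
import re

# Constructed sample of normal login submissions, standing in for the traffic
# Web Defend would observe during its learning phase (hypothetical data).
LEARNING_TRAFFIC = [
    {"username": "alice", "password": "hunter22"},
    {"username": "bob_smith", "password": "CorrectHorse"},
    {"username": "carol99", "password": "s3cret!pass"},
]
FORBIDDEN = set('"=/')  # characters the interview says a legitimate login never has
SIGNATURES = {          # small illustrative signatures for the attack classes named
    "xss": re.compile(r"<\s*script", re.I),
    "sqli": re.compile(r"union\s+select|['\"]\s*or\s+\S+\s*=\s*\S+", re.I),
}

def char_class(c):
    return "alpha" if c.isalpha() else "digit" if c.isdigit() else "special"

def build_model(samples):
    """Learn, per parameter, the observed length range and character classes."""
    model = {}
    for req in samples:
        for name, value in req.items():
            prof = model.setdefault(name, {"min": len(value), "max": len(value), "classes": set()})
            prof["min"] = min(prof["min"], len(value))
            prof["max"] = max(prof["max"], len(value))
            prof["classes"].update(char_class(c) for c in value)
    return model

def check_request(model, req, mode="alert"):
    """Return (decision, reasons). mode='alert' reports only; mode='patch' blocks."""
    reasons = []
    for name, value in req.items():
        prof = model.get(name)
        if prof is None:
            reasons.append(f"{name}: parameter never seen during learning")
            continue
        if not prof["min"] <= len(value) <= prof["max"]:
            reasons.append(f"{name}: length {len(value)} outside {prof['min']}-{prof['max']}")
        unexpected = {char_class(c) for c in value} - prof["classes"]
        if unexpected:
            reasons.append(f"{name}: unexpected character class {sorted(unexpected)}")
        if FORBIDDEN & set(value):
            reasons.append(f"{name}: forbidden character")
        for label, pattern in SIGNATURES.items():
            if pattern.search(value):
                reasons.append(f"{name}: matches {label} signature")
    if not reasons:
        return "allow", reasons
    return ("block" if mode == "patch" else "alert"), reasons
```

In "alert" mode the deviation is only reported, which is the log-and-fix path; switching the same check to "patch" mode is the virtual patch that blocks until the code is fixed.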
But it’s not so much the real-time intrusion prevention as the interaction between Web application administrators and developers where Web Defend is designed to have the biggest impact. In addition to logging the event information, the software records the Web browser session of the user in question. It also prioritizes the events by importance, to make the conversation between Web site owner and Web application developer go much smoother.
“We give you all the information you need so you can actually go fix the application,” Mehta says. “So instead of constantly trying to detect and block attacks, now you can detect and remediate. And in the event you can’t remediate right away, we can still block. If you can’t fix the code yet, you can virtually patch it using our technology. But the right thing to do is go fix the code, and we give you a prioritized and educated way to go do that.”
Web Defend is deployed on appliances that fit into standard server racks. The typical Web Defend implementation costs about $50,000, and is primarily geared toward larger companies operating dozens or hundreds of Web applications that they have difficulty tracking and keeping central ownership over.
For smaller organizations with a less spread-out and better understood Web application infrastructure, Breach Software offers its ModSecurity line of Web application firewalls. Breach rolled out its ModSecurity line of products about a year ago following the acquisition of the company that developed the popular open-source ModSecurity product line. ModSecurity firewalls start at about $15,000.
For more information, visit www.breach.com.