Web Application Firewall Assurance

Ebook, 128 pages, 1 hour

About this ebook

Nowadays web application firewalls are capable of identifying and neutralizing sophisticated threats. They employ the finest methods of machine learning and decision making algorithms. As a result, more and more companies purchase and deploy them to protect their assets. The market is becoming saturated with the products that boast a slew of attractive features and promise near total protection.

Are web application firewalls worth their costs? Are they as secure as their vendors claim? Can they fulfill their role in layered security architecture? To what degree does their effectiveness depend on a proper configuration? How can the management be assured that web application firewalls ultimately make the information more useful, available, resilient and confidential?

Language: English
Publisher: Roman Potapov
Release date: Jan 27, 2015
ISBN: 9781310063350
Author

Roman Potapov

Roman Potapov is actively employed in the field of information security. His education encompasses various disciplines that complement each other. He gained his experience at a number of large and medium-sized organizations around the world.


    Book preview

    Web Application Firewall Assurance

    By Roman Potapov

    Smashwords Edition

    Copyright 2015 Roman Potapov

    Smashwords Edition, License Notes

    This e-book is licensed for your personal enjoyment only. This e-book may not be re-sold or given away to other people. If you would like to share this book with another person, please purchase an additional copy for each recipient. If you’re reading this book and did not purchase it, or it was not purchased for your use only, then please return to your favorite e-book retailer and purchase your own copy. Thank you for respecting the hard work of this author.

    Table of Contents:

    Foreword

    Web Application Firewall

    Inherent Web Application Firewall Limitations

    Challenges for Existing Web Application Firewalls

    Why We Need Web Application Firewalls

    Business Objectives and Requirements

    Assurance Engagement Planning

    Scope

    Resources

    WAF Risk Elements and Control Design

    Governance Weakness

    Unrealized Business Value

    Deficient Policy, Standards and Procedures

    Patch Mismanagement

    Ineffective Change Management

    Inadequate Physical Security and Business Continuity

    Weak Relationships with Vendors and Solution Providers

    Lack of Personnel Education And Experience

    The WAF’s Security Misconfiguration

    General Control Deficiencies

    General Misconfiguration

    Wrong System Options

    Inaccurate Monitoring and Reporting

    Misconfiguration of Remote Logging

    Incorrect Parameter Settings

    Application Protection Deficiencies

    Application Traffic Misconfiguration

    Attack Signature Misconfiguration

    Inaccurate Machine Learning Settings

    Misconfiguration of Wildcard Objects

    Inadequate XML Security

    Misconfigured Staging-Hardening Period

    Inaccurate Detection of Traffic Anomalies

    Inadequate Configuration Maintenance

    Weak Integration with a Vulnerability Scanner

    About the Author

    Foreword

    The modern business environment has been witnessing an explosive growth of security technology. Web application firewalls are ubiquitous at businesses around the globe. They are an important part of layered security architectures and support the defense-in-depth principle of computer security. It is hard to imagine a large company without a web application firewall protecting many of its external and internal applications.

    Nowadays web application firewalls are capable of identifying and neutralizing sophisticated threats. They employ the finest methods of machine learning and decision making algorithms. As a result, more and more companies purchase and deploy them to protect their assets. The market is becoming saturated with the products that boast a slew of attractive features and promise near total protection.

    Often web application firewalls are integrated with load balancers, vulnerability scanners and other security systems. That makes them even more deeply interwoven into the information and automation security fabric.

    Recent improvements and advances have provided enhanced protection but at the same time enticed businesses to rely on these products more and more. Many critical applications are placed behind web application firewalls across all industries, segments and geographies.

    Are web application firewalls worth their costs? Are they as secure as their vendors claim? Can they fulfill their role in layered security architecture? To what degree does their effectiveness depend on a proper configuration? How can the management be assured that web application firewalls ultimately make the information more useful, available, resilient and confidential?

    These are the questions that we would like to research and answer when we conduct an audit or a security assessment of a web application firewall.

    Web Application Firewall

    Web application firewall or WAF is any automated application protection system that is not a part of that application. This would be the simplest and most general definition. It would encompass all technologies that are in use today to provide that protection. On a primitive level any web application firewall can be depicted as follows.

    When the web application firewall gets an external or internal request for the application, it applies a set of rules to that request. That set of rules is usually called a security policy. If the request complies with the policy rules, it is sent further on to the application. If the request violates any of the security policy rules, the system generates a violation, and then either goes on to forward the request (and issues an alert) or prevents the request from reaching the application.
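    The decision flow just described, as a small added example (not the book's code) in Python: a policy is a set of named rules, every request is checked against all of them, each failure is recorded as a violation, and the policy's enforcement mode decides whether a violating request is still forwarded (alert only) or blocked. Rule names, thresholds and sample requests are constructed for illustration.

```python
# Toy model of the WAF decision flow described above (added example, not the
# book's code). A policy is a set of named rules applied to every request; a
# rule failure is recorded as a violation, and the policy's enforcement mode
# decides whether the request is still forwarded (alert mode) or blocked.
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import parse_qsl
import re

@dataclass
class Request:
    method: str
    path: str
    query: str = ""

# A rule returns a reason string when violated, or None when the request complies.
Rule = Callable[[Request], Optional[str]]

def allowed_methods(*methods: str) -> Rule:
    return lambda r: None if r.method in methods else f"method {r.method} not allowed"

def max_url_length(limit: int) -> Rule:
    def check(r: Request) -> Optional[str]:
        url = r.path + (f"?{r.query}" if r.query else "")
        return None if len(url) <= limit else f"URL length {len(url)} exceeds {limit}"
    return check

def parameter_charset(allowed: str = r"^[\w .,@-]*$") -> Rule:
    pattern = re.compile(allowed)  # each parameter value must match this allow-list
    def check(r: Request) -> Optional[str]:
        for name, value in parse_qsl(r.query, keep_blank_values=True):
            if not pattern.match(value):
                return f"parameter {name!r} has characters outside the allowed set"
        return None
    return check

@dataclass
class Policy:
    rules: dict[str, Rule]
    blocking: bool  # False: record violations and still forward; True: block
    def evaluate(self, r: Request) -> tuple[bool, list[tuple[str, str]]]:
        """Return (forwarded, [(rule name, reason), ...]) for one request."""
        violations = [(name, why) for name, rule in self.rules.items()
                      if (why := rule(r)) is not None]
        return not (violations and self.blocking), violations

RULES = {"methods": allowed_methods("GET", "POST", "HEAD"),
         "url_length": max_url_length(128), "param_charset": parameter_charset()}
ALERT_ONLY = Policy(RULES, blocking=False)  # e.g. a staging period: log, but forward
BLOCKING = Policy(RULES, blocking=True)     # same rules, enforced
```

Running the same constructed requests through both policies shows the difference the text draws: in alert mode every violation is recorded but the request still reaches the application, while in blocking mode the first violated rule is enough to stop it.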

    Just how many web application firewalls are out there in the market?

    A simple Internet search would give you the following list. I put it in an alphabetical order to avoid promoting any product inadvertently:

    A10 Networks - Thunder and AX Series

    Akamai Technologies - KonaWeb

    Applicure - DotDefender

    AQTronix - WebKnight

    Armorlogic - Profense

    Barracuda Networks - Barracuda Web Application Firewall

    Bayshore Networks - Application Protection Platform

    Bee Ware - i-Suite

    BinarySec - Security as a Service (Application Firewall)

    BugSec - WebSniper

    Cisco - ACE Web Application Firewall

    Citrix - NetScaler

    Cyberoam - Next-Generation Firewalls/UTMs

    Dell - SonicWALL

    DenyAll - Protect

    eEye Digital Security - SecureIIS

    Ergon - Airlock

    F5 - Application Security Manager

    Fortify Software - Defender

    Fortinet - FortiWeb

    Forum Systems - Xwall, Sentry

    Imperva - SecureSphere

    mWEbscurity - webApp.secure

    Penta Security - WAPPLES

    Port80 Software - ServerDefender VP

    Privacyware - ThreatSentry IIS

    Protegrity - Defiance TMS

    Qualys - Ironbee

    QuickDefence - Open Source WAF

    Radware - AppWall

    Riverbed - SteelApp

    Trustwave - WebDefend

    Trustwave SpiderLabs - ModSecurity

    Xtradyne - Application Firewalls.

    The list can go on and on. As we all know, not all products are created equal, and that does not necessarily mean better or worse. There are different protection methods, network placement, OSI stack level involvement, scalability, maintenance and many other factors to consider while selecting a suitable WAF.

    WAF procurement deserves a book in its own right and is not within the scope of this manual. However, if there were one word of advice on how to select a proper web application firewall, I would say that it has to be closely tailored to the business and security needs of each particular organization. That’s why I would never recommend one WAF over another without knowing the business and the security requirements.
