Web Application Firewall Assurance
Roman Potapov
Roman Potapov is actively employed in the field of the information security. His education encompasses various disciplines that complement each other. He gained his experience at a number of large and medium organizations around the world.
Web Application Firewall Assurance
By Roman Potapov
Smashwords Edition
Copyright 2015 Roman Potapov
Smashwords Edition, License Notes
This e-book is licensed for your personal enjoyment only. This e-book may not be re-sold or given away to other people. If you would like to share this book with another person, please purchase an additional copy for each recipient. If you’re reading this book and did not purchase it, or it was not purchased for your use only, then please return to your favorite e-book retailer and purchase your own copy. Thank you for respecting the hard work of this author.
Table of Contents:
Foreword
Web Application Firewall
Inherent Web Application Firewall Limitations
Challenges for Existing Web Application Firewalls
Why We Need Web Application Firewalls
Business Objectives and Requirements
Assurance Engagement Planning
Scope
Resources
WAF Risk Elements and Control Design
Governance Weakness
Unrealized Business Value
Deficient Policy, Standards and Procedures
Patch Mismanagement
Ineffective Change Management
Inadequate Physical Security and Business Continuity
Weak Relationships with Vendors and Solution Providers
Lack of Personnel Education And Experience
The WAF’s Security Misconfiguration
General Control Deficiencies
General Misconfiguration
Wrong System Options
Inaccurate Monitoring and Reporting
Misconfiguration of Remote Logging
Incorrect Parameter Settings
Application Protection Deficiencies
Application Traffic Misconfiguration
Attack Signature Misconfiguration
Inaccurate Machine Learning Settings
Misconfiguration of Wildcard Objects
Inadequate XML Security
Misconfigured Staging-Hardening Period
Inaccurate Detection of Traffic Anomalies
Inadequate Configuration Maintenance
Weak Integration with a Vulnerability Scanner
About the Author
Foreword
The modern business environment has been witnessing explosive growth in security technology. Web application firewalls are ubiquitous at businesses around the globe. They are an important part of layered security architectures and support the defense-in-depth principle of computer security. It is hard to imagine a large company without a web application firewall protecting many of its external and internal applications.
Nowadays web application firewalls are capable of identifying and neutralizing sophisticated threats. They employ the finest machine learning methods and decision-making algorithms. As a result, more and more companies purchase and deploy them to protect their assets. The market is becoming saturated with products that boast a slew of attractive features and promise near-total protection.
Often web application firewalls are integrated with load balancers, vulnerability scanners and other security systems. That makes them even more interwoven into the information and automation security fabric.
Recent improvements and advances have provided enhanced protection but at the same time enticed businesses to rely on these products more and more. Many critical applications are placed behind web application firewalls across all industries, segments and geographies.
Are web application firewalls worth their costs? Are they as secure as their vendors claim? Can they fulfill their role in layered security architecture? To what degree does their effectiveness depend on a proper configuration? How can the management be assured that web application firewalls ultimately make the information more useful, available, resilient and confidential?
These are the questions that we would like to research and answer when we conduct an audit or a security assessment of a web application firewall.
Web Application Firewall
A web application firewall, or WAF, is any automated application protection system that is not a part of the application it protects. This is the simplest and most general definition, and it encompasses all technologies in use today to provide that protection. On a primitive level any web application firewall can be depicted as follows.
When the web application firewall gets an external or internal request for the application, it applies a set of rules to that request. That set of rules is usually called a security policy. If the request complies with the policy rules, it is sent further on to the application. If the request violates any of the security policy rules, the system generates a violation, and then either goes on to forward the request (and issues an alert) or prevents the request from reaching the application.
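The request path just described, as an added example that is not from the book: a toy policy engine in Python that applies a set of rules (the security policy) to a request and, on a violation, either forwards the request with an alert (transparent mode) or blocks it. The request model and the two rules are constructed here for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
# Constructed, simplified request model (an assumption; a real WAF parses the full HTTP message).
@dataclass
class Request:
    method: str
    path: str
    params: Dict[str, str]

@dataclass
class Violation:
    rule: str    # name of the policy rule that fired
    detail: str  # reason, as the alert or log entry would carry it

# A rule inspects a request and returns a Violation, or None if the request complies.
Rule = Callable[[Request], Optional[Violation]]

def allowed_methods(methods: set) -> Rule:
    """Allow-list rule: only the listed HTTP methods may reach the application."""
    def rule(req: Request) -> Optional[Violation]:
        if req.method not in methods:
            return Violation("method", f"{req.method} is not in the allow-list")
        return None
    return rule

def max_param_length(limit: int) -> Rule:
    """Length rule: no parameter value may exceed `limit` characters."""
    def rule(req: Request) -> Optional[Violation]:
        for name, value in req.params.items():
            if len(value) > limit:
                return Violation("param_length", f"{name} is {len(value)} chars, limit {limit}")
        return None
    return rule

@dataclass
class Policy:
    rules: List[Rule]
    blocking: bool  # False = transparent mode: violating requests are forwarded but raise an alert

def evaluate(policy: Policy, req: Request) -> List[Violation]:
    """Apply every rule of the security policy and collect all violations."""
    return [v for v in (rule(req) for rule in policy.rules) if v is not None]

def enforce(policy: Policy, req: Request) -> Tuple[str, List[Violation]]:
    """'forward' when compliant; otherwise 'alert' (transparent mode) or 'block' (blocking mode)."""
    violations = evaluate(policy, req)
    if not violations:
        return "forward", violations
    return ("block" if policy.blocking else "alert"), violations
```

Running the same violating request through a transparent and a blocking policy shows the two outcomes the text describes: the violations are identical, only the decision differs.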
Just how many web application firewalls are out there in the market?
A simple Internet search gives the following list. I have put it in alphabetical order to avoid inadvertently promoting any product:
A10 Networks - Thunder and AX Series
Akamai Technologies - KonaWeb
Applicure - DotDefender
AQTronix - WebKnight
Armorlogic - Profense
Barracuda Networks - Barracuda Web Application Firewall
Bayshore Networks - Application Protection Platform
Bee Ware - i-Suite
BinarySec - Security as a Service (Application Firewall)
BugSec - WebSniper
Cisco - ACE Web Application Firewall
Citrix - NetScaler
Cyberoam - Next-Generation Firewalls/UTMs
Dell - SonicWALL
DenyAll - Protect
eEye Digital Security - SecureIIS
Ergon - Airlock
F5 - Application Security Manager
Fortify Software - Defender
Fortinet - FortiWeb
Forum Systems - Xwall, Sentry
Imperva - SecureSphere
mWEbscurity - webApp.secure
Penta Security - WAPPLES
Port80 Software - ServerDefender VP
Privacyware - ThreatSentry IIS
Protegrity - Defiance TMS
Qualys - Ironbee
QuickDefence - Open Source WAF
Radware - AppWall
Riverbed - SteelApp
Trustwave - WebDefend
Trustwave SpiderLabs - ModSecurity
Xtradyne - Application Firewalls.
The list can go on and on. As we all know, not all products are created equal, and that does not necessarily mean better or worse. There are different protection methods, network placements, levels of OSI stack involvement, scalability, maintenance and many other factors to consider when selecting a suitable WAF.
WAF procurement deserves a book in its own right and is not in the scope of this manual. However, if there were one word of advice on how to select a proper web application firewall, I would say that it has to be closely tailored to the business and security needs of each particular organization. That is why I would never recommend one WAF over another without knowing the business and security requirements.