Web Application Firewalls and IPv6

Does your WAF protect against IPv6 attacks?

Many organizations may be using a Web Application Firewall (WAF) to help them achieve security compliance and secure their web applications. Many organizations are also actively deploying IPv6 to their web systems. The intersection of these two groups will experience security vulnerabilities as they IPv6-enable their web applications yet their WAF is not actively inspecting the IPv6 web connections.

WAFs and IPv6

Web Application Security:

The Cisco Security Annual Report and many other reports have for many years shown how vulnerabilities in web applications have trended upward and are still very much a real threat. Simultaneously, the Open Web Application Security Project (OWASP) has worked hard to raise awareness of these issues and try to improve the security of web systems. Threats such as Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Buffer Overflow, Arbitrary Code Execution, Privilege Escalation, SQL Injection, and other attacks lead to web servers being compromised. Organizations have several choices when securing their web servers. They can create secure code in the first place or have that code audited by a web security application firm. They can proactively scan their web applications with vulnerability scanners capable of detecting the threats that attackers will target, or they can use an appliance or software system to try to intercept and block the attacks.

Web Application Firewalls (WAFs) are purpose-built security systems that inspect web requests and detect application-layer attacks. They can operate in-line the traffic path or at least be able to observe the web traffic. If the WAF detects a malicious connection, then the WAF would then be able to reset the connection to block the attack. WAFs have been available for many years and are now common in DMZ and data center deployments. WAFs may be integrated into a Server Load Balancer (SLB) or Application Delivery Controller (ADC) that may also have IPv6 capabilities.

Compliance Standards:

If you are required by PCI/HIPAA/SOX/GLBA/FISMA or other security standards to have a WAF then you should be keenly aware of what features that product does and does not have. The PCI DSS compliance recommendations listed in the "Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified, issued by the PCI Security Standards Council" Option 2 discusses WAFs. However, the PCI DSS 2.0 does not address IPv6 directly. Some may make the assumption that it is implied that the standards and guidelines apply to IPv4 communications and IPv6 communications.

Most server operating systems now support IPv6 natively and have IPv6 enabled by default. Many web servers will listen to inbound TCP port 80 connections on any IPv6 address on any interface without any administrator configuration. If you IPv6-enable your web application and connect it to the IPv6 Internet then you may be exposed to web application threats. Attackers will recognize that the web application has both an IPv4 "A" record and an IPv6 "AAAA" DNS record and the attacker will test the server's defenses using both protocols. Therefore, servers should be defended by dual-protocol firewalls, IPSs, and WAFs.

The Web Application Security Consortium (WASC) is an organization that helps develop and advocate standards for WAFs and to further their adoption. This organization has drafted the Web Application Firewall Evaluation Criteria (WAFEC) to help organizations making a product selection as well as to inform vendors about what features are important to customers. Unfortunately, the Web Application Firewall Evaluation Criteria Version 1.0 (January 16, 2006) does not mention anything about IPv6. This group is working on WAFEC 2.0 but there is no word if this will contain any mention of IPv6. Furthermore, OWASP's "Best Practices: Use of Web Application Firewalls" does not mention IPv6 as a consideration or a requirement.

ICSA Labs is a vendor-neutral independent testing laboratory that operates as an independent division of Verizon Business. Their focus has been testing firewalls and security products, but they also test Web Application Firewalls. ICSA Labs has published their "Web Application Firewall Certification Criteria Version 2.1 (Corrected)". However, it does not mention IPv6 in the least. ICSA Labs has certified several WAFs, but none of these products were tested for their support of IPv6. ICSA Labs can perform IPv6 product testing based on the NIST USGv6 Testing Program so that indicates that they are aware of IPv6, but it just hasn't made its way into their other testing criteria.

WAF Vendors:

Following is a list of some of the popular WAFs available on the market and the status of their IPv6 capabilities. Please note that this is not intended to be an exhaustive list and if you know of an IPv6-capable WAF, please comment on this blog.

AQTRONiX WebKnight "Web Application Firewall for IIS" does not seem to have any IPv6 capabilities. In fact, their web site states "WebKnight is not yet ready for IPv6, but this is currently not a major issue because the Internet is still using IPv4 (only the localhost loopback uses IPv6)". Maybe someone should tell them about World IPv6 Launch.

Barracuda Networks Web Application Firewall claims to be "IPv6 Ready" as listed on their data sheet. Barracuda's Product Blog listed last year that the 7.6 firmware has IPv6 support, but it is disabled by default. Apparently, customers need to contact a Barracuda support engineer to walk them through the process of enabling IPv6. The Barracuda Networks WAF family was tested by ICSA Labs but not for IPv6.

In 2010, Cisco announced End-of-Life and thus End-of-Sale for the Cisco ACE Web Application Firewall (WAF). This product does not have any IPv6 support, and because this produce has reached the end of its development, it will never get IPv6 capabilities.

The Citrix NetScaler family of application delivery controllers have supported IPv6 for many years now. Their product data sheet shows that IPv6 is a standard feature (no additional license fee) in all their platforms and editions. The Citrix NetScaler Application Firewall is IPv6-capable and the NetScaler also has simple and extended ACLs, DDoS protection, and HDOSP. ICSA Labs tested the Citrix NetScaler Application Firewall, but not for its IPv6 capabilities.

F5 Networks Inc. BIG-IP Appliances run the Application Security Manager (ASM) WAF. As of TMOS software version 11.1 (11.2 is the latest), the ASM WAF is IPv6-capable and provides IPv6 web application and HTTP protocol inspection. However, there are some caveats listed in their documentation "Support limitations for IPv6 (ID 359405) While ASM supports IPv6 addresses for application traffic management, ASM does not support IPv6 addresses for the following configurations: ICAP server, SMTP server, Remote logging server, DNS server, WhiteHat server, and Search engines/bot domains". ICSA Labs tested the F5's BIG IP Application Security Manager (ASM) but did not test its IPv6 capabilities.

Fortinet firewalls have had significant support for IPv6 for many years. However, their FortiWeb Web Application Security system does not have any IPv6 features. ICSA Labs performed testing of the Fortinet FortiWeb-1000C but did not perform any IPv6 testing of this product.

Imperva makes their AX series SecureSphere in a partnership with A10 Networks. Because this web application firewall system runs on the A10 Advanced Core Operating System (ACOS) the WAF is IPv6-capable. The A10 Networks AX series has substantial IPv6 capabilities as documented in the February 2012 NWW Clear Choice Test. ICSA Labs did test the Imperva SecureSphere Web Application Firewall, but not for IPv6.

Earlier this year, Juniper acquired Mykonos Web Security (MWS) and its web application security systems. Unfortunately, none of the online documentation mentions anything about its IPv6 capability. Hopefully, as this product evolves and is further integrated with other Juniper IPv6 products it will one day become fully IPv6 capable.

Qualys develops the IronBee open source web application firewall. Even though IPv6 is not listed in the features the Reference Manual shows how IPv6 addresses can be configured in the product.

ModSecurity is one of the oldest Web Application Firewalls. ModSecurity is now supported by Trustwave SpiderLabs (formerly Breach Security) and the ModSecurity Rules are available with a support contract. The latest version of ModSecurity 2.7.0-RC3 has IPv6 features that were first introduced in version 2.6. IPv6 is also supported in the various data formats and logging.

webSecurity Inc. makes their webApp.secure web application security system. Their product comes in a Professional Edition (PE) and a LiveCD Edition. However, their web site does not have any details on IPv6 capabilities in their products. webSecurity did issue a press release on August 20, 2010 stating that their products now have IPv6 support, however, that link is now broken.

Scanning:

Earlier, this article mentioned that companies may chose to perform proactive scanning and/or web application code verification to help their web applications be secure. Companies like Veracode and WhiteHat Security can perform dynamic or static scanning of web applications. These companies may be able to check for IPv6-related issues when performing a static off-line code assessment. However, today, few if any, can perform a dynamic scan over IPv6 transport. One could still perform the dynamic scan over IPv4 transport and then assume that if the application is secure over IPv4 then it must be secure over IPv6. However, that may be a false assumption if the same security protection measures for IPv4 do not equally exist for IPv6. There are many products and services offered in this space, but few of them have IPv6 capabilities. Web vulnerability scanning tools like Cenzic's Hailstorm may not have IPv6 capabilities either. Security companies like Rapid7 have embraced IPv6 and put support into their Nexpose 5.4 scanner and Metasploit 4.2 software.

Conclusion:

Customers have started asking these security vendors about their IPv6 product capabilities. However, some manufacturers have not prioritized IPv6 high on their product development roadmaps. The product testing laboratories are also not testing if an security device can secure both IP versions equally effectively.

If your WAF is not IPv6 capable then you should avoid enabling IPv6 Internet connectivity to your web applications if you do not have an IPv6 defensive capability. If you IPv6-enable your web app and expose a vulnerability then you are failing security compliance. IPv6 deployment is important and a focus for many organizations. However, it is best not to rush your IPv6 deployment and inadvertently create a security issue. It is much better to take a disciplined approach to IPv6-enabling your Internet-facing systems and make sure your deployment is secure right from the beginning.

Scott

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Must read: 10 new UI features coming to Windows 10