Consortium hopes to lift Web-application firewall confusion.
"Web application firewall" is a simple term, but understanding what it means is proving so difficult for customers that an industry consortium is publishing advice on how to make a choice among the many devices that fall into this category.
Last week, a document called "Web Application Firewall Evaluation Criteria" was published by the Web Application Security Consortium, a group formed a year ago that includes users, vendors and consultants.
Web application firewalls examine HTTP and HTTPS traffic at the application layer, looking for attacks masquerading as legitimate application traffic. They defend against attempts to tap information stored on Web application servers, such as credit card and Social Security numbers, and proprietary corporate information.
So many methods try to accomplish this goal that it is difficult for potential customers to figure out what product best suits their needs, says Mark Kraynak, director of product marketing for WAF vendor Imperva, who served on the Web Application Security Consortium committee that wrote the document. Other vendors include Citrix, F5 Networks and Protegrity.
One size doesn't fit all
No single WAF device is appropriate for all networks, says Ivan Ristic, who headed the evaluation effort for the consortium. He also runs Thinking Stone, a Web application security-consulting firm. "You need to look at your security requirements and business goals. Create a short list of features you need," he says.
For example, a business that needs to document all HTTP transactions for regulatory purposes may need a WAF with very few features, Ristic says. Or a business with a single Web server might only need application firewall software that can run on the server itself and not a separate WAF, he says.
The range of features is broad. A WAF can deal with SSL traffic by terminating it, examining it and passing it on, or capturing it and decrypting it but not terminating sessions. Similarly, if a WAF needs to block traffic, it can terminate network-protocol connections and not pass on malicious traffic or it can sever suspicious connections.
Individual products can support more or fewer versions of HTTP, encryption and authentication. These devices may or may not support filtering of outgoing traffic.
"Three years ago, there wasn't anything like this [evaluation criteria]," says a senior network executive at a Midwest financial services firm that uses Citrix gear. The firm would not allow its name to be used. "We had to hire a third party to do attack and penetration testing for us."
Raphael San Miguel, who worked on the project and is a senior consultant with daVinci Consulting in Spain, says management of these devices is important.
They should be able to adapt to new attacks without manual intervention. "You can't be changing configuration parameters all the time. If you do, security will depend on how good the administrator is who is working right now," he says.
The IT executive for the financial-services firm agreed. "It's not the type of solution you can buy, put in and never make changes again. It has to adapt to new threats," he says. Automation is important, because the manual configuration of one of the devices he tested was so complex that it was easy to misconfigure.
To do so, the devices must understand application logic and adapt their filters when they recognize traffic patterns that stray from how legitimate traffic performs, he says. Different devices determine normal traffic differently. Some have tools that simulate traffic to the server to figure out the give and take of legitimate traffic. Others monitor actual network traffic to make the same determination. The former can discover quickly how an application works, but the latter is more accurate.
San Miguel says in a few weeks the consortium will publish applications that simulate attacks on applications that potential customers can use to test WAF products. A customer would set up a test network with a PC running the attack simulator and a server being attacked on which WAF devices can be installed to see how well they protect the server.
Learn more about this topicComplex devices have customers uncertain about what to buy
01/13/06Web Application Firewall Evaluation Criteria
12/05/05NTT launches IPv6 firewall service