Web application firewalls take on more heat

Over the next few months Web application firewall vendors Citrix, F5 Networks, Imperva, NetContinuum and Protegrity will add features that let their products take on bigger roles in speeding traffic to server farms and better protecting networked corporate data.

While traditional firewalls have blocked packets effectively at Layer 3 for years, they are proving ineffective against attacks that prey on application weaknesses. Web application firewalls detect application anomalies and whether sensitive data - such as credit card and Social Security numbers - is being tapped and can block or mask it.

Many businesses with Web applications get along without Web application firewalls, says Rob Whiteley, an analyst with Forrester Research. Most protect the traffic with SSL encryption, and some use SSL VPNs to make sure authorized people are connecting to the Web applications.

But high-stakes financial services businesses, for instance, often turn to these devices, Whiteley says. "Application firewalls are for those who cannot afford to have anything go wrong. It's not like you're leaving a gaping hole by not having an application firewall," he says. "It's just giving yourself an extra measure of protection."

Web application firewalls are being integrated with load balancers and application switches that ensure the availability of Web applications to create products that address accessibility and security at the same time.

"We think the application firewall is going to go away and be replaced by something that is a little more availability- and assurance-focused," says Andrew Jaquith, a Yankee Group analyst.

Such platforms work to keep servers available to end users and safe from attacks. They also make sure that the traffic moving in and out of data centers is not compromised, he says.

Stand-alone Web application firewalls examine HTTP and HTTPS traffic at the application layer, looking for attacks that try to slip by as legitimate application flows. "The products are defending against people that are trying to use malicious attacks to cause Web sites to disgorge sensitive information or for break-ins," Jaquith says.

Start-ups Teros, MagniFire, Kavado and Sanctum, all bought by others, made these devices. Citrix bought Teros, F5 bought MagniFire, Protegrity bought Kavado and WatchFire bought Sanctum.

Things to know about Web application firewalls

While they protect applications from such exploits as buffer overflows and format string attacks, application firewalls are a targeted defense mechanism that doesn’t solve all Web security problems. For instance, they:
May require the tweaking of certain Web apps or Webified client/server apps to work properly.
Can’t replace traditional network-layer firewalls or intrusion detection/prevention systems.
May need reconfiguration to deal with attacks against newly discovered application vulnerabilities.
Can work independently of load balancers and application switches.
May not meet regulatory demands for data protection.

While these vendors approach the problems of accelerating and securing Web application traffic differently, they share a common spot in the network: in front of application servers. The features they offer can include load balancing traffic among servers, compression, encryption, reverse proxying of HTTP and HTTPS traffic, checking for application conformance and pooling TCP sessions.

For its part, Citrix aims to merge its Web application firewall with its application switch, so the device will distribute traffic to servers and also parse it for application-layer attacks, the company says. This integration is scheduled for the second quarter of next year, according to the company.

Expect NetContinuum to add software tools next year that make configuring application-security policies easier, says Varun Nagaraj, CEO at NetContinuum. The company also is considering what role its application gateway might play in identity and access management, under schemes such as Security Assertion Markup Language, which relies on applications to authenticate users.

F5 will look to protect XML and SIP traffic to support Web services and VoIP, says Erik Giesa, vice president of product management and marketing for the company. It also is looking to add WAN-acceleration technology to its platform and to produce a software developers' kit to encourage the creation of self-securing applications that could block traffic when they discover breaches. To do this, the application would tie into software governing F5's Big IP application switch to cause a rule change within Big IP that would block suspect traffic.

Imperva plans to develop auditing and assessment tools that help customers comply with such regulations as the payment-card industry standard, the Health Insurance Portability and Accountability Act and the Sarbanes-Oxley Act for protecting private information, says Shlomo Kramer, Imperva CEO.

Protegrity expects to blend its database security gear with the application-protection software it got with Kavado, says Jeannine Bartlett, vice president of product strategy and development for Protegrity. "Our releases in the coming year are directed at back-end reporting, statistics, metrics, mapping specific applications to customers' various needs to comply with regulators. That's what larger corporations are really looking for," she says.

All this activity marks a coming-of-age for application firewalls, Whiteley says. Most of these devices stem from reverse-proxy technology in which traffic to Web servers is terminated by the proxy and passed on to the servers in a separate session, and then the server response is proxied. While the traffic is proxied, the device looks at it to determine whether it represents an attempt to exploit application vulnerabilities.

Vendors didn't sell many of these boxes, says Whiteley, who estimated revenues per company topped out at $10 million per year. But because they occupy the same spot in the network as application switches and load balancers/application accelerators, it makes sense to integrate them, he says.

Some customers have bought application switches as separate devices that they deploy in tandem with load balancers. For instance, Baker Hill, a financial-services application service provider in Carmel, Ind., has deployed a Teros (now Citrix) application firewall in front of an F5 Big IP appliance, which sits in front of Microsoft IIS servers, says Eric Beasley, the firm's senior network administrator.

Customers demanded the application firewall be installed, he says. "As we marketed to larger financial institutions, they looked at that architecture and said it's Microsoft. I see Nimda, I see Code Red, I see all these problems. We won't do business with you unless you put some kind of a reverse proxy in front of that environment," he says. "We have clients who say in their contracts if that ever gets removed, we break our contract with you. It's that important."

Pacific Northwest National Laboratory, which does work for the U.S. Department of Energy, uses a NetContinuum application firewall to protect its Web applications, says Mark Hadley, a research scientist in the laboratory's cybersecurity group.

This sometimes requires reworking applications so they can get through, Hadley says. For instance, if a certain field in an application protocol uses a character that also is used in the Web application URL, such as a forward slash, it could represent a vulnerability that an attacker could exploit. The options are to let the traffic through unexamined or rewrite the application to get rid of the ambiguity, Hadley says. So users should be prepared for possible work on their applications.
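As an added illustration, not from the article or any vendor's product, of the reverse-proxy inspection described above and of the forward-slash ambiguity Hadley raises, this Python sketch terminates a request, checks it against a constructed route policy, and masks card and Social Security numbers in the proxied response; the route table, the regular expressions and the upstream function are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed policy: the proxy forwards only requests whose method and
# decoded path match a known application route (an assumed route table).
ALLOWED_ROUTES = {
    ("GET", "/accounts/lookup"),
    ("POST", "/accounts/update"),
}

# Assumed patterns for the sensitive data the article mentions: a U.S.
# Social Security number and a 13- to 16-digit card number with optional
# space or hyphen separators.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")


def inspect_request(method, raw_target):
    """Decide whether the terminated client request may be forwarded.
    Returns (forward, reason). The target is percent-decoded first so the
    check sees what the application server would see."""
    parts = urlsplit(raw_target)
    path = unquote(parts.path)
    # Hadley's ambiguity: a field value carrying a forward slash (literal or
    # encoded) is indistinguishable from a path separator once decoded, so
    # the proxy refuses it rather than forwarding it unexamined.
    if "/" in unquote(parts.query):
        return False, "ambiguous: path separator inside a query value"
    if (method, path) not in ALLOWED_ROUTES:
        return False, "route not in application policy"
    return True, "ok"


def mask_response(body):
    """Mask SSNs and card numbers in the server response before it is
    proxied back to the client; card numbers keep their last four digits."""
    body = SSN_RE.sub("***-**-****", body)
    return CARD_RE.sub(lambda m: "*" * (len(m.group(0)) - 4) + m.group(0)[-4:], body)


def proxy(method, raw_target, upstream):
    """Simulate the proxied exchange: inspect the client request, and only if
    it passes open a separate request to the server (the assumed `upstream`
    callable) and mask its reply. Returns (status, body)."""
    ok, reason = inspect_request(method, raw_target)
    if not ok:
        return 403, "blocked by application firewall: " + reason
    return 200, mask_response(upstream(method, raw_target))
```

A request that trips the slash check is the case Hadley describes: the fix is to rewrite the application so the field no longer uses a character that doubles as a URL delimiter, not to open the firewall to it.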

Hadley recommends setting up a test environment to run applications through before they are deployed to identify and remedy such glitches.

Whiteley says this type of complexity may push some customers to deem application firewalls too complex to deploy, especially if their applications aren't critical to the business.

As vendors carry out their plans to integrate application firewalls in the same device with application switches and create software tools to make them easier to configure, more business customers will use them, Whiteley says. "It will hit mainstream adoption in another nine to 12 months," he says.
