Crankin' up the heat
New Web application firewalls give you the chance to burn Port 80 hackers.
By Beth Schultz, Network World, 11/10/2003
Industry statistics show that 80% of malicious attacks target Port 80, the port that carries Web (HTTP) traffic and that every
perimeter firewall must leave open. Why, then, does the onus for Web application protection still fall largely on network-layer
devices? Web applications clearly need security of their own.
Firewalls designed specifically to protect Web applications recognize a hacker's attempt to trigger a buffer overflow with an
oversized input, to inject SQL or operating-system commands through application parameters, or to otherwise manipulate the
request stream for ill purposes. A network-layer firewall, which passes Port 80 traffic through wholesale, or an intrusion-detection
system that matches packets against known network signatures sees little of this, so the Web application firewall catches
attacks those devices are not built to detect.
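What a Web application firewall actually looks at, as an added example that is not code from the article or from any product it names: a small Python request inspector that applies a hypothetical positive-model policy (per-parameter maximum length and allowed character class for two fictional resources, /search and /login) and a few negative signatures for the SQL and command injection the article describes, run over constructed sample requests. Oversized values are the HTTP-layer shape of a buffer-overflow attempt, so the length limit is checked first.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Hypothetical positive-model policy (an assumption, not any vendor's rule format):
# resource -> parameter -> (maximum length, allowed-value pattern).
POLICY = {
    "/search": {"q": (64, re.compile(r"^[\w .,-]*$"))},
    "/login": {
        "user": (32, re.compile(r"^[A-Za-z0-9_.@-]+$")),
        "pw": (128, re.compile(r"^[^\x00-\x1f]+$")),
    },
}

# Negative signatures for the two injection classes the article names.
SIGNATURES = [
    ("sql-injection", re.compile(
        r"""['"]\s*(?:or|and)\s+['"\w]+\s*=\s*['"\w]+|--\s|;\s*drop\s|union\s+select""", re.I)),
    ("command-injection", re.compile(
        r"[;&|`]\s*(?:cat|ls|sh|bash|cmd|wget|curl|nc)\b|\$\(", re.I)),
]


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, [(name, value), ...]).

    Parameters come from the query string and, for POST, from a form-encoded
    body; parse_qsl percent-decodes them, which is the form an injection
    attempt reaches the application in."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.decode("latin-1").split("\r\n")[0]
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    params = parse_qsl(parts.query, keep_blank_values=True)
    if method == "POST":
        params += parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    return method, unquote(parts.path), params


def inspect_request(raw: bytes):
    """Return ("allow", None) or ("block", reason) for one raw request."""
    _method, path, params = parse_request(raw)
    rules = POLICY.get(path)
    if rules is None:
        return "block", f"unknown resource {path}"
    for name, value in params:
        if name not in rules:
            return "block", f"unexpected parameter {name!r} for {path}"
        max_len, allowed = rules[name]
        # Oversized input is what a buffer-overflow attempt looks like at the HTTP layer.
        if len(value) > max_len:
            return "block", f"{name!r} exceeds {max_len} bytes (possible overflow attempt)"
        for label, pattern in SIGNATURES:
            if pattern.search(value):
                return "block", f"{label} in {name!r}"
        if not allowed.match(value):
            return "block", f"{name!r} contains characters outside its allowed class"
    return "allow", None


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = {
    "benign": b"GET /search?q=family+services HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "sqli": (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
             b"user=admin&pw=%27+or+%271%27%3D%271"),
    "cmdi": b"GET /search?q=foo%3Bcat+%2Fetc%2Fpasswd HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "overflow": b"GET /search?q=" + b"A" * 500 + b" HTTP/1.1\r\nHost: example.test\r\n\r\n",
}


def inspect_all(requests=SAMPLE_REQUESTS):
    """Run every sample through the inspector and return {name: decision}."""
    return {name: inspect_request(raw) for name, raw in requests.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in inspect_all().items():
        print(f"{name:9s} {verdict:5s} {reason or ''}")
```

The positive model does most of the work: an unknown resource, an unexpected parameter or a value outside its declared shape is refused whether or not any signature fires, which is how a device in this position also surfaces application defects such as malformed URL strings. The signatures are illustrative only; a production rule set is far larger and must be tuned against the application's legitimate traffic.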
Security experts have begun to call the Web application firewall a must-have.
"I would never deploy a Web application today if I haven't deployed a Web application firewall," says Ravi Ganesan, vice chairman
of NSD Security, which helps user organizations build secure Web infrastructures.
Training Web developers to build secure applications and conducting initial and periodic vulnerability tests are musts, but
they don't suffice. Ganesan equates doing those things without also deploying a Web application firewall to declaring Windows
or another operating system secure and throwing out the perimeter firewall. "You'd be crazy," he says.
Ed McNachtan, program manager with the Family and Children First (FCF) office serving Montgomery County, Ohio, can testify
to the benefits of Web application firewalls. He discovered them early, four years ago, when FCF used Health Insurance Portability
and Accountability Act (HIPAA) draft documents to perform a gap analysis of the security architecture it planned to use for
interagency communications via the Web. "We found our security plan failed around Web applications, and we needed to make
reasonable efforts to block that hole," McNachtan says.

He is using AppShield, a software-based Web application firewall from start-up Sanctum, to protect two particularly complex
and politically touchy applications that have taken years to develop. The first, in pilot tests now, is a family violence
cross-jurisdictional database application. The second is a collaborative case-management application that will go into pilot
tests by year-end. "We have privileged and confidential information that we have to protect, plus HIPAA rules and guidelines
to follow," McNachtan says. "I'm married to AppShield. It does a great job."
Other early users likewise are enamored with their Web application firewalls. Speaking of the APS-100 appliance from Teros,
another start-up, one user, who asked not to be named, says, "The cool thing is, it actually found a problem with the application
itself - the way we were passing URL strings. It debugged our application!"
This network design engineer, who is working on an outsourced state Medicaid claims-processing application, considers the
use of a Web application firewall a competitive advantage. "The need to have a [Medicaid claims-processing] application that
works is half the story. The other half is that it's secure and reliable, and the Web application firewall is one of the pieces
telling that part. This is going to make a huge impact for us [in winning business]," he says.