Web application firewalls take on more heat
By Tim Greene, Network World, 12/05/2005
Over the next few months Web application firewall vendors Citrix, F5 Networks, Imperva, NetContinuum and Protegrity will add
features that let their products take on bigger roles in speeding traffic to server farms and better protecting networked
corporate data.
While traditional firewalls have blocked packets effectively at Layer 3 for years, they are proving ineffective against attacks that prey on application
weaknesses. Web application firewalls detect application anomalies and whether sensitive data - such as credit card and Social
Security numbers - is being tapped and can block or mask it.
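The outbound data check the article describes, as an added illustration that is not code from any of the vendors named: a filter scans an HTTP response body for card numbers (validated with the Luhn checksum so plain order ids are left alone) and U.S. Social Security numbers, masks what it finds, and reports counts a WAF would log. The sample body is constructed for the example.

```python
import re

# Constructed sample response body; no real card or SSN data.
SAMPLE_BODY = (
    "Order confirmed for card 4111 1111 1111 1111, "
    "backup card 1234-5678-9012-3456, SSN 123-45-6789. "
    "Reference 9876543210 is an order id, not a card."
)

# 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# NNN-NN-NNNN, the usual printed SSN layout.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; rejects most random digit runs that match CARD_RE."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_card(raw: str) -> str:
    """Return the card masked to its last four digits, or unchanged if not Luhn-valid."""
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_valid(digits):
        return raw
    return "*" * (len(digits) - 4) + digits[-4:]


def inspect_response(body: str):
    """Scan one response body; return (masked_body, counts) for logging."""
    counts = {"card": 0, "ssn": 0}

    def card_sub(m):
        out = mask_card(m.group(0))
        if out != m.group(0):
            counts["card"] += 1
        return out

    def ssn_sub(m):
        counts["ssn"] += 1
        return "***-**-" + m.group(0)[-4:]

    masked = CARD_RE.sub(card_sub, body)
    masked = SSN_RE.sub(ssn_sub, masked)
    return masked, counts
```

Run `inspect_response(SAMPLE_BODY)` to see the valid card and the SSN masked while the Luhn-invalid digit run and the ten-digit order id pass through untouched.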
Many businesses with Web applications get along without Web application firewalls, says Rob Whiteley, an analyst with Forrester
Research. Most protect the traffic with SSL encryption, and some use SSL VPNs to make sure authorized people are connecting
to the Web applications.
But high-stakes financial services businesses, for instance, often turn to these devices, Whiteley says. "Application firewalls
are for those who cannot afford to have anything go wrong. It's not like you're leaving a gaping hole by not having an application
firewall," he says. "It's just giving yourself an extra measure of protection."
Web application firewalls are being integrated with load balancers and application switches that ensure the availability of
Web applications to create products that address accessibility and security at the same time.
"We think the application firewall is going to go away and be replaced by something that is a little more availability- and
assurance-focused," says Andrew Jaquith, a Yankee Group analyst.
Such platforms work to keep servers available to end users and safe from attacks. They also make sure that the traffic moving
in and out of data centers is not compromised, he says.
Stand-alone Web application firewalls examine HTTP and HTTPS traffic at the application layer, looking for attacks that try
to slip by as legitimate application flows. "The products are defending against people that are trying to use malicious attacks
to cause Web sites to disgorge sensitive information or for break-ins," Jaquith says.
Start-ups Teros, MagniFier, Kavado and Sanctum, all bought by others, made these devices. Citrix bought Teros, F5 bought MagniFier,
Protegrity bought Kavado and WatchFire bought Sanctum.
While these vendors approach the problems of accelerating and securing Web application traffic differently, they share a common
spot in the network: in front of application servers. The features they offer can include load balancing traffic among servers,
compression, encryption, reverse proxying of HTTP and HTTPS traffic, checking for application conformance and pooling TCP
sessions.
For its part, Citrix aims to merge its Web application firewall with its application switch, so the device will distribute
traffic to servers and also parse it for application-layer attacks, the company says. This integration is scheduled for the
second quarter of next year, according to the company.
Expect NetContinuum to add software tools next year that make configuring application-security policies easier, says Varun
Nagaraj, CEO at NetContinuum. The company also is considering what role its application gateway might play in identity and
access management, under schemes such as Security Assertion Markup Language, which relies on applications to authenticate
users.
F5 will look to protect XML and SIP traffic to support Web services and VoIP, says Erik Giesa, vice president of product management
and marketing for the company. It also is looking to add WAN-acceleration technology to its platform and to produce a software
developers' kit to encourage the creation of self-securing applications that could block traffic when they discover breaches.
To do this, the application would tie into software governing F5's Big IP application switch to cause a rule change within
Big IP that would block suspect traffic.
Imperva plans to develop auditing and assessment tools that help customers comply with such regulations as the payment-card
industry standard, the Health Insurance Portability and Accountability Act and the Sarbanes-Oxley Act for protecting private
information, says Shlomo Kramer, Imperva CEO.
Protegrity expects to blend its database security gear with the application-protection software it got with Kavado, says Jeannine
Bartlett, vice president of product strategy and development for Protegrity. "Our releases in the coming year are directed
at back-end reporting, statistics, metrics, mapping specific applications to customers' various needs to comply with regulators.
That's what larger corporations are really looking for," she says.