Technology Update
Web application firewalls protect data
By Izhar Bar-Gad
While traditional firewalls address network access control, blocking unauthorized network-level requests, application firewalls address the application layer by enforcing requests within application sessions. An application firewall specifically protects the Web application communication stream and all associated application resources from attacks that happen via the Web protocol.
Application firewalls address browser and HTTP attacks that manipulate application behavior for malicious purposes. These include data attacks, which use special characters or wild cards to change data; logic content attacks, which go after command strings or logic statements; and target attacks, which focus on accounts, files or hosts.
There are two approaches to an application firewall: a positive security model, which enforces positive behavior, and a negative security model, which blocks recognized attacks.
A positive security model enforces positive behavior by learning the application logic and then building a security policy of valid known requests as a user interacts with the application. The approach is as follows:
1. The initial policy contains a list of valid starting pages. The user's initial request must match the starting pages before creating a session policy.
2. The application firewall examines downloaded page requests, including page links, drop-down menus and form fields, and builds a policy of all allowable requests that can be made during the user's session.
3. User requests are verified as valid before being passed to the server. Requests not recognized by the policy are blocked as invalid requests.
4. The session policy is destroyed when the user session terminates. A new policy is created for each new session.
A negative security model blocks recognized attacks by relying on a database of expected attack signatures. The approach is as follows:
1. The policy is created with a set of known attack signatures.
2. There is no downstream page analysis to update the policy.
3. Recognized attacks are blocked, and unknown requests (good or bad) are assumed to be valid and passed to the server for processing.
4. All users share the same static policy.
Application firewalls install between the firewall and the application server, functioning at Layer 7 of the ISO model. All session information, both upstream and downstream, runs through the application firewall. Downstream requests are channeled through the application firewall, and in the case of a positive model, parsing occurs to build the policy. This requires an application firewall to sit in front of a cache server to ensure request validation.
Upstream requests also are channeled through the application firewall, which passes only valid requests through and thereby off-loads bad requests from the server.
Application firewalls understand inbound and outbound session requests. They offer in-line integration with existing applications and are compatible with Web application technologies. They work in real time to address threats before they reach the application.
An application firewall listens on TCP ports 80 and 443, accepts incoming HTTP and HTTPS (Secure HTTP) requests from the client, parses them, associates them with a session (or creates a session if required), and then matches the requests against the policy for that session.
If the request is permitted (that is, the link is allowed), it is forwarded to the Web server. If it is not permitted, it is rejected. The Web server's response arrives at the application firewall, is associated with the same session the request belongs to, and is parsed; the policy update (the new links that are now allowed) is extracted and associated with the session.
If this is the response to the first request, a cryptographic session cookie also is attached to the response to identify the client session in further communications. The application firewall finally forwards the response to the client.
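The four steps of the positive model and the request/response flow just described, as an added Python example that is not Sanctum's code or any product's implementation. It assumes a policy keyed on request paths only (query strings and form field values are not modeled), a per-session allowlist seeded from the starting pages, and a session cookie made of a random id plus an HMAC tag so that an altered cookie fails validation; all names, the signing key and the sample page are constructed for the example.

```python
import hmac
import secrets
from html.parser import HTMLParser

KEY = secrets.token_bytes(32)  # firewall-side key that signs session cookies (constructed)

class LinkExtractor(HTMLParser):  # collects the paths a page offers: anchor hrefs and form actions
    def __init__(self):
        super().__init__()
        self.targets = set()
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        target = a.get("href") if tag == "a" else a.get("action") if tag == "form" else None
        if target:
            self.targets.add(target.split("?")[0])  # policy is keyed on the path only

def mint_cookie():  # session id plus HMAC tag, so an edited or forged cookie is rejected
    sid = secrets.token_hex(8)
    return sid + "." + hmac.new(KEY, sid.encode(), "sha256").hexdigest()

def cookie_valid(cookie):
    sid, _, tag = cookie.partition(".")
    return hmac.compare_digest(tag, hmac.new(KEY, sid.encode(), "sha256").hexdigest())

class PositiveModelFirewall:
    def __init__(self, start_pages):
        self.start_pages = set(start_pages)
        self.sessions = {}  # cookie -> set of paths this session may request

    def check_request(self, path, cookie=None):
        """Steps 1 and 3: returns (allowed, cookie); a request without a live session must hit a start page."""
        if cookie is None or not cookie_valid(cookie) or cookie not in self.sessions:
            if path not in self.start_pages:
                return False, None
            cookie = mint_cookie()
            self.sessions[cookie] = set(self.start_pages)
            return True, cookie
        return path in self.sessions[cookie], cookie

    def learn_response(self, cookie, html):
        """Step 2: parse the downstream page and add the links it offers to the session policy."""
        parser = LinkExtractor()
        parser.feed(html)
        self.sessions[cookie] |= parser.targets

    def end_session(self, cookie):  # step 4: the policy dies with the session
        self.sessions.pop(cookie, None)

SAMPLE_PAGE = '<a href="/account?tab=1">Account</a><form action="/transfer"></form>'  # constructed
```

A first request to /login opens a session and returns the cookie; after learn_response is run over SAMPLE_PAGE, /account and /transfer are accepted for that cookie while /admin, a tampered cookie, or any request after end_session is rejected.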
Bar-Gad is CTO at Sanctum. He can be reached at firstname.lastname@example.org.