FRAMINGHAM (11/05/2003) - Industry statistics show that 80 percent of malicious attacks target Port 80, the Web traffic pass-through. Why, then, does the onus for Web application protection still fall largely on network-layer devices? Web applications clearly need special security.
Firewalls specifically designed to protect Web applications would recognize a hacker's attempt to create a buffer overflow, to inject false SQL or system commands in program variables, or to otherwise manipulate the datastream for ill purposes. Web application firewalls see the breaches that a network-layer firewall (or intrusion-detection system) is not capable of detecting.
Security experts have begun to call the Web application firewall a must-have.
"I would never deploy a Web application today if I haven't deployed a Web application firewall," says Ravi Ganesan, vice chairman of NSD Security, which helps user organizations build secure Web infrastructures.
Training Web developers to build secure applications and conducting initial and periodic vulnerability tests are musts, but they don't suffice. Ganesan equates doing those things but not also deploying a Web application firewall to calling Windows or another operating system secure and throwing out the perimeter firewall. "You'd be crazy," he says.
Ed McNachtan, program manager with the Family and Children First (FCF) office serving Montgomery County, Ohio, can testify to the benefits of Web application firewalls. He discovered them early - four years ago, when FCF used Health Insurance Portability and Accountability Act (HIPAA) draft documents to perform a Gap Analysis of the security architecture it planned to use for interagency communications via the Web. "We found our security plan failed around Web applications, and we needed to make reasonable efforts to block that hole," McNachtan says.
He is using AppShield, a software-based Web application firewall from start-up Sanctum Inc., to protect two particularly complex and politically touchy applications that have taken years to develop. The first, in pilot tests now, is a family violence cross-jurisdictional database application. The second is a collaborative case-management application that will go into pilot tests by year-end. "We have privileged and confidential information that we have to protect, plus HIPAA rules and guidelines to follow," McNachtan says. "I'm married to AppShield. It does a great job."
Other early users likewise are enamored with their Web application firewalls. Speaking of the APS-100 appliance from Teros Inc., another start-up, one user, who asked not to be named, says, "The cool thing is, it actually found a problem with the application itself - the way we were passing URL (uniform resource locator) strings. It debugged our application!"
This network design engineer, who is working on an outsourced state Medicaid claims-processing application, considers the use of a Web application firewall a competitive advantage. "The need to have a (Medicaid claims-processing) application that works is half the story. The other half is that it's secure and reliable, and the Web application firewall is one of the pieces telling that part. This is going to make a huge impact for us (in winning business)," he says.
Other users also see the Web application firewall as a tool for winning business. "The confidence we get having the Web application firewall when a potential customer comes in - we can really go to the bargaining table," says Todd Bowersox, Web operations manager at Agile Software Corp., a product life-cycle management vendor in San Jose, California.
Having a Web application firewall rates big with potential customers in the systems audits Agile undergoes during its sales cycle, Bowersox says. Audits of vendor systems are common among U.S. Food and Drug Administration-regulated medical device manufacturers, one of Agile's target customer bases, he says. "The value that the Teros firewall adds is immeasurable," he says.
Besides a polished image, Agile also gains protection for its Web site and some internal Web applications. A consultant presentation on Port 80 vulnerabilities "lit the flame and got us thinking about and looking into Web application firewalls," Bowersox says. "We didn't want to get caught with our pants down, especially with some of our clients coming in and asking, 'What are you doing about security?'"
Web application firewall vendors are divided into two camps: software and hardware. Software vendors include eEye Digital Security, KaVaDo Inc., MultiNet, Sanctum Inc., Turillion Software and webScurity Inc. Hardware vendors include Permeo Technologies Inc., MagniFire WebSystems Inc., Permeo Teros and Whale Communications Inc.
Thomas Powell, a Web developer who has tested Web application firewalls for the Network World Global Test Alliance, says software-based Web application firewalls are a good choice for those with only one or two servers. Proximity might be an advantage because a software product would reside on the same Web server as the applications it's protecting, Powell says. Software-based products are also relatively inexpensive - with freeware versions even available.
But a hardened Web application firewall becomes almost mandatory for large organizations, he says, citing KaVaDo's InterDo and Sanctum's AppShield as possible exceptions. In Powell's August test of six software-based Web application firewalls, AppShield won our World Class award for its dynamic policy generation and strong default configuration. InterDo came in a strong second because of its "extreme flexibility." Each stood out among the rest "for their ability to defend against attacks." (Powell, who is chief executive officer of Web development firm PINT in San Francisco, will test hardware-based Web application firewalls early next year.)
Besides choosing between hardware and software, users investigating Web application firewalls have to decide whether they want to use whitelisting or blacklisting.
Powell says he favors the more-sophisticated whitelisting approach of mapping an application to determine what requests and inputs are allowable, and then blocking everything else. But he cautions that whitelisting products can require fine-tuning to get that application map correct. "The challenge (with whitelisting) is, unless the site is very well-constructed, it's not possible to have a perfect idea of the application," he says. "If a site is poorly developed, then there's the potential for false positives."
Like anti-virus software, blacklisting products look for common attack signatures and, if found, either warn security managers or block the user. One downside of blacklisting is that unless the signature list is 100 percent up-to-date, bad queries can get through, Powell says. Another is vendor lock-in, he notes. Because those signature files need regular updating, blacklisting tends to keep users engaged with one Web application firewall vendor. Powell recommends limiting blacklisting use to instances where false positives must be avoided.
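The whitelisting-versus-blacklisting trade-off Powell describes can be seen in miniature with two toy request filters. The following is an added example written for this article, not code from any vendor named here: a positive-security filter that only allows requests matching a hand-built application map, beside a signature filter that only blocks requests matching a known-bad list. The application map (APP_MAP), the signature list (SIGNATURES) and the sample requests are all constructed for the illustration; the map deliberately omits one legitimate path to show a whitelist false positive, and the signature list is deliberately incomplete to show a blacklist miss.

```python
# Added example (not from the article or any vendor): a toy whitelist
# ("positive security model") request filter beside a toy blacklist
# ("attack signature") filter, run over constructed sample requests.
import re
from urllib.parse import parse_qs, unquote_plus, urlparse

# Constructed application map: path -> {parameter name: regex the value must
# fully match}. Anything not listed here is rejected by the whitelist.
APP_MAP = {
    "/login": {"user": r"[A-Za-z0-9_]{1,32}", "pw": r".{1,64}"},
    "/account": {"id": r"\d{1,10}"},
    # "/search" is a real page on this constructed site but was never mapped,
    # standing in for Powell's "poorly developed" site: legitimate requests
    # to it become whitelist false positives.
}

# Constructed signature list. Deliberately incomplete: it knows one SQL
# injection shape but not the "UNION ALL SELECT" variant.
SIGNATURES = [
    re.compile(r"union\s+select", re.I),
    re.compile(r"'\s*or\s+'1'\s*=\s*'1", re.I),
]

# Constructed sample request targets (path plus query string).
REQUESTS = [
    "/login?user=alice&pw=s3cret",          # legitimate, mapped
    "/account?id=42",                       # legitimate, mapped
    "/search?q=firewall",                   # legitimate, but unmapped
    "/account?id=1 UNION SELECT 1,2",       # matches a known signature
    "/account?id=1 UNION ALL SELECT 1,2",   # variant missing from the list
]


def whitelist_allows(request_target):
    """Allow only if the path is mapped and every parameter value fits its rule."""
    url = urlparse(request_target)
    rules = APP_MAP.get(url.path)
    if rules is None:
        return False                       # unknown path: block
    params = parse_qs(url.query, keep_blank_values=True)
    for name, values in params.items():
        pattern = rules.get(name)
        if pattern is None:
            return False                   # unexpected parameter: block
        if not all(re.fullmatch(pattern, v) for v in values):
            return False                   # value outside the allowed shape
    return True


def blacklist_allows(request_target):
    """Allow unless a known signature appears in the decoded request."""
    decoded = unquote_plus(request_target)
    return not any(sig.search(decoded) for sig in SIGNATURES)


def evaluate(requests=None):
    """Return {request: (whitelist_verdict, blacklist_verdict)}; True = allowed."""
    requests = REQUESTS if requests is None else requests
    return {r: (whitelist_allows(r), blacklist_allows(r)) for r in requests}


if __name__ == "__main__":
    print(f"{'request':40} whitelist  blacklist")
    for req, (wl, bl) in evaluate().items():
        print(f"{req:40} {'allow' if wl else 'BLOCK':9}  {'allow' if bl else 'BLOCK'}")
```

Run as a script, the table shows the two failure modes side by side: the whitelist blocks the unmapped but harmless /search request (the false positive that comes from an imperfect application map), while the blacklist lets the "UNION ALL SELECT" variant through (the miss that comes from a signature list that is not fully up to date) yet the whitelist still rejects it because the value is not a plain integer.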
Igniting the market
Early users of whitelisting firewalls say that the application-learning process hasn't been perfect. But users interviewed for this story say their vendors excel at problem resolution and customer service - a start-up's fortes. In fact, while Web applications themselves are hardly new, their growing importance has created a hotbed of start-up activity. No fewer than two-dozen known start-ups are addressing the Web application protection problem.
Of course, established network vendors aren't letting newcomers walk into this market unchallenged. Check Point Software Technologies Ltd., Cisco Systems Inc., NetScreen Technologies Inc., Nokia Corp. and Symantec Corp. are among the security vendors enhancing their platforms with more intelligent assessment of application traffic. Meanwhile, F5 Networks Inc., Nortel Networks Ltd. and Radware Ltd. are claiming Web application security as a function of their content switches.
But there's also a whole crop of other start-ups crafting more multipurpose platforms of which Web application protection is but one function. Vendors of this ilk include Nauticus Networks Inc., NetContinuum Inc., Neoteris Inc. and Permeo. The idea of imbuing familiar security devices with application-layer protection has its user appeal.
INFO1, the fourth largest mortgage credit reporting provider in the U.S., plans to use Check Point Next Generation with Application Intelligence for Web application protection, says Jim Noble, director of network and security at the Norcross, Georgia, company. INFO1 began offering Web access to credit reports four years ago. "We started using Check Point prior to September 1999 to protect our networks and systems," he says, "and that's one of the reasons we're going with AI today. It's the next functional upgrade."
Noble says he's very comfortable with the enhanced network-layer firewall instead of a purpose-built Web application firewall. "Our Web is fairly well-protected, and I'm confident that we've mitigated 98 percent to 99 percent of risks," he says. "Is it worth our energy to get the last 1 percent? No, not in a business sense."
No matter which platform choice they make, extended enterprises must address the question of Web application protection, and soon, security experts summarize. "You've got to have a Web application firewall," says Richard Stiennon, an analyst at Gartner Inc. "New e-commerce services will just be too vulnerable without something like that."
And most industry watchers say cost shouldn't be a prohibitor for large corporations. "You're probably looking at a five-figure investment (for a hardened Web application firewall), so there's no reason not to have something," says Eric Ogren, analyst at The Yankee Group. Yankee recommends doubling up on your Web application firewalls for high availability, placing an investment at about US$50,000, or $25,000 per firewall.
"Considering we're talking about devices meant to secure your way of doing business, it's easy to justify a $25,000 investment," Stiennon says. "My advice is: Buy a Web application-specific firewall today and install it in front of all your Web servers as soon as you can."