IDS mailing list archives

Re: IDS vs Application Proxy Firewall


From: "Arian J. Evans" <arian.evans () anachronic com>
Date: Wed, 22 Oct 2008 17:16:58 -0700

Detailed breakdown inline:

On Wed, Oct 22, 2008 at 11:05 AM, Zow Terry Brugger <zow () acm org> wrote:
Given. Still, it works at the application layer, otherwise it is a
cunningly-renamed stateful firewall which performs deep inspection.

Absolutely, which I think underscores the point I was driving at, but
never actually said, which is that the difference between the devices
is primarily that of what network layer it's operating at. As with any
network devices, as the field advances, we're going to see this line blur.

Actually, no. I do not think you will see this line blur quickly based
upon how the vendors are behaving today.

When you say "application proxy" I will speak here specifically to
"Web Application Firewalls" aka WAFs since I've created several
and I know these best (vs. reverse proxies like Bluecoat which do
not do any deep inspection, but rather do simple URL filtering
and URL pattern matching).

Today's WAFs have features that are different by KIND and not
DEGREE from IDS, IPS, and stateful inspection firewalls.
This includes Checkpoint's "application intelligence" or whatever
other marketing bullet points vendors put on the box.

The top WAFs today have the ability to reassemble and keep
track of the notion of a *session* within the application.

None of the other inspection widgets do this today. They
simply reassemble TCP, then (if) HTTP. Some only look
at the HTTP request headers (McAfee's Intrushield IPS
used to do this). Some look at the HTTP request and the
response. None of the IDS/IPS look at them in pairs.

Many WAFs can operate both inline (IPS style) or passive
monitoring (IDS style) using TCP resets if wanted as well.

So to provide concrete examples -- let's start by picking
on Intrushield -- one of many examples how McAfee does
not take web application security seriously. When they first
started claiming "Web Application Security" WAF-features
in their IPS they had *two* checks for SQL Injection:

* / UNION SELECT
and some other lame, obvious string, and it appeared that
they only looked for it in the URI.

- Cisco was similarly URI limited, though they have a full
new WAF product out in the field today.

By comparison the top Web Application Firewalls have
very extensive blacklists of dangerous SQL strings
and metacharacters to match on and block.

- ISS/IBM recently advertised on the feature list for
the Proventia IPS that it stopped SQL injection, XSS
and even Phishing (!) believe it or not.

We actually called this out on the WASC list
(webappsec.org) and the product manager dropped
by, apologized, said marketing got overzealous and
that the feature list would be reality-grounded.

I've talked directly with Marty Roesch about this too,
specifically as to Sourcefire's interest in addressing
the problem with web application security. I'm sure
he's around here so I'll let him reply for himself. :)

The bottom line is none of the IDS/IPS vendors
today see a meaningful market for building WAF
features into their products, so instead most (like
Checkpoint and ISS) appear to be waging a simple
marketing war by just adding bullet points saying
"me too" without actually providing protections.

(Sad waste, too. The market appears to be finally
taking off as we speak. Asia has been hammered
with SQL injection bots and is ripe for WAFs, for example)

The dedicated WAFs are IDS and IPS-like in spirit,
but have evolved a lot in the last 7 years to have
fairly sophisticated features. Most of them are still
fairly immature in terms of performance, which I
think is due to lack of adoption until now, but 2008
has seen a huge increase in WAF purchases which
is forcing the best to mature.

At the top today you have Breach, F5, and Imperva.
And Imperva tends to overhype and market vaporware,
and has been kicked out of at least one of their
largest case-study accounts just recently, so that
doesn't leave many vendor options.

(I'm leaving out the Citrix/Teros product because
I hear nothing but dissatisfaction from product
owners these days; they have been kicked out
of every account I know of that they went into,
and I'm not sure if someone is drunk at the rudder
over there or what but they don't seem committed
to the product space)

There are a bunch of other 2nd and 3rd tier WAF
type options but I don't think they are worth the time
of day IMO.

This is what today's WAFs do:
+ blacklist
+ whitelist
+ auto-learn *magic elf inside* (TM)
+ APIs to take external vuln data
+ stateful HTTP session awareness
+ some limited semantic protections

Today's WAFs are long on Blacklists, and also
have policy-based Whitelisting. The latter is
often combined with their auto-learning engines
wherein magic elves inside configure the policy
for you. It all sounds cool.

The Whitelist approach rarely works, especially
with the auto-learning, in the real world unless
the application is static in nature.

So you are left with session protections (like
replacing session tokens/cookies with an
encrypted token placeholder, and enforcing
URL access in a session to only those links
that you've been handed in your session) and
essentially the bulk of what you get is
string-matching for all the syntax attacks.
( == blacklists)

By default they do not do well with semantic
attacks (say skipping an auth form, or weak
password reset questions, or even changing
an account number in a wire transfer) though
they all say they do, and honestly some of
the semantic issues should be easy for them.

The most evolved vendors have an API to
take in external data to create targeted
blocking-matches, so you can find your
own semantic issues and tell the WAF
where they are, and it can protect them.

This approach shows promise, especially
with legacy code and deprecated applications.

The traditional IDS/IPS market could easily
ramp up and challenge them on blacklists,
but I think the cost (performance) of session
tracking and protection, not to mention parsing
all the required elements like javascript to
find dynamically assembled links, will be
quite a challenge for them.

I think semantic issues will stay outside
of the realm of what the network IDS/IPS
folks deal with for the foreseeable future.
(but this is just a guess)

Nobody in mainstream commercial WAF-land
is doing anything behavioral like the NBAD
realm of IDS. (Lancope, Mazu, Arbor)

This in fact was the focus of three of my
WAF projects, and both Parageis and
Razorwire proxy (based upon Mark Belles'
framework) included sophisticated
behavior concepts for human vs.
non-human and bad-human detection.

Anyway, that said, the behavioral realm
is begging to be explored more. I'm surprised
none of the vendors have touched it. It
seems so promising.

For example we statistically analyzed
input and found we could even flag and
drop syntax attacks with a high degree
of accuracy in Latin Unicode and US ASCII
charsets simply by degrees of standard
deviation comparing ratios of metacharacters
to alphanums or valid charsets for a field.

I'm not sure how broadly approaches
like this will work, but they have significant
promise and bear further investigation.

This probably goes too far beyond the
scope of your question so I will end this
didactic diatribe for now unless you want more.

ciao

-- 
Arian J. Evans.
Software. Security. Stuff.

ps -- unsure if this will make the list. Security
Focus has randomly blocked me from some
lists but not others, and I have been unable
to get the SF list-server admins to respond
to email about this for almost TWO YEARS
now for some reason.

This is probably why no one in the world
uses their webappsec list any more. For
questions about WAFs or HTTP security
stuff the best lists are to be found at WASC
(webappsec.org) and OWASP (owasp.org).
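The metacharacter-ratio idea from the message above (flagging a field value whose ratio of metacharacters to alphanumerics sits several standard deviations from that field's normal traffic), worked through as an added example; this is not code from the original post or from any of the WAF products it names. The "username" baseline values, the threshold of 3 sigma and the stdev floor are constructed assumptions.

```python
"""Per-field metacharacter-ratio anomaly check (constructed example)."""
import statistics
from dataclasses import dataclass


@dataclass
class FieldBaseline:
    mean: float   # mean metachar ratio seen in clean traffic for this field
    stdev: float  # population stdev of that ratio (floored, see learn_baseline)


def metachar_ratio(value: str) -> float:
    """Fraction of non-whitespace characters that are neither letters nor digits.
    str.isalnum() is Unicode-aware, so Latin letters such as 'é' count as
    alphanumerics rather than metacharacters, as the post describes."""
    chars = [c for c in value if not c.isspace()]
    if not chars:
        return 0.0
    meta = sum(1 for c in chars if not c.isalnum())
    return meta / len(chars)


def learn_baseline(good_values, min_stdev=0.02) -> FieldBaseline:
    """Learn mean/stdev of the ratio from known-good samples for one field.
    A field whose clean values never vary gives stdev 0 and would flag every
    deviation; the floor (assumed value) keeps the z-score finite."""
    ratios = [metachar_ratio(v) for v in good_values]
    mean = statistics.fmean(ratios)
    stdev = statistics.pstdev(ratios) if len(ratios) > 1 else 0.0
    return FieldBaseline(mean, max(stdev, min_stdev))


def zscore(value: str, baseline: FieldBaseline) -> float:
    return (metachar_ratio(value) - baseline.mean) / baseline.stdev


def is_anomalous(value: str, baseline: FieldBaseline, threshold=3.0) -> bool:
    # One-sided: only an excess of metacharacters is suspicious for a text field.
    return zscore(value, baseline) > threshold


# Constructed clean samples for a "username" field; mixes ASCII and Latin Unicode.
USERNAME_GOOD = ["alice", "bob_smith", "carol.jones", "dave99", "émilie", "o'neil"]
USERNAME_BASELINE = learn_baseline(USERNAME_GOOD)


def demo():
    """Return the constructed request values the check would flag."""
    requests = ["mary-ann", "józef_k", "' OR 1=1 --"]
    return [v for v in requests if is_anomalous(v, USERNAME_BASELINE)]


if __name__ == "__main__":
    print(demo())
```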


