IDS mailing list archives
Re: IDS vs Application Proxy Firewall
From: "Arian J. Evans" <arian.evans () anachronic com>
Date: Wed, 22 Oct 2008 17:16:58 -0700
Detailed breakdown inline: On Wed, Oct 22, 2008 at 11:05 AM, Zow Terry Brugger <zow () acm org> wrote:
> > Given. Still, it works at the application layer, otherwise it is a
> > cunningly-renamed stateful firewall which performs deep inspection.
>
> Absolutely, which I think underscores the point I was driving at, but
> never actually said, which is that the difference between the devices
> is primarily that of what network layer it's operating at. As with any
> network devices, as the field advances, we're going to see this line
> blur.
Actually, no. I do not think you will see this line blur quickly based upon how the vendors are behaving today.

When you say "application proxy" I will speak here specifically to "Web Application Firewalls" aka WAFs since I've created several and I know these best (vs. reverse proxies like Bluecoat which do not do any deep inspection, but rather do simple URL filtering and URL pattern matching).

Today's WAFs have features that are different by KIND and not DEGREE from IDS, IPS, and stateful inspection firewalls. This includes Checkpoint's "application intelligence" or whatever other marketing bullet points vendors put on the box.

The top WAFs today have the ability to reassemble and keep track of the notion of a *session* within the application. None of the other inspection widgets do this today. They simply reassemble TCP, then (if) HTTP. Some only look at the HTTP request headers (McAfee's Intrushield IPS used to do this). Some look at the HTTP request and the response. None of the IDS/IPS look at them in pairs.

Many WAFs can operate both inline (IPS style) or passive monitoring (IDS style) using TCP resets if wanted as well.

So to provide concrete examples -- let's start by picking on Intrushield -- one of many examples of how McAfee does not take web application security seriously. When they first started claiming "Web Application Security" WAF-features in their IPS they had *two* checks for SQL Injection: * / UNION SELECT and some other lame, obvious string, and it appeared that they only looked for it in the URI.

- Cisco was similarly URI limited, though they have a full new WAF product out in the field today. By comparison the top Web Application Firewalls have very extensive blacklists of dangerous SQL strings and metacharacters to match on and block.

- ISS/IBM recently advertised on the feature list for the Proventia IPS that it stopped SQL injection, XSS and even Phishing (!) believe it or not.
We actually called this out on the WASC list (webappsec.org) and the product manager dropped by, apologized, said marketing got overzealous and that the feature list would be reality-grounded.

I've talked directly with Marty Roesch about this too, specifically as to Sourcefire's interest in addressing the problem with web application security. I'm sure he's around here so I'll let him reply for himself. :)

The bottom line is none of the IDS/IPS vendors today see a meaningful market for building WAF features into their products, so instead most (like Checkpoint and ISS) appear to be waging a simple marketing war by just adding bullet points saying "me too" without actually providing protections.

(Sad waste, too. The market appears to be finally taking off as we speak. Asia has been hammered with SQL injection bots and is ripe for WAFs, for example)

The dedicated WAFs are IDS and IPS-like in spirit, but have evolved a lot in the last 7 years to have fairly sophisticated features. Most of them are still fairly immature in terms of performance, which I think is due to lack of adoption until now, but 2008 has seen a huge increase in WAF purchases which is forcing the best to mature.

At the top today you have Breach, F5, and Imperva. And Imperva tends to overhype and market vaporware, and has been kicked out of at least one of their largest case-study accounts just recently, so that doesn't leave many vendor options.

(I'm leaving out the Citrix/Teros product because I hear nothing but dissatisfaction from product owners these days; they have been kicked out of every account I know of that they went into, and I'm not sure if someone is drunk at the rudder over there or what but they don't seem committed to the product space)

There are a bunch of other 2nd and 3rd tier WAF type options but I don't think they are worth the time of day IMO.
This is what today's WAFs do:

+ blacklist
+ whitelist
+ auto-learn *magic elf inside* (TM)
+ APIs to take external vuln data
+ stateful HTTP session awareness
+ some limited semantic protections

Today's WAFs are long on Blacklists, and also have policy-based Whitelisting. The latter is often combined with their auto-learning engines wherein magic elves inside configure the policy for you. It all sounds cool.

The Whitelist approach rarely works, especially with the auto-learning, in the real world unless the application is static in nature. So you are left with session protections (like replacing session tokens/cookies with an encrypted token placeholder, and enforcing URL access in a session to only those links that you've been handed in your session) and essentially the bulk of what you get is string-matching for all the syntax attacks. ( == blacklists)

By default they do not do well with semantic attacks (say skipping an auth form, or weak password reset questions, or even changing an account number in a wire transfer) though they all say they do, and honestly some of the semantic issues should be easy for them.

The most evolved vendors have an API to take in external data to create targeted blocking-matches, so you can find your own semantic issues and tell the WAF where they are, and it can protect them. This approach shows promise, especially with legacy code and deprecated applications.

The traditional IDS/IPS market could easily ramp up and challenge them on blacklists, but I think the cost (performance) of session tracking and protection, not to mention parsing all the required elements like javascript to find dynamically assembled links, will be quite a challenge for them. I think semantic issues will stay outside of the realm of what the network IDS/IPS folks deal with for the foreseeable future. (but this is just a guess)

Nobody in mainstream commercial WAF-land is doing anything behavioral like the NBAD realm of IDS.
(Lancope, Mazu, Arbor) This in fact was the focus of three of my WAF projects, and both Parageis and Razorwire proxy (based upon Mark Belles' framework) included sophisticated behavior concepts for human vs. non-human and bad-human detection.

Anyway, that said, the behavioral realm is begging to be explored more. I'm surprised none of the vendors have touched it. It seems so promising.

For example we statistically analyzed input and found we could even flag and drop syntax attacks with a high degree of accuracy in Latin Unicode and US ASCII charsets simply by degrees of standard deviation comparing ratios of metacharacters to alphanums or valid charsets for a field. I'm not sure how broadly approaches like this will work, but they have significant promise and bear further investigation.

This probably goes too far beyond the scope of your question so I will end this didactic diatribe for now unless you want more.

ciao

--
--
Arian J. Evans.
Software. Security. Stuff.

ps -- unsure if this will make the list. Security Focus has randomly blocked me from some lists but not others, and I have been unable to get the SF list-server admins to respond to email about this for almost TWO YEARS now for some reason. This is probably why no one in the world uses their webappsec list any more. For questions about WAFs or HTTP security stuff the best lists are to be found at WASC (webappsec.org) and OWASP (owasp.org).
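The post contrasts the one-or-two-pattern blacklists it saw in early IPS products with the statistical idea it sketches at the end (flag a field value when its ratio of metacharacters to alphanumerics sits several standard deviations above what that field normally carries). The following is an added example, not code from the post and not the Parageis or Razorwire code the author mentions; it puts a deliberately tiny blacklist beside a per-field metacharacter-ratio detector so the two can be run on the same inputs. The field name, the baseline usernames, the test strings and the 3-sigma threshold are all constructed for illustration.

```python
"""Added example (not from the post): two WAF-style input checks side by side.

1. A tiny blacklist of the "UNION SELECT"-only kind the post criticises.
2. A per-field statistical check in the spirit of the behavioural approach
   the post sketches: learn the ratio of metacharacters to alphanumerics
   for a field from known-good samples, then flag values whose ratio sits
   more than N standard deviations above the learned mean.

Field, sample values and the 3-sigma threshold are constructed for illustration.
"""
import re
import statistics
from typing import Dict, Iterable

# Deliberately short blacklist, mirroring the one-or-two-pattern checks the
# post describes in early IPS products.
BLACKLIST = [
    re.compile(r"union\s+select", re.IGNORECASE),
    re.compile(r"<script", re.IGNORECASE),
]

# "Alphanumeric" for ratio purposes: ASCII letters, digits and space.
# Everything else (quotes, slashes, angle brackets, ...) counts as a metacharacter.
ALPHANUM = re.compile(r"[A-Za-z0-9 ]")


def blacklist_match(value: str) -> bool:
    """True if any blacklist pattern occurs anywhere in the value."""
    return any(p.search(value) for p in BLACKLIST)


def metachar_ratio(value: str) -> float:
    """Fraction of characters in value that are metacharacters (0.0 for empty)."""
    if not value:
        return 0.0
    meta = sum(1 for ch in value if not ALPHANUM.match(ch))
    return meta / len(value)


class FieldProfile:
    """Baseline metacharacter ratio for one form field, learned from good traffic."""

    MIN_SD = 0.02  # floor so a perfectly uniform baseline does not flag everything

    def __init__(self, baseline: Iterable[str], threshold_sd: float = 3.0):
        ratios = [metachar_ratio(v) for v in baseline]
        if len(ratios) < 2:
            raise ValueError("need at least two baseline samples")
        self.mean = statistics.mean(ratios)
        self.sd = max(statistics.pstdev(ratios), self.MIN_SD)
        self.threshold_sd = threshold_sd

    def zscore(self, value: str) -> float:
        """How many standard deviations this value's ratio sits above the baseline mean."""
        return (metachar_ratio(value) - self.mean) / self.sd

    def is_anomalous(self, value: str) -> bool:
        return self.zscore(value) > self.threshold_sd


def check(profile: FieldProfile, value: str) -> Dict[str, object]:
    """Run both checks on one submitted value and report each verdict."""
    return {
        "blacklist": blacklist_match(value),
        "statistical": profile.is_anomalous(value),
        "zscore": round(profile.zscore(value), 2),
    }


# Constructed baseline: usernames seen in known-good traffic for a login form.
GOOD_USERNAMES = [
    "alice", "bob42", "carol_smith", "dave.jones", "erin-k",
    "frank", "grace99", "heidi", "ivan", "judy_l",
]

# Constructed test inputs: one normal value and three injection-style strings.
SAMPLES = {
    "mallory_77": "normal username",
    "' OR '1'='1": "no UNION SELECT, so the blacklist misses it",
    "1'/**/UnIoN/**/SeLeCt": "comment-obfuscated, so the whitespace pattern misses it",
    "1 OR 1=1": "few metacharacters, so the ratio check misses it",
}

if __name__ == "__main__":
    profile = FieldProfile(GOOD_USERNAMES)
    print(f"baseline mean={profile.mean:.3f} sd={profile.sd:.3f}")
    for value, note in SAMPLES.items():
        print(f"{value!r:26} {check(profile, value)}  # {note}")
```

The last sample is the caveat the post itself raises about how broadly this works: a value with few metacharacters stays inside the learned band, so the two checks cover different gaps rather than one subsuming the other. In a real deployment the profile would be learned per field from the application's own traffic, and the threshold tuned against the false-positive rate that traffic produces.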