WebApp Sec mailing list archives

Re: web application security products (AKA application firewalls)

From: Jason Childers <childers_j () yahoo com>
Date: Fri, 22 Nov 2002 10:24:32 -0800 (PST)

Yes there are good ones, as well as bad ones.  Having
been a Principal Engineer working alongside the CTO at
Butterfly Security, we were developing one called
CodeSeeker which, due to unfortunate market and
economic conditions, we were unable to continue
developing commercially.  We recently decided to
release it under the GPL to the OWASP project for
people just like you! :)

CodeSeeker, and I'm a bit biased, is actually the best
on the market! ;)  There are things you need to watch
out for though in this new technology niche:

(1) Appliance vs. Software product...

The appliance market is growing and a lot of appliance
makers view web application firewall technology as a
great service offering as part of their appliance's
core service.  One problem with using this
technology as an appliance is that you're adding a
single point of failure to your network.  If that goes
down, your network is now again open and insecure...
and what's worse (but maybe not from a security
standpoint) inaccessible.

The software product allows you to install an instance
on each webserver you're trying to protect.  This is
probably the *best* solution because it scales with
your network just as any other server software scales
with your system.  If it goes down, it doesn't bring
down your whole network; it is an isolated incident
that is easy to troubleshoot.  It works within your
existing network infrastructure as opposed to
requiring you to rethink your network topology as some
of the hardware appliance vendors would like you to
do.

(2) Try and find one based on open standards.  In my
view the more that are based on open standards the
less worried you'll have to be about back doors.  Not
too long ago there was an instance of a former
employee hacking into their employer's WAF (Web
Application Firewall)...  that can probably happen on
any platform, but the holes in open platforms are
probably going to get fixed much sooner.

(3) If you choose to go with a software system, make
sure it doesn't add ridiculous amounts of load to your
server.  It's hard to get the algorithm down to a
benchmark of < 5% server load... but those that do it
should be praised.  There are some products out there
that don't do this very well... and fortunately
CodeSeeker is not a part of this group!  We stress
tested CodeSeeker and were able to keep our CPU load
requirements at just about 4% at heavy load!  But
Gabriel Lawrence (http://www.owasp.org/codeseeker/)
could give you better answers surrounding this... he
performed the exact tests and knows the specifics
surrounding that statistic.

(4) The WAF should make every attempt to integrate
with, and contribute back to the community, known
vulnerabilities.  It's likely that the true winner in
this space is going to be openly compliant with
something like the VulnXML project
(http://www.owasp.org/vulnxml/) for OWASP, and VulnXML
is well on its way to leading this space.

(5) Some tools require you to put them in "learning"
mode so they can "understand/recognize" what normal
usage of your site is.  In my view, that's not a WAF
security product... that's a smarter IDS!  If your
website changes, then you have to put the tool back in
learning mode - thereby exposing your website's
security and your infrastructure at known, calculable
times.

What I think is the most important thing to look for
is a solution that actually eases the pain of your
security woes... and doesn't make them more complex.  You don't want
to have to replace a security team with a WAF and then
have to hire a team of people in order to understand what
the WAF is telling you.  The information the WAF is
assimilating regarding potential security breaches
should be portrayed to the user/SA in a manner they
can understand without spending copious amounts of
extra time having to become an expert in the
security space.

Hope that helps. I'm sure there are many other
opinions about this out there.  I just have direct
professional experience surrounding some of the
issues.

Cheers,
-Jason

--- Shimon Silberschlag <shimons () bll co il> wrote:
What is the group experience with these types of
devices? Any good, bad or horror stories about
using/maintaining them? Any specific recommendations?

I know the charter doesn't really cater for
discussion of commercial tools, so please keep
answers generic and objective.

Shimon Silberschlag

+972-3-9352785
+972-51-207130
