WebApp Sec mailing list archives
Re: web application security products (AKA application firewalls)
From: Jason Childers <childers_j () yahoo com>
Date: Fri, 22 Nov 2002 10:24:32 -0800 (PST)
Yes, there are good ones, as well as bad ones. Having been a Principal Engineer working alongside the CTO at Butterfly Security, we were developing one called CodeSeeker which, due to unfortunate market and economic conditions, we were unable to continue developing commercially. We recently decided to release it under the GPL to the OWASP project for people just like you! :) CodeSeeker, and I'm a bit biased, is actually the best on the market! ;)

There are things you need to watch out for though in this new technology niche:

(1) Appliance vs. software product... The appliance market is growing and a lot of appliance makers view web application firewall technology as a great service offering as part of their appliance's core service. Some problems with using this technology as an appliance are that you're adding a single point of failure to your network. If that goes down, your network is now again open and insecure... and what's worse (but maybe not from a security standpoint) inaccessible. The software product allows you to install an instance on each webserver you're trying to protect. This is probably the *best* solution because it scales with your network just as any other server software scales with your system. If it goes down, it doesn't bring down your whole network and is an isolated incident that is easy to troubleshoot. It works within your existing network infrastructure as opposed to requiring you to rethink your network topology as some of the hardware appliance vendors would like you to do.

(2) Try to find one based on open standards. In my view, the more that are based on open standards, the less worried you'll have to be about back doors. Not too long ago there was an instance of a former employee hacking into their employer's WAF (Web Application Firewall)... that can probably happen on any platform, but the holes in open platforms are probably going to get fixed much sooner.

(3) If you choose to go with a software system, make sure it doesn't add ridiculous amounts of load to your server. It's hard to get the algorithm down to a benchmark of < 5% server load... but those that do it should be praised. There are some products out there that don't do this very well... and fortunately CodeSeeker is not a part of this group! We stress tested CodeSeeker and were able to keep our CPU load requirements at just about 4% at heavy load! But Gabriel Lawrence (http://www.owasp.org/codeseeker/) could give you better answers surrounding this... he performed the exact tests and knows the specifics surrounding that statistic.

(4) The WAF should make every attempt to integrate with, and contribute known vulnerabilities back to, the community. It's likely that the true winner in this space is going to be openly compliant with something like the VulnXML project (http://www.owasp.org/vulnxml/) for OWASP, and VulnXML is well on its way to leading this space.

(5) Some tools require you to put them in "learning" mode so they can "understand/recognize" what normal usage of your site is. In my view, that's not a WAF security product... that's a smarter IDS! If your website changes, then you have to put the tool back in learning mode - thereby exposing your website's security and your infrastructure at known, calculable times.

What I think is the most important thing to look for is a solution that actually eases the pain of your security woes... and doesn't make it more complex. You don't want to have to replace a security team with a WAF and then have to hire a team of people in order to understand what the WAF is telling you. The information the WAF is assimilating regarding potential security breaches should be portrayed to the user/SA in a manner they can understand without spending copious amounts of extra time having to become an expert in the security space.

Hope that helps. I'm sure there are many other opinions about this out there. I just have direct professional experience surrounding some of the issues.

Cheers,
-Jason

--- Shimon Silberschlag <shimons () bll co il> wrote:
> What is the group experience with these types of devices? Any good, bad or horror stories about using/maintaining them? Any specific recommendations? I know the charter doesn't really cater for discussion of commercial tools, so please keep answers generic and objective.
>
> Shimon Silberschlag
> +972-3-9352785
> +972-51-207130
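To make point (5) of the post concrete, here is a toy positive-security-model WAF with a "learning" mode. It is an added example written for this archive page, not code from CodeSeeker or from any product discussed in the thread; the request profile it builds (path to set of parameter names) and the constructed sample traffic are assumptions chosen only to show the mechanism. It walks through the lifecycle the post describes: after the site is redeployed with a new page, legitimate traffic is blocked until the operator switches back to learning mode, and during that relearning window every request seen, including an unexpected parameter, is admitted and folded into the "normal" profile.

```python
"""Toy positive-security-model WAF with a learning mode.

Added example, not CodeSeeker or any other product's code. It models the
point made in item (5) of the post: a tool that learns "normal usage" must be
put back into learning mode whenever the site changes, and while it is
learning it admits everything it sees.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit


@dataclass
class LearningWaf:
    # Learned profile (assumed model): request path -> parameter names seen
    # while learning. Requests outside the profile are blocked in enforce mode.
    profile: dict = field(default_factory=dict)
    learning: bool = True
    # Every request admitted during learning ends up in the profile, so an
    # operator should review this list before switching to enforce mode.
    admitted_while_learning: list = field(default_factory=list)

    @staticmethod
    def _parse(url):
        parts = urlsplit(url)
        return parts.path, set(parse_qs(parts.query, keep_blank_values=True))

    def handle(self, url):
        """Return 'allow' or 'block' for one request URL."""
        path, params = self._parse(url)
        if self.learning:
            # Learning mode: record the request as "normal" and let it through.
            self.profile.setdefault(path, set()).update(params)
            self.admitted_while_learning.append(url)
            return "allow"
        known = self.profile.get(path)
        # Enforce mode: unknown path, or a parameter never seen, is blocked.
        if known is None or not params <= known:
            return "block"
        return "allow"

    def enforce(self):
        self.learning = False

    def relearn(self):
        self.learning = True


def demo():
    """Walk the lifecycle described in the post; returns the WAF decisions."""
    waf = LearningWaf()
    # Constructed "normal traffic" observed during the initial learning phase.
    for url in ["/login?user=&pw=", "/search?q=books", "/item?id=42"]:
        waf.handle(url)
    waf.enforce()
    before_change = {
        "normal": waf.handle("/search?q=shoes"),
        "unknown_param": waf.handle("/item?id=42&admin=1"),
    }
    # The site is redeployed with a new page; legitimate traffic is blocked...
    new_page_enforced = waf.handle("/checkout?cart=7")
    # ...so the operator switches back to learning mode. During that window
    # everything is admitted and learned, the unexpected parameter included.
    waf.relearn()
    during_relearn = {
        "new_page": waf.handle("/checkout?cart=7"),
        "unknown_param": waf.handle("/item?id=42&admin=1"),
    }
    waf.enforce()
    # The unexpected parameter is now part of the "normal" profile.
    after_relearn = waf.handle("/item?id=42&admin=1")
    return {
        "before_change": before_change,
        "new_page_enforced": new_page_enforced,
        "during_relearn": during_relearn,
        "after_relearn": after_relearn,
        "learned_during_relearn": list(waf.admitted_while_learning[3:]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `admitted_while_learning` list is the mitigation hook: whatever a real product calls it, the traffic admitted during a relearning window is exactly what an operator has to audit before trusting the new profile, which is the hidden operational cost the post is pointing at.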