WebApp Sec mailing list archives
Re: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of Money?
From: "Ryan Barnett" <rcbarnett () gmail com>
Date: Sat, 12 Jan 2008 17:22:10 -0500
The first comment that would make is that you subject line is assuming a commercial WAF, whereas the are some (such as ModSecurity) which are open source/free options. So, taking the monetary ROI out of the equation, you still have a valid question of what value(s) can you gain by a WAF outside of the block actions. We are kind of stuck with the "firewall" term in this industry and is a shame as it can cause confusion as to what types of security policies and actions are or must be used. WAFs cand be used for many different purposes. Here are a few use cases to consider - 1) To inspect SSL web traffic. Many IDSs/IPSs don't decrypt SSL traffic for various reasons. They have to inspect a wide range of protocols whereas WAFs only have to deal with http (and xml, etc...). Due to the wide use of SSL, essentially all WAFs have the capability to decrypt this traffic. 2) HTTP auditing device There are many scenarios where you need to have better audit logs of the web transaction. Perhaps it is for administrative functions, login pages or credit card purchases. The default logging that most web servers or applications do is pretty bad. Have you ever tried to do incident response and you only had access to the CLF access logs? Good luck. 3) Incident response - trap and trace Another scenario is when you are doing incident response and you want to log everything that a client is doing. You can choose to log all transactions based on items such as source IP, SessionID, etc... Doing this same type of thing (with layer 7 payloads) with a NIDS is much more difficult. 4) Identifying application defects There are many web app vulns that may not manifest themselves until the app is in production. This means that source code analysis may miss it. Since the WAF is physically/logically between the client and app, it can see all inbound and outbound data. It is here where WAFs can identify when there are certain vulnerabilities, coding errors or misconfigurations in the app. Detailed error pages and source code leakages are great examples of this. The main benefit of this is that you can now take that info and provide it back to the web dev teams for remediation. 5) Info Leakage detection There may be sensitive data that is leaving you site that you didn't even know about. CC or Social Security numbers or other types of info may be leaking out. WAFs can help to flag this so that you are aware and can take action. 6) Identifying web vulns/attacks Forgetting about taking a blocking action for a moment, the most important aspect is to fisrt identify the issue. Once identified, then the appropriate remediation can be taken. I believe the web app vuln scanner folks would agree with this :) Hopefully this has shown some other value that WAFs can provide beyond simply blocking. Cheers, Ryan On 1/12/08, B Snake <bsnak3 () gmail com> wrote:
It seems like 90+% of companies that implement WAFs deploy them in listening-only mode and don't do any blocking for fear of false positives cutting off legitimate user activity. I'm new to WAFs and this may be a stupid question, but what security value does a WAF add if it's not doing any blocking of malicious activity? -BSnake
-- Ryan C. Barnett ModSecurity Community Manager Breach Security: Director of Application Security Training Web Application Security Consortium (WASC) Member CIS Apache Benchmark Project Lead SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC Author: Preventing Web Attacks with Apache ------------------------------------------------------------------------- Sponsored by: Watchfire Methodologies & Tools for Web Application Security Assessment With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F -------------------------------------------------------------------------
Current thread:
- Re: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of Money? Ryan Barnett (Jan 13)
- <Possible follow-ups>
- Re: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of Money? Ivan Ristic (Jan 13)
- Re: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of Money? Henry Troup (Jan 14)
- RE: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of Money? Ofer Shezaf (Jan 16)
- Re: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of Money? Henry Troup (Jan 14)
- RE: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of Money? Ofer Shezaf (Jan 13)
- Re: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of Money? Ryan Barnett (Jan 13)
- Re: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of Money? Ryan Barnett (Jan 14)
- RE: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of Money? sankalpa h (Jan 20)