WebApp Sec mailing list archives
Internal servers, web application firewalls, and learning modes
From: "Dan Lynch" <DLynch () placer ca gov>
Date: Tue, 2 Dec 2008 08:14:25 -0800
Sorry for the long post. My questions are at the end, but first, take a minute to see the hard limitations in our environment.

My organization has no in house specialized web expertise, not in web development, or code audit, or web application vulnerability assessment. None. In the current financial climate we are unable to hire outside experts in the field, and, with no money for training, it's unlikely we'll be able to develop internal expertise in the near term. This is far from optimal, and I know that. But it's also completely out of my control or influence and unlikely to change anytime soon.

We purchase shrink-wrap web-based applications for such narrow niches as probation department case management, or building permit process management, or wastewater treatment facility monitoring. Some of these are fairly complex, consist of multiple web server / application server / database tiers, and large piles of incomprehensible scripts. Some applications hold critical and highly confidential data, such as juvenile court records. As these are generally intended (at first) for internal use only, the servers themselves are mostly on our internal private network, all are Windows servers, and all are domain members. We are frequently locked into weak contracts with the providers of these apps, with little recourse for pursuit of bug-fixes, feature enhancement requests, or mitigation of vulnerabilities. Our RFPs and before-purchase evaluations of products are limited to purely functional aspects of the software, and include no secure coding requirements. These are the simple facts of the environment, and are unlikely to change.

Our user base has recently begun pushing for internet-based access to these web interfaces, for their own employees, and for affiliated partners to access. In some cases there is resistance to recommended topology changes, such as moving web servers into firewall-protected subnets and DMZs. In others, functional requirements prevent it.
In some cases pass-through authentication to the web apps via Active Directory is used. Our Windows server team prefers to keep things simple, using domain accounts for administration, and our internal WSUS and other tools for maintenance. Server hardening has been resisted where there is concern that it could possibly affect function of the app. These facts too are unlikely to change.

As a security team, we are pushing hard to apply what appropriate risk mitigation we can. Often, we're not sure what mitigation is appropriate. At this time the suggestion has been made that a web application firewall will allow us to safely grant access to internal network web servers. In particular, Microsoft ISA Server 2006.

All other things being equal, is a web application firewall an effective way to protect an internal web server from attack? Is ISA Server a useable WAF for an organization with little internal expertise? As I understand ISA as compared to other WAFs, there is no learning capability, and all application layer rules must be manually entered. Can application layer rules be developed for ISA by smart folks with limited HTML/HTTP background? Or are we better off pushing for acquisition of a trainable WAF? Barracuda has been suggested. Or is trainability less important, and we should focus on good attack signatures? We own a good IPS, but it is in listening mode only at this time.

Within the limitations of our environment as outlined above, what recommendations would you make? Thanks for any thoughts.
Current thread:
- Internal servers, web application firewalls, and learning modes Dan Lynch (Dec 02)
- Re: Internal servers, web application firewalls, and learning modes Preston Connors (Dec 02)
- RE: Internal servers, web application firewalls, and learning modes Erwin Geirnaert (Dec 02)
- Re: Internal servers, web application firewalls, and learning modes yelukati mahendra (Dec 02)
- Re: Internal servers, web application firewalls, and learning modes Thomas Wallutis (Dec 03)