WebApp Sec mailing list archives

Internal servers, web application firewalls, and learning modes


From: "Dan Lynch" <DLynch () placer ca gov>
Date: Tue, 2 Dec 2008 08:14:25 -0800

Sorry for the long post. My questions are at the end, but first, take a
minute to see the hard limitations in our environment.

My organization has no in house specialized web expertise, not in web
development, or code audit, or web application vulnerability assessment.
None. In the current financial climate we are unable to hire outside
experts in the field, and, with no money for training, it's unlikely
we'll be able to develop internal expertise in the near term. 

This is far from optimal, and I know that. But it's also completely out
of my control or influence and unlikely to change anytime soon.

We purchase shrink-wrap web-based applications for such narrow niches as
probation department case management, or building permit process
management, or wastewater treatment facility monitoring. Some of these
are fairly complex, consist of multiple web server / application server
/ database tiers, and large piles of incomprehensible scripts. Some
applications hold critical and highly confidential data, such as
juvenile court records. 

As these are generally intended (at first) for internal use only, the
servers themselves are mostly on our internal private network, all are
Windows servers, and all are domain members. 

We are frequently locked into weak contracts with the providers of these
apps, with little recourse for pursuit of bug-fixes, feature enhancement
requests, or mitigation of vulnerabilities. Our RFPs and before-purchase
evaluations of products are limited to purely functional aspects of the
software, and include no secure coding requirements.

These are the simple facts of the environment, and are unlikely to
change.

Our user base has recently begun pushing for internet-based access to
these web interfaces, for their own employees, and for affiliated
partners to access. In some cases there is resistance to recommended
topology changes, such as moving web servers into firewall-protected
subnets and DMZs. In others, functional requirements prevent it. In some
cases pass-through authentication to the web apps via Active Directory
is used. Our Windows server team prefers to keep things simple, using
domain accounts for administration, and our internal WSUS and other
tools for maintenance. Server hardening has been resisted where there is
concern that it could possibly affect function of the app.

These facts too are unlikely to change.

As a security team, we are pushing hard to apply what appropriate risk
mitigation we can. Often, we're not sure what mitigation is appropriate.
At this time the suggestion has been made that a web application
firewall will allow us to safely grant access to internal network web
servers. In particular, Microsoft ISA Server 2006.

All other things being equal, is a web application firewall an effective
way to protect an internal web server from attack? Is ISA Server a
usable WAF for an organization with little internal expertise? As I
understand ISA as compared to other WAFs, there is no learning
capability, and all application layer rules must be manually entered.
Can application layer rules be developed for ISA by smart folks with
limited HTML/HTTP background? Or are we better off pushing for
acquisition of a trainable WAF? Barracuda has been suggested. Or is
trainability less important, and we should focus on good attack
signatures? We own a good IPS, but it is in listening mode only at this
time. 

Within the limitations of our environment as outlined above, what
recommendations would you make?

Thanks for any thoughts.
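The post contrasts two WAF approaches: manually entered application-layer rules (a negative security model built from attack signatures, as described for ISA Server) and a "learning mode" that profiles normal traffic and blocks deviations (a positive security model, as offered by trainable WAFs). The following is an added illustration written for this archive page, not code from the poster or from any WAF product. It is a toy in Python: a handful of constructed signatures, a profile learner that records which parameters each path accepts and whether they were always numeric and how long they were, and a small constructed sample of training traffic for a hypothetical case-management application. It shows the trade-off the poster is asking about: the learned profile catches a request that no signature matches, but it also flags a perfectly legitimate new page after an application update, which is exactly the retraining burden a thinly staffed team would have to budget for.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Negative security model: hand-written signatures. These three are
# deliberately simple, constructed examples of the kind of rule an
# administrator would type into a signature-based WAF by hand.
SIGNATURES = {
    "sqli_tautology": re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I),
    "xss_script_tag": re.compile(r"<\s*script", re.I),
    "path_traversal": re.compile(r"\.\./"),
}


def signature_check(url):
    """Return the names of every signature that matches the raw URL."""
    return [name for name, rx in SIGNATURES.items() if rx.search(url)]


# Positive security model: a per-path profile learned from observed traffic.
class LearnedProfile:
    def __init__(self):
        # path -> {param name -> {"max_len": int, "numeric": bool}}
        self.paths = {}

    def learn(self, url):
        """Learning mode: widen the profile so that this request is allowed."""
        parts = urlsplit(url)
        params = self.paths.setdefault(parts.path, {})
        for name, values in parse_qs(parts.query, keep_blank_values=True).items():
            for v in values:
                p = params.setdefault(name, {"max_len": 0, "numeric": True})
                p["max_len"] = max(p["max_len"], len(v))
                p["numeric"] = p["numeric"] and v.isdigit()

    def check(self, url):
        """Enforcement mode: list every way the request deviates from the profile."""
        parts = urlsplit(url)
        if parts.path not in self.paths:
            return ["unknown_path"]
        params = self.paths[parts.path]
        violations = []
        for name, values in parse_qs(parts.query, keep_blank_values=True).items():
            if name not in params:
                violations.append(f"unknown_param:{name}")
                continue
            for v in values:
                if len(v) > params[name]["max_len"]:
                    violations.append(f"too_long:{name}")
                if params[name]["numeric"] and not v.isdigit():
                    violations.append(f"not_numeric:{name}")
        return violations


# Constructed training traffic for a hypothetical case-management app.
TRAINING_REQUESTS = [
    "/case/view?id=1042",
    "/case/view?id=77",
    "/case/search?name=smith&year=2008",
    "/case/search?name=o'neil&year=1999",
]


def build_profile(training=TRAINING_REQUESTS):
    """Run the learning phase over the sample traffic and return the profile."""
    profile = LearnedProfile()
    for url in training:
        profile.learn(url)
    return profile


def evaluate(profile, url):
    """Run both models over one request and report what each would flag."""
    return {"signatures": signature_check(url), "profile": profile.check(url)}


if __name__ == "__main__":
    profile = build_profile()
    probes = [
        "/case/view?id=1042",               # normal traffic: both models quiet
        "/case/view?id=1042' or 1=1--",     # caught by a signature and by the profile
        "/case/view?id=1042&debug=1",       # no signature; only the profile notices
        "/case/export?id=5",                # new page after an app update: false positive
    ]
    for url in probes:
        print(f"{url:35} -> {evaluate(profile, url)}")
```

The fourth probe is the operational point: a signature-only WAF stays silent on a legitimate new page, while a learned profile blocks it until someone re-runs learning mode or adds the path by hand. Whichever model is chosen, someone on the team must own the rule set or the profile and revisit it on every application update.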
