
Secure Web Apps Through Firewalls

Do you think your web app is completely secure from attacks such as injection, cross-site scripting and the like? If not, then web application firewalls are for you. Here we look at some of the more popular firewalls available.

Saturday, November 01, 2008


Web applications are at the heart of businesses today because of the advantages they bring: improved efficiency, cost reduction and more. Their security therefore becomes an issue of paramount importance. Applications are vulnerable to theft of sensitive data such as account numbers, personal information, corporate data and financial records. A crucial security measure against such theft is the deployment of a Web Application Firewall (WAF).

Direct Hit!
Applies To: IT managers
Price: NA
USP: Learn to protect web apps from intrusion attacks
Primary Link: www.owasp.org/index.php/Web_Application_Firewall
Keywords: web application firewall

A Web Application Firewall can be either software or a hardware appliance, and acts as a security layer that protects the web server from intrusion and attacks. It works at OSI layer 7 and inspects all requests and responses within the HTTP/HTTPS/SOAP/XML-RPC/Web Service layers. The primary purpose of this firewall is to restrict access to the ports and services that an administrator wants to protect.

Common attacks include Cross-site Scripting (XSS) and SQL Injection. In cross-site scripting, malicious code is injected into the website, generally in the form of a browser script. When this script executes in the end user's browser, it can access cookies, session tokens and other sensitive information retained by the browser. Similarly, in an SQL Injection attack the attacker can read sensitive data from the database and modify it. To prevent such attacks, a firewall should validate all headers, cookies, query strings and hidden fields, without hampering the active content in any way. Network firewalls that operate at layer 3 cannot prevent these attacks. Some readers may assume that employing SSL keeps the data safe; however, SSL protects data during transmission, not at the end points. An advantage of a WAF is that the application's source code need not be modified.

A WAF can be based on a negative or a positive model. The negative model checks traffic against an existing database of attack signatures by pattern matching; here, the vendor's signature updates are an important criterion. In the positive model, the WAF checks for any irregular behaviour that does not fit the regular traffic pattern. Security policies are enforced at a granular level: a model of legitimate user interactions is built, and unwanted traffic that does not adhere to the policies is blocked. This model gives the administrator the flexibility to define rules according to the needs of the application.
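To make the two models concrete, here is an added example, not code from the article or from any of the products it reviews, that applies a small signature set (negative model) and a per-path parameter policy (positive model) to sample requests. The Request class, the signatures, the policy for the /account path, the cookie rule and every sample value are assumptions constructed for illustration; a real product ships a much larger, vendor-updated signature database and learns or imports its policy.

```python
"""Toy illustration of the negative (signature) and positive (policy) WAF models.
Added example; the request format, signatures, policy and samples are all
constructed here and do not come from any real product."""
import re
from dataclasses import dataclass, field


@dataclass
class Request:
    path: str
    params: dict                    # query string and form fields, hidden fields included
    cookies: dict = field(default_factory=dict)


# --- Negative model: block what matches a known-bad signature -------------
# Constructed signatures; real databases are far larger and vendor-updated.
SIGNATURES = {
    "xss_script_tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "sqli_tautology": re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE),
}


def negative_model(req: Request) -> list:
    """Return the names of signatures that matched any parameter or cookie value."""
    hits = []
    for value in list(req.params.values()) + list(req.cookies.values()):
        for name, pattern in SIGNATURES.items():
            if pattern.search(value):
                hits.append(name)
    return hits


# --- Positive model: allow only what the policy describes -------------------
# Constructed per-path policy: each parameter gets an allowed pattern and a
# maximum length. Anything not described here is treated as irregular.
POLICY = {
    "/account": {
        "id": (re.compile(r"^[0-9]{1,10}$"), 10),
        "view": (re.compile(r"^(summary|detail)$"), 7),
    },
}
COOKIE_POLICY = {"session": re.compile(r"^[A-Za-z0-9]{32}$")}


def positive_model(req: Request) -> list:
    """Return the reasons the request deviates from policy (empty list = allowed)."""
    reasons = []
    rules = POLICY.get(req.path)
    if rules is None:
        # A URL the policy never described: the "forceful browsing" case.
        return ["unknown path (forceful browsing)"]
    for name, value in req.params.items():
        if name not in rules:
            reasons.append(f"unexpected parameter {name!r}")
            continue
        pattern, max_len = rules[name]
        if len(value) > max_len or not pattern.fullmatch(value):
            # Covers hidden-field manipulation and over-long (overflow-style) input.
            reasons.append(f"parameter {name!r} violates policy")
    for name, value in req.cookies.items():
        pat = COOKIE_POLICY.get(name)
        if pat is None or not pat.fullmatch(value):
            # Covers cookie tampering.
            reasons.append(f"cookie {name!r} violates policy")
    return reasons


def decide(req: Request) -> str:
    """Combine the models as the article suggests: signatures catch known attacks,
    the policy catches everything that does not fit normal traffic."""
    if negative_model(req):
        return "block:signature"
    if positive_model(req):
        return "block:policy"
    return "allow"


if __name__ == "__main__":
    session = {"session": "a" * 32}          # constructed well-formed session cookie
    samples = [
        Request("/account", {"id": "42", "view": "summary"}, session),
        Request("/account", {"id": "<script>x</script>", "view": "summary"}, session),
        Request("/account", {"id": "42", "view": "admin"}, session),
        Request("/admin", {}, session),
    ]
    for r in samples:
        print(r.path, r.params, "->", decide(r), negative_model(r) or positive_model(r))
```

Run as a script it prints one decision per sample request. Note how the second request is stopped by the signature check while the third and fourth carry no signature at all and are stopped only because they do not fit the policy, which is the point of running the positive model alongside the negative one.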

How to Choose the Right WAF
A WAF should be able to protect the maximum number of servers. Its deployment should also not introduce any lag or delay in data throughput, as that would degrade the user experience.
Some of the common threats that should be guarded against are:
1. Cookie tampering
2. HTML header tampering
3. Forceful browsing
4. User session tampering
5. Hidden field manipulation
6. Buffer overflow attempts
More advanced products include an intelligent engine that builds new rules from ongoing monitoring of web activity.

A WAF can be implemented as an appliance-based solution or as server-side software. With a server-side solution, the software has to be installed and configured separately on each server. This is time consuming, but it saves on hardware costs. However, if the software crashes, the server will also have to be shut down. An appliance-based WAF takes less time to deploy: once configured, a single appliance can protect multiple servers. Also, if the appliance fails, it does not bring the server down with it, and traffic can be re-routed quickly.

WAF deployment
The deployment depends on whether the product is distributed as server-side code or as an appliance, and on the requirements of the enterprise. Another important point is a user-friendly interface and the reports the software generates, which help an administrator keep a closer eye on web activity. Let's look at some of the popular WAFs available:

Profense WAF
This is a feature-rich web application firewall that comes with load balancing and web acceleration capabilities. It can be deployed as a filtering gateway that validates requests to a web server. Profense also protects against CSRF (Cross-Site Request Forgery) and session hijacking attacks by validating requests with cryptographic tokens. The firewall uses web server isolation and cloaking techniques to protect a web server, i.e. no request reaches the original web server directly; the firewall only forwards HTTP/HTTPS requests to the back-end servers. From the responses sent by the back-end servers, the firewall removes information such as the web server version and OS details before sending the responses to the client, since attackers often use this information to mount targeted attacks. Another distinctive feature of Profense is HTTP header compliance checking, which comes in two forms: strict header compliance checking and pragmatic header compliance checking. In strict mode, the firewall validates all requests coming from clients against a list of valid HTTP headers; this helps prevent attacks that aim to exploit web application vulnerabilities. Pragmatic mode applies a much lighter policy than strict mode and allows non-standard headers to pass through.
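The two Profense techniques just described, cloaking of server-identifying response headers and strict versus pragmatic request header compliance checking, as an added example. This is not Profense code; the list of known request headers, the list of identifying response headers, the generic replacement Server value and the sample messages are all constructed assumptions, and the "pragmatic" rule shown here (accept any syntactically valid header name) is one reasonable reading of the lighter policy the article describes, not the product's actual rule.

```python
"""Added example of response-header cloaking and request-header compliance
checking in a reverse-proxy WAF. Header lists and samples are constructed."""
import re

# Constructed subset of standard request header names (RFC 7230/7231);
# a real "valid header" list is considerably longer.
KNOWN_REQUEST_HEADERS = {
    "host", "user-agent", "accept", "accept-language", "accept-encoding",
    "content-type", "content-length", "cookie", "referer", "connection",
    "authorization", "if-modified-since", "cache-control",
}

# Response headers that reveal the server software or platform to a client.
IDENTIFYING_RESPONSE_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}

# RFC 7230 "token" characters, the only ones allowed in a header field name.
TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def check_request_headers(headers: dict, mode: str = "strict") -> list:
    """Return the names of request headers that would be rejected.

    strict:    any header not on the known list is rejected.
    pragmatic: unknown headers are allowed as long as their name is a
               well-formed token; only malformed names are rejected."""
    if mode not in ("strict", "pragmatic"):
        raise ValueError(f"unknown mode {mode!r}")
    rejected = []
    for name in headers:
        lname = name.lower()
        if lname in KNOWN_REQUEST_HEADERS:
            continue
        if mode == "strict" or not TOKEN_RE.fullmatch(lname):
            rejected.append(name)
    return rejected


def cloak_response(headers: dict) -> dict:
    """Return a copy of the response headers with identifying headers removed
    and a generic Server value (constructed) put in their place."""
    cleaned = {k: v for k, v in headers.items()
               if k.lower() not in IDENTIFYING_RESPONSE_HEADERS}
    cleaned["Server"] = "web"
    return cleaned


if __name__ == "__main__":
    # Constructed sample request: one standard header set plus a custom header.
    request = {"Host": "example.test", "User-Agent": "ua", "X-Custom-Debug": "1"}
    print("strict rejects:   ", check_request_headers(request, "strict"))
    print("pragmatic rejects:", check_request_headers(request, "pragmatic"))
    # Constructed sample response from a back-end server, before cloaking.
    response = {"Server": "ExampleHTTPd/1.0 (ExampleOS)",
                "X-Powered-By": "Lang/1.0", "Content-Type": "text/html"}
    print("cloaked response: ", cloak_response(response))
```

The strict check rejects the custom header because it is not on the known list; the pragmatic check lets it through because its name is well formed. The cloaked response keeps the content headers the client needs while dropping the version and platform strings the article warns about.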

Profense supports both the positive and the negative security model. The positive model protects against unknown threats by defining which requests are allowed and blocking everything else, while the negative model can be used alongside it to protect against known attacks through signature matching.

Profense protects web apps by creating a virtual proxy for the web server and forwards only the required part of the requests to the web server.

Profense can be downloaded from http://www.armorlogic.com/download_software.html. It is currently available as a CD ISO image and as a virtual appliance. We booted a machine from the ISO image and found that it automatically formats the hard drive and installs the Profense web application firewall. During installation it asked for IP addresses for the network interface. Once installed, Profense is accessed through its web management interface. Initial configuration is easy; it first asks the user to define a virtual proxy for the original web server. The web interface also has tools to test network connectivity, take backups, reboot the firewall, and so on.

ModSecurity
A feature-rich open source web application firewall, ModSecurity is available as a hardware appliance and also as free software. It can act as a reverse proxy or as an embedded Apache module. Like most WAFs, ModSecurity continuously monitors HTTP traffic to detect attacks, and it can also operate as a web intrusion detection tool. One useful feature is full HTTP traffic logging, i.e. it logs everything from the request to the response, which helps in detecting attacks carried in POST requests. It also supports both the negative and the positive security model.

WebKnight
This open source web application firewall is meant for the IIS web server. It is essentially an ISAPI filter that secures web applications by blocking certain requests: it scans all incoming requests and validates them against filter rules. By default it ships with security filters for SQL injection, buffer overflow, directory traversal and more. Configuring WebKnight is simple; it asks which features you would like to enable, such as late scanning and scanning of secure and non-secure ports. Similarly, for incident handling, it lets you configure whether the firewall should immediately respond to the client with its default message or redirect the user to another URL. It also lets you configure request limits, authentication, robots, headers, cookies and so on.

In WebKnight, you can easily customize how the firewall should behave and set the frequency for detecting attacks on the web server.

WebWall
Of all the firewalls we tested in our Lab, this was the easiest to set up and configure. It has a wizard-driven configuration interface in which you provide your domain name, web server IP address, web server listening port and public listening port. Next, it asks you to choose a security level; by default it supports three levels: low, normal and high. You can also customize your security level configuration. Once you have chosen the security level, click Finish. On WebWall's main interface, click 'start webwall firewall service' on the menu bar to start WebWall.

Webapp.secure
Webapp.secure is a web application firewall that can be deployed on any web server. It is available for Windows 2000/XP, Linux, FreeBSD, Solaris and QNX. It uses an MMC-compliant graphical user interface for configuration, starting/stopping and related activities. Multiple instances of the application can be used to protect multiple IP-based virtual websites on the same server. Each instance runs as a separate service with its own configuration, and its properties are logically grouped for easy access. A user can define policies for HTML content, such as the use of wildcard characters for entry points, and in certain cases an entry point can be made available only through an encrypted connection. Policies for non-HTML content, such as access to images, can be defined in the same way.

This application provides real-time attack notifications. The user can choose from three alert mechanisms: email, HTTP and network notification. Most other settings, such as the maximum number of simultaneous connections, keep-alive timeout and hiding the server identity, can also be configured. One important feature is application manipulation protection, which includes checks such as HTML form field validation and cookie validation. It also reports the nature of each attack, whether form field tampering, buffer overload, cookie tampering or something else.

Piyush Dhingra and Swapnil Arora
