Secure Web Apps Through Firewalls

PCQ Bureau

Web applications are at the heart of businesses today due to numerous advantages: improved efficiencies, cost reduction and more. However, their security becomes an issue of paramount importance. Applications are vulnerable to theft of sensitive data such as account numbers, personal information, corporate data and financial records. A crucial security measure to prevent such theft is the deployment of a Web Application Firewall (WAF).

Direct Hit!

Applies To: IT managers
Price: NA
USP: Learn to protect web apps from intrusion attacks
Primary Link: www.owasp.org/index.php/Web_Application_Firewall
Keywords: web application firewall


A Web Application Firewall can be either software or hardware appliance based, and acts as a security layer protecting the web server from intrusion or attacks. It works at OSI layer 7 and checks all requests and responses within the HTTP/HTTPS/SOAP/XML-RPC/Web Service layers. The primary purpose of this firewall is to restrict access to the ports and services that an administrator wants to protect. Common attacks include Cross-site Scripting (XSS) and SQL Injection. In cross-site scripting, malicious code is injected into the website, generally in the form of a browser script. When this script executes in the end user's browser, it can access cookies, session tokens and other sensitive information retained by the browser. Similarly, in an SQL Injection attack the attacker can read sensitive data from the database and modify it.

To prevent such attacks, a firewall should validate all headers, cookies, query strings and hidden fields, without hampering the active content in any way. Network firewalls that operate at layer 3 are not capable of preventing these attacks. Some of you may be wondering whether employing SSL would ensure that data is safe; however, SSL protects data during transmission, not at the end points. One advantage of a WAF is that the application's source code need not be modified. A WAF can be based on a negative or a positive model. The negative model works by pattern matching requests against an existing database of attack signatures, so timely signature updates from the vendor are an important criterion. In the positive model, the WAF checks for any irregular behaviour that does not fit the regular traffic pattern. Security policies are enforced at a granular level by building a model of legitimate user interactions, so that unwanted traffic not adhering to the policies is blocked. This model gives the administrator the flexibility to define rules according to the needs of the application.

How to Choose the Right WAF

A WAF should be able to protect the maximum number of servers. Its implementation should also not introduce any lag or delay in data throughput, as that would degrade the user experience.



Some of the common threats that should be guarded against are:

1. Cookie tampering
2. HTML header tampering
3. Forceful browsing
4. User session tampering
5. Hidden field manipulation
6. Buffer overflow attempts


Advanced solutions are being built which have an intelligent inbuilt engine
that can build new rules according to ongoing monitoring of web activities.
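The negative and positive models described above, and the cookie and hidden field threats in the list, can be made concrete with a small request inspector. The code below is an added example written for this article, not code from any WAF product on the page; the signature patterns, the policy for the hypothetical shop application and the sample requests are all constructed for illustration. It shows why the two models complement each other: the signature database catches the classic XSS and SQL injection strings, but only the positive model notices an extra hidden `price` field or a `role` cookie the application never issued, because no signature describes them.

```python
import re
from typing import Dict, List

# Constructed signature database for the NEGATIVE model. A real WAF loads
# thousands of vendor-supplied patterns; these few are illustrative only.
ATTACK_SIGNATURES = {
    "xss-script-tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "xss-event-handler": re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),
    "sqli-tautology": re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.IGNORECASE),
    "sqli-union-select": re.compile(r"\bunion\b.{0,20}\bselect\b", re.IGNORECASE),
}

# Constructed POSITIVE policy for a hypothetical shop application: every
# parameter the application legitimately uses and the shape its value may take.
# A field that is not listed, or whose value does not match, is a violation.
POSITIVE_POLICY = {
    "query":   {"id": re.compile(r"\d{1,9}"), "q": re.compile(r"[\w ]{1,40}")},
    "hidden":  {"product_id": re.compile(r"\d{1,9}")},
    "cookies": {"session": re.compile(r"[0-9a-f]{32}")},
}

Request = Dict[str, Dict[str, str]]


def negative_model(request: Request) -> List[str]:
    """Signature matching: report every pattern that fires on any field."""
    hits = []
    for section in ("headers", "cookies", "query", "hidden"):
        for name, value in request.get(section, {}).items():
            for sig_name, pattern in ATTACK_SIGNATURES.items():
                if pattern.search(value):
                    hits.append(f"{section}.{name}:{sig_name}")
    return hits


def positive_model(request: Request, policy=POSITIVE_POLICY) -> List[str]:
    """Allowlist matching: report fields that are unknown or malformed."""
    violations = []
    for section, allowed in policy.items():
        for name, value in request.get(section, {}).items():
            pattern = allowed.get(name)
            if pattern is None:
                violations.append(f"{section}.{name}:unknown-field")
            elif not pattern.fullmatch(value):
                violations.append(f"{section}.{name}:policy-mismatch")
    return violations


def inspect(request: Request) -> Dict[str, object]:
    """Run both models; the request is blocked if either objects."""
    signatures = negative_model(request)
    violations = positive_model(request)
    return {"blocked": bool(signatures or violations),
            "signatures": signatures, "violations": violations}


# Constructed sample requests (headers, cookies, query string, hidden fields).
BASE_HEADERS = {"Host": "shop.example.test", "User-Agent": "Mozilla/5.0"}
BENIGN = {"headers": BASE_HEADERS, "cookies": {"session": "a" * 32},
          "query": {"id": "42", "q": "blue shoes"}, "hidden": {"product_id": "42"}}
SQLI = {"headers": BASE_HEADERS, "cookies": {"session": "a" * 32},
        "query": {"id": "1' OR '1'='1"}, "hidden": {"product_id": "42"}}
XSS = {"headers": BASE_HEADERS, "cookies": {"session": "a" * 32},
       "query": {"q": "<script>alert(1)</script>"}}
# Hidden field manipulation: an extra 'price' field that no signature flags.
HIDDEN_TAMPER = {"headers": BASE_HEADERS, "cookies": {"session": "a" * 32},
                 "query": {"id": "42"}, "hidden": {"product_id": "42", "price": "0.01"}}
# Cookie tampering: a 'role' cookie the application never issues.
COOKIE_TAMPER = {"headers": BASE_HEADERS,
                 "cookies": {"session": "a" * 32, "role": "admin"}, "query": {"id": "42"}}

if __name__ == "__main__":
    for label, req in [("benign", BENIGN), ("sqli", SQLI), ("xss", XSS),
                       ("hidden-tamper", HIDDEN_TAMPER), ("cookie-tamper", COOKIE_TAMPER)]:
        print(label, inspect(req))
```

The positive policy is the part an administrator has to maintain per application, which is the "granular" rule definition the text refers to; the signature list is the part that depends on vendor updates.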








A WAF can be implemented as an appliance based solution or as server side software. In the case of a server side solution, the software has to be installed on each server and configured separately. This process is time consuming, but it saves on hardware costs. However, if the software crashes, the server will also have to be shut down. An appliance based WAF takes less time to deploy: a single appliance can protect multiple servers once it has been configured. Also, if the appliance fails it will not bring down the server with it, and traffic can be re-routed quickly.

WAF deployment

The deployment depends on whether the product is distributed as server side code or as an appliance, and on the requirements of the enterprise. Another important point to remember is the user friendliness of the interface and the reports generated by the software; these help an administrator keep a closer watch on web activities. Let's look at some of the popular WAFs available:

Profense WAF

This is a feature rich web application firewall which comes with load balancing and web acceleration capabilities. It can be implemented as a filtering gateway to validate requests to a web server. Profense also provides protection against CSRF (Cross Site Request Forgery) and session hijacking attacks through validation with cryptographic tokens. The firewall uses web server isolation and cloaking techniques to protect a web server, i.e. no direct requests reach the original web server; the firewall only forwards HTTP/HTTPS requests to the back-end servers. From the responses sent by the back-end servers, the firewall also removes information such as the web server version and OS details before sending them to the client, as attackers often use this information to perform targeted attacks. Another unique feature of Profense is 'HTTP header compliance checking', of which there are two types: strict header compliance and pragmatic HTTP header compliance checking. In strict mode, the firewall validates all requests coming from clients against a list of valid HTTP headers; this helps prevent attacks that aim to exploit web app vulnerabilities. Pragmatic compliance uses a much lighter access policy than the strict method and allows non-standard headers to pass through.


Profense supports both positive and negative security models. The positive security model protects against unknown threats by defining only the allowed requests and blocking everything else, whereas the negative security model can be used along with the positive model as it provides protection against known attacks through signature matching.

Profense protects web apps by creating a virtual proxy for the web server and forwards only the required part of the requests to the web server.
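Three of the Profense features described above, header compliance checking in strict and pragmatic modes, cloaking of back-end response headers, and cryptographic tokens that bind a form to its session, can be sketched in a few functions. This is an added example written for this article and is not Profense's code; the header allowlist, the fingerprint header set, the token format (random nonce plus an HMAC over session and nonce) and the sample headers are all constructed assumptions.

```python
import hashlib
import hmac
import re
import secrets
from typing import Dict, List

# Constructed subset of registered request headers that STRICT mode accepts;
# PRAGMATIC mode skips this list and only enforces the syntactic rules.
STANDARD_REQUEST_HEADERS = {
    "host", "user-agent", "accept", "accept-language", "accept-encoding",
    "content-type", "content-length", "cookie", "referer", "origin",
    "connection", "authorization", "if-modified-since", "if-none-match",
}
# Syntactic rules both modes enforce: token characters in the name, no control
# characters (in particular no CR/LF, which would allow header injection) in the value.
HEADER_NAME = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")
HEADER_VALUE = re.compile(r"^[\t\x20-\x7e\x80-\xff]*$")


def check_header_compliance(headers: Dict[str, str], mode: str) -> List[str]:
    """Return a list of problems; an empty list means the request may pass."""
    problems = []
    for name, value in headers.items():
        if not HEADER_NAME.match(name) or not HEADER_VALUE.match(value):
            problems.append(f"{name}: malformed")
        elif mode == "strict" and name.lower() not in STANDARD_REQUEST_HEADERS:
            problems.append(f"{name}: non-standard header rejected in strict mode")
    if not any(n.lower() == "host" for n in headers):
        problems.append("Host: missing")
    return problems


# Response headers that fingerprint the back-end; stripped before the client sees them.
FINGERPRINT_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}


def cloak_response(headers: Dict[str, str]) -> Dict[str, str]:
    """Drop headers that reveal web server, OS or framework details."""
    return {n: v for n, v in headers.items() if n.lower() not in FINGERPRINT_HEADERS}


def make_csrf_token(secret: bytes, session_id: str) -> str:
    """Token = random nonce + HMAC over (session, nonce); unforgeable without the secret."""
    nonce = secrets.token_hex(8)
    mac = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(secret: bytes, session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


# Constructed samples.
SECRET = b"constructed-demo-secret-do-not-reuse"
NORMAL_HEADERS = {"Host": "app.example.test", "User-Agent": "Mozilla/5.0",
                  "Accept": "text/html", "X-Custom-Tracking": "abc123"}
INJECTED_HEADERS = {"Host": "app.example.test",
                    "X-Note": "hello\r\nSet-Cookie: injected=1"}
BACKEND_RESPONSE = {"Content-Type": "text/html", "Server": "Apache/2.2 (Unix)",
                    "X-Powered-By": "PHP/5.2", "Content-Length": "1234"}

if __name__ == "__main__":
    print(check_header_compliance(NORMAL_HEADERS, "pragmatic"))   # []
    print(check_header_compliance(NORMAL_HEADERS, "strict"))      # X-Custom-Tracking rejected
    print(check_header_compliance(INJECTED_HEADERS, "pragmatic")) # X-Note malformed in any mode
    print(cloak_response(BACKEND_RESPONSE))
    tok = make_csrf_token(SECRET, "session-A")
    print(verify_csrf_token(SECRET, "session-A", tok), verify_csrf_token(SECRET, "session-B", tok))
```

The token check is what makes a forged or replayed form submission from another session fail: the MAC is keyed to the session identifier, so a token minted for one session does not verify for another, and a token with a single altered character does not verify at all.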

Profense can be downloaded from http://www.armorlogic.com/download_software.html. Currently it's available as a CD ISO image and in virtual appliance format. We booted the machine with the ISO image and found that it automatically formats the hard drive and installs the Profense web app firewall on it. During installation it asked for IP addresses for the network interface. Once installed, Profense can be accessed through its web management interface. Initial configuration is easy; it first asks the user to define a virtual proxy for the original web server. Its web interface also has tools to test network connectivity, take backups, reboot the firewall, etc.


Modsecurity

A feature rich open source web application firewall, it's available as a hardware appliance and also as free software. It can act as a reverse proxy or as an embedded Apache module. Like most WAFs, Modsecurity continuously monitors HTTP traffic to detect attacks. It can also operate as a web intrusion detection tool. One useful feature of Modsecurity is that it makes full HTTP traffic logging possible, i.e. it logs everything from request to response. This helps in detecting attacks which are carried out through POST requests. It also supports the negative and positive security models.

WebKnight

This open source web application firewall is meant for the IIS web server. It is basically an ISAPI filter, which secures web applications by blocking certain requests. It scans all incoming requests and validates them based on filter rules. By default, it comes with security filters for SQL injection, buffer overflow, directory traversal, etc. Configuring WebKnight is simple; it asks for the features you would like to enable, such as late scanning, scan secure, non-secure ports, etc. Similarly, for incident handling, it allows users to configure whether the firewall should immediately respond to the client with its default message or redirect the user to another URL. It also allows users to configure request limits, authentication, robots, headers, cookies, etc. In WebKnight, you can easily customize how the firewall should behave and set the frequency for detecting attacks on the web server.

WebWall

Of all the firewalls we tested in our Lab, this was the easiest to set up and configure. It has a wizard driven configuration interface where you need to provide information about your domain name, web server IP address, web server listening port and public listening port. Next, it asks you to choose a security level; by default it supports three levels: low, normal and high. You can also customize your security level configuration. Once you have chosen the security level, click on Finish. On WebWall's main interface, click on 'start webwall firewall service' on the menu bar to start WebWall.

Webapp.secure

Webapp.secure is a web application firewall that can be deployed on any web server. It is available for Windows 2000/XP, Linux, FreeBSD, Solaris and QNX. It uses an MMC compliant graphical user interface for configuring, starting/stopping and other related activities. Multiple instances of this application can be used to protect multiple IP-based virtual websites on the same server. Each instance runs as a separate service with its own configuration, and its properties are logically grouped for easy access. A user can define policies for HTML content, such as the use of wildcard characters for entry points, and in certain cases an entry point is made available through an encrypted connection only. Similarly, policies for non-HTML content, such as access to images, can also be defined.

This application provides real-time attack notifications. The user has the option to choose from three alert mechanisms, i.e. email, HTTP and network notification. Most other configuration, such as the maximum number of simultaneous connections, keep-alive timeout, hiding the server identity, etc., can also be done. One important feature is application manipulation protection, which includes checks like HTML form field validation, cookie validation and others. It also reports the nature of attacks, whether form field tampering, buffer overload, cookie tampering or others.

Piyush Dhingra and Swapnil Arora
