Secure Web Apps Through Firewalls

Web applications are at the heart of businesses today due to numerous
advantages: improved efficiencies, cost reduction and more. However, their
security becomes an issue of paramount importance. Applications are vulnerable
to theft of sensitive data such as account numbers, personal information,
corporate data and financial records. A crucial security measure to prevent such
theft is through the deployment of a Web Application Firewall (WAF).

Web Application Firewall can either be software or hardware appliance based
and acts as a security layer protecting the web server from intrusion or
attacks. It works at OSI layer 7 and checks all requests and responses within
the HTTP/HTTPS/SOAP/XML-RPC/Web Service layers. The primary purpose of this
firewall is to restrict access to ports, services that an administrator would
want to protect. Common attacks include Cross-site Scripting (XSS) and SQL
Injection. In cross-site scripting a malicious code is injected into the website
generally in the form of a browser script. When this script gets executed on the
browser of the end user, it can access cookies, session tokens and other
sensitive information retained by the browser. Similarly in an SQL Injection
attack the attacker can access sensitive data from the database and modify it.
In order to prevent such attacks, a firewall should perform validation of all
headers, cookies, query strings and hidden fields. The validation should not
hamper the active content in any way. Network firewalls that operate at layer 3
are not capable of preventing these attacks. Some of you must be wondering that
employing an SSL would ensure that data is safe. However, SSL protects data
during transmission but not at the end points. A good thing about WAF is that
the source code need not be modified. It can be negative or positive model
based. The negative model works by checking for attack signatures from an
existing database of signatures, by performing pattern matching. In this case,
the update for signatures from the vendor is an important criterion. As a
positive model, the WAF checks for any irregular behavior that does not fit into
the regular traffic pattern. The security policies are enforced at the granular
level by building a model in such a manner that user interactions and the
unwanted traffic not adhering to policies is blocked. This model provides the
flexibility to the administrator to define rules according to the needs of the
application.

WAF can be implemented as an appliance based solution or as server side
software. In case of a server side solution, the software has to be installed on
each server and configured separately. This process is time consuming but one
can save costs on hardware. However, if the software crashes then the server
will also have to be shut down. When WAF is implemented as an appliance based
solution it consumes less time for deployment. A single appliance can protect
multiple servers after it has been configured. Also, in case the appliance
fails, it will not bring down the server with it and traffic can be re-routed
quickly.

WAF deployment

The deployment depends on whether the product is distributed as server side code
or as an appliance. It also depends on the requirements of the enterprise.
Another important point to remember is the user friendly interface and the
reports generated by the software. These will help an administrator to keep a
closer look on web activities. Let's look at some of the popular WAFs available:

Profense WAF

This is a feature rich web application firewall which comes with Load balancing
and web acceleration capabilities. It can be implemented as a filtering gateway
to validate requests to a web server. Profense also provides protection against
CSRF (Cross Site Request Forgery) and session hijacking attacks with the use of
validation through cryptographic tokens. The firewall uses web server isolation
and cloaking techniques to protect a web server, ie no direct requests are sent
to the original web server, it only forwards HTTP/HTTPS requests to the back-end
servers. Also from the responses sent from the backend servers, firewall removes
information such as the web server version, details of OS etc, before sending
responses to the client; as attackers often use this information to perform
targeted attacks. Another unique feature present in Profense is 'HTTP header
compliance checking, ' where you have two types of compliance checking, strict
header compliance and pragmatic HTTP headers compliance checking. In Strict
header, the firewall validates all requests coming from clients against a valid
list of HTTP headers; this helps to prevent attacks that aim to exploit web app
vulnerabilities. However, pragmatic compliance uses much lighter access policy
as compared to the Strict method, and allows non-standard headers to pass
through.

Profense web firewall supports both positive as well as negative security
models. The Positive security model protects against unknown threats by
determining only allowed requests and blocks everything else, whereas the
Negative security model can be used along with Positive model as it provides
protection against known attacks through signature matching.

Profense protects web apps by creating a virtual proxy for the web server and forwards only the required part of the requests to the web server.

Profense can be downloaded from http://www.armorlogic.com/download_software.html.
Currently it's available in a CD ISO image and virtual appliance format. We
booted the machine with the ISO image and found that the machine automatically
formats the hard drive and installs Profense web app firewall on it. During
installation it asked for IP addresses for network interface. Once installed,
Profense can be accessed through its web management interface. Initial
configuration of is easy and it first asks the user to define virtual proxy for
the original web server. Its web interface also has tools to test network
connectivity, take backups, reboot firewall, etc.

Modsecurity

A feature rich open source Web application firewall, it's available as a
hardware appliance and also as free software. It can act as a reverse proxy or
as an embedded Apache module. Just like most of the WAFs, Modsecurity
continuously monitors HTTP traffic to detect attacks. It can also operate as web
intrusion detection tool. One useful feature about Modsecurity is that it makes
HTTP Traffic logging possible, ie it logs everything from request to response.
This helps in detecting attacks which are carried through POST requests. It also
uses the Negative and Positive security model.

WebKnight

This open source Web application firewall is meant for the IIS web server. It is
basically an ISAPI filter, which secures web applications by blocking certain
requests. It scans all incoming requests and validates them based on filter
rules. By default, it comes with security filters for SQL injection, Buffer
overflow, directory traversal, etc. Configuring WebKnight is simple; it asks for
features you would like to enable, such as late scanning, scan secure,
non-secure ports, etc. Similarly, while doing incident handling, it allows users
to configure if the firewall should immediately respond to the client with its
default message or redirect the user to another URL. It also allows users to
configure request limits, authentication, robots, headers, cookies, etc.

In WebKnight, you can easily customize how the firewall should behave and set the frequency for detecting attacks on the web server.

WebWall

Of all the firewalls we tested in our Lab, this was the most easy to setup and
configure. It has a wizard driven configuration interface where you need to
provide information about your domain name, Web Server IP Address, web server
listening port and public listening port. Next, it asks you to choose security
levels; by default it supports 3 levels: low, normal and high. You can also
customize your security level configuration. Once you have chosen the security
levels, click on finish. On webwall's main interface, click on 'start webwall
firewall service' on the menu bar to start the webwall.

Webapp.secure

Webapp.secure is a web application firewall that can be deployed on any web
server. it is available for Windows 2000/XP, Linux, FreeBSD, Solaris and QNX. It
uses MMC compliant graphical user interface for configuring, staring/stopping
and other related activities. Multiple instances of this application can be used
to protect multiple IP-based virtual websites on the same server. Each instance
runs as a separate service with its own configuration and its properties are
logically grouped for easy access. A user can define policies for HTML content
like usage of wildcard characters for entry points and in certain cases the
entry point is available through an encrypted connection only. Similarly
policies for non-HTML content can also be defined such as providing access to
images.

This application provides real-time attack notifications. The user has the
option to choose from three alert mechanisms i.e. email, HTTP and network
notification. Most other configurations such as the maximum number of
simultaneous connections, keep-alive-timeout, hide server identity, etc can be
done. One important feature is the application manipulation protection which
includes checks like HTML form field validation, cookie validation and others.
It also informs about the nature of attacks, whether they are form field
tampering, buffer overload, cookie tampering or others.

Piyush Dhingra and Swapnil Arora