Application Firewall Reality Check
The web application firewall (WAF) market has exploded recently. As companies transfer more and more of their critical business applications to the web, application-layer attacks are becoming more sophisticated and prolific. These attacks are not easily prevented with network firewalls and intrusion prevention systems alone, leaving important and vulnerable web applications exposed to the "wild west" of the Internet.
Enter the web application firewall, a specialized class of security devices that target the application layer exclusively. The industry has produced a large number of such products that range widely in complexity, technology, and cost. When implemented and maintained correctly, application firewalls provide some specific security advantages. Unfortunately, there is an overwhelming tendency by vendors to market these products as silver bullets for securing web applications from top to bottom. In this respect, these products can never fully live up to the marketing hype. Although WAF products can provide better application-level protection than network firewalls or intrusion prevention systems, they only allow an organization to treat the symptoms of application vulnerabilities, leaving the underlying problem to fester.
Application vulnerabilities are the result of code that does not implement security practices correctly. The correct way to address these flaws is to rewrite the application code so that it enforces critical security practices such as access control, session management, authentication, and data validation. An application firewall cannot fix the problem in the code; it can only stand in front of it. In this respect, application firewalls should never be used as a substitute for secure development practices.
While application firewalls don't fix the problem, they can defend against several kinds of attacks aimed at exploiting software with known security issues, and therefore reduce the exposure of those flaws. Ideally, the flaws would be resolved. But in many real-world environments, the right solution is not always an option. For example, a company using third-party software may not have the option of fixing the true cause of identified vulnerabilities. Likewise, a company seeking to retrofit an application with security restrictions may need an interim solution if the changes will take a long time to implement. Finally, some companies simply prefer having an additional layer of security in front of highly sensitive web applications and are willing to pay for the added protection.
Application firewalls can provide a valuable layer of defense if used appropriately and within their means. If you are thinking of employing a web application firewall to limit application security risk, be aware of the limitations of this technology. Here are a few important points to offset the silver-bullet marketing slicks.
WAF devices reduce risk exposure, but do not fix flaws. It may seem like a semantic difference, but when possible it is always better to close a security hole than to coordinate a scheme to compensate for it. Remember that WAF products are effective at reducing the exposure of vulnerabilities in an application, but do not remove the vulnerability itself. An organization's security strategy should include applying code fixes and patches to address the problems at their source. When a WAF is used this way, as a compensating control for a flaw that is also scheduled to be fixed, nobody is left with the false assumption that the risk has been eliminated.
WAF products create increased maintenance costs. Every web application is different. A request that must be allowed for one application to function properly may constitute an attack against another. WAF devices must therefore be customized to each individual application, and in many cases this customization is time and labor intensive. Furthermore, the WAF must be reconfigured whenever the application is updated, both to ensure that new vulnerabilities are not exposed and to ensure that new functionality is not blocked. This creates a continual maintenance cost for companies employing a WAF device, and it should be included in the estimated total cost of ownership for any WAF solution.
A WAF cannot prevent 100% of attacks. Web application firewalls are relatively good at preventing common, simplistic attacks. This helps protect the application against automated tools and deters easily frustrated attackers. But because a WAF must make all its decisions without access to the application logic, it will never be able to identify attacks with 100% certainty. Depending on how it is configured, the device will tend to either block some valid application functionality or allow some attacks to get through. This could create risk to the application or present a usability issue.
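The two points above, per-application tuning and the block-valid-traffic versus let-attacks-through tradeoff, can be made concrete with a toy rule evaluator. This is an added illustration, not code from the article or from any WAF product: the rule set, the `AppPolicy` class, the `/posts` and `/comments` paths, and the forum request are all constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-in for a WAF's default signature set. Real products ship
# far larger rule sets; these three are placeholders for illustration only.
GENERIC_RULES = {
    "sqli-keywords": re.compile(r"\b(union\s+select|select\s+\w+\s+from|drop\s+table)\b", re.I),
    "xss-script-tag": re.compile(r"<\s*script\b", re.I),
    "path-traversal": re.compile(r"\.\./"),
}

@dataclass
class AppPolicy:
    """Per-application tuning: which rule ids are switched off on which paths."""
    name: str
    exemptions: dict = field(default_factory=dict)  # {path: {rule_id, ...}}

def inspect(policy: AppPolicy, path: str, params: dict) -> tuple:
    """Return ("block", rule_id) on the first matching rule, else ("allow", None).
    The WAF sees only the HTTP surface; it cannot tell whether a parameter
    reaches a SQL query, a template, or a plain text column in the database."""
    exempt_here = policy.exemptions.get(path, set())
    for rule_id, pattern in GENERIC_RULES.items():
        if rule_id in exempt_here:
            continue
        if any(pattern.search(value) for value in params.values()):
            return ("block", rule_id)
    return ("allow", None)

# Constructed request: a forum post on a SQL tutorial site. Legitimate content
# for that application, but indistinguishable from an injection attempt to a WAF.
TUTORIAL_POST = ("/posts", {"title": "Joins explained",
                            "body": "Run SELECT name FROM users to list accounts."})

untuned = AppPolicy("sql-forum (default rules)")
tuned = AppPolicy("sql-forum (tuned)", {"/posts": {"sqli-keywords"}})

def verdicts() -> dict:
    """The same request in the three situations the article describes."""
    return {
        # False positive: the default rules block valid functionality.
        "default_rules": inspect(untuned, *TUTORIAL_POST),
        # Tuned: allowed, but /posts now relies entirely on the application's
        # own input handling; the WAF no longer reduces exposure on that path.
        "tuned_rules": inspect(tuned, *TUTORIAL_POST),
        # Application update adds /comments; the exemption does not carry over,
        # so the new feature is blocked until someone revisits the policy.
        "after_app_update": inspect(tuned, "/comments", {"text": TUTORIAL_POST[1]["body"]}),
    }
```

Every exemption added to make the application work is a path on which the WAF has stopped helping, which is why the article insists the flaw itself still has to be fixed.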
Identifying the drawbacks as well as the benefits of any solution is an important step toward making an informed decision. The marketing for web application firewall products is full of reasons you should buy them. By also keeping the limitations of the solution in mind, you will be better equipped to decide whether a web application firewall is the right choice for your enterprise.
Written by Tom Stripling and the Security PS Application Security team.
Article content copyright Security PS 2011 and may not be reproduced without permission.