Management often has a skewed perception that all is well on the network as long as there’s a firewall. This misconception is only exacerbated by vendor marketing slicks, which promote WAFs as the silver bullet solution -- even as the answer to fulfilling PCI DSS requirements. Realistically, as with any perimeter-centric security device, if WAFs are not properly configured to protect everything that counts -- both externally facing and on the LAN -- they’re likely to create a false sense of security.
WAFs can keep Web-based malware from ever getting a foothold in your environment. They can also keep the bad guys from manually exploiting flaws at Layer 7, which, in turn, can prevent further intrusion into your network. However, there are a number of misgivings about WAFs.
The problem with using Web application firewalls
The most notable issue with WAFs is that they get credit for blocking attacks they do not necessarily even see. WAFs are said to detect attackers using penetration testing tools such as Metasploit to obtain a remote command prompt on an unpatched Web server, or simply downloading and compiling exploit code that triggers a buffer overflow in an instance of OpenSSL. This is not necessarily the case -- especially when the attack is carried out over SSL. A WAF can only inspect what it can decrypt and parse as HTTP: if it is not terminating the SSL session (or does not hold the server's private key), the request passes through it encrypted and uninspected, and an exploit aimed at the SSL library itself happens below the HTTP layer, before there is any request for the WAF to parse.
WAFs can also be misused to cover up known security problems without actually solving them. For instance, I recently came across a situation where someone wanted to deploy a WAF to plug an SQL injection hole. That's fine in the short term, but relying on virtual patching doesn't fix the actual vulnerability: the WAF rule only stops requests that match its pattern, while the injectable query is still in the code for any request that doesn't. In fact, such an approach can lead to a culture of covering up the issues and ignoring bigger security problems in the long term.
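To make that distinction concrete, here is an added example (not code from the article) in Python against an in-memory SQLite database. The blocklist pattern, the sample users table and the two payloads are all constructed for illustration; the regular expression stands in for a WAF virtual patch, which a real product would express in its own rule language.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three users in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


# Hypothetical blocklist in the style of a WAF virtual patch: reject values
# containing the usual injection tokens. Real rule sets are larger, but the
# failure mode is the same: they match text patterns, not what the database
# parser will actually do with the text.
BLOCKLIST = re.compile(r"(?i)(\s+or\s+|\s+and\s+|union\s+select|--|;)")


def virtual_patch_allows(value: str) -> bool:
    """True if the pattern filter lets the value through."""
    return BLOCKLIST.search(value) is None


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The actual bug: user input is concatenated into the SQL statement."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_fixed(conn: sqlite3.Connection, name: str) -> list:
    """The actual fix: the value is bound as a parameter and never parsed as SQL."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def lookup_behind_virtual_patch(conn: sqlite3.Connection, name: str):
    """Vulnerable code left in place, fronted by the pattern filter."""
    if not virtual_patch_allows(name):
        return "blocked"
    return find_user_vulnerable(conn, name)


# Constructed payloads. The first is the textbook injection the rule was
# written against; the second says the same thing using SQL block comments
# in place of the whitespace the rule keys on.
OBVIOUS_PAYLOAD = "' OR 1=1 --"
EVASIVE_PAYLOAD = "'/**/OR/**/1=1/**/OR/**/'"

if __name__ == "__main__":
    db = make_db()
    print("virtual patch, obvious payload:", lookup_behind_virtual_patch(db, OBVIOUS_PAYLOAD))
    print("virtual patch, evasive payload:", lookup_behind_virtual_patch(db, EVASIVE_PAYLOAD))
    print("fixed query, evasive payload:  ", find_user_fixed(db, EVASIVE_PAYLOAD))
    print("fixed query, normal lookup:    ", find_user_fixed(db, "alice"))
```

Note the asymmetry: tightening BLOCKLIST to catch the second payload just invites the next encoding, whereas find_user_fixed is immune to all of them because the value is never part of the statement text. That is what "doesn't fix the actual vulnerability" means in practice.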
Are there alternatives to Web application firewalls?
If you’re contemplating adding a WAF to your environment, consider what you have at your disposal first. Using yet another physical device is likely to add complexity, which is the enemy of security. Many basic firewalls have HTTP inspection built in. Find out if you can simply turn on WAF-like capabilities. I have seen cases where WAF functions are already on and the user just doesn’t know about it. It’s also sometimes possible to add WAF functions as a separate module to an existing firewall.
Measures to take in using Web application firewalls
Simply turning on WAF features will not, by itself, protect the last mile of your network. In order to tune your configuration properly, you've got to clearly understand the platforms on which your Web-based systems are running (including systems that someone else manages and that you may not be privy to). You also have to understand the business logic of your Web applications. Whitelisting and behavior analysis technologies found in certain WAFs are great for creating granular application profiles -- which requests, parameters and value formats each page legitimately accepts -- but the process can be tricky and complex: a profile that is too narrow blocks legitimate users, and one that is too loose blocks nothing.
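As an added illustration of the whitelisting approach (not code from the article or from any WAF product), here is a toy positive-security profile in Python. The endpoints, parameter patterns and sample requests are all constructed for this example; a real WAF expresses the same idea in its own policy format, but the tuning problem it shows is the same.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hypothetical positive-security profile for a small Web application,
# constructed for this example. Each (method, path) maps parameter names to
# the pattern their values must match in full. A real WAF learns or imports
# something equivalent from observed traffic.
PROFILE: Dict[Tuple[str, str], Dict[str, str]] = {
    ("GET", "/search"): {"q": r"[\w ]{1,64}", "page": r"\d{1,3}"},
    ("POST", "/login"): {"user": r"[a-z0-9_.]{3,32}", "pass": r".{8,128}"},
    ("GET", "/account"): {"id": r"\d{1,10}"},
}

# Parameters any profiled endpoint may carry without being listed per page.
GLOBAL_PARAMS: Dict[str, str] = {"_csrf": r"[A-Za-z0-9_-]{16,64}"}


@dataclass
class Request:
    method: str
    path: str
    params: Dict[str, str]


def validate(req: Request, profile=PROFILE) -> Tuple[bool, str]:
    """Allow only what the profile describes; everything else is rejected.

    Returns (allowed, reason). Unlike a blocklist, this needs no knowledge of
    attack syntax: a quote in a search term is rejected simply because the
    profile never permitted one.
    """
    key = (req.method.upper(), req.path)
    if key not in profile:
        return False, f"unknown endpoint {req.method} {req.path}"
    allowed = {**GLOBAL_PARAMS, **profile[key]}
    for name, value in req.params.items():
        if name not in allowed:
            return False, f"unexpected parameter {name!r}"
        if not re.fullmatch(allowed[name], value):
            return False, f"parameter {name!r} does not match profile"
    return True, "ok"


# Constructed traffic, of the kind a tuning session would replay.
SAMPLE_REQUESTS: List[Request] = [
    Request("GET", "/search", {"q": "laptop", "page": "2"}),   # legitimate
    Request("GET", "/search", {"q": "' OR 1=1 --"}),            # injection attempt
    Request("GET", "/account", {"id": "42", "debug": "1"}),     # parameter never profiled
    Request("GET", "/admin/export", {}),                        # endpoint never profiled
    Request("GET", "/search", {"q": "sony a7-iv"}),             # legitimate, but '-' not in profile
]


def classify(requests: List[Request] = SAMPLE_REQUESTS) -> List[Tuple[str, str, bool, str]]:
    """Run every request through the profile and report the verdicts."""
    return [(r.method, r.path) + validate(r) for r in requests]


if __name__ == "__main__":
    for method, path, ok, reason in classify():
        print(f"{'ALLOW' if ok else 'BLOCK':5} {method:4} {path:15} {reason}")
```

The last request is the "tricky and complex" part: a real product name is blocked because the pattern for q is one character too narrow. Widening it to admit a hyphen is harmless, but every such adjustment has to be made by someone who knows the application, and each one is a chance to open the profile further than intended.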
A good way to fine-tune protection is to acquire a Web vulnerability scanner such as Acunetix Web Vulnerability Scanner or WebInspect and set up test cases with and without WAF protection: run the same scan with the WAF in line and with it bypassed, and compare the findings to see what the WAF actually blocks. Treat the unprotected results as the true state of the application; anything the WAF merely hides still needs to be fixed in the code. Once everything is set up, it's best to carry out an all-out Web vulnerability assessment consisting of automated scans and manual analysis.
Overall, it’s important to keep things simple. This may mean using WAF controls in your existing firewall(s), or it could require up-front time playing around with several different vendors’ solutions to see what works best for your style and business needs. It may also mean no WAF at all -- at least for the time being.
About the author
Kevin Beaver is an information security consultant, expert witness and professional speaker with Atlanta-based Principle Logic, LLC. With over 21 years of experience in the industry, Kevin specializes in performing independent security assessments revolving around information risk management. He has authored/co-authored eight books on information security including The Practical Guide to HIPAA Privacy and Security Compliance and the newly-updated Hacking For Dummies, 3rd edition. In addition, he’s the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at www.principlelogic.com and you can follow him on Twitter at @kevinbeaver.
This was first published in February 2011