Web Application Firewalls review
- — 01 December, 2011 13:45
Web site targeted attacks have increased over the recent years. Where once it was all about the notoriety, today, a more motivated breed of hackers has emerged.
These individuals are increasingly part of organised crime targeting financial goals, but there are also ideological-driven hackers intent on making a statement, and other who are sponsored by a state or company seeking confidential information.
Many attacks are aimed specifically at web applications - rather than the hardware or operating system beneath. Traditional security technologies such as firewalls and intrusion prevention systems, which often only work at the network level, does not always cover this scenario.
Web Application Firewalls (WAF) are designed to operate at the application layer, controlling the input and output to and from a web site, preventing attacks that are missed by a firewall or intrusion prevention system.
Web Application Firewalls are well suited to protecting web sites where a security fix might otherwise take too long to be implemented. Even if a web site has been developed securely and includes robust protection mechanisms, it is advisable to have this security layer in place.
Apart from protecting web sites from malicious attacks, many WAFs provide additional features such as load balancing, SSL offloading and web acceleration capabilities.
This review considers five Web Application Firewalls. These products broadly represent a snapshot of the current marketplace primarily focusing on the SMB sector. The features and functionality highlighted in this review reflect the main points that a potential WAF customer should consider.
Each was evaluated as close as possible to its out-of-the-box configuration for its fundamental security. Each WAF was set up as per the documentation provided with it.
The focus of this evaluation was to compare each product’s negative-blacklist security model. To test, each WAF was configured to protect a website that had multiple input vectors which were vulnerable to Reflected Cross Site Scripting and SQL injection attacks. The web site was then attacked using predefined, verified, attack-test-cases to assess the capability of the WAF in defending it.
Applicure dotDefender is a software-based Web Application Firewall, which is installed as a web-server plug-in. It works cross-platform, and supports Apache or Microsoft IIS web-servers. It’s also suitable for shared, hosting environments with central management capabilities.
Applicure provides 32-bit and 64-bit binaries for both Windows (2003 and 2008) and Linux (Debian, Generic and RPM-based) operating systems. For testing, we used Debian and Apache as the host platform and web-server.
Installation required executing a setup program, then following several prompts. The only prior knowledge needed is the path of the apache executable and configuration file. The installer programme proceeded to setup and configure the plug-in, including (optionally) making any required changes to the apache configuration file.
After putting the license file in the correct place and restarting the Apache service, dotDefender was successfully up and running.
It should be noted that the default operation mode is protection, which can lead to issues if websites hosted on your web-server have not been previously tested with dotDefender. Typically, dotDefender will operate in monitoring-mode for several days when deployed with a new site. This allows exclusions to be created as needed.
dotDefender relies on multiple security engines for website protection. It uses a pattern recognition engine to detect actions that could indicate an attack, and a session protection engine to deal with session spoofing and DoS attacks. It also ships with a signature database to detect known attacks. Its feature list is boosted by file upload protection, server masking and information leakage engines. Its pattern recognition and signature engine both support custom entries.
The plug-in is managed via a virtual directory, created on the web-server. All security settings can be configured from this interface, including rule updates, global settings, security profile templates and specific policies for the websites being protected. Logs can be viewed directly from this interface. The log viewer displays information related to security events, while changes are made to policies via the administrative interface.
Our vulnerable, test website was configured to use the default security profile template that came with dotDefender. It defaults to protection-mode, actively blocking any detected attack.
dotDefender successfully stopped the majority of our cross-site scripting and SQL attacks. However, users should customise and optimise the software to suit their own environment.
dotDefender doesn’t seem as configurable as some of the other products. For example, its session protection mechanism only has a few settings that can be changed by the administrator. It also has quite basic reporting features, offering only a negative-blacklist, security model.
This apparent lack of options could be viewed either as a positive or as an area needing improvement.
Experienced users might expect more, but many would probably welcome its straightforward configuration and deployment.
Armorlogic Profense Web Application Firewall
The Armorlogic solution is a software product which can be installed on standard hardware or in a virtualised environment. It includes its own hardened operating system, which is based on OpenBSD, and can be installed on bare-metal (no operating system needed). For a quick deployment, Armorlogic also provides a pre-installed virtual appliance for VMware virtualisation products.
Profense operates as a reverse proxy, so traffic for a protected website is re-directed through the Web Application Firewall. It can also be deployed in a high-availability configuration with another Profense system.
Installation is straightforward, the installer only seeks confirmation to wipe the hard-disk, and the IP address used for the network interface(s). After installing the operating system and software it prompts you to reboot to complete setup.
Following the reboot, you connect to a web interface to activate your license and complete some basic configuration. A helpful to-do list is displayed on the main screen, with any steps listed that need to be completed.
Profense supports negative and positive security models. The negative model is signature-based with the capability for creating manual signatures. The positive model uses an adaptive learning mode - as the product learns more about the website, it moves toward a more positive, white-list, security arrangement.
It also boasts technologies to prevent data leakage, check for HTTP header compliance, cloak and isolate web servers, validate sessions, protect against CSRF attacks, and mitigate DoS attacks.
Apart from it security capabilities Profense also offers web-server load-balancing and web acceleration capabilities.
Profense’s interface is clear and to the point. It is divided into two primary sections, an options pane down the left and current activity on the right. The options pane is split into four further sections, Dashboards, Services, System and Help.
The dashboard provides a quick overview of system activity - including graphs. The services section contains actions that configure and manage website proxies, policies and other services offered by the system. The system sections contains actions that pertain to the system itself, such as interface and DNS settings, while the help section contains copies of the admin/user guide and getting started guide.
Deny and access logs can be viewed via a virtual website, which includes options to export in XML or RAW formats. HTML reports can also be generated for logs and the current access policy in use.
Console access is also provided, which enables the administrator to change system settings - this can be done via SSH (if configured) or via a connected monitor and keyboard.
For testing, our vulnerable website was added as a virtual web-server using the default initial configuration template. This includes a protection policy which is signature-based but also has learning mode enabled.
Profense performed well defending against our cross-site, scripting-based attacks. However, it didn't perform so well blocking SQL injection-based attacks. We’d recommend configuring the device further, which may help to improve its effectiveness.
This product has a nice interface which is easy to use and navigate. It has a large feature set and its policies are highly configurable, enabling more experienced administrators to feel in control of the system.
Imperva SecureSphere Web Application Firewall
Imperva’s SecureSphere solution is extremely flexible. It can be deployed as a physical appliance, virtual appliance or as a managed service. It can also be deployed as a transparent bridge or as a reverse proxy, and when deployed out-of-band, it operates as a sniffer, detecting and alerting but not protecting against attacks.
With a second appliance SecureSphere can be deployed as a high availability solution in either active/active or active/passive modes. When configured in bridge mode, the physical appliance interfaces fail-open to deliver fail-over in case of problems.
For testing the solution was deployed as a physical appliance, configured as a transparent bridge. Transparent bridge mode has an advantage because it can be deployed without having to change web-server configuration or domain name records.
After connecting via a serial console to configure credentials and an IP address, we were able to access the appliance via its web interface, completing the installation with minimal fuss.
SecureSphere features a negative security model (based on signatures) as well as a positive security model based on a learning mode which learns application and user behaviour.
Stand out features include ThreatRadar, which uses reputation data to help block malicious IP addresses, botnet attacks, phishing URLs, anonymous proxies and TOR Networks. It also integrates with web application vulnerability scanners to provide virtual patching capabilities. Using signatures, SecureSphere can protect underlying infrastructure by detecting application, web service, server, and network attacks. To increase accuracy SecureSphere also employs a Correlated Attack Validation engine, which analyses data points from other system components.
The web interface is split between two main panels. One across the top contains multiple navigation bars, and one below which takes up most of the interface. The bottom panel displays the current action or tasks being performed.
At any one time there could be three navigation bars shown across the top of the screen, with the bottom navigation bar(s) showing links related to items chosen from its parent bar above. The top navigation bar, which is always displayed, contains links to the Main, Admin, Preferences and Tasks sections plus Logout and Help links.
The Main section, in which an administrator will spend most of their time, contains functions to automatically discover web-servers, to setup and configure websites, create security profiles, view, edit and create policies, generate reports, monitor events and alerts and view ThreatRadar information.
As mentioned earlier, serial console access is provided and SSH access can also be configured.
After configuring the vulnerable website as a protected resource on the appliance, it inherited the default policies assigned to the Data Centre, Server Group, Service and Application objects.
By default, it performed well against our cross-site scripting attack test. It also successfully performed the enviable feat of block all SQL injection-based attacks - right out of the box.
It took a while to become accustomed to its web interface. It seems to be very complicated to use and navigate at first, but over time we came to appreciate it little more. On the technical side, the product has an advanced feature set, for example, its ability to import scans from website vulnerability scanners to help build policies is a great idea. The reporting interface is extremely configurable, including the ability to build completely custom reports.
Astaro Security Gateway
Astaro’s Security Gateway solution can be deployed as a hardware, software or virtual appliance. While the Astaro OS (installed on each appliance) comes with fundamental security features such as a firewall and VPN capabilities, by purchasing extra subscriptions the secure gateway can be enhanced with Network Security, Mail Security, Web Security, Wireless Security and Web Application Security technologies. Its Web Application Security application uses reverse proxy technologies.
For testing we used a hardware appliance set up supported by a subscription to use the Web Application Security technology.
Like other appliances tested here, this unit came with some preconfigured network settings which were easily changed via the web interface.
Astaro’s Web Application Firewall application feature set includes Form Hardening technology, which protects against form rewriting by signing the original structure of a web form, rejecting any forms submitted with different tokens. It can also use up to two antivirus products to scan uploads and downloads. It also provides a URL Hardening feature which is a positive-based model that only allows access to specified URLs. Cookie protection defends against attackers manipulating cookies. It also includes filters for blocking SQL injection and XSS-based attacks. Lastly, it can also utilise reputation blocking based on GeoIP and real-time black hole information.
Astaro uses a web interface to manage its product. The main entry points into configuring the system and features are found down the left side of the screen. The interface looks striking with grey, black and orange, but is not as responsive as other products’ interfaces. SSH console access can also be enabled if desired.
There are not many configuration options apart from turning it on and off, managing Firewall profiles and setting the cookie, URL hardening and form hardening secrets. To protect a website a real web-server object needs to be created, followed by a virtual web-server object. When creating the virtual web-server object you are able to choose which firewall profile is used. A firewall profile is a simple list of the detection/protected technologies listed above with a checkbox to turn the technology on or off. There is no advanced configuration available.
This WAF application has its own entry under the Logging and Reporting section. This shows usage graphs and statistics for requests, warnings and alerts on a daily, weekly, monthly and yearly basis. It also allows a more detailed view showing top entries for specific criteria. These are exportable to PDF, Excel or as graphs.
No default profile was offered, so to protect our vulnerable website, we chose the Advanced Protection Firewall Profile.
Impressively, Astaro managed to block most of our cross-site scripting attacks, while also achieving one hundred per cent against our SQL injection attacks.
Its striking and friendly web interface comes at a cost, we found Astaro sluggish at times. We were also a bit disappointed with its lack of advanced options for the Web Application Firewall application – we could not even add our own signatures or attack patterns. Nevertheless, the default protection capabilities were really impressive, supported by a range of advanced, useful functionality.
ModSecurity with Core Rules
ModSecurity is an embeddable Web Application Firewall engine for the Apache web-server, protecting websites being served from the same server. With Apache the only dependency ModSecurity will run on a range of operating systems including Linux, Windows, Solaris, FreeBSD, OpenBSD, NetBSD, AIX, Mac OS X, and HP-UX.
ModSecurity works equally well when used with Apache configured as a reverse proxy, enabling the protection of websites not hosted on the same physical server.
ModSecurity has no built in default rule sets, rules must be downloaded separately. for testing we used the OWASP ModSecurity Core Rule Set. This free certified rule set is provided by Trustwave SpiderLabs. Trustwave also provide a commercial rule set which complements the free rule set, offering an additional 13,000 rules targeting specific applications and vulnerabilities.
Once again, for our testing we used Debian as the host platform. The most current version available from the Debian package repository was installed. The latest version of the OWASP ModSecurity Core rule set was downloaded and unpacked on the system. After enabling the ModSecurity module, configuring it from within the Apache configuration files and restarting Apache, ModSecurity was protecting our vulnerable website.
The ModSecurity engine provides the following features: it enables full HTTP transaction logging to help combat attacks carried out via POST requests (not normally logged); it can monitor HTTP traffic in real-time, it can employ both negative and positive security models; and it can detect known weaknesses and vulnerabilities.
The OWASP ModSecurity Core rule set builds on the flexible rule engine that is provided by ModSecurity, adding the following features: detection of HTTP protocol violations; real-time blacklist lookups; web-based malware detection using the Google Safe Browsing API; defence against HTTP based flooding and DoS attacks; common web attack protection; automation protection, including bot, crawler, scanner activity, sensitive data tracking and trojan protection. It is also capable of disguising error messages sent by the server.
Unless you use a third-party tool of some kind the management of the ModSecurity plugin and rule set is done entirely through the modification of text files. Configuration and rule creation can be complex at times so it’s not for the faint hearted. As you might have guessed there are no built-in reporting features, you will have to roll your own or use third party utilities.
For testing, we used the OWASP ModSecurity Core base rule set.
ModSecurity block all cross-site scripting and SQL injections attacks - impressive.
ModSecurity is really configurable and can be extended or changed as needed. All this comes at a price, not everybody will have the time or patience to install, configure and use the product. It is mainly geared toward Apache based web-servers.
As noted during the introduction, the technical test methodology we used concentrated on the negative security model employed by each product. This review highlights how a default allow-based security model has drawback – a product can only ever be as good as its signature database.
A more secure approach would be to employ a default deny-based model, which significantly reduces the attack surface of a website. Three of the products reviewed - Profense, Armorlogic and ModSecurity - offer a positive security model option. The main issue with the positive security model is that it can take a large amount of time to build (manually) a profile of what is good. Profense and Armorlogic offer learning modes which can be used to help create a good profile by automatically observing what’s valid over a training period. A few, if not all, of the cross-site scripting and SQL injections attacks would have been blocked if the input vectors in the vulnerable website had been specifically locked down by a positive security model. ModSecurity does not offer an equivalent automation tool, but there are tools under development which in time could provide a solution. Until then, it still has to be done manually.
To differentiate themselves from competitors, some solutions offer real-time blacklist support, which can stop traffic from malicious sources reaching a protected website by automatically creating policies to block them. Astaro, ModSecurity and Imperva all use this technology in their products. This is a good addition to a Web Application Firewall’s arsenal - botnet attacks and worm propagation through website vulnerabilities are unfortunately a way of life on the World Wide Web these days.
So which product to choose? If you use Apache and have the time, patience, and skillset to invest in learning about a new product then ModSecurity maybe the answer. However, if you have the budget, need support and system flexibility, and want a powerful solution running quickly, then Imperva or perhaps Armorlogic the way forward. The Astaro and Applicure products are also very good options for those users wanting simpler configuration and are happy with less flexibility.
The bottom line is to select a product for your unique purposes, web technologies, support requirements, and budget. Each of the products in this review will provide different benefits to different people, depending on your environment.