Business line managers are bringing back-end applications to the Internet in increasing numbers. These applications represent important revenue-generating and marketing opportunities for the company, and the CSO drives the strategy for securing the availability of the applications and the integrity and privacy of their data. You know that traditional perimeter and intrusion detection system technologies do not sufficiently reduce the risk of an attack against Web applications. Web Application Gateway (WAG) appliances sit in front of Internet-facing applications to repel attacks before they reach application or Web servers. This week's column examines Web Application Gateways for enterprise deployments.
Web Application Gateways examine outbound application traffic and draw inferences about what the responses to it should look like, minimising the need for IT to configure and manage updates. For example, when an application's HTML form asks for a credit card number, the WAG checks that the reply contains no more than 15 digits. A longer reply could trigger a buffer overflow, and an alphanumeric response could cause an application fault. WAG appliances prevent a variety of intrusions, including:
- Cookie tampering
- SQL injection
- Parameter tampering
- Buffer overflows
- Forceful browsing
- Malformed packets
- Datatype mismatch
- Known vulnerabilities
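As an added illustration of the inference just described (example code written for this column, not any vendor's implementation): the script reads an outbound HTML form, derives one rule per field from the form's own maxlength, type, pattern and hidden-value attributes, and checks inbound submissions against those rules before they would reach the application. The form, the field names and the sample requests are constructed for the example, and the attribute-to-rule mapping is an assumption about how such inference could work, not a description of a product.

```python
"""Added example for this column (not a vendor's code): a toy
positive-security check in the style of a Web Application Gateway.
It reads the HTML form the application sends outbound, derives an
allow-list policy from the form's own attributes, and validates the
client's inbound submission against that policy before it would reach
the application. The form, field names and requests are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Constructed outbound page: the kind of form a checkout application emits.
OUTBOUND_FORM = """
<form method="post" action="/checkout">
  <input type="hidden" name="price" value="49.00">
  <input type="number" name="card" maxlength="15">
  <input type="text" name="holder" maxlength="40" pattern="[A-Za-z ]+">
</form>
"""


class FormPolicyBuilder(HTMLParser):
    """Collect <input> fields from outbound HTML and turn their attributes
    into per-field rules: maximum length, an allowed-character pattern
    inferred from the input type, and the fixed value of hidden fields."""

    def __init__(self):
        super().__init__()
        self.policy = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        name = a.get("name")
        if not name:
            return
        itype = a.get("type", "text")
        if a.get("pattern"):
            pattern = re.compile(a["pattern"])      # author-declared format
        elif itype == "number":
            pattern = re.compile(r"[0-9]*")          # digits only
        else:
            pattern = re.compile(r"[\x20-\x7e]*")    # printable ASCII
        self.policy[name] = {
            "maxlength": int(a["maxlength"]) if a.get("maxlength", "").isdigit() else None,
            "pattern": pattern,
            "fixed": a.get("value") if itype == "hidden" else None,
        }


def build_policy(outbound_html):
    """Learn the allow-list policy from one outbound page."""
    builder = FormPolicyBuilder()
    builder.feed(outbound_html)
    return builder.policy


def check_submission(policy, body):
    """Validate an inbound application/x-www-form-urlencoded body.
    Returns a list of violations; an empty list means the request may
    be forwarded to the application server."""
    violations = []
    for name, values in parse_qs(body, keep_blank_values=True).items():
        rule = policy.get(name)
        if rule is None:
            violations.append(f"{name}: parameter not in the served form (parameter tampering)")
            continue
        for value in values:
            if rule["maxlength"] is not None and len(value) > rule["maxlength"]:
                violations.append(f"{name}: {len(value)} chars exceeds {rule['maxlength']} (buffer overflow attempt)")
            if not rule["pattern"].fullmatch(value):
                violations.append(f"{name}: value does not match the inferred type (datatype mismatch)")
            if rule["fixed"] is not None and value != rule["fixed"]:
                violations.append(f"{name}: hidden field altered (parameter tampering)")
    return violations


# Constructed inbound submissions, one valid and several hostile.
CARD_OK = "4" + "1" * 14          # 15 digits, the limit the column cites
SAMPLE_REQUESTS = {
    "valid": f"price=49.00&card={CARD_OK}&holder=Jane+Doe",
    "overlong_card": f"price=49.00&card={CARD_OK}1&holder=Jane+Doe",
    "alnum_card": "price=49.00&card=4111abcd&holder=Jane+Doe",
    "sqli_holder": f"price=49.00&card={CARD_OK}&holder=Jane%27+OR+1%3D1--",
    "tampered_price": f"price=0.01&card={CARD_OK}&holder=Jane+Doe",
    "extra_param": f"price=49.00&card={CARD_OK}&holder=Jane+Doe&admin=1",
}


def run_demo():
    """Apply the learned policy to every sample request; returns
    {request name: [violations]} so results can be inspected or asserted."""
    policy = build_policy(OUTBOUND_FORM)
    return {name: check_submission(policy, body) for name, body in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, found in run_demo().items():
        print(f"{name:15s} -> {'ALLOW' if not found else 'BLOCK: ' + '; '.join(found)}")
```

Run it with `python` and the valid submission is forwarded while the overlong and alphanumeric card numbers from the column's example, the altered hidden price, the injected quote in the name field and the parameter the form never offered are all blocked. The positive model is only as tight as the constraints the served form declares: a free-text field without a pattern accepts any printable string, which is why a gateway pairs this inference with checks for known vulnerabilities rather than relying on it alone.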
Web Application Gateways are high-performance devices deployed inline on the application data path to protect the integrity of the application environment by ensuring that users conform to established security policies.
Web Application Gateways are positioned as replacement technology for host intrusion-detection systems and as alternative technology to host intrusion prevention (HIP) products. WAG appliances are dedicated devices built for performance and application-level security. Alerting IT on detected threats is not enough; application intrusion prevention goes the extra mile to stop detected attacks from reaching critical Web servers.
The majority of application attacks arrive through ports 80 (HTTP) or 443 (SSL), so WAG deployments are most prevalent with Web-facing applications relying on HTTP or SSL protocols. WAG vendors such as KaVaDo, Sanctum and Teros are winning sales at the expense of IDS. ForeScout has interesting technology to redirect suspicious traffic before it passes through the enterprise network. Finjan is a security vendor that is refocusing from host intrusion prevention to WAG appliances. Web Application Gateways actually carry a lower false positive rate than many of the popular IDS products, and thus offer an improved TCO for stretched budgets (though the Yankee Group recommends that you use IDS capability as part of a regular assessment program).
WAG appliances are just emerging; some products have been available commercially for less than a year. This youthful technology has a rosy future as WAG vendors learn to reduce the amount of IT work required to configure application security policy. Over the next 5 years, the Yankee Group predicts that WAG functionality will join other blade implementations for firewall, anti-virus, Web service security, and content filtering as part of an integrated termination point for secure network connections.
Ease of management: IT can deploy a dedicated security appliance without having to install and configure an OS. Upgrades and patches from OS and security vendors do not require coordination, and application performance is less affected by time spent on error paths. The end user just needs to stick the WAG device in a rack, connect to the network, set security policy and turn out the light.
Enhanced application fault diagnosis: IT can diagnose any application server error without side effects from the WAG system. It is much easier to trace faults and performance bottlenecks through the network when security is isolated in a black box.
Improved scale: WAG appliances co-exist with load balancers in providing intrusion prevention for a number of downstream application servers. IT can add business application servers as needed, without having to reconfigure security products.
Integrate WAG blades with firewalls: A WAG needs to terminate Internet traffic to decrypt SSL sessions or to reassemble stateless traffic such as HTTP. Develop WAG blades that work with products from Nortel, Check Point, Crossbeam, F5 Networks, NetScreen, SonicWALL, Symantec, and WatchGuard to give customers a common point of termination to manage, and to provide a ready-made channel for selling into the firewall installed base.
Interface with content filters: It is still critical to filter traffic that other classes of security technology identify as dangerous to applications. Interface with (or integrate into the appliance) anti-virus, active code inspection, and URL filtering technologies to offer the customer a more complete solution.
Expand protocol support: WAG appliances focus on HTTP and SSL protocols. The technology also needs to offer application layer protection for databases, e-mail servers and Web services.
Evaluate WAG products as part of a Web-facing application deployment. The Yankee Group recommends that all Internet-facing applications incorporate a layer of intrusion prevention. Evaluate WAG and HIP products in test labs over 2 to 3 months to be sure the solution is manageable and effective in thwarting intrusions.
Earmark intrusion prevention in your 2003 IDS budget. Plan to deploy WAG products in 2003 to thwart attacks that firewalls and IDS systems cannot prevent. Dedicate time and resources to train your IT staff so they can work to prevent application intrusions.
Conduct application security assessments. Enterprises should use security assessment (also known as vulnerability assessment) technologies to identify any holes in the current application or Web servers. Patch these systems first and then add WAG technology as the active blocking technology for future threats.
Web Application Gateways are an important innovation in protecting Web servers, and companies are deploying the technology now. Take a look, it may save your company a lot of headaches down the road.
Eric Ogren is employed in the role of Analyst, Securities, Services and Solutions at the Yankee Group