Cybersecurity specialists are increasingly aware of the growing danger that application layer threats pose to a network. While there is no denying the need to remain alert to distributed denial of service (DDoS) attacks, application layer attacks are very difficult to detect and give little or no advance warning before they hit your applications. This is according to Simon McCullough, Major Channel Account Manager at F5, the specialist in application delivery networking and in technology for the delivery of web applications, as well as security and network and cloud resources.
McCullough says, “Administrators and security teams are finding it increasingly difficult to keep up to date with the latest attacks and protection measures. Applications are the gateway to data and data is what hackers are after. In an attack on applications, traditional network firewalls are not a defence. Here, you need a web application firewall (WAF).
“As we become increasingly aware of the dangers posed by application layer threats, it is useful to revisit the F5 White Paper, Key Considerations in Choosing a Web Application Firewall, which notes that a robust WAF is a requirement of network security. This has come about in a cyber landscape in which enterprises are extending their businesses by using more web-based and cloud-hosted applications, which in turn are inviting increasingly sophisticated attacks that threaten enterprise data.”
McCullough says the White Paper offers a number of useful considerations in choosing your WAF. He notes that the first consideration is the choice of WAF deployment model, which includes: hardware WAF appliance to protect critical applications maintained in a traditional data centre; deploying a WAF as a software-based virtual edition (VE), which is a cost-effective option for small-to-medium-size businesses or those wanting to deploy protections closer to the app; and cloud-based WAF (WAF as a Service) to intercept web traffic before it enters the network or reaches the server in the cloud.
He says, “The White Paper distinguishes between initial basic considerations when deploying a WAF, and further advanced considerations.”
Basic considerations when deploying a WAF
Network architecture and application infrastructure
Web application firewalls are designed to inspect and respond to HTTP and HTTPS traffic. They are most often deployed as appliances in the line of traffic between the requester and the application server, inspecting requests and responses before forwarding them. Inline deployments tend to be most effective in actively blocking malicious traffic, based on policies and rules that must be applied judiciously to avoid dropping legitimate traffic. A WAF can also be deployed ‘out of band’, where it observes traffic from a monitoring port. This non-intrusive ‘passive’ deployment option is ideal for testing the WAF without impacting traffic, yet still enabling the WAF to block malicious requests.
Security effectiveness and detection techniques
Today’s leading WAFs employ a combination of techniques to ensure accurate detection coverage that does not block legitimate traffic. Traditionally, the most widely used WAF configuration has been a negative security model, which allows all transactions except those that contain a known threat or attack.
In recent years, positive security models have become popular. This approach blocks all traffic, allowing only those transactions that are known to be valid and safe. The positive approach is based on strict content validation and statistical analysis.
An integrated positive and negative approach can also be implemented.
Performance, high availability and reliability
WAF capabilities should include these features:
• Caching copies of regularly requested web content to reduce repeated requests to back-end servers.
• Automatic content compression to provide for more efficient network transport.
• Hardware-based SSL acceleration to speed SSL processing and reduce the burden on back-end web servers.
• Load balancing web requests across multiple back-end web servers to optimise performance.
• Connection pooling to reduce back-end server TCP overhead by allowing multiple requests to use the same back-end connection.
Virtual patching and scanner integration
Although developers apply best practices in secure coding and perform adequate security testing of applications, all applications are prone to vulnerabilities. Additional tools are needed to detect, validate and patch software exposures until new application code is made available.
Virtual patching requires no immediate changes to the software, and it allows organisations to secure applications as soon as dynamic application testing identifies an exposure. Virtual patches are a key component of a strong WAF, and they often require integration with a vulnerability scanner.
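The deployment modes, the negative and positive security models, and virtual patching described above can be seen side by side in one small policy engine. This is an added illustration, not code from F5 or the White Paper; the signatures, endpoint schema and the VP-0001 scanner finding are all constructed for the example, and the request parser is deliberately limited to query strings.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Negative security model: block values matching known attack signatures.
# Constructed, deliberately tiny signature set for illustration only.
NEGATIVE_RULES = [
    ("sqli-union-select", re.compile(r"\bunion\b.+\bselect\b", re.I)),
    ("xss-script-tag", re.compile(r"<\s*script", re.I)),
]

# Positive security model: per-endpoint allowlist of parameters, each with
# an anchored pattern; unknown endpoints or parameters are rejected.
POSITIVE_SCHEMA = {
    ("GET", "/account"): {"id": re.compile(r"[0-9]{1,9}")},
    ("GET", "/export"): {"file": re.compile(r"[A-Za-z0-9_-]+\.csv")},
}

# Virtual patch: a rule derived from a hypothetical scanner finding for one
# endpoint, enforced until the fixed application code ships.
VIRTUAL_PATCHES = {
    ("GET", "/export"): ("VP-0001 traversal via 'file'", "file",
                         re.compile(r"\.\.|[/\\]")),
}

def evaluate(method, url, mode="inline"):
    """Return (verdict, reason). 'inline' enforces a block; 'monitor' only
    logs the findings, as an out-of-band deployment would."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    key = (method.upper(), parts.path)
    findings = []
    for name, val in ((k, v) for k, vs in params.items() for v in vs):
        for rule, rx in NEGATIVE_RULES:          # negative model
            if rx.search(val):
                findings.append(f"negative:{rule}:{name}")
    if key in VIRTUAL_PATCHES:                   # virtual patch
        vp_id, pname, rx = VIRTUAL_PATCHES[key]
        if any(rx.search(v) for v in params.get(pname, [])):
            findings.append(f"vpatch:{vp_id}")
    schema = POSITIVE_SCHEMA.get(key)            # positive model
    if schema is None:
        findings.append("positive:unknown-endpoint")
    else:
        for name, vals in params.items():
            rx = schema.get(name)
            if rx is None or not all(rx.fullmatch(v) for v in vals):
                findings.append(f"positive:param:{name}")
    if not findings:
        return "allow", "clean"
    return ("log" if mode == "monitor" else "block"), ";".join(findings)
```

The integrated model shows why the White Paper favours combining approaches: the traversal request is caught by both the virtual patch and the positive schema, while a request to an endpoint nobody has profiled is rejected by the positive model even though no signature matched.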
PCI DSS compliance
Malicious attacks designed to steal sensitive credit card information are increasing, with more and more security breaches and data thefts occurring daily. The PCI DSS requirements have been revised in an attempt to prevent these types of attacks and keep customer data secure.
Protection against application attacks
With the continued growth of multi-layered attacks, IT managers need a strong WAF solution. A good WAF ensures application security and availability by providing comprehensive protection, including geolocation-based controls, against layer 7 DDoS, SQL injection, the Open Web Application Security Project (OWASP) Top Ten application security risks, cross-site scripting, and zero-day web application attacks. It can also prevent the execution of fraudulent transactions, stop in-browser session hijacking, and secure AJAX applications and JSON payloads. When evaluating a WAF, make sure you understand the full scope of protections it offers, so that your business receives the best coverage.
Data classification of protected applications
More and more attackers are encrypting their attacks, so your WAF solution needs to understand the application and the data it is protecting. If that data is encrypted, your WAF must be able to decrypt it and then classify the data within the apps in order to provide additional protection. A strong WAF can terminate SSL traffic, expose what is inside it, and make security decisions based on the content that was encrypted.
Visibility and reporting
Reports provide visibility into attack and traffic trends, long-term data aggregation for forensics, faster incident response, and identification of unanticipated threats before exposure occurs. Many WAFs also integrate with database security products to give administrators a real-time view into the operation of their websites, and to report on web-based attempts to gain access to sensitive data, subvert the database, or execute denial of service (DoS) attacks against the database.
Advanced considerations when deploying a WAF
McCullough notes further advanced considerations when deploying a WAF, as set out by the F5 White Paper:
• Automatic attack detection to identify more evasive bot sequences that may escape traditional detection methods, and identify unauthorised, automated attacks upon the first attempt to access an application.
• Device ID and fingerprinting in order to identify a client.
• SSL offload to other network resources, allowing applications to dedicate important CPU resources to other processing tasks, which can improve performance.
• Behavioural analysis to understand volumetric traffic patterns and scan for anomalous behaviour, as well as to assess average server response time, transactions per second, and sessions that request too much traffic, all of which serve as a baseline for determining whether an attack has commenced.
• Security operations centre. A responsive security team should include experts who analyse threats and malware, and who reverse engineer code to uncover how attacks work and how to mitigate them. The WAF vendor should work with you to mitigate threats as they arise, as well as enhance your organisation’s own security practices.
• Anti-fraud capabilities. More advanced WAF solutions integrate with web fraud detection services to simplify deployment, streamline reporting, and strengthen the overall application security posture by thwarting requests from validated fraudsters.
• Ease of management. You should be able to deploy your WAF with security policies that immediately address common attacks on web applications, including HTTP(s) attacks.
• Scalability and performance. Organisations need to ensure application availability, even when under attack.
• Vendor release cycle. With the threat landscape changing so quickly, vendors that offer more frequent releases can help decrease your window of exposure and reduce the risk of your applications becoming compromised by a new or emerging threat.
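The behavioural-analysis consideration above (transactions per second, average response time and over-active sessions measured against a baseline) can be made concrete with a short detector. This is an added example, not the White Paper's or any vendor's logic; the access-log records are constructed inline, with six quiet seconds for training followed by one second carrying a burst from a single session.

```python
from statistics import mean, pstdev
from collections import Counter, defaultdict

# Constructed access-log sample: (second, session, response_ms).
# Seconds 0-5 carry 4-6 ordinary requests each; second 6 carries a burst
# of 40 slow requests from one session.
LOG = (
    [(s, f"sess-{i % 3}", 40 + 5 * (i % 4))
     for s in range(6) for i in range(4 + s % 3)]
    + [(6, "sess-bot", 900) for _ in range(40)]
)

def baseline(records, train_seconds):
    """Learn the normal profile from the first train_seconds of traffic:
    returns (mean TPS, TPS standard deviation, mean response time ms)."""
    tps = Counter(sec for sec, _, _ in records if sec < train_seconds)
    counts = [tps[s] for s in range(train_seconds)]
    rts = [ms for sec, _, ms in records if sec < train_seconds]
    return mean(counts), pstdev(counts), mean(rts)

def detect(records, train_seconds, k=3.0, session_share=0.5):
    """Flag a second whose TPS exceeds mean + k*stdev, any session sending
    more than session_share of that second's requests, and a second whose
    mean response time is more than twice the baseline."""
    tps_mean, tps_sd, rt_mean = baseline(records, train_seconds)
    by_sec = defaultdict(list)
    for sec, sess, ms in records:
        by_sec[sec].append((sess, ms))
    alerts = []
    for sec in sorted(by_sec):
        rows = by_sec[sec]
        n = len(rows)
        if n > tps_mean + k * tps_sd:
            alerts.append((sec, "tps", n))
            top, cnt = Counter(s for s, _ in rows).most_common(1)[0]
            if cnt > session_share * n:
                alerts.append((sec, "session", top))
        rt = mean(ms for _, ms in rows)
        if rt > 2 * rt_mean:
            alerts.append((sec, "response_time", round(rt)))
    return alerts
```

With a baseline of 5 requests per second (standard deviation about 0.82) and a mean response time of about 46 ms, second 6 trips all three checks while the training seconds stay quiet; a WAF would use the same kind of baseline to decide that an attack has started rather than blocking on a fixed number.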
Anton Jacobsz, Managing Director at Networks Unlimited, a value-added distributor of F5 in Africa, concludes, “Application attacks have definitely been increasing over the past few years, due to the increasing proliferation of useful web apps which, concomitantly, increase a network’s vulnerability. Web application firewalls detect and block malicious attacks woven into safe-looking website traffic that may have slipped through the traditional security solutions by examining incoming HTTP requests before they even reach the server.”
The White Paper can be accessed here.