This article can also be found in the Premium Editorial Download "Information Security magazine: Reviews of six top Web application firewalls."
Overall Security Effectiveness
The Web has opened a multitude of new avenues for hackers to exploit Internet protocols and the applications built on them. The core functionality of all the products delivered comprehensive security for HTTP, HTTPS and FTP applications and for XML services. In our test rig, all the products delivered a core set of security features, most notably Web site cloaking, protection against common Web vulnerabilities and exploits, and data protection.
Our battery of attacks included, but was not limited to, SQL injection, buffer overflows, cookie tampering, forms tampering, session hijacking, cross-site scripting, remote code execution, malicious code (Internet worms), denial of service, brute-force logins and forced browsing. We launched a Java-based Web crawler in an effort to fingerprint the applications and hosted sites behind the product under test. Additionally, we purposely set up insecure pages that provided access to restricted data (fake credit card numbers, of course) and attempted to reach them. Each product performed satisfactorily, and all are worthy of enterprise installation.
Given the massive amount of information stored in databases that are touched by Web-facing applications, we found that Imperva's combined application and database security provided the closest thing to a silver bullet that security managers could institute. Using a combination of whitelists, blacklists and adaptive learning ("Dynamic Profiling Technology"), the device examined traffic and the behavioral patterns of applications and databases to differentiate valid traffic patterns from our attacks.
Barracuda uses a combination of Web ACLs, positive and negative security models and Dynamic Application Profiling to identify acceptable traffic. The included signatures for the negative model blocked all the common attacks (SQL injection, buffer overflow, tampering, etc.), while the positive model locked down all traffic unless it was explicitly permitted through the powerful ACLs. We set a variety of ACLs that delivered superior security for our test sites.
Similarly, F5 employs both a positive security model and a negative model for common attacks, with heuristic analysis of all traffic through the Adaptive Learning and Tuning engine. We attributed the initial blocking of some of our legitimate traffic to the strong positive security model, and returned the device to transparent mode until we had established a traffic baseline through F5's automated policy builder. Our second attempt at enabling blocking resulted in flawless operation, with all attacks stopped while permitted traffic proceeded.
Granular traffic controls allowed us to limit access to applications through customized traffic flow policies.
We started our Citrix testing in bypass mode; while we understood the validity of not filtering in this state, we would have liked to have been able to at least log traffic for comparison once the device was switched to operating mode. Our initial testing was met with a number of false positives, requiring us to disable Adaptive Learning and do some manual tuning.
Adaptive Learning made suggestions that we could accept, deny or customize. We found this especially helpful whenever changes were made to our applications, such as the addition of new sites or of new pages within sites, especially pages containing vulnerable elements such as forms, logins and dynamic links. All our attacks were blocked in operating mode.
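The interplay of negative and positive security models described for Barracuda and F5 above, and the learn-then-suggest workflow described for Citrix, can be reduced to a few dozen lines. The following Python is an added illustration written for this article and is not code from any of the reviewed products. The signatures, the baseline traffic and the attack URLs are all constructed for the example, and the `Profile`, `WAF` and `parse_request` names are hypothetical; a real appliance normalises encodings and inspects headers, cookies and bodies as well as the query string.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Negative security model: constructed signatures for attack classes named in the review
# (SQL injection, cross-site scripting, forced browsing, oversized input). Illustrative
# patterns only, not any vendor's signature set; a real WAF normalises encodings first.
NEGATIVE_SIGNATURES = {
    "sql_injection": re.compile(
        r"(?i)(\bunion\b.+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d|--\s*$|;\s*drop\s+table)"),
    "xss": re.compile(r"(?i)(<\s*script|javascript:|\bon[a-z]+\s*=)"),
    "forced_browsing": re.compile(r"(?i)(\.\./|%2e%2e%2f|/etc/passwd)"),
    "buffer_overflow": re.compile(r"^.{1024,}$", re.S),
}

def parse_request(raw_url):
    """Split a request URL into its path and a list of (name, value) query parameters."""
    parts = urlsplit(raw_url)
    return parts.path, parse_qsl(parts.query, keep_blank_values=True)

class Profile:
    """Positive security model: paths, parameter names and value sizes seen in baseline traffic."""

    def __init__(self, baseline=()):
        self.params = {}                  # path -> set of parameter names seen there
        self.max_len = defaultdict(int)   # (path, name) -> longest legitimate value seen
        for url in baseline:
            self.learn(url)

    def learn(self, raw_url):
        """Adaptive learning: fold one legitimate request into the profile."""
        path, params = parse_request(raw_url)
        names = self.params.setdefault(path, set())
        for name, value in params:
            names.add(name)
            self.max_len[(path, name)] = max(self.max_len[(path, name)], len(value))

    def violations(self, path, params):
        """List everything in a request that the learned profile does not cover."""
        if path not in self.params:
            return [f"unknown path {path}"]
        found = []
        for name, value in params:
            if name not in self.params[path]:
                found.append(f"unknown parameter {name} on {path}")
            elif len(value) > 2 * self.max_len[(path, name)] + 16:  # headroom over baseline
                found.append(f"oversized value for {name} on {path}")
        return found

class WAF:
    """Inspect requests with the negative model first, then the positive model."""

    def __init__(self, profile, blocking=False):
        self.profile = profile
        # Transparent mode returns "log" wherever blocking mode would return "block".
        self.verdict = "block" if blocking else "log"
        self.suggestions = []   # positive-model gaps an operator may accept into the profile

    def inspect(self, raw_url):
        """Return (verdict, reason): ('allow', None), or 'block'/'log' with why."""
        path, params = parse_request(raw_url)
        # Negative model: a signature hit is an attack no matter what the profile says.
        for text in [path] + [value for _, value in params]:
            for name, signature in NEGATIVE_SIGNATURES.items():
                if signature.search(text):
                    return self.verdict, name
        # Positive model: anything the baseline never showed is locked down by default.
        gaps = self.profile.violations(path, params)
        if gaps:
            self.suggestions.extend(gaps)
            return self.verdict, "; ".join(gaps)
        return "allow", None

# Constructed sample traffic (not captured from any real site).
BASELINE = [
    "/login?user=alice&pass=secret1",
    "/login?user=bob&pass=hunter22",
    "/search?q=laptops",
    "/search?q=wireless+keyboard",
    "/account?id=1042",
]
ATTACKS = [
    "/search?q=' OR '1'='1",                               # SQL injection
    "/account?id=1+UNION+SELECT+card_number+FROM+cards",   # SQL injection
    "/search?q=<script>alert(1)</script>",                 # cross-site scripting
    "/download?file=../../etc/passwd",                     # traversal / forced browsing
    "/admin/cards.csv",                                    # forced browsing to an unlinked page
    "/search?q=" + "A" * 3000,                             # oversized input
]

if __name__ == "__main__":
    # Blocking with an empty profile reproduces the review's false positives on legitimate traffic.
    print("empty profile:", WAF(Profile(), blocking=True).inspect("/search?q=laptops"))
    waf = WAF(Profile(BASELINE), blocking=True)
    for url in BASELINE + ATTACKS:
        verdict, reason = waf.inspect(url)
        print(f"{verdict:5}  {url[:50]:50}  {reason or ''}")
```

Running it with an empty profile in blocking mode reproduces the F5 experience: the legitimate `/search` request is blocked because the profile has never seen that path. Learning the baseline first and only then switching blocking on passes every baseline request and blocks every attack, including `/admin/cards.csv`, which no signature matches and only the positive model catches. In transparent mode the same positive-model gap comes back as a suggestion that `Profile.learn` can accept, which is the accept, deny or customize loop described for Citrix.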
This was first published in March 2008