Comparative Product Review: Six Web Application Firewalls
This article can also be found in the Premium Editorial Download "Information Security magazine: Reviews of six top Web application firewalls."
About this Review
Barracuda Networks Web Application Gateway NC1100
Bee Ware iSentry IS200
Breach Security WebDefend
Citrix Application Firewall
F5 Networks Big-IP 8800 Application Security Manager
Imperva SecureSphere Web Application Firewall
Information Security deployed six application firewall appliances from Barracuda Networks, Bee Ware, Breach Security, Citrix, F5 Networks and Imperva.
Each product was installed in our test lab behind a network firewall, either in front of or alongside the application servers (see "Inside the Lab," below), which included an Apache Web server and Microsoft Internet Information Server, each hosting a variety of applications including Web mail, an online forum and a Web site with shopping cart capabilities.
Client machines subjected to attack included systems running Microsoft XP SP2 with Internet Explorer and Linux (Debian 3.1) with Mozilla Firefox. We focused on common attacks against applications, including buffer overflows, cookie tampering, SQL injection, session hijacking, cross-site scripting (XSS), cross-site request forgery (CSRF), forms tampering, remote code execution, malicious code (Internet worms), denial of service, brute-force login and forceful browsing.
Additionally, we configured application-side security features, such as Web site cloaking, and attempted to glean network and application configuration details through reconnaissance techniques such as identifying operating systems and Web server details from HTTP header data and with scanning utilities like Nmap.
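The cloaking check above can be made repeatable with a small script that inspects captured HTTP responses for banner headers an attacker's reconnaissance would read. This is an added example, not code from the review or from any of the vendors; the two responses it parses are constructed samples, and the header list is an assumption about which headers a tester would want stripped.

```python
"""Audit HTTP response headers for server-fingerprinting leaks.

Added example: a checker a tester can run against responses captured in
front of and behind a WAF, to confirm that its cloaking feature really
strips headers that reveal the OS or Web server. Sample data is constructed.
"""

# Assumed list of headers that commonly disclose platform details.
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "via")


def parse_response(raw: str) -> tuple[str, dict[str, str]]:
    """Split a raw HTTP response into (status line, headers).

    Header names are lowercased; a repeated header keeps its last value."""
    head = raw.split("\r\n\r\n", 1)[0]          # drop the body
    status, *lines = head.split("\r\n")
    headers: dict[str, str] = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def leaked_headers(raw: str) -> dict[str, str]:
    """Return the fingerprinting headers present in a response.

    A bare product name ('Server: Apache') still counts as a leak because it
    narrows the target for a scanner; an empty dict means cloaking held."""
    _, headers = parse_response(raw)
    return {h: headers[h] for h in FINGERPRINT_HEADERS if h in headers}


# Constructed sample: an IIS origin response as sent with no cloaking.
RAW_UNCLOAKED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 2.0.50727\r\n"
    "Content-Type: text/html\r\n"
    "\r\n<html>...</html>"
)

# Constructed sample: the same response after a WAF rewrites it for cloaking.
RAW_CLOAKED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>...</html>"

if __name__ == "__main__":
    for label, raw in (("uncloaked", RAW_UNCLOAKED), ("cloaked", RAW_CLOAKED)):
        print(f"{label}: {leaked_headers(raw) or 'no fingerprinting headers'}")
```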
Breach's WebDefend was deployed in an out-of-line mode next to our Web servers using a span port.
--Sandra Kay Miller
Inside the lab
All application firewall appliances were deployed as reverse proxies (except for Breach Security's, which was attached to a span port) on a network between a traditional stateful inspection firewall and a variety of application servers, including Microsoft IIS and Apache Web servers, Microsoft SQL, e-commerce applications with credit card transaction capability and an online forum. Browsers included Internet Explorer, Firefox, Netscape and Opera.
This was first published in March 2008