Comparative Product Review: Six Web Application Firewalls

This article can also be found in the Premium Editorial Download "Information Security magazine: Reviews of six top Web application firewalls."

About this Review

Barracuda Networks Web Application Gateway NC1100

Bee Ware iSentry IS200

Breach Security WebDefend

Citrix Application Firewall

F5 Networks Big-IP 8800 Application Security Manager

Imperva SecureSphere Web Application Firewall

Information Security deployed six application firewall appliances from Barracuda Networks, Bee Ware, Breach Security, Citrix, F5 Networks and Imperva.

Each product was installed in our test lab behind a network firewall, either in front of or alongside the application servers (see "Inside The Lab," below). The servers included an Apache Web server and Microsoft Internet Information Server, each hosting a variety of applications including Web mail, an online forum and a Web site with shopping cart capabilities.

Client machines subjected to attack included systems running Microsoft XP SP2 with Internet Explorer and Linux (Debian 3.1) with Mozilla Firefox. We focused on common attacks against applications, including buffer overflows, cookie tampering, SQL injection, session hijacking, cross-site scripting (XSS), cross-site request forgery (CSRF), forms tampering, remote code execution, malicious code (Internet worms), denial of service, brute force login and forceful browsing.

Additionally, we configured application-side security features, such as Web site cloaking, and then attempted to obtain network and application configuration details through nefarious reconnaissance practices, such as identifying operating systems and Web server details from HTTP header data and with scanning utilities like Nmap.

Breach's WebDefend was deployed in an out-of-line mode next to our Web servers using a span port.

--Sandra Kay Miller

Inside the lab
All application firewall appliances were deployed as reverse proxies (except for Breach Security's, which was attached to a span port) on a network between a traditional stateful inspection firewall and a variety of application servers, including Microsoft IIS and Apache Web servers, Microsoft SQL, e-commerce applications with credit card transaction capability and an online forum. Browsers included Internet Explorer, Firefox, Netscape and Opera.

This was first published in March 2008
