While many companies are deploying Web application firewalls (WAFs) to comply with the Payment Card Industry Data Security Standards (PCI DSS), other firms are beginning to realize alternative benefits of the devices.
To get security news and tips delivered to your inbox,
Chad Lorenc, an information security network and application security architect at Agilent Technologies Inc., has overseen his company's WAF deployment. Unlike many firms with Web facing applications, the company did not deploy the technology as part of a major compliance initiative; instead Lorenc said his firm had a goal to gain better visibility into its various applications, which were accessed by partners, contractors and customers.
Agilent, a manufacturer of scientific instruments and analysis equipment, does business globally and as a result the company outsourced most of its environment from applications to the OS and network. A large number of Web servers, application servers and databases were separated and had separate security policies. Some were Web facing, while others were used internally, but traffic from the applications was tapping into the company's internal databases and core systems. The company has a mixture of Web facing systems including Oracle, Siebel Systems and SAP, as well as AJAX coded programs and a system that sits on PHP and does a function for business units -- applications that were customer driven and partner integrated components that were heavily accessed, Lorenc said.
Web application firewalls:
to choose between source code reviews or Web application firewalls: Michael Cobb explains how
to make the right choice between Web
application firewalls or source code security reviews.
Comparative Product Review: Six Web Application Firewalls: No longer can security managers focus only on perimeter and host security. The application has become the prime target for hackers
Gary McGraw on secure software development: Gary McGraw of Cigital Inc. explains why better secure coding could help thwart future Web 2.0 attacks. He says the industry is making progress.
"We started trying to really understand the basic data flow in our environment and try to figure out how to secure these applications," Lorenc said. "We were really looking for something that could give us full visibility into how the applications were functioning on our network."
Lorenc said his company is somewhat unique in that most of its systems are centralized. The company's primary data center hosts most of the applications and cloud services are used to distribute them out to clients. The firm deployed four Imperva WAFs and is also taking advantage of Imperva's integration with database activity monitoring. As a result, additional appliances are monitoring back-end databases, Lorenc said.
In addition to firewalling to block nefarious traffic targeting application flaws, alerting teams to respond to problems or a mixture to both, WAFs can be used to categorize sensitive data and determine where it resides and how it flows on the network. It is also helpful in profiling to understand how users interact with the applications and how those applications connect to the underlying databases. How an organization uses a WAF depends on the size and skill level of the enterprise IT team.
"Fundamentally we're talking about taking everything at the database and everything at the Web application and bringing it together centrally to find those needles in the stacks of needles," said Brian Contos chief security strategist at Imperva. "Sometimes one suspicious plus another suspicious equals a malicious, so [a WAF] really helps connect the dots."
Despite the benefits they offer, WAF deployments are being driven by PCI, according to recent surveys. The technology moved from a best practice to a requirement in 2008 to protect credit card data flowing through Web-based applications. A survey of 50 organizations conducted by the Open Web Application Security Project (OWASP), found that 40% said compliance drove Web application security spending.
WAF technology can be network-based or host-based and in some cases are integrated with larger vendor products. Imperva competes against Breach Security Inc., Protegrity Corp., Barracuda Networks Inc. and other vendors offering an integrated network-based WAF. Vendors that sell a host-based WAF include Fortify Software Inc. and eEye Digital Security Inc. Companies can also chose ModSecurity an open source WAF that is both host and network-based and is supported by some vendors (Breach Security).
Agilent previously used reverse proxies in place with ModSecurity, but over time it created a lot of headaches for the application teams.
"It's a brilliant product if you have a lot of brilliant people to manage and support it, but it becomes very difficult to maintain over time," Lorenc said.
Lorenc and other experts say the technology also helps bridge the divide between security pros, network teams, software developers and database administrators. Getting all the various teams on board is difficult in the initial stages of a deployment, but the end result is a greater focus on software security, Contos said.
"A lot of people want to use it not for just monitoring production environments, but also development," Contos said. "Having a unifying technology like WAF that can be appropriately used by your Web application developers, leveraged by your DBA team a little bit to link together communication with the Web apps, as well as the operational team really helps in the software development lifecycle. It ensures that you are writing good code, you understand the parameter links and you understand what's being passed and the input and output filtering that needs to be leveraged."
The market for WAFs remain strong, driven by the fear of external attacks and data leakage caused by coding errors, according to the Burton Group. But Burton Group analyst Ramon Krikken warns companies that the technology is not a silver bullet to Web application security risks.
"They can be a good part of a defense-in-depth strategy," Krikken said. "If used properly, they can take a lot of work, but the benefits result in a more secure environment."
While constant maintenance is a factor, Agilent saw an immediate benefit to address code errors in legacy applications through virtual patches directly on the WAF. The company also didn't turn on blocking for all its applications right away. The company's application team took a step by step process, addressing each application and the various problems signaled by the WAFs. The teams also monitored the performance of the applications to improve the way certain applications are distributed to the cloud to provide end users with better performance.
Lorenc said his company had to do a lot of fine tuning to eliminate false positives. For example, dynamic applications constantly returned alerts because they sometimes change the profile of users. Agilent had to deploy a plugin to address the issue. But for Lorenc and the various teams that use the WAFs, the data is used constantly to conduct analysis, respond and make changes.
"It's difficult to call something a false positive in the WAF environment because of the importance of the data that you are collecting," Lorenc said. "It's really all data that you want to see."