Building application firewall rule bases

A recent Gartner Inc. study highlighted this risk by estimating that 75% of today's successful attacks occur at the application layer. It made an even more frightening prediction: by the year 2009, 80% of enterprises will fall victim to an application-layer attack.

Why are these attacks so successful? The answer is quite simple: they bypass all of the network-centric controls that security personnel have implemented over the last ten years, such as port blocking. Consider Web application attacks, for example. Traditional firewalls protecting a Web server contain rules that block all sorts of unwanted traffic, only allowing TCP traffic to traverse the firewall via ports 80 or 443. Unfortunately, the firewall can't distinguish desirable port 80 traffic from undesirable port 80 traffic.

This is where application firewalls come into play. These firewalls perform application-layer inspection of HTTP traffic before it reaches the Web server. The devices are able to inspect a connection and analyze the nature and type of commands that users are providing to the application. They can then analyze the traffic for signatures of known attacks or deviations from profiles of standard utilization.

While application firewalls have great potential, the process of deploying them should be slo...

Once an organization is ready to move the product into the production environment, it's time to think about a solid firewall rule base. Here's a step-by-step approach for building and deploying application firewall rule bases in an organization:

1. Have an adequate adjustment period. Modern Web application firewalls have sophisticated capabilities that monitor traffic and learn patterns of normal activity. Over time, the firewall is "trained" to recognize these patterns and block anomalous traffic. The firewall, however, needs to be trained over a long enough period of time so that the rule base reflects periodic and seasonal trends in network activity. For example, an ecommerce retailer wouldn't want to train the firewall protecting its Web site during the slow summer months, and then deploy the rule base during the busy winter holiday shopping season.
2. Develop custom rules to supplement vendor-provided signatures. Knowledge of an organization's infrastructure is important, and customizing a firewall to meet a company's unique needs can dramatically improve the tool's effectiveness. For example, if only one Web application in an environment should accept file uploads, a rule should be set that completely blocks PUT commands (the HTTP command used for file uploads), to all other systems.
3. Begin with an initial run in passive mode. Testing out a rule base often requires a "soft launch." With such a strategy, the firewall is placed online with all of its proposed rules. It is then run in monitoring mode without actually blocking any traffic. Before the firewall is actually put into active mode, time should be spent evaluating the traffic that violates the firewall's rules. Those in charge of implementation should also tune the false positive rate before going into production. Since programmers never like it when security systems break their applications, this will go a long way toward improving relations with your developers!
4. Monitor, monitor, monitor. Once the firewall is deployed in active mode, it should be watched carefully. The logs created by blocked traffic will tell an important story. Records of the blocked attacks can show management the return on their security investment. There may also be additional false positives, and they can further assist in the fine-tuning of the rule base.

About the author: Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Network Security Tactics,   Network Security: Tools, Products, Software,   Network Firewalls, Routers and Switches,   Enterprise Network Security,   Application and Platform Security,   Application Firewall Security,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Network Security Tactics How to keep networks secure when deploying an 802.11n upgrade Screencast: Find rogue wireless acess points with Vistumbler How to prepare for a secure network hardware upgrade Preventing SQL injection attacks: A network admin's perspective Screencast: How to launch an OpenVAS scan Wireless network guidelines for PCI DSS compliance Aligning network security with business priorities Scanning with N-Stalker offers basic Web application security assessment Lifecycle of a network security vulnerability Screencast: BackTrack 4 offers an arsenal of penetration testing tools Network Firewalls, Routers and Switches How to prepare for a secure network hardware upgrade Best Network Firewall Products What is the difference between static and dynamic network validation? Screencast: Smoothwall offers firewall defense in lean times New Cisco IOS bugs pose tempting targets, says Black Hat researcher How to implement virtual firewalls in a complex network infrastructure How to manage network bandwidth with distributed ISP bandwidth Firewall rule management best practices Should enterprises be running multiple firewalls? What are the disadvantages of proxy-based firewalls? Application Firewall Security Web application firewall use goes beyond compliance, company finds Best Application Security Products Common PCI questions: Web application firewalls or source code review? IT pros find corporate firewall rules tough to navigate PCI compliance requirement 1: Firewalls Comparing an application proxy firewall and a gateway server firewall Citrix virtual desktop, app delivery controller includes security benefits How to choose between source code reviews or Web application firewalls Check Point adds virtual firewall appliance Web application firewall deployments gain traction RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bastion host  (SearchSecurity.com) firewall  (SearchSecurity.com) Firewall Builder  (SearchSecurity.com) screened subnet  (SearchSecurity.com) virus  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.