In a recent survey commissioned by VanDyke Software, some 66 per cent of the companies who responded said that they perceive system penetration to be the largest threat to their enterprises. The survey revealed that the top eight threats experienced by those surveyed were viruses (78 per cent of respondents), system penetration (50 per cent), DoS (40 per cent), insider abuse (29 per cent), spoofing (28 per cent), data/network sabotage (20 per cent), and unauthorised insider access (16 per cent). Although 86 per cent of respondents use firewalls (a disturbingly low figure in this day and age, to be honest!), it is apparent that firewalls are not always effective against many intrusion attempts. The average firewall is designed to deny clearly suspicious traffic - such as an attempt to telnet to a device when corporate security policy forbids telnet access completely - but is also designed to allow some traffic through - Web traffic to an internal Web server, for example. The problem is that many exploits take advantage of weaknesses in the very protocols that are allowed through our perimeter firewalls, and once the Web server has been compromised it can often be used as a springboard to launch additional attacks on other internal servers. Once a “rootkit” or “back door” has been installed on a server, the hacker has ensured that he will have unfettered access to that machine at any point in the future. Firewalls are also typically employed only at the network perimeter, yet many attacks, intentional or otherwise, are launched from within an organisation. Virtual private networks, laptops, and wireless networks all provide access to the internal network that often bypasses the firewall. Intrusion detection systems may be effective at detecting suspicious activity, but do not provide protection against attacks.
Network-level (and some generic application-level) attacks can be prevented by the new breed of Intrusion Prevention Systems (IPS), but these are unable to detect or prevent subversion of application logic. The Internet has brought about a dramatic shift in the way business applications are deployed. In the past, our business applications were run on private servers by our own employees. Today, those business-critical applications are Web-based, running on public-facing servers and being used by external entities, such as customers and business partners. This has created new and more complex security threats. Traditional approaches such as firewalls, Virtual Private Networks, Public Key Infrastructures and Intrusion Detection/Prevention Systems often cannot protect the application layer, which is the least secured and most vulnerable layer. These security products are designed to keep out or monitor the external entity, whereas the whole point of our Web applications is to welcome in external users and provide limited and controlled access to our corporate data. Once the perimeter firewall has permitted the HTTP traffic as it has been instructed to do via its applied security policy, there remains a wealth of tactics to be employed by the malicious user in order to subvert the back-end application via the seemingly innocent HTTP protocol. It is thus possible for the Web hacker to target application-level vulnerabilities without running foul of perimeter firewalls - there will be no mangled, fragmented or oversized network packets, no mismatches between address and content. Instead, these application-level attacks employ subtle changes to otherwise valid commands, cookies that have been tampered with, or changes to hidden form fields. Applications for the Web thus require a full range of security solutions designed to not only protect the host and network, but also the applications that run on them. 
The security measures must protect privileged information, whilst enabling the organisation to manage its environment and external users to access the application and its supporting data. While the lower layers of the OSI model are well defined, the application layer provides a wide range of disparate network services. Although TCP/IP specifications are known worldwide, no two applications implement the same business logic and the same technology. Therefore no single “signature-based” approach can secure an application against its unique application-layer vulnerabilities. Applications typically require both read and write access to one or more databases, often with full privileges, and corporate databases can be sabotaged by inserting or concatenating various SQL commands into input fields or messages. The Web Application Firewall thus works at the application layer - much higher than traditional solutions such as firewalls and IPS - to intercept all incoming and outgoing traffic to and from applications, validating and securing requests before they are allowed to pass through to back-end servers. These products understand the application logic, and have a detailed knowledge of the acceptable rules of engagement between the external client and the internal application server. They are thus capable of inspecting the content of each request and response and applying a complex set of rules in order to ensure that the client is not doing anything untoward. The Web Application Firewall is also designed to regulate each application to prevent manipulation and defacement, providing a safe environment for corporate data.
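The positive-model inspection described in the two paragraphs above, as an added illustration that is not part of the NSS report or of any vendor's product: a small gateway check that validates every request parameter against a per-application allow-list (so SQL fragments concatenated into an account number are rejected) and verifies an HMAC seal on session cookies or hidden fields so that tampering is detected. The RULES model, the SECRET key, the paths and the sealing format are all constructed for this example.

```python
from __future__ import annotations

import hashlib
import hmac
import re
from urllib.parse import parse_qs

# Constructed per-application model: for each path, the parameters the application
# accepts, each with an allow-list pattern and a maximum length. This is a positive
# model of the "acceptable rules of engagement", not a list of attack signatures.
RULES = {
    "/account/transfer": {
        "account_id": (r"\d{1,10}", 10),
        "amount": (r"\d{1,7}(\.\d{1,2})?", 10),
        "memo": (r"[\w .,-]*", 64),
    },
}
SECRET = b"constructed-demo-key"  # hypothetical key the gateway seals values with

def seal(value: str) -> str:
    """Append an HMAC tag so a cookie or hidden field can be checked for tampering."""
    tag = hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{value}.{tag}"

def verify_sealed(sealed: str) -> str | None:
    """Return the original value if its tag is intact, otherwise None."""
    value, dot, _ = sealed.rpartition(".")
    if not dot or not hmac.compare_digest(seal(value).encode(), sealed.encode()):
        return None
    return value

def inspect_request(path: str, body: str, cookies: dict[str, str]) -> list[str]:
    """Validate one request against the model; an empty list means pass it through."""
    rules = RULES.get(path)
    if rules is None:
        return [f"path not in application model: {path}"]
    violations = []
    for name, values in parse_qs(body, keep_blank_values=True).items():
        if name not in rules:
            violations.append(f"unexpected parameter: {name}")
            continue
        pattern, max_len = rules[name]
        for v in values:
            if len(v) > max_len or re.fullmatch(pattern, v) is None:
                violations.append(f"{name} rejected by allow-list: {v!r}")
    if verify_sealed(cookies.get("session", "")) is None:
        violations.append("session cookie missing or tampered")
    return violations
```

A legitimate transfer with an intact session seal yields no violations; a request whose account number carries a concatenated SQL fragment, or whose cookie was edited, is reported before it reaches the back end.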
The NSS Web Application Firewall Test
As part of its extensive Web Application Firewall test methodology (see the Testing Methodology section later in this report for details), The NSS Group subjects each product to a brutal battery of tests that verify the stability and performance of each device tested, determine the accuracy and effectiveness of its security coverage, and ensure that the device will not block legitimate traffic. If a particular device has been designated as NSS Approved, customers can be confident that the device will not significantly impact network/host performance, cause network/host crashes, or otherwise block legitimate traffic. To assess the complex matrix of IPS performance and security requirements, the NSS Group has developed a specialised lab environment that is able to exercise every facet of a Web Application Firewall product. The test suite contains hundreds of individual tests that evaluate these products in three main areas: performance and reliability, security effectiveness, and usability. This thorough review should give readers a complete perspective of the capabilities, maturity and suitability of the products tested for their particular needs.