March 21st, 2005
Web Application Firewalls.
Anyone who has worked as a security auditor, sometimes called a “white hat hacker”, knows that most organizations have gotten pretty good at configuring their firewalls and patching their externally facing servers. A scan with a tool such as Nessus reveals very few exploitable vulnerabilities. But if the target organization has a significant web presence, there are invariably weaknesses in the way it deploys web applications. For a targeted attack, the web application is the open front door.
A quick example. Have you ever seen something like this in the address bar of your web browser: http://www.somewebsite.com/index/startpage.asp?SID=00134 ? Note the “SID”, or session ID. Sometimes it is even a UID, or user ID. Often all you have to do is decrement the session or user ID by one and you immediately hijack the session of the person who logged in just before you. It is rare, but still possible, to find for-pay subscription sites that expose session IDs this way. Once a session is hijacked, a hacker can navigate to the “profile” section of the site and permanently take over the victim’s subscription by changing the login password.
Although good programming practices can avoid most web application snafus, some of the harder bugs to counter are in the business process itself. Two examples. ChoicePoint was seriously whacked by a gang of identity thieves because it assumed that only good guys would sign up for its service; ChoicePoint made it very easy for fictional organizations to obtain credentials and start pilfering its online databases of credit histories. Several high-cost subscription services for legal and research data offer a subscription option meant for short-term use, a “try before you buy” ploy. So a hacker pays the $250 for a month’s access and runs an automated program that downloads the entire contents of the site’s database. Both of these scenarios are easily addressed, but changes to the business process are required.
In order to counter all of these types of attack, a web application firewall is required. These are network devices that sit in front of the web servers. They block attacks against underlying vulnerabilities in the web server, the OS and the web applications. They also provide a control point where additional rules can be enforced, such as password and session management, or denying requests beyond a certain threshold.
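To make the decrement trick concrete, here is an added example (written for this edit, not code from the original post) that models the two ways a site can hand out session IDs. The user table, the starting counter of 134 and the class names are assumptions for the illustration. The sequential store reproduces the weakness described above; the hardened store draws IDs from the OS CSPRNG and also demands the current password before a password change, so a stolen session alone cannot lock the victim out of their subscription.

```python
import secrets

# Constructed credential table for this example only.
USERS = {"alice": "pw-alice", "bob": "pw-bob"}


class SequentialSessionStore:
    """Vulnerable: the session ID is a counter, so neighbouring logins have adjacent IDs."""

    def __init__(self, start=134):
        self._next = start        # 134 mirrors the SID=00134 in the URL above
        self.sessions = {}        # sid -> username

    def login(self, user, password):
        if USERS.get(user) != password:
            return None
        sid = f"{self._next:05d}"
        self._next += 1
        self.sessions[sid] = user
        return sid

    def whoami(self, sid):
        return self.sessions.get(sid)


class RandomSessionStore:
    """Hardened: the ID is 128 bits from the OS CSPRNG and is only a lookup key, never an identity."""

    def __init__(self):
        self.sessions = {}

    def login(self, user, password):
        if USERS.get(user) != password:
            return None
        sid = secrets.token_urlsafe(16)   # 16 random bytes, base64url encoded
        self.sessions[sid] = user
        return sid

    def whoami(self, sid):
        return self.sessions.get(sid)

    def change_password(self, sid, current_password, new_password):
        """Re-authenticate before a password change so a hijacked session alone is not enough."""
        user = self.whoami(sid)
        if user is None or USERS[user] != current_password:
            return False
        USERS[user] = new_password
        return True


def hijack_by_decrement(store, my_sid):
    """The attack from the post: subtract one from our own SID and ask the server whose session it is."""
    try:
        guess = f"{int(my_sid) - 1:05d}"
    except ValueError:
        return None               # a random token has no predecessor to guess
    return store.whoami(guess)


def demo():
    """Victim logs in first, attacker second; returns who the decrement trick hijacks on each store."""
    weak = SequentialSessionStore()
    weak.login("alice", "pw-alice")             # victim gets SID 00134
    attacker_sid = weak.login("bob", "pw-bob")  # attacker gets SID 00135
    hijacked = hijack_by_decrement(weak, attacker_sid)

    strong = RandomSessionStore()
    strong.login("alice", "pw-alice")
    attacker_sid = strong.login("bob", "pw-bob")
    safe = hijack_by_decrement(strong, attacker_sid)
    return hijacked, safe    # ("alice", None)


if __name__ == "__main__":
    print(demo())
```

The point of `change_password` is that session hijacking and account takeover are separate steps: even if an ID is exposed, a site that re-checks the current password on the profile page stops the attacker from permanently taking over the subscription.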
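The “deny requests beyond a certain threshold” rule is the control that addresses the try-before-you-buy bulk download from the previous paragraph. As an added example (not from the original post or any of the products named on this page), the following sliding-window rule keys on the subscriber’s session ID and is run over a small constructed access log: a human reading five pages over forty seconds and a script pulling thirty pages in thirty seconds. The log format, the limit of 20 requests per 60 seconds and the session names are assumptions for the illustration.

```python
from collections import defaultdict, deque


class ThresholdRule:
    """Sliding-window rule: a session may make at most `limit` requests in any `window` seconds."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)   # session id -> timestamps of recent requests

    def check(self, sid, ts):
        """Return "allow" or "deny" for a request by `sid` at Unix time `ts` (timestamps arrive in order)."""
        recent = self._hits[sid]
        while recent and ts - recent[0] >= self.window:
            recent.popleft()              # drop hits that fell out of the window
        recent.append(ts)                 # denied requests still count, so hammering keeps you denied
        return "deny" if len(recent) > self.limit else "allow"


def build_sample_log():
    """Constructed access log (not real traffic): a human reader and a bulk-download script.

    Line format: "<unix_ts> <session_id> <method> <path>"
    """
    lines = [f"{1000 + 10 * i} s-alice GET /docs/{i}" for i in range(5)]   # 5 pages over 40 s
    lines += [f"{1000 + i} s-bot GET /docs/{i}" for i in range(30)]        # 30 pages in 30 s
    return sorted(lines, key=lambda line: int(line.split()[0]))


def apply_rule(lines, limit=20, window=60):
    """Run the rule over a log and count verdicts per session."""
    rule = ThresholdRule(limit, window)
    verdicts = defaultdict(lambda: {"allow": 0, "deny": 0})
    for line in lines:
        ts, sid, _method, _path = line.split()
        verdicts[sid][rule.check(sid, int(ts))] += 1
    return dict(verdicts)


if __name__ == "__main__":
    # Expected: the reader is never denied; the script gets 20 pages and then 10 denials.
    print(apply_rule(build_sample_log()))
```

Keying on the session rather than the source IP matters here: the scraper is a paying subscriber with a valid login, so the only thing that distinguishes it from a reader is the volume of pages it pulls per session.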
I have seen three ways to design web application (WA) firewalls. The first-generation WA firewalls would scan your web apps for vulnerabilities and generate a set of rules to protect those vulnerabilities. Kavado and Sanctum are good examples of this first generation. Sanctum branched out into offering its web vulnerability scanner as a separate product.
The next generation of WA firewall, represented by NetContinuum and Teros, maintains a very sophisticated “state” for every web session. By keeping track of all outgoing information, these firewalls can enforce a policy of deny everything except that which has implicitly been allowed. In other words, a visitor to a website is only allowed to follow internal links that have been sent out during that session. No more changing SIDs or typing in unreferenced addresses like www.somewebsite.com/test. The same technology can also block leakage of information such as Social Security numbers or account details.
The third generation of WA firewall also uses a scanner, but it scans and maps the website to create a “deny everything except that which is explicitly allowed” rule set. This is the technology that Magnifire developed and that is now sold by F5 Networks.
One common prognostication is that WA firewalls will eventually become a component of traditional firewalls. However, as web-based business processes become more and more decoupled from the rest of an organization’s Internet connectivity, there is an argument to be made that protecting web applications requires separate infrastructure. Companies like Check Point and Juniper offer web application defenses, but with only about 80% of the functionality of the purpose-built WA firewalls.
PS. An open source WA firewall is available from the ModSecurity project.
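The second- and third-generation designs above share one idea, a positive security model, and differ in where the allow list comes from: a scanner-built map of the site, or the links the application itself sent to this session. The following added example (written for this edit; it is not code from NetContinuum, Teros, Magnifire, F5 or the original post) combines both sources in one filter and adds the outbound leakage check. The site map, the session names, the URLs and the link and SSN patterns are assumptions for the illustration. It shows why the decremented SID from the earlier example is refused: that exact URL was never sent to the visitor, so it is not on the list.

```python
import html
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed "scanner" map of the site: path -> parameter names the application actually reads.
SITE_MAP = {
    "/": set(),
    "/index/login.asp": {"user", "pw"},
}

HREF_RE = re.compile(r'(?:href|action)="([^"]+)"')   # links the application sends out
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")         # outbound leakage pattern (US SSN shape)


class PositiveModelWAF:
    """Allow only what the site map or this session's own previous responses have offered."""

    def __init__(self, site_map):
        self.site_map = site_map
        self.offered = defaultdict(set)    # sid -> (path, query) pairs sent to that session

    def inspect_request(self, sid, url):
        parts = urlsplit(url)
        if parts.path in self.site_map:
            extra = {k for k, _ in parse_qsl(parts.query)} - self.site_map[parts.path]
            if extra:
                return "deny", f"unexpected parameter(s): {sorted(extra)}"
            return "allow", "path in site map"
        if (parts.path, parts.query) in self.offered[sid]:
            return "allow", "link was sent to this session"
        return "deny", "unreferenced URL"

    def inspect_response(self, sid, body):
        """Learn the links in an outgoing page and redact SSNs before the page leaves."""
        for href in HREF_RE.findall(body):
            link = urlsplit(html.unescape(href))     # &amp; in HTML attributes becomes &
            self.offered[sid].add((link.path, link.query))
        if SSN_RE.search(body):
            return "block", SSN_RE.sub("***-**-****", body)
        return "pass", body


def demo():
    """Walk one session through the WAF; returns the verdict for each step."""
    waf = PositiveModelWAF(SITE_MAP)
    sid = "sess-1"
    out = {}
    out["login"] = waf.inspect_request(sid, "/index/login.asp?user=alice&pw=secret")[0]
    # The application answers with a link that carries this visitor's own SID.
    waf.inspect_response(sid, '<a href="/index/startpage.asp?SID=00135">start</a>')
    out["own_sid"] = waf.inspect_request(sid, "/index/startpage.asp?SID=00135")[0]
    out["prev_sid"] = waf.inspect_request(sid, "/index/startpage.asp?SID=00134")[0]  # decrement trick
    out["unreferenced"] = waf.inspect_request(sid, "/test")[0]
    out["extra_param"] = waf.inspect_request(sid, "/index/login.asp?user=a&pw=b&debug=1")[0]
    verdict, body = waf.inspect_response(sid, "<p>Account holder SSN 123-45-6789</p>")
    out["leak"] = verdict
    out["leak_body"] = body
    return out


if __name__ == "__main__":
    for step, verdict in demo().items():
        print(f"{step:>12}: {verdict}")
```

Two caveats a practitioner would add: the learned-link table must be per session and must expire with the session, or one visitor’s offered URLs become everyone’s allow list; and a scanner-built map only knows the parameters the scanner saw, so any feature the crawl missed is denied until the map is regenerated, which is the operational cost of a positive model.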
Richard Stiennon is an industry consultant. See his full profile and disclosure of his industry affiliations.