Securing Web Applications
There is some confusion regarding the differences between these two technologies. IPS vendors often add to the confusion by claiming that their solutions provide complete Web application protection. This paper examines the essential differences between Web Application Firewalls and IPS solutions, especially with regard to Web application protection.
Application Protection – Technology Comparison
The Barracuda Web Application Firewall fully terminates and proxies every connection. Because the firewall has complete visibility into the application layer constructs, it can apply strict security checks on the decoded request content. It also provides the flexibility to tighten or relax the security policies for individual elements, a requirement for securing complex Web applications.
Application State AwarenessSecuring against certain attacks, such as cookie tampering, session hijacking and hidden form field tampering requires that application constructs such as cookie or session be understood, and that their values be monitored to prevent tampering.
Since IPS products work at the network level and have no application state knowledge, they are incapable of blocking these application layer attacks. The Barracuda Web Application Firewall understands the Web traffic constructs and keeps track of the application state and client sessions. This enables it to enforce the full application state validation needed to secure the Web application.
Securing Encrypted or Encoded TrafficBecause most IPS products work at the network layer, they cannot validate encrypted sessions or interpret application encoding schemes. This prevents IPS technology from protecting the most mission-critical applications in a network.
Protection from Attack Variants and Zero Day AttacksMost modern IPS products share a common heritage with signature-based intrusion detection system (IDS) solutions. They watch incoming network traffic and compare it against a database of signatures describing all previously known exploits. If a close match is discovered, the traffic is blocked.
This signature-based approach requires each new threat to be discovered and added to the known threat signature database before it can be prevented. Even known signatures can escape detection by slightly modifying the attack signature.
The Barracuda Web Application Firewall, however, uses both a positive security model and a signaturebased model. It ensures that every user request and response conforms to expected application usage and allows only valid traffic, which prevents both known and unknown application attacks with no signatures and no false positives.
For example: On a page login.asp, the Barracuda Web Application Firewall can enforce the field loginid to only accept numbers [0-9] and a maximum value of 999999. This defeats all known and unknown injection attacks.
Outbound Data Leak PreventionIPS solutions cannot intercept and modify outbound responses from the Web applications. Hackers frequently attempt to simulate error conditions where the server response reveals sensitive information about the application, server or the database. The information gathered can be used to launch focused attacks subsequently. The Barracuda Web Application Firewall suppresses sensitive information in responses such as stack traces and debugging information to cloak the Web applications. It also removes headers like server banners that can be used to identify the servers. Additionally, the Barracuda Web Application Firewall ensures that sensitive information like credit card information or social security numbers are either masked or blocked to protect against data leaks.
Protection Against Forceful BrowsingOne of the most common hacker reconnaissance strategies is Web harvesting, either manual or using malicious robots and crawlers, in an attempt to gain access to resources that are not explicitly linked but may be easily attacked. One of the most common hacker reconnaissance strategies is Web harvesting, either manual or using malicious robots and crawlers, in an attempt to gain access to resources that are not explicitly linked but may be easily attacked.
IPS solutions have no defense against such forceful browsing attacks. Since they cannot control the server error responses, they are unable to effectively cloak the Web applications.
The Barracuda Web Application Firewall can automatically learn the precise application profile and its security policies from request and response traffic. This includes the application structure such as valid URL space, the FORM/query parameters allowed for each page, their maximum instances and allowed values. Any request for a resource outside the generated profile or violating the profile is denied by the Barracuda Web Application Firewall, thus protecting against forceful browsing.
Granular ControlA one-size-fits-all security model, as offered by IPS products, generates too many false positives when applications need to explicitly allow certain inputs that otherwise might be deemed as attacks. For example, an online email application may treat HTML input as valid, but the IPS would treat it as an XSS injection attack. A “name” parameter may be allowed a single quote (John O’Connor) but this will match SQL injection patterns.
The Barracuda Web Application Firewall allows administrators to selectively relax the security policy to allow such inputs where they are required, while continuing to apply them everywhere else. IPS products do not offer such fine-grained exception configuration.
Securing Customized Web ApplicationsIPS protection is limited to well-known applications and platforms such as Microsoft, Oracle or Apache. But as many as 75% of all attacks today target vulnerabilities in customized application code built on top of these platforms for which there are no signatures. As a result, IPS solutions are not effective in these cases. This problem often is compounded by the fact that custom Web applications themselves are dynamic and complex, so as new vulnerabilities get introduced they require a different approach to securing these applications.
Because it learns legitimate application behavior in real-time, the Barracuda Web Application Firewall is able to block both known and unknown attacks in standard platforms and customized application code.
Securing Web Services and Protecting against Web 2.0 AttacksThe adoption of Web 2.0 technologies such as Web Services, SOAP, AJAX, JSON, RIA and RSS/Atom has generated additional attack vectors that are being increasingly exploited by hackers. Examples of such new attacks includes XPATH injection, WSDL probing, XML poisoning and parsing attacks, as well as many others.
Existing attacks like XSS, CSRF and a combination of the two can be carried out in new ways with Web 2.0 application frameworks and are becoming very popular in the hacker’s toolbox. Using the new client side frameworks such as AJAX, hackers are bypassing same-origin policy to get cross domain access to the victim’s authenticated sites, thereby riding the victim’s sessions without his/her knowledge.
IPS products do not provide any protection from such attacks. The Barracuda Web Application Firewall uses advanced checks such as referrer checking and injecting unique session tokens in responses to thwart cross-domain session riding attacks. It also features a comprehensive XML firewall that denies attacks on Web 2.0 applications based on the new technologies such as AJAX and Web Services.
Architectural Limitations of IPS Products
|Deployment Flexibility||IPS/IDS Firewall||Barracuda Web App Firewall|
|Secure network partitioning||No||Yes|
|Integrated Load Balancer||No||Yes|
|Accelerated application delivery||No||Yes|
|TCP connection pooling||No||Yes|
|Application content based routing||No||Yes|
|Built in authentication engine||No||Yes|
|Multiple applications single sign on||No||Yes|
|Security||IPS/IDS Firewall||Barracuda Web App Firewall|
|Injection attack protection (XSS, SQL)||No||Yes|
|Normalize encoded traffic||No||Yes|
|Inspect HTTPS traffic||No||Yes|
|Session tampering/hijacking/riding protection||No||Yes|
|Forceful browsing prevention||No||Yes|
|Data theft protection, cloaking||No||Yes|
|Web services projection||No||Yes|
|Virus/malware upload protection||No||Yes|
|Application layer DoS protection||No||Yes|
|Rate control protection||No||Yes|
|Request, response rewrite||No||Yes|
|Application access logging and user audit trails||No||Yes|