Web Application Firewall (WAF)

In what way are these products firewalls? I realize that there is precedent for using the term “firewall” loosely.

Using the Virtual Patching Challenge presentation by Ryan C. Barnett of Breach Security at Black Hat DC 2009 as an authority:

A Web Application Firewall analyzes traffic and enforces the Virtual Patching Logic so that malicious traffic never reaches the web application.

That could describe an input validation filter. He goes on to say that a Web Application Firewall (WAF) “is more than an ‘attack blocking device.’ A WAF can also identify and correct Application Defects. A WAF can be used as an HTTP Auditing device.” He added that Virtual Patching can expedite the implementation of mitigation and provide protection for apps that can’t be updated.

“Virtual patching of web applications” appears to be the technology implemented on web application firewalls. Virtual patching would include filters that drop input that looks like SQL injection or cross-site scripting attacks. Virtual patching should also include approaches that modify output; in effect, wrapping the application to give the effect that the application problem has been fixed. A web application firewall would be the device which implements virtual patching.

I need a better, simpler example. The PCI Security Standards Council Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified [pdf] includes the clarifications:

WAFs are designed to inspect the contents of the application layer of an IP packet, as well as the contents of any other layer that could be used to attack a web application.

Increasingly, WAF technology is integrated into solutions that include other functions such as packet filtering, proxying, SSL termination, load balancing, object caching, etc. These devices are variously marketed as “firewalls,” “application gateways,” “application delivery system,” “secure proxy,” or some other description.

The Web Application Security Consortium has developed and continues to clarify its Web Application Firewall Evaluation Criteria.

Web application firewalls (WAF) are a new breed of information security technology designed to protect web sites from attack. WAF solutions are capable of preventing attacks that network firewalls and intrusion detection systems can’t, and they do not require modification of application source code.

That did not help, either. Identify your problem before selecting your solution. Your solution may be an additional technology marketed as a WAF. Bring the evaluation criteria to discussions.

For a critique of WAF inadequacies, see Shocking News In PHP Exploitation by Stefan Esser, November 2009. For additional examples, see Bypassing Web Application Firewalls with SQLMap Tamper Scripts by Roberto Salgado, August 26, 2011.

Effectiveness of Web Application Firewalls, by Larry Suto, concludes that WAF and IPS implementations benefit significantly from tuning, including the use of filters generated by Dynamic Application Security Testing (DAST) products.
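As an added illustration of the virtual patching described above (request-side filtering, output correction, and HTTP auditing), here is example code written for this post, not taken from any of the products or papers it cites. The endpoint, its parameter formats, and the header corrections are assumptions; the request side uses a tuned allowlist rather than attack signatures, the kind of filter a DAST-driven tuning pass would produce.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Hypothetical virtual patch for one endpoint: only these parameters, in these
# formats, may reach the application (a positive-security allowlist).
VIRTUAL_PATCHES = {
    "/account": {
        "id": re.compile(r"^[0-9]{1,10}$"),
        "view": re.compile(r"^(summary|detail)$"),
    },
}
AUDIT_LOG = []  # the WAF as an HTTP auditing device: one record per decision


def inspect_request(method, url):
    """Return (allowed, reason). Paths without a patch pass through;
    patched paths admit only allowlisted parameters in allowlisted formats."""
    parts = urlsplit(url)
    policy = VIRTUAL_PATCHES.get(parts.path)
    decision = (True, "no virtual patch for path")
    if policy is not None:
        decision = (True, "all parameters match allowlist")
        for name, values in parse_qs(parts.query, keep_blank_values=True).items():
            pattern = policy.get(name)
            if pattern is None:
                decision = (False, f"unexpected parameter {name!r}")
                break
            if not all(pattern.match(v) for v in values):
                decision = (False, f"parameter {name!r} fails allowlist")
                break
    AUDIT_LOG.append({"method": method, "path": parts.path,
                      "allowed": decision[0], "reason": decision[1]})
    return decision


def correct_response(headers):
    """Output-side patch: repair defects the application emits (missing cookie
    flags, missing anti-sniffing header) without touching its source code."""
    fixed = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            flags = {f.strip().lower() for f in value.split(";")[1:]}
            if "httponly" not in flags:
                value += "; HttpOnly"
            if "secure" not in flags:
                value += "; Secure"
        fixed.append((name, value))
    if not any(n.lower() == "x-content-type-options" for n, _ in fixed):
        fixed.append(("X-Content-Type-Options", "nosniff"))
    return fixed
```

A real deployment would sit in a reverse proxy in front of the application; the allowlist has to be tuned per endpoint, which is exactly the tuning effort the Suto paper says these products need.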

Web Application Firewall products:

  • ModSecurity, with a rule set such as this one from Trustwave SpiderLabs
  • Imperva SecureSphere
  • Breach WebDefend
  • F5 Application Security Manager
  • Citrix NetScaler
  • Barracuda Web Application Firewall

The Whitewash module allows Ruby programs to clean up any HTML document or fragment coming from an untrusted source and to remove all dangerous constructs that could be used for cross-site scripting or request forgery. All HTML tags, attribute names and values, and CSS properties are filtered through a whitelist that defines which names and what kinds of values are allowed.
