In what way are these products firewalls? I realize that there is precedent for using the term “firewall” loosely.
Using the Virtual Patching Challenge presentation by Ryan C. Barnett of Breach Security at Black Hat DC 2009 as an authority:
A Web Application Firewall analyzes traffic and enforces the Virtual Patching Logic so that malicious traffic never reaches the web application.
That could describe an input validation filter. He goes on to say that a Web Application Firewall (WAF) “is more than an ‘attack blocking device’. A WAF can also identify and correct Application Defects. A WAF can be used as an HTTP Auditing device.” He added that Virtual Patching can expedite the implementation of mitigation and provide protection for apps that can’t be updated.
“Virtual patching of web applications” appears to be the technology implemented on web application firewalls. Virtual patching would include filters that drop input that looks like SQL injection or cross-site scripting attacks. Virtual patching should also include approaches which modify output; in effect, wrapping the application to give the effect that the application problem has been fixed. A web application firewall would be the device which implements virtual patching.
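To make the two halves of virtual patching concrete, here is an added, stand-alone sketch (not from the presentation or any WAF product) of a patch in front of a hypothetical application: a positive-model rule restricts a parameter on a known-weak endpoint to the values the application legitimately needs, and an output rewrite scrubs a verbose database error so the unfixed defect is not exposed. Paths, parameter names and the error pattern are assumptions.

```python
import re
import logging
from dataclasses import dataclass, field

log = logging.getLogger("virtual_patch")


@dataclass
class Request:
    path: str
    params: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)


# Input-side patch (assumed endpoint): /product only ever needs a short numeric id,
# so any non-numeric value, injection attempt or not, is dropped before the app sees it.
INPUT_RULES = {
    "/product": {"id": re.compile(r"^\d{1,9}$")},
}

# Output-side patch (assumed defect): the app leaks raw database error text on failure.
SQL_ERROR = re.compile(r"(?i)you have an error in your sql syntax.*", re.S)


def inspect_request(req):
    """Return None if the request passes the rules, else a 403 Response (the 'drop' action)."""
    rules = INPUT_RULES.get(req.path)
    if not rules:
        return None
    for name, pattern in rules.items():
        value = req.params.get(name, "")
        if not pattern.match(value):
            log.warning("virtual patch blocked %s %s=%r", req.path, name, value)
            return Response(403, "Forbidden")
    return None


def rewrite_response(resp):
    """Replace a verbose database error page with a neutral message and mark the rewrite."""
    if resp.status == 500 and SQL_ERROR.search(resp.body):
        headers = {**resp.headers, "X-Virtual-Patch": "1"}
        return Response(500, "An internal error occurred.", headers)
    return resp


def handle(req, backend):
    """Wrap the application: filter the request, call the app, then filter its response."""
    blocked = inspect_request(req)
    return blocked if blocked else rewrite_response(backend(req))
```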
I need a better, simpler example. The PCI Security Standards Council Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified [pdf] includes the clarifications:
WAFs are designed to inspect the contents of the application layer of an IP packet, as well as the contents of any other layer that could be used to attack a web application.
Increasingly, WAF technology is integrated into solutions that include other functions such as packet filtering, proxying, SSL termination, load balancing, object caching, etc. These devices are variously marketed as “firewalls,” “application gateways,” “application delivery system,” “secure proxy,” or some other description.
The Web Application Security Consortium has developed and continues to clarify its Web Application Firewall Evaluation Criteria.
Web application firewalls (WAF) are a new breed of information security technology designed to protect web sites from attack. WAF solutions are capable of preventing attacks that network firewalls and intrusion detection systems can’t, and they do not require modification of application source code.
That did not help, either.
Identify your problem before selecting your solution. Your solution may be an additional technology marketed as a WAF. For example, you may have an application for which you will be unable to modify the code or replace the application in a reasonable amount of time. You may receive a set of applications as part of a merger and be unable to review the applications in the time available. Bring your evaluation criteria to product selection discussions.
For a critique of WAF inadequacies, see:
- Shocking News In PHP Exploitation by Stefan Esser November 2009
- Bypassing Web Application Firewalls with SQLMap Tamper Scripts by Roberto Salgado, 26-Aug-2011
- Vulnerabilities in open source WAF ModSecurity by Ivan Ristic 18-Jun-2012
Effectiveness of Web Application Firewalls, by Larry Suto, concludes that WAF and IPS implementations benefit significantly from tuning, including the use of filters generated by Dynamic Application Security Testing (DAST) products.
Web Application Firewall products:
- ModSecurity, with a rule set such as this one from Trustwave SpiderLabs or the OWASP ModSecurity Core Rule Set Project
- Imperva SecureSphere
- Breach WebDefend
- F5 Application Security Manager
- Citrix NetScaler
- Barracuda Web Application Firewall
The Whitewash module allows Ruby programs to clean up any HTML document or fragment coming from an untrusted source and to remove all dangerous constructs that could be used for cross-site scripting or request forgery. All HTML tags, attribute names and values, and CSS properties are filtered through a whitelist that defines which names and what kinds of values are allowed.
OWASP ESAPI is an encoding library. If you must display user-supplied input back to the user, pass it through the ESAPI encoder before sending it to be displayed. This converts any dangerous characters into a representation that is safe for the target context, e.g. characters that are safe for HTML rendering. This defends against cross-site scripting (XSS) attacks, both reflected and stored.
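The reason an encoding library offers several encoders rather than one is that the "safe" representation depends on where the untrusted text lands. The following added Python sketch (not ESAPI's code; the character maps approximate the commonly used ones and are an assumption) encodes the same input for an HTML text node, an HTML attribute and a JavaScript string literal, and shows a page fragment using all three.

```python
# Characters that change meaning inside an HTML text node or a quoted attribute.
_HTML_MAP = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;",
    '"': "&quot;", "'": "&#x27;", "/": "&#x2F;",
}


def _is_safe_ascii_alnum(ch):
    return ch.isascii() and ch.isalnum()


def encode_for_html(s):
    """Encode untrusted text for an HTML text node or a double-quoted attribute value."""
    return "".join(_HTML_MAP.get(ch, ch) for ch in s)


def encode_for_html_attribute(s):
    """Encode every non-alphanumeric character as &#xHH; so even an unquoted attribute stays inert."""
    return "".join(ch if _is_safe_ascii_alnum(ch) else f"&#x{ord(ch):x};" for ch in s)


def encode_for_javascript(s):
    """Encode untrusted text for a JavaScript string literal: \\xHH for Latin-1, \\uHHHH otherwise."""
    out = []
    for ch in s:
        if _is_safe_ascii_alnum(ch):
            out.append(ch)
        elif ord(ch) < 256:
            out.append(f"\\x{ord(ch):02x}")
        else:
            out.append(f"\\u{ord(ch):04x}")
    return "".join(out)


def render_greeting(name):
    """Place the same untrusted value in three contexts, each with the matching encoder."""
    return (
        f'<p title="{encode_for_html_attribute(name)}">Hello, {encode_for_html(name)}</p>\n'
        f"<script>var user = '{encode_for_javascript(name)}';</script>"
    )
```

Using the HTML text-node encoder for the JavaScript context would leave a single quote intact, which is exactly the mismatch a context-specific encoder set is meant to prevent.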
Microsoft Anti-Cross Site Scripting Library V4.2 (AntiXSS V4.2) is an encoding library designed to help developers protect their ASP.NET web-based applications from XSS attacks.
Microsoft Code Analysis Tool .NET (CAT.NET) v1 CTP is a binary code analysis tool that helps identify common variants of certain prevailing vulnerabilities that can give rise to common attack vectors such as Cross-Site Scripting (XSS), SQL Injection and XPath Injection.
Incapsula may be a worthwhile investment if you are looking to improve web site performance, establish a DDoS management mechanism, sign off on a PCI audit requirement and add WAF features.