Re: web appliaction security products (AKA application firewalls)

2002-11-22-13:24:32 Jason Childers:
> (5) Some tools require you to put them in "learning" mode so they
I'd like to expand on this thought a little bit.

A web proxy or other firewall component designed to improve security of webservers at the application level has to have some way of telling the difference between legitimate queries and attempts to burgle the server, perhaps via exploiting bugs.

The tightest config you can get comes when you manually configure the proxy to precisely define what are legal queries, with very precise specifications for every one, including minimum/maximum lengths, numeric scale ranges, exact parameter formats, allowed alphabets, the whole schmeer. This requires duplicating the front-end scanning process of your webserver, replicating its specification in the config language of your application proxy. This amounts to a security code review, which is a good thing. It's also labor-intensive, some shops are unwilling to expend that labor.

For such shops, a popular alternative is to have a proxy that can "train" to learn valid requests. The problem with this is that it's impossible for training to really teach such a proxy some details, e.g. the maximum permitted field lengths and permitted alphabets for various fields. So proxies that are configured only by training aren't going to be as strict as you can make a manually-configured parameter-checking proxy.

> If your website changes, then you have to put the tool back in

This concern I'm not completely in agreement with, however. It certainly applies in small "joe's bait shop and web hosting" type places, but serious shops have an intermediate stage between development and production, variously called quality assurance, or testing, or beta, or some such. This stage includes automated coverage testing, with automatic test suites that are carefully designed and maintained alongside the code to exercise every bit of it. If you're content with the weaker validity checking from training-configured proxies, you can train the new config in the qa pass, and push the updated config to the proxy servers along with the site update as part of the production release.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

-Bennett