Web application firewalls deliver higher protection at lower TCO
Free NSS Labs report: Web Application Firewall Comparative Analysis Download
75% of attacks take place at the application layer.
Protecting against these new breed of attacks is not an option.
Security is moving up the stack
Security has always been a concern for the Enterprise. A lot of time, technology and money have been spent to sure up the perimeter and filter out unwanted, potentially malicious, traffic. While the packet filter and stateful inspection firewall still have a part to play in IT security, the simple demarcation of trusted and untrusted traffic is no longer sufficient to protect a company’s digital assets. Cyber criminals have shifted their attention “up the stack” to the application layer. In a sense the very dedication that IT has shown in building strong network defences has driven the attacks to the application.
Gartner estimate that 75% of attacks take place at the application layer. It seems that writing good code is incredibly hard and extremely rare hence applications are riddled with holes. Vulnerabilities can be exploited to carry out a variety of attacks on the applications, data and the network. Protecting an organisation from these new breed of attacks is necessary and requires special tools and skills
Application layer firewalling is a must!
As malicious code traverses the network masquerading as normal application content, it will not be noticed by standard security measures at the perimeter. Indeed, it will only manifest when it is at the site where it can do the most damage. This is why application layer firewalls that can catch these attacks are necessary.
Application firewalls look deep into a packet’s and a conversation’s details to assess whether it is recognised as an attack and if it complies with the known application protocols (HTTP). Only once the stream is deemed safe is it passed on to the application server for fulfilment.
What should an application firewall protect against
The first approach is to ensure that your systems are firstly protected against the common application attacks. The Open Web Application Security Project (OWASP) monitors application security and produce a top 10 list of application attacks. This is a list of the top threats categories that affect application security. These change with time but currently the most prevalent attacks are Injection attacks
- Broken authentication and session management
- Cross-site scripting
- Insecure direct object references
- Security misconfiguration
- Sensitive data exposure
- Missing function level access control
- Cross-site forgery
- Using known vulnerable components
- Unvalidated redirects and forwards
- Going into detail on all of these is beyond the scope of this article but more information can be found here.
Considerations for an application firewall
When choosing an application firewall, consideration must be given to how effective the default rule-set is and how customisable the device can be for particular environments. That is to say, how it will perform out of the box and how well it can be tuned. Another factor of course is how easy the device is to use and understand and of course the total cost of ownership in relation to the protection it will provide.
It should go without saying that any application firewall ought to protect against all of the threats identified by OWASP in their top ten list. An application firewall ought to come with both a negative (signature inspection) and positive (application learning) security model. The inspection of signatures is fast and can be used to “clean up” many of the well known bulk attacks in the wild. This is supplemented by the more restrictive and more CPU-intensive advanced mode which will determine whether traffic should be passed to the application based on its compliance with the protocols and application structure.
Obviously much of this advanced protection must be learnt for each application. Rarely are applications completely compliant so the right amount of rule relaxation must be present to avoid false positives. This is obviously easier if the firewall can report the things it would have blocked while in the learning mode in an easy to understand human-readable format.
Performance is another factor in selecting the right application firewall. There should be no added latency in a connection because of inspection so the processing power of any device needs to be sufficient to cope with the projected needs of the organisation. There should be enough power to inspect and protect fully without diminishing the user experience.
Combined functionality adds to the value
Because of their position in the network and application-level intelligence, Application Delivery Controllers are adding application firewall functionality to their arsenal. This is a better solution as it allows a more holistic approach to security than a stand-alone device (or devices). Combining the availability, scalability and performance of an application with the authentication and application security onto a single device allows it to carry out the right level of security in a single pass and report accordingly. This approach is becoming the norm. It makes a lot of sense both from a security and cost perspective and should be considered.
Citrix NetScaler Application firewall
Citrix has been involved in securing enterprise applications and data from the start. NetScaler Application Firewall offers multi-gigabit protection against 100% of application layer attacks – including the OWASP top 10. The application firewall is fully integrated with the rest of NetScaler’s capabilities making it very easy to add application security to any policy. The application firewall is also well positioned to protect against outbound data leakage – for example credit cards details – which means that the enterprise and customer data is suitably safeguarded.
The device is very easy to use. Enabling attack protection for any application is easy. Simply select the application and click “protect”. The advanced learning engine automatically learns the behaviour of any application, even complex ones with extensive client-side Java Script and can make human-readable policy recommendations. These recommendations can be easily accepted to tailor the security policy for the application. The NetScaler visualiser provides a unique tool for deploying and visualising application deployments and security.
The NetScaler application firewall is ICSA certified and aids in compliance with information security regulations such as the Payment Card Industry (PCI) Data Security Standard (DSS). The application firewall is deployable as a stand-alone device or as an integrated module as part of the NetScaler application delivery controller.
Recent tests by NSS labs gave a recommended status to NetScaler as an Application Firewall. Their report tested several of the leading vendors and found that NetScaler blocked 99.8% of known attacks “out of the box” – much the same as most of the other vendors. However, NetScaler really came to the fore when the TCO for the solution was examined. The Citrix device had the lowest cost for protected connections per second.
This award shows that the NetScaler has the power at the right price to provide the security necessary for high traffic volumes.
NetScaler differs from its competitors in that it is an appliance built upon an architecture that is optimised to perform on merchant silicon. This lack of reliance on specialised ASICs yields an advantage in that it is able to carry much of its functionality in a single pass, which reduces latency. Further, this software-first design means that NetScaler is available as physical, virtual and multi-tenant devices with exactly the same functionality across the range.
These different form-factors allow complete flexibility in deployment. Spin up virtual instances in the cloud or deploy physical units in the datacentre and migrate seamlessly from one to another as your requirements change. In all instances the ease of use and interchangeability of configuration means that your applications will always have the highest levels and best value security available.