Because of their complexity, and because they process and store user data, web applications are an attractive target: for data theft, for the distribution of malicious code, and as a foothold for further penetration into internal resources. One way to reduce the risk of such incidents is a firewall dedicated to protecting web applications.
Cyber attacks on a company’s resources focus on weaknesses in its systems that can be exploited easily. Since hacker groups and malicious individuals operate like any other money-making entity, attacks that take too much time and effort are mostly avoided. The days when web-based attacks were easy to execute are behind us, largely thanks to firewalls: they are easy to configure and manage and offer broader and better options for protection and traffic control. Besides advanced firewalls there is a whole spectrum of technologies that can protect the areas and resources exposed to the internet, most of them concerned with controlling and protecting traffic at the network level. A Next Generation Firewall is one technology that can inspect and control traffic at the application level (HTTP, HTTPS), but its functionality for web traffic control cannot match a specialised Web Application Firewall device. Since most companies have implemented some or most of the standard security technologies for protecting their publicly exposed resources, the focus of malicious attacks has shifted towards web applications, which have become the so-called “low hanging fruit” because they lack adequate protection. That means criminals can achieve highly profitable results with minimum effort and time. A good example of that kind of attack was “Sony Online” in 2011, when the initial point of entry, their web service, was used to steal the data of their 77 million users.
Web application firewalls deal solely with the protection and control of application traffic (HTTP, HTTPS) and offer the broadest range of features and technologies for that purpose. Covering all of their features would take far more than this blog entry, so we will cover only the most important ones, grouped by purpose into two segments: the first is security and protection, the second is optimization and quality of delivery.
Security and protection
In order to protect a web application we need to know how it functions: its structure, the size of its fields and forms, its static and dynamic content, the average and usual user actions, and we need to identify deviations and anomalies from the usual traffic. Taking all of those needs into account, it is easy to conclude that web application protection is a complex task. Web application firewalls track all actions and operations occurring on the web application and, based on them, create security rules, which the user can easily modify or extend with new rules. For example, it is very easy to deny a web field entry containing more than 3 characters and 6 numbers and in that way create simple input validation.
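To make the learning behaviour described above concrete, here is an added example (not code from the original article or from any WAF product) that observes normal form submissions, builds a per-field profile of maximum length and character classes seen, and then flags later submissions that deviate from it. It also accepts a hand-written rule, using the "3 letters followed by 6 digits" rule from the text as the illustration. The field names, the sample submissions and the character classes are constructed assumptions for the example.

```python
import re
import string
from dataclasses import dataclass, field

# Added example, not code from the original article. It models the "learning"
# behaviour of a WAF: observe normal submissions to a form, derive a per-field
# profile (maximum length and character classes seen), then flag submissions
# that deviate from the profile or from a manually configured rule.


@dataclass
class FieldProfile:
    max_len: int = 0
    allowed: set = field(default_factory=set)   # character classes observed


def char_class(ch):
    """Coarse character class used for the learned profile."""
    if ch in string.ascii_letters:
        return "alpha"
    if ch in string.digits:
        return "digit"
    if ch in " -_.@":
        return "punct"
    return "other"


def learn_profile(samples):
    """Build a FieldProfile per field from a list of observed form submissions."""
    profile = {}
    for submission in samples:
        for name, value in submission.items():
            fp = profile.setdefault(name, FieldProfile())
            fp.max_len = max(fp.max_len, len(value))
            fp.allowed.update(char_class(c) for c in value)
    return profile


def check_submission(profile, submission, manual_rules=None):
    """Return a list of (field, reason) violations; an empty list means the request passes."""
    manual_rules = manual_rules or {}
    violations = []
    for name, value in submission.items():
        fp = profile.get(name)
        if fp is None:
            # positive security model: fields never seen during learning are rejected
            violations.append((name, "unknown field"))
            continue
        if len(value) > fp.max_len:
            violations.append((name, f"length {len(value)} exceeds learned max {fp.max_len}"))
        unexpected = {char_class(c) for c in value} - fp.allowed
        if unexpected:
            violations.append((name, f"unexpected character class(es): {sorted(unexpected)}"))
        rule = manual_rules.get(name)
        if rule is not None and not rule.fullmatch(value):
            violations.append((name, "manual rule not matched"))
    return violations


# Constructed sample of normal traffic for a login form with a customer id field.
NORMAL = [
    {"username": "ana.kovac", "customer_id": "ABC123456"},
    {"username": "marko_h", "customer_id": "XYZ987654"},
]
PROFILE = learn_profile(NORMAL)

# The rule from the text: at most 3 letters followed by at most 6 digits.
MANUAL = {"customer_id": re.compile(r"[A-Za-z]{1,3}[0-9]{1,6}")}

if __name__ == "__main__":
    print(check_submission(PROFILE, {"username": "pero", "customer_id": "ABCD1234567"}, MANUAL))
```

The learned profile is only as good as the traffic it was learned from: a learning window that already contains attack traffic teaches the WAF to accept it, which is why real deployments keep learning mode short and review the generated rules before enforcing them.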
Knowing the functionality and structure of the web application, the firewall provides protection against the 10 most critical web application security risks, known as the OWASP (Open Web Application Security Project) Top 10. Some of the most serious and frequent OWASP Top 10 threats are SQL injection, poorly implemented registration methods, and the well-known Cross-Site Scripting (XSS).
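The SQL injection risk named above comes down to user input being parsed as SQL. The following added example (not code from the original article) puts a vulnerable lookup next to its hardened form using Python's standard sqlite3 module: the first splices the value into the query text, the second binds it as a parameter. A legitimate name containing an apostrophe is enough to show the difference, and it also shows why a WAF that simply blocked quotes would break real users. The table and rows are constructed for the example.

```python
import sqlite3

# Added example, not code from the original article. The vulnerable lookup
# builds SQL text by concatenation, so any quote in the input changes the
# statement; the hardened lookup passes the value as a bound parameter, so the
# database never parses it as SQL. Table and data are constructed.


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("ana", "ana@example.com"), ("O'Brien", "ob@example.com")],
    )
    return conn


def lookup_concat(conn, name):
    """Vulnerable: user input is spliced into the SQL text."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    """Hardened: the value travels as a bound parameter, never as SQL text."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def compare(name):
    """Return (result of the concatenated query or its error, result of the parameterised query)."""
    conn = make_db()
    try:
        concat = lookup_concat(conn, name)
    except sqlite3.Error as exc:
        # a stray quote in the input breaks the SQL syntax of the concatenated query
        concat = "error: " + type(exc).__name__
    return concat, lookup_param(conn, name)


if __name__ == "__main__":
    print(compare("ana"))
    print(compare("O'Brien"))
```

The same mechanism that makes the concatenated query fail on `O'Brien` is what an injection abuses, only with SQL that parses successfully. A WAF can reduce exposure by inspecting parameters, but only the parameterised query removes the defect, which is the point the article makes later about secure code still being essential.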
One of the really important security functions of a Web Application Firewall (WAF) device is protection against DoS (Denial of Service) and DDoS (Distributed Denial of Service) attacks, which overload the server and the network throughput and make web services unavailable to users. Sophisticated mechanisms are able to recognise user behaviour and distinguish a person from the automated tools used for DoS and DDoS attacks. One interesting method of checking whether a person or an automated tool is on the other side is to insert a JavaScript popup into the HTML traffic, to which the user must react manually if they don’t want their connection terminated. Of course, there are also standard methods of DoS and DDoS detection, such as monitoring the number of connections, tracking IP addresses and identifying their possible links to a botnet, and tracking cookies.
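As an added example (not code from the original article), the detector below runs two of the standard methods just listed over a constructed access log: counting requests per source IP inside a sliding time window, and checking whether a client ever presents the cookie that a JavaScript challenge would have set in its browser. The log format, the threshold, the window length and the cookie name are assumptions made for the example.

```python
from collections import defaultdict, deque

# Added example, not code from the original article. Flags sources that exceed
# a request rate inside a sliding window, and sources that never present the
# cookie a JavaScript challenge would set. Log format, threshold and cookie
# name are assumptions for the example.

WINDOW_SECONDS = 10
MAX_REQUESTS_PER_WINDOW = 20
CHALLENGE_COOKIE = "waf_js_ok"


def parse_line(line):
    """'<epoch> <ip> <method> <path> <cookies-or-dash>' -> (timestamp, ip, cookie dict)"""
    ts, ip, _method, _path, cookie = line.split(" ", 4)
    cookies = {} if cookie == "-" else dict(kv.split("=", 1) for kv in cookie.split(";"))
    return int(ts), ip, cookies


def detect(lines):
    """Return {ip: set(reasons)} for sources that look like DoS tooling."""
    windows = defaultdict(deque)        # ip -> timestamps inside the current window
    seen = defaultdict(int)             # ip -> total requests
    with_cookie = defaultdict(int)      # ip -> requests carrying the challenge cookie
    flagged = defaultdict(set)
    for line in lines:
        ts, ip, cookies = parse_line(line)
        q = windows[ip]
        q.append(ts)
        while q and ts - q[0] >= WINDOW_SECONDS:   # drop timestamps that left the window
            q.popleft()
        if len(q) > MAX_REQUESTS_PER_WINDOW:
            flagged[ip].add("rate")
        seen[ip] += 1
        if CHALLENGE_COOKIE in cookies:
            with_cookie[ip] += 1
    for ip, total in seen.items():
        # a browser that passed the challenge carries the cookie on every later
        # request; a tool replaying raw HTTP never presents it
        if total >= 5 and with_cookie[ip] == 0:
            flagged[ip].add("no-challenge-cookie")
    return dict(flagged)


# Constructed log: a normal user (198.51.100.7) and a flooding client (203.0.113.9).
SAMPLE_LOG = (
    [f"{1000 + i * 3} 198.51.100.7 GET /index.html {CHALLENGE_COOKIE}=1" for i in range(8)]
    + [f"{1000 + i // 10} 203.0.113.9 GET /search?q=x -" for i in range(60)]
)

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

Per-IP counting alone misfires on many users behind one NAT address and misses a distributed attack spread thinly over a botnet, which is why the cookie check and the botnet reputation lookups mentioned above are used alongside it.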
Since one of the most popular firewalls, Microsoft TMG, was discontinued, a gap for reverse proxy functionality has opened. Reverse proxy devices enable authentication offload, which means that the device can first authenticate users against RADIUS, LDAP, Active Directory or another directory service before it allows traffic towards the web applications. In that way reverse proxy devices additionally protect web applications, because traffic cannot pass unless the user has authenticated with valid credentials.
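The following added example (not code from the original article or from any reverse proxy product) sketches authentication offload as a gate in front of the application: credentials are checked against a directory, stubbed here as a constructed dictionary standing in for RADIUS, LDAP or Active Directory; a successful login yields an HMAC-signed, expiring session token; and a request is forwarded to the backend only if it carries a genuine, unexpired token. The key, the user record, the token layout and the lifetime are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

# Added example, not code from the original article. A reverse proxy gate that
# authenticates users before any traffic reaches the web application. The
# directory is a constructed stand-in for RADIUS/LDAP/AD; key, users, token
# format and lifetime are assumptions for the example.

GATE_KEY = secrets.token_bytes(32)   # per-deployment secret held by the proxy only
SESSION_TTL = 3600                   # seconds a session token stays valid
PBKDF2_ROUNDS = 50_000               # kept modest so the example runs quickly

# Constructed stand-in for the directory service: username -> salted password hash.
_DIRECTORY = {
    "ana": hashlib.pbkdf2_hmac("sha256", b"correct horse", b"salt-ana", PBKDF2_ROUNDS),
}


def directory_check(username, password):
    """Verify credentials against the (stubbed) directory in constant time."""
    stored = _DIRECTORY.get(username)
    if stored is None:
        return False
    salt = b"salt-" + username.encode()
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(stored, candidate)


def issue_token(username, now=None):
    """Return 'user|expiry|hmac' signed with the proxy's key (usernames contain no '|')."""
    now = int(now if now is not None else time.time())
    payload = f"{username}|{now + SESSION_TTL}"
    sig = hmac.new(GATE_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"


def verify_token(token, now=None):
    """Return the username if the token is genuine and unexpired, else None."""
    now = int(now if now is not None else time.time())
    parts = token.split("|")
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    username, expiry, sig = parts
    expected = hmac.new(GATE_KEY, f"{username}|{expiry}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return username if now < int(expiry) else None


def login(username, password):
    """Authenticate against the directory; return a session token or None."""
    return issue_token(username) if directory_check(username, password) else None


def gate(request, now=None):
    """Decide what the proxy does with one request: ('forward', user) or ('deny', 401)."""
    user = verify_token(request.get("cookie", {}).get("session", ""), now)
    if user is None:
        return ("deny", 401)
    return ("forward", user)   # only now does the request travel to the web application


if __name__ == "__main__":
    token = login("ana", "correct horse")
    print(gate({"cookie": {"session": token}}))
    print(gate({"cookie": {}}))
```

Because the backend only ever sees requests that passed the gate, an unauthenticated attacker never reaches the application's own login or registration code, which is the benefit the paragraph above describes.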
Some WAF devices can run an anti-virus check on the data uploaded through administrative web pages and in that way ensure that users don’t upload malicious files. Furthermore, all traffic passing through a WAF device can be decrypted using SSL inspection.
Optimization and quality of delivery
Besides the numerous features for protection against malicious acts, WAF devices can drastically improve the performance, quality of service and delivery of web applications, reducing the use of network bandwidth, server processors and memory. In the end this can result in cost reduction, because hardware requirements are minimised, as are the working hours spent managing and maintaining web farms.
One of the most important functions in the delivery area is definitely the distribution of traffic across the public servers, i.e. web applications (load balancing). For larger web farms and applications which use SSL encryption intensively, SSL offload is a feature which will reduce server load, since all traffic returned to users can be encrypted on the web application firewall. Depending on the user’s needs and wishes, the same firewall can also be used for decryption. It is also possible to reduce Internet bandwidth usage by compressing the traffic passing through the WAF device.
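As an added example of the load balancing function described above (not code from the original article or from any WAF product), here is a smooth weighted round-robin scheduler, the scheme used by nginx and HAProxy, extended with health marking so that a backend taken out of service is skipped until it recovers. The backend names and weights are constructed for the example; SSL offload and compression are not shown.

```python
# Added example, not code from the original article. Smooth weighted
# round-robin distribution of requests across healthy backends; backend names
# and weights are constructed for the example.


class Balancer:
    def __init__(self, weights):
        self.weights = dict(weights)                 # backend -> static weight
        self.current = {b: 0 for b in self.weights}  # running score per backend
        self.healthy = {b: True for b in self.weights}

    def mark(self, backend, healthy):
        """Health-check result: an unhealthy backend receives no traffic."""
        self.healthy[backend] = healthy

    def pick(self):
        """Smooth weighted round-robin over the healthy backends; None if all are down."""
        candidates = [b for b in self.weights if self.healthy[b]]
        if not candidates:
            return None
        total = sum(self.weights[b] for b in candidates)
        for b in candidates:
            self.current[b] += self.weights[b]
        best = max(candidates, key=lambda b: self.current[b])
        self.current[best] -= total   # keeps the sequence evenly spread, not bursty
        return best


def distribute(balancer, n):
    """Send n requests through the balancer and return how many each backend received."""
    counts = {}
    for _ in range(n):
        b = balancer.pick()
        counts[b] = counts.get(b, 0) + 1
    return counts


if __name__ == "__main__":
    lb = Balancer({"web1": 3, "web2": 1})
    print(distribute(lb, 8))
    lb.mark("web1", False)
    print(distribute(lb, 3))
```

With weights 3 and 1 the sequence comes out as web1, web1, web2, web1 rather than three web1 in a row, so a heavier backend gets its share without receiving bursts.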
Secure code is still essential for application security, but for various reasons many programmers don’t put great effort into security when building applications. That is why tools like web application firewalls are a good solution for that issue. It is important to mention that organizations which process bank card transactions and store user card data must comply with the PCI DSS standard, and a web application firewall can help achieve compliance with some of the standard’s requirements. Of course, it is important to note that a web application firewall, like any IT security solution, is not a silver bullet that eliminates all risks and threats.
Web application security check – Consulting@CROZ
Web applications are a critical and key factor for doing business in the modern environment, but at the same time not enough attention is paid to their security, data protection and prevention of unauthorized access.
With this consulting package, our experienced team of experts will help you notice security flaws in time, reduce risks and solve problems tied to unsecured web applications.
The web application security check includes a detailed vulnerability analysis, a penetration test of selected applications and suggestions on how to improve your web application security – from development and testing to execution environments.