For those of you who know me as well as Dan, you know that we have spoken quite often on our podcast (Information Security Place Podcast) about the effectiveness of today’s current technologies used by Web Aware Firewalls (WAFs) and Intrusion Detection/Prevention Solutions (IDS/IPS). I’m rarely one to say “I told you so”, but Larry Suto’s latest report on the effectiveness of these technologies, does kind of do that for me.
In the WAF effectiveness report, Larry illustrates the need to properly train a WAF solution on the application it is protecting to gain effective or consistent protection from the app. According to the report, it took an average of 3.5 hours by a WAF savy technician to train or tune the WAF solution to get an effective level of protection for the test application. As noted in the report, this is significantly more time spent, than the average organization spends on their production WAF installations.
One issue to note, is that many WAF solutions are leveraged to protect more than one application once they are in production, so can it be safe to say that an organization should plan to spend 2-3.5 hours per application they plan to place behind a WAF to gain that consistent level of protection for all their applications? It could be a safe assumption since many applications are not identical or leverage completely different technologies.
One element of the report I really think Larry does an effective job at illustrating is the lack of effectiveness that a traditional IDS/IPS brings to the table. Since these technologies are not designed to specifically look for your application’s vulnerabilities they require custom rulesets to be created to be effective at protecting your applications.
As announced earlier last month, NT OBJECTives released NTODefend to assist organizations in creating those custom rule sets for both WAF and IDS/IPS solutions. In the report, Larry was able to illustrate the effectiveness of NTODefend at creating custom rulesets that are unique to each of your organizations applications. In both instances, the rules created by NTODefend provided a substantial improvement for all of the platforms that can currently leverage our technology. Note, in some instances the IDS/IPS solutions actually became just as effective if not more effective than some of the WAF solutions, after applying our rules.
All in all, the report goes to show that even with these technologies in place, organizations are still required to perform ongoing testing to find vulnerabilities and then train their WAF or IDS/IPS solutions to protect their applications. Thankfully, at NT OBJECTives we have solutions to help you do just that… NTOSpider and NTODefend.