Tag Archives: WAF

Surviving the Week – 11/18/2011

This week was a busy one for me, as I’m finally done traveling for awhile and and got back to working on NTOSpider6 and our growing team. I should be able to keep up with this weekly post again, and will keep you all informed about the important news in web app security.


Response to WAF/IDS/IPS Effectiveness Report

For those of you who know me as well as Dan, you know that we have spoken quite often on our podcast (Information Security Place Podcast) about the effectiveness of today’s current technologies used by Web Aware Firewalls (WAFs) and Intrusion Detection/Prevention Solutions (IDS/IPS).  I’m rarely one to say “I told you so”, but Larry Suto’s latest report on the effectiveness of these technologies, does  kind of do that for me.

For more information about the study:

In the WAF effectiveness report, Larry illustrates the need to properly train a WAF solution on the application it is protecting to gain effective or consistent protection from the app.  According to the report, it took an average of 3.5 hours by a WAF savy technician to train or tune the WAF solution to get an effective level of protection for the test application.  As noted in the report, this is significantly more time spent, than the average organization spends on their production WAF installations.

One issue to note, is that many WAF solutions are leveraged to protect more than one application once they are in production, so can it be safe to say that an organization should plan to spend 2-3.5 hours per application they plan to place behind a WAF to gain that consistent level of protection for all their applications? It could be a safe assumption since many applications are not identical or leverage completely different technologies.

One element of the report I really think Larry does an effective job at illustrating is the lack of effectiveness that a traditional IDS/IPS brings to the table.  Since these technologies are not designed to specifically look for your application’s vulnerabilities they require custom rulesets to be created to be effective at protecting your applications.

As announced earlier last month, NT OBJECTives released NTODefend to assist organizations in creating those custom rule sets for both WAF and IDS/IPS solutions. In the report, Larry was able to illustrate the effectiveness of NTODefend at creating custom rulesets that are unique to each of your organizations applications. In both instances, the rules created by NTODefend provided a substantial improvement for all of the platforms that can currently leverage our technology. Note, in some instances the IDS/IPS solutions actually became just as effective if not more effective than some of the WAF solutions, after applying our rules.

All in all, the report goes to show that even with these technologies in place, organizations are still required to perform ongoing testing to find vulnerabilities and then train their WAF or IDS/IPS solutions to protect their applications. Thankfully, at NT OBJECTives we have solutions to help you do just that… NTOSpider and NTODefend.

Is your WAF effective? Independent research study

There has been a lot of discussion, articles and analyst reports about WAF’s over the years (some listed below). The truth is that WAF’s aren’t perfect, but I believe that they are an essential part of a comprehensive application security defense strategy. The WAF technology has been maturing and improving over the last few years. There is even more good news in a just-released in-depth study, by Larry Suto, security consultant, where he tested six WAF’s and two IPS’s for their effectiveness at blocking application vulnerabilities.

Two of the most interesting findings in the report are:

  • A properly tuned IPS can be as or more effective than WAF solutions at blocking security vulnerabilities. After seeing the results of this study, the IPS vendors have agreed that their devices can, in concert with NTOSpider/NTODefend be counted as a WAF for PCI compliance purposes.
  • Automatically generated filters from dynamic application security tools (DAST) can improve vulnerability blocking effectiveness by as much as 39% for a WAF and as much as 66% on an IPS.
Why are WAF’s Essential?
For me, the bottom line is that we can’t ignore the fact that there are known vulnerabilities in production applications. Ideally, these would all be fixed in the source code, but the reality is that they can’t always be fixed immediately, they might take months to fix or they might not be able to be fixed at all in the foreseeable future. In these instances, a WAF is very practical solution as a temporary patch for the vulnerability. I mean, if someones sitting out there in public with no pants, someone please hand them a towel!
The other painful truth about WAF’s is that they take time to train and configure. Most security teams are short on time and short on resources. The people on the front lines whom I speak with tell me they would love to be able to better train their WAF’s more quickly. Here’s the good news
  • With about 3.5 hours of expert tuning, most WAF’s can perform fairly well.
  • When you add DAST generated custom filters, both WAF’s and IPS’s are excellent at blocking vulnerabilities
  • One of the things, that makes NTODefend unique is the ability to confirm that the filters are blocking unwanted traffic and allowing desired traffic. During his study, Larry was able to play with this false positive detection functionality in NTODefend. He was pleased to see that it does in fact shows if the WAF/IPS is blocking good traffic – pardon the promotion :-)
As you would expect, a handful of other vendors (including NT OBJECTives)  provided tools for Larry to use to complete the report. Anyone who has every tried to do a study knows that it takes a lot of work, and Larry does not receive any payment from any vendor to complete these studies. No study is perfect, but given his finite amount available time and resources, I believe Larry tried to implement the fairest study he could.
For more information about the study:
Good articles that discuss the use of WAF’s & IPS’s

“Perfect-Fit” Virtual Patching for WAF/IPS with NTODefend

Recently NT OBJECTives announced NTODefend and its ability to generate “perfect-fit” custom patches for WAF & IPS. This marketing term “perfect-fit” has been the cause of some questions. People are wondering how our “perfect-fit” rules differ from what other DAST vendors are doing, as well as solutions like ThreadFix (aka Vulnerability Manager) from Denim Group. Those who know me, know that I don’t like when vendors overstate their capabilities, and I make sure NTO does not do this either, so I think this term deserves some explanation.

The other solutions that are able to generate virtual patches work from pre-defined templates based on categories of attacks, such as SQL Injection, Cross-Site Scripting, OS Injection. So if a given input is vulnerable to SQL Injection, then the SQL Injection template will be used to generate a virtual patch for the vulnerable input.

NT Objectives’ approach differs in that NTODefend is able to generate rules based on deeper intelligence about the input. This extra information comes from two key features in NTOSpider:

  1. NTOSpider‘s input population technology works to determine the intended legitimate data. For example, the input population technology will determine if the input only accepts numbers, or is intended for a phone number, email address, street address, etc.
  2. NTOSpider’s attacking engines detail specifics about the attacks that worked, with information such as usable characters and escape sequences.

By leveraging details about the attacks, NTODefend can generate more specific and aggressive rules to function as counter-measures to the attacks that the input was vulnerable to. This can include making rules that only allow numerical values, or maybe blocking single quotes but not double quotes, or allowing parenthesis but not dashes. NTODefend can also decide which canned filters to include to make sure the input is well protected.

The key point is that each rule is generated custom to the input AND custom to the ways it can be exploited.

After installing the virtual patches into the solution, NTODefend provides the ability to re-test all the inputs with both attack traffic and good traffic (modifiable database included with each data type NTOSpider can detect). It then generates a report to show which of the good request and bad requests got blocked. This provides users with the ability to quickly understand how effective the virtual patches were and hopefully alerts them to any virtual patches that could be blocking good traffic.

We do not claim that these generated virtual patches will always be 100% accurate to all situations, but we are confident that they will be useful and that we provide solutions for users to quickly deal with discovered vulnerabilities.

I welcome discussion and questions on this topic.

NT OBJECTives announces NTODefend, automatic WAF & IPS rule generation

Do your WAF and IPS rules fit like a custom suit or an off the rack one?

Announcing NTODefend

NT OBJECTives is excited to announce the general availability of NTODefend, a software solution that enables enterprise security teams to quickly, easily and automatically create “perfect-fit” custom rules to patch Web Application Firewalls (WAF) or Intrusion Prevention System (IPS) against web application vulnerabilities discovered in automated NTOSpider scans.

Read the full NTODefend press release.
Visit NTODefend’s web page for additional details.

NTODefend goes beyond standard, one-size-fits-all WAF rule generation to create stronger customized rules, while also allowing for rule modification. It combines NTOSpider’s knowledge of the application functionality with an understanding of specific vulnerabilities to be the first tool to create “perfect-fit” custom rules that effectively block bad traffic while letting the good traffic flow through. With these rules, NTODefend also tunes an IPS to behave like a WAF.

A comprehensive application security approach addresses the entire software development lifecycle, from development through production. Security teams use two primary kinds of tools to help them identify, patch and resolve application security issues in production applications, dynamic application testing products and web application firewalls (WAF). The ideal production solution includes a dynamic application testing tool that understands your WAF so the two can share information to automatically patch vulnerabilities that haven’t yet been fixed in the source code.

NTODefend Product Features

  • Automated Custom Rule Generation for WAF/IPS Quickly and easily generate custom rules, and if needed modify these rules, to patch vulnerabilities on WAF/IPS, using the results from NTOSpider scans.
  • Vulnerability Report Selection – Quickly select which vulnerabilities to patch and automatically generate the highly targeted filters for the user’s particular WAF/IPS solution.
  • Re-scan Ability to Confirm Effectiveness – NTODefend enables security teams to conduct a quick re-scan applications to confirm the trained WAF/IPS effectiveness. Now, teams can quickly confirm that target vulnerabilities are patched and that good traffic can continue to flow through as expected, eliminating the risk of false positives & false negatives and dramatically reducing QA time.
Visit NTODefend’s web page for additional details.

WAF != Firewall

A “Web Application Firewall” is not a “Firewall”!

Why are “Web Application Firewall’s” (WAF’s) called “Firewalls”? I think the term firewall was initially used by vendors because it was something already allocated in their potential customers’ budgets and WAF vendors wanted to avoid association with what they truly are – Intrusion Prevention System (IPS) for HTTP/WebApps.

Firewall [Wikipedia]

“a device or set of devices designed to permit or deny network transmissions based upon a set of rules and is frequently used to protect networks from unauthorized access while permitting legitimate communications to pass.”

A firewall is clear and focused. It blocks traffic according to very clear and concise rules and does not really understand the content. It just decides if traffic from Computer_A/PortX should be allowed to communicate with Computer_B/PortY.

Intrusion prevention system (IPS) [Wikipedia]

“network security appliances that monitor network and/or system activities for malicious activity. The main functions of intrusion prevention systems are to identify malicious activity, log information about said activity, attempt to block/stop activity, and report activity.”

This more accurately describes what so called WAF’s really do. A WAF is simply an HTTP specific IPS. They should be more accurately named one of the following:

  • WAIPS: Web Application Intrusion Prevention System
  • WIPS: Web Intrusion Prevention System
  • HIPS: Http Intrusion Prevention System
  • AIPS: Application Intrusion Prevention System
  • HAIPS: Http Application Intrusion Prevention System

Over the last few decades, Firewalls have become a trusted solution to improve security, for the layer its used to protect. IPS’s on the other-hand have a long history of being viewed with some skepticism. I think the modern high quality IPS’s solutions have overcome most of the false positive/negative issues of the past, and tend to be very good and when organizations implement them. However, due to their history, customers have a clearer understanding of what it is they are actually implementing and what to expect, as understand the need to maintenance and tuning.

All too often, I see that the years of trust built up in Firewall’s ability to be installed, configured and then forgotten has transferred to WAF’s, and people are implementing them with the same faith that they would a traditional Firewall – not with open eyes to the fact that WAF’s require care and feeding like they do when implementing an IPS.

Please don’t get me wrong, I am not criticizing the value of implementing a WAF in your organization. On the contrary, I believe they actually can be a very important and effective part of your Layered Security & Defense in Depth strategy especially when trained to understand the malicious traffic.

When we work with our customers on their application security strategy, we try to help them understand what their WAF is and what it isn’t so that they have reasonable expectations and can build an effective application security strategy.

I would love to hear some of your opinions… Is a WAF a firewall?