Thursday, June 26, 2014

Web Application Firewalling – Great in Theory, Poor in Execution

One of the biggest issues in network security is securing web applications and sites.  According to a 2014 Gartner study, 70% of ALL threats are at the Web Application Layer.  In the past, traditional stateful firewalls and signature-based Intrusion Prevention Systems (IPS)/ Intrusion Detection Systems (IDS) were the primary means of protecting your network-based applications. 

Today’s Next-Generation Firewalls (NGFW) attempt to improve on those protection mechanisms by adding Layer 7 Application Firewalling, Content Filtering, and enhancements to IPS / IDS.  Even adding in a dedicated Web Application Firewall (WAF) does very little to prevent Web Application Attacks.  Sure, the level of protection increases with each layer, but how much are you actually increasing the security level by building on a poor foundation?  That “poor” foundation is based on a set of flawed premises. 

The biggest of these flaws is that IPS / WAF are signature-based.  Signature-based protection is completely reactive when it comes to dealing with threats.  The entire process for a signature to be published is time-consuming, not to mention that the vulnerable system is exposed or taken offline until that process is complete.

The fact is most IPS and WAF implementations are running in “monitor only” mode due to the high level of false positives.  To avoid blocking legitimate users and potential clients, these devices might be configured to alert or simply log anything considered suspicious and nothing more.  This leaves your web applications exposed and vulnerable.  It also puts your security in a reactive state. 

Juniper’s WebApp Secure (JWAS) changes the game by being proactive in dealing with threats to web applications.  The concept is simple: Intrusion Deception.  Provide false information that a normal user is either not going to see or is going to ignore, but that an attacker can’t resist.  The moment they act on that false information, the attackers are classified and fingerprinted.  From there, they can have various levels of countermeasures applied to them, up to and including blocking.  JWAS deals with bots and automated attacks the same way, by feeding them false information.  The goal is to make hacking a site or application so time-consuming and cost-prohibitive that attackers will simply move on.

Enter Juniper’s Spotlight Secure.  Spotlight is an online repository of attackers that have been fingerprinted and classified.  JWAS uploads this information to Spotlight, where other JWAS users can retrieve it and automatically classify known attackers based on their fingerprint.  So even if the attacker moves on to another site or web application, every JWAS implementation subscribing to Spotlight can proactively take action against them at their first connection to a protected system, up to and including implementing a “block” action immediately if configured.
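To make the two mechanisms above concrete (decoys plus fingerprinting and tiered countermeasures, then a shared attacker repository consulted on first contact), here is an added toy model written for this post. It is not Juniper's code and does not reflect how JWAS or Spotlight Secure are implemented; the decoy names, the fingerprint inputs, the tier thresholds, the `Request` shape and the in-memory `ReputationStore` are all assumptions chosen for illustration.

```python
"""
Added example (not Juniper's code): a toy Intrusion Deception pipeline.

It models the three pieces the post describes:
  1. decoys a normal browser never touches (a hidden form field the server
     never reads, and a bogus admin path that only a crawler or scanner
     would try),
  2. fingerprinting of any client that acts on a decoy, with escalating
     countermeasures, and
  3. a shared reputation store (stand-in for Spotlight Secure) that other
     deployments consult before serving a client's first request.
All names, thresholds and the request format are assumptions.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SECRET = b"deploy-specific-secret"   # assumed per-deployment key for decoy tokens
DECOY_FIELD = "acct_role"            # hidden field; the application never reads it
DECOY_PATH = "/old-admin/"           # path no legitimate page ever links to


def decoy_value(session_id: str) -> str:
    """Per-session decoy value; tampering is detectable because it is an HMAC."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()[:16]


def render_login_form(session_id: str) -> str:
    """Injects the hidden decoy field into an ordinary login form."""
    return (
        '<form method="post" action="/login">'
        '<input name="user"><input name="pass" type="password">'
        f'<input type="hidden" name="{DECOY_FIELD}" value="{decoy_value(session_id)}">'
        "</form>"
    )


@dataclass
class Request:
    session_id: str
    src_ip: str
    user_agent: str
    path: str
    form: Dict[str, str] = field(default_factory=dict)


def fingerprint(req: Request) -> str:
    """Client fingerprint that survives a session change (constructed choice of
    inputs; User-Agent is attacker-controlled, so a real product would use more)."""
    raw = "|".join([req.src_ip, req.user_agent])
    return hashlib.sha256(raw.encode()).hexdigest()[:12]


# Countermeasures escalate with the number of decoy hits on one fingerprint.
TIERS = [(1, "log"), (2, "slow-down"), (3, "block")]


class ReputationStore:
    """Shared attacker repository (stand-in for Spotlight Secure)."""

    def __init__(self) -> None:
        self.hits: Dict[str, int] = {}

    def record(self, fp: str, reason: str) -> None:
        self.hits[fp] = self.hits.get(fp, 0) + 1

    def action_for(self, fp: str) -> str:
        n = self.hits.get(fp, 0)
        action = "allow"
        for threshold, act in TIERS:
            if n >= threshold:
                action = act
        return action


def detect_decoy_abuse(req: Request) -> Optional[str]:
    """Return a reason if the request acted on a decoy, else None."""
    if req.path.startswith(DECOY_PATH):
        return "decoy-path"
    if DECOY_FIELD in req.form and req.form[DECOY_FIELD] != decoy_value(req.session_id):
        return "decoy-field-tampered"  # a normal browser echoes the value untouched
    return None


def handle(req: Request, store: ReputationStore) -> str:
    """Consult shared reputation first (even on first contact), then local decoys."""
    fp = fingerprint(req)
    if store.action_for(fp) == "block":
        return "block"
    reason = detect_decoy_abuse(req)
    if reason:
        store.record(fp, reason)
    return store.action_for(fp)


def demo() -> List[str]:
    """Constructed traffic: one normal user, then one client seen at two deployments."""
    shared = ReputationStore()
    user = Request("s1", "203.0.113.10", "Mozilla/5.0", "/login",
                   {"user": "alice", "pass": "x", DECOY_FIELD: decoy_value("s1")})
    client = ("198.51.100.7", "python-requests/2.31")
    c1 = Request("s2", *client, DECOY_PATH + "config")
    c2 = Request("s3", *client, "/login",
                 {"user": "admin", "pass": "x", DECOY_FIELD: "admin"})
    c3 = Request("s4", *client, DECOY_PATH)
    c4 = Request("s9", *client, "/")  # first contact at a second site sharing the store
    return [handle(r, shared) for r in (user, c1, c2, c3, c4)]


if __name__ == "__main__":
    print(demo())
```

The normal user is never flagged because the hidden field comes back unchanged, while the second client climbs from `log` to `slow-down` to `block` as it touches decoys, and is blocked on its very first request to the second deployment because the reputation store is shared. The HMAC-bound decoy value is what keeps the false-positive rate near zero: a browser cannot trip it by accident, only a client that edits or fabricates the field can.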

In conclusion, while firewalls, NGFWs, IPS and WAF offer protection against known threats and attacks, JWAS and Spotlight Secure take this to a whole new level of protection by proactively mitigating threats, both known and unknown, allowing security professionals to focus on other potential attack vectors.  Security professionals can sleep at night knowing their web applications are protected and secured.
