W
hite P
a
per
An Accurate and Effective Approach to Protecting
and Monitoring Web Applications
Web applications have lowered costs and increased revenue
by extending the enterprise’s strategic business systems to
customers and partners. However, Web applications also expose
these critical systems to continuous threats from both internal
and external sources.
Defending Web applications is one of the most challenging
aspects of information security. Because Web applications
constantly change to meet business requirements, the security
model must adapt as changes are made to the applications. In
addition, because data centers are highly optimized, deploying
an application security solution must require minimal changes
to the existing infrastructure. Unfortunately, first generation
Web Application Firewalls are too inflexible for most customer
environments, too intrusive to deploy and too costly to maintain.
This paper provides an overview of the Web application
threat environment and presents Imperva’s SecureSphere
Web Application Firewall – an integrated approach that meets
stringent data center requirements for security, monitoring,
performance, deployment, operations, and regulatory
compliance
Web Application Security
Web applications have become the backbone of business in nearly every segment of the economy. They
connect employees, customers, and partners to the information they need anywhere and anytime. This universal information accessibility has cut costs and dramatically accelerated the pace of business. Unfortunately, as the information accessibility has grown, so too has risk. Identity theft, data leakage, phishing, SQL injection, worms, application Denial of Service (DoS) attacks, and malicious robots increasingly target Web applications with consequences that impact brand, revenues, and regulatory compliance.
Attack Example - Identity Theft
Web application security solutions must provide protection against a range of attacks targeting vulnerabilities in both custom application logic and underlying commercial software platforms. Increasingly, these attacks also target vulnerabilities in Web services (XML, SOAP, etc.) components of application software. As the following example illustrates, a single threat such as identity theft may result from any number of vulnerabilities and associated attacks.
» SQL Injection attacks take advantage of input validation vulnerabilities in custom Web application code to send unauthorized SQL commands to a back-end database. For example, using SQL injection, an attacker may gain access to the entire contents of a backend database including identity information. SQL injection is usually carried out by an external attacker from outside the perimeter firewall.
» Cross–site Scripting attacks take advantage of script injection vulnerabilities in custom Web application code to redirect a customer’s login credentials to an attacker. Often used as part of a larger phishing scheme, cross-site scripting is usually carried out by an external attacker from outside the perimeter firewall.
» Cross site Request Forgery attacks exploit a server’s trust in a client that presents a valid session token. The attacker abuses this trust by invoking an action on behalf of the victim through malicious code in a hyperlink, image source tag, script, iframe or other content.
» Worm Infections take advantage of vulnerabilities in underlying operating systems and commercial software platforms. Code Red, Nimda, and MSBlaster represent just a few widely known worms targeting Web application platform software. In the case of identity theft, platform software vulnerabilities may be exploited by worms (or individual attackers) to install Trojan horse programs to enable back-door access to identify information.
There are many more examples of Web application vulnerabilities and attacks. And most Web applications have vulnerabilities. For more information, see the research by Imperva’s Application Defense Center (ADC) located at http://www.imperva.com/application_defense_center.
Assessing the Approaches to Web Application Security
The complexity of the Web application threat environment makes it different from other segments of the IT security landscape. Traditional network firewalls and intrusion prevention capabilities, while necessary, do not have insight into the higher level data layer activity necessary to protect against Web application attacks. Complete Web application security requires detailed understanding of the elements of legitimate user transactions within each Web application – including URLS, HTTP methods, session IDs, cookies, XML/SOAP schema, and more. Also, new application security hazards produced by Web 2.0 technologies, especially Rich Interface Applications, AJAX frameworks, and online forums like Wikis, blogs and social networking sites, can elevate the risk of cross-site scripting (XSS) injections, cross-site request forgery (CSRF), unauthorized access, and other Web-based attacks. This level of security can only be provided with advanced Web application firewall capabilities. This section analyzes the strengths and weakness of the individual security capabilities required for complete Web application security.
Network Firewalls
Network firewalls provide network layer access control and attack protection services. They have been uniformly deployed at the network perimeter and in front of critical internal enterprise resources – such as Web applications. As a component of overall Web application security architecture, network firewalls provide necessary protection against network-layer attacks. They also provide a barrier against the spread of worms from employee desktops to internal Web servers. While network firewalls prevent network-layer attacks and worm propagation, firewalls must allow all HTTP and HTTPS traffic to Web servers. Over time, the hacking community has learned to use this fact to their advantage by embedding attacks into Web traffic. Code Red and Nimda are
examples of Web worms that easily traverse network firewalls via HTTP protocol-compliant communications. Similarly, SQL injection and cross-site scripting represent two targeted Web application attacks (among many) that are ignored by network firewalls since they comply with network and HTTP protocols. As long as attacks are carried out via commonly allowed application protocols, network firewalls are ineffective.
Intrusion Prevention Systems (IPS)
The broader security industry has responded to the need for a deeper understanding of application layer behavior with intrusion prevention systems (IPS). IPSs look at the contents of a packet’s payload and compare it to a list of known attacks (signatures or other defenses) derived from documented vulnerabilities in commercial software. IPS technology may also enforce protocol restrictions to protect against known protocol related vulnerabilities in commercial software. Since virtually all worms are based on known software vulnerabilities, IPS can be an effective worm defense and therefore a useful component of a comprehensive Web application security architecture.
Unfortunately, IPSs are ineffective against targeted Web application attacks targeting unknown vulnerabilities in custom code1. Since the vulnerabilities are unknown, no signatures are available.
Monitoring Only Solutions
Monitoring only (“sniffer”) products do not ensure complete protection from Web application attacks. Because they are deployed out of line, these products may not block every attack that has been detected. Usually, these products use a TCP reset for blocking attacks. In some cases, the latency involved in sending the reset after the attack is detected allows certain attacks to reach the victim. Hence, monitoring only solutions can only provide “best effort” protection for Web applications.
Web Application Vulnerability Scanners
Web Application Vulnerability (AV) Scanners are tools used to automatically scan Web applications for potential vulnerabilities. Unfortunately, many vulnerabilities are only discovered during production run-time. Often, the application developers and the IT department are at odds, because while these vulnerability scanning tools enable visibility into application vulnerabilities, they do not alleviate or help reduce the time to production. Typically, there are multiple cycles of scanning, code fixes and testing with unscheduled “rush” fixes that are costly and potentially disruptive.
Application Code Review
While code review is a good idea, and is consistent with coding best practices, code review projects can entail significant ongoing personnel costs, lost of application deployment flexibility and resource allocation issues. In addition, considering that applications change frequently, there may be multiple code review and code fix-testing cycles for every application product release and this often implies the need for emergency fix and test cycles. Furthermore, if an organization is using third-party or legacy applications, the source code often will not be easily available or easily understood which makes the likelihood of quickly fixing the discovered vulnerabilities very low.
Web Application Firewalls
Web application firewalls parse Web application data and compare all requests to a white list of acceptable URLs, parameters, field values, cookies and methods. The biggest challenge to implementing a Web application firewall is building and maintaining an accurate policy over time. A policy for a single application firewall may contain thousands or even millions of variables that are unique to each Web application. To make matters worse, application developers change these variables on a regular basis. Given this degree of complexity and speed of application change, expecting a team of security, operations, and app development administrators to manually create and maintain application firewall rules is unrealistic. Any practical Web application firewall must incorporate both black list and white list security models. Also, the product must automate the creation and ongoing maintenance of the application profile. Unfortunately, most application firewalls have not adequately addressed this challenge. Instead, they unrealistically force administrators to manually configure and tune the entire application white list or profile.
1 Although some IPS solutions claim to prevent application attacks like SQL injection and cross-site scripting, they rely on signatures
commonly used in SQL injection or cross-site scripting attacks. These signatures, however, look for words such as “union,” “select” and “script”. They are prone to false positives since the words commonly appear in normal Web site content. Therefore, these signatures are usually not enabled, leaving the application exposed to attack. Even if these signatures are enabled, they can be easily circumvented us-ing well-known evasion techniques.
Application Delivery Solutions with Application Security Add-ons
Layer 7 content switches and first generation Web app firewalls share something in common: generally they both mandate deploying reverse proxies to modify and manage traffic. As a consequence, many application delivery vendors acquired Web app security technology and integrated it into their content switches. However, these joint solutions have retained all of the challenges of legacy Web app firewalls. For example, they often rely on manually defined white lists to validate Web requests. They protect session IDs by signing cookies and obfuscating URLs—intrusive measures that often have unexpected consequences. Combining Web application security and delivery also introduced many new challenges. The extensive regular expressions and content parsing in Web security significantly degrades the performance of application delivery products, upwards to 50%. And lastly, most application delivery vendors do not specialize in Web security, so they do not regularly research new application threats or automatically update security policies.
Web Services Firewalls
Traditional Web services firewalls protect only XML, SOAP, and WSDL protocols, while Web application firewalls protect HTTP and HTTPS protocol traffic. Today, many modern applications incorporate both Web and Web services content. A complete solution should be able to protect both Web and Web Services applications.
Deployment Requirements
Application threats are not the only unique challenges of Web application security. Web applications must maintain exacting service levels, so they have stringent requirements related to deployment and operations. Specific issues include performance, deployment risk, availability, and centralized management.
» Performance – Web applications are designed to handle high throughput and transaction rates. The performance of Web application security solutions must match or exceed other elements of the application infrastructure or they will degrade performance.
» Deployment Risk – Web applications are finely tuned and extremely sensitive to change. Any change to the network, Web server operating system, application software, or back-end databases introduces risk to availability, performance, and security. Therefore, Web application security solutions should require little to no changes to existing infrastructure.
» Availability – Web application downtime and unmet service levels have a negative impact on revenues, customer satisfaction and productivity. Therefore, Web application security solutions must incorporate high availability capabilities.
» Centralized Management – Web application infrastructure is often distributed across the globe. Security managers need to manage devices without connecting to each device separately. Therefore, a centralized management server that automatically aggregates management of distributed devices is a necessity. Also, role-based management to enable creation of custom administrative roles and groups is a critical aspect of Enterprise class management.
Summary of Web Application Security Requirements
Based on the shortcomings of legacy Web application firewalls and network-layer security products, it is possible to identify the key requirements for an effective, reliable, and usable Web application security solution. A Web application firewall must provide:
» Accurate Security to prevent all types of Web application attacks, thwart evasion techniques, ensure complete application protection and block all unauthorized activity with no false positives
» Operational Efficiency enabling organizations to effectively manage, monitor and maintain a single appliance or dozens of distributed appliances without introducing any IT overhead
» Practical Deployment allowing transparent installation with no changes to existing infrastructure, no changes to applications and no impact on performance while maintaining high availability for applications
SecureSphere Web Application Firewall
The SecureSphere® Web Application Firewall, the industry’s most accurate and effective Web application firewall, meets the security, operations, and deployment demands of today’s business applications. Imperva’s Dynamic Profiling technology automatically builds a model of legitimate behavior and adapts to application changes over time, providing an up-to-date defense against attacks without manual configuration.
Security
With Dynamic Profiling, Correlated Attack Validation, protection against known attacks from the application to the network layer, and regular security updates, SecureSphere delivers comprehensive security with pinpoint accuracy.
Deployment
Leveraging Imperva’s Transparent Inspection technology, SecureSphere offers a broad range of network options, enabling drop-in deployment without network or application changes. Kernel-based Transparent Inspection also delivers multi-gigabit performance, sub-millisecond latency and options for high availability that meet the most demanding data center requirements. SecureSphere may also be deployed in transparent reverse proxy mode if there is a need for content modification; it will not require any DNS or network changes.
Operations
Dynamic Profiling not only augments security, it also forms the cornerstone of SecureSphere’s automated operational model. Dynamic Profiling eliminates the need to manually create and update an application white list. In addition, SecureSphere provides unparalleled ease of operations through its carrier-grade centralized management architecture and its intuitive Web user interface. A security dashboard, detailed alerts and graphical reports further underscore SecureSphere’s operational efficiency.
The following sections describe in detail how Imperva SecureSphere alone meets the security, deployment, and operations requirements of today’s Web applications.
Security
Dynamic Positive Security Model
Dynamic Profiling is the foundation of SecureSphere’s automated approach to security. Dynamic Profiling automatically examines live traffic to create a comprehensive model (profile) of an application’s structure and dynamics. The profile serves as the baseline for a positive security model governing detailed application-layer behavior. Valid application changes are automatically recognized and incorporated into the profile over time.
SecureSphere employs Dynamic Profiling to create a positive security model of the application structure and elements, including URLs, parameters, form fields, cookies, and SOAP actions, for Web and Web Services applications. By comparing profiled elements to actual traffic, SecureSphere is able to detect all types of malicious activity, not just known attacks.
PCI Compliance
SecureSphere helps meet 8 of the 12 PCI DSS requirements, including the section 6.6 application security requirement which allows a choice between source code review and application firewalls. While most security experts agree that both code review and application firewalls are important parts of an effective defense in depth solution when compared to an application code review, the SecureSphere Web Application Firewall enables organizations to take immediate action to improve application security and meet PCI requirements. SecureSphere deployment can also greatly reduce the pressure on code review projects as the immediate protection allows developers to work within normal release planning.
Dynamic Profiling overcomes the biggest drawback of other application firewall solutions – manual rule creation and maintenance. A Web application firewall with a manual white list security model must be painstakingly configured and then updated every time the application changes. Every URL, every form field, form field value, cookie, and HTTP method must be defined in the Web application firewall. In addition, most Web application firewalls require manually defined regular expressions to account for the expected behaviors of client-side scripts. Any script change requires a parallel rule change to avoid false positives. Considering that many
operations and security managers are not kept abreast of every application change and some may not have the application expertise to evaluate application changes, manual rule maintenance is an untenable solution.
Dynamic Profiling, on the other hand, delivers completely automated security with no need for manual configuration or tuning. With SecureSphere, security administrators can manually review and edit the dynamically-created application profile or build the entire application profile from the ground up.
Dynamic Negative Security Model
SecureSphere’s dynamic negative security model includes a network firewall black list and Intrusion Prevention System (IPS). Network firewall black lists define specific IP address and protocol combinations that are specifically not allowed into the data center. For example, Telnet from corporate desktops might be specifically restricted. Similarly, signatures define patterns that match known attacks targeting commercial software platforms or Web applications. SecureSphere’s comprehensive negative security model includes:
» Intrusion Prevention System (IPS) – SecureSphere protects against known attacks targeting Web server, application server and operating system vulnerabilities. The Imperva Application Defense Center (ADC), an internationally recognized security research organization, continuously investigates new vulnerabilities reported around the world, analyzes exploit traffic from a diversity of real Web sites, and conducts primary vulnerability research to identify the latest threats. The results of this research are updated defenses at various layers within SecureSphere, including signature updates, protocol validation policies, and correlation rules.
» Data Leak Prevention - SecureSphere inspects outbound traffic to identify potential leakage of sensitive data such as cardholder data, social security numbers (SSN), Personally Identifiable Information (PII), National Provider Identifier (NPI) and Health Practitioner Index (HPI). SecureSphere can also identify other sensitive data via custom pattern matching. In addition to reporting on where sensitive data is used in the application, SecureSphere can optionally prevent this information from leaving the organization.
» Web and Web Services Attack Protection – Thousands of Web application attack signatures from the Imperva ADC and external resources help detect and thwart known Web attacks. SecureSphere’s Web services attack signatures protects against attacks targeting XML, SOAP and WSDL applications.
» HTTP Protocol Compliance – SecureSphere protocol validation ensures that Web traffic conforms to RFC standards. SecureSphere checks HTTP requests for malformed URLs, abnormally long URLs, abnormally long header lines, and many other protocol anomalies.
» Zero-Day Web Worm Profiling – SecureSphere’s Web Worm Profile defends against zero-day Web worms by detecting the specific combinations of attributes that uniquely characterize Web worm attacks.
» Network Firewall – SecureSphere’s integrated stateful network firewall protects against unauthorized users, dangerous protocols, and common network layer attacks.
Correlated Attack Validation
SecureSphere immediately blocks clear violations of the positive or negative security model. However, certain suspicious violations cannot be classified as either clearly good or clearly bad. These suspicious violations usually result from harmless application changes or user error – but they could represent dangerous attacks or attack reconnaissance. To handle these suspicious violations, Correlated Attack Validation evaluates events across multiple detection layers (malicious encoding, HTTP protocol violations, application profile violations, data leak prevention, signatures, Web worms, custom parameters) and over time. Based on Imperva’s deep understanding of attack strategies, information from multiple violations can be correlated to definitively distinguish attacks from harmless user error and application changes.
The figure below presents a specific example of Correlated Attack Validation in action. By basing security decisions upon multiple events, Correlated Attack Validation is able to detect attacks with a degree of accuracy that is not possible from a single event alone.
SecureSphere first identifies a malicious encoding attempt, followed by a profile violation such as parameter tampering (e.g. excessively long input entered into a form field or some type of parameter violation). This is then followed by malicious JavaScript code injection. By correlating these different suspicious aspects of the same request, SecureSphere concludes that this is a Cross Site Scripting attack and will block this attack.
Deployment
Flexible Deployment Options
SecureSphere provides complete and accurate application security without forcing organizations to redesign their Web applications, change IP or DNS settings or update authentication schemes.
SecureSphere provides multiple deployment options:
» Transparent Layer 2 Bridge – for drop-in deployment and industry-best performance » Layer 3 Router – for network segmentation, routing and network address translation » Reverse Proxy – for content modification, such as cookie signing and URL rewriting » Transparent Proxy – for fast deployment of content modification without network changes » Non-inline Monitor – for zero-risk monitoring and forensics
Transparent Inspection
Imperva’s Transparent Inspection processing architecture allows SecureSphere to be completely transparent to the surrounding data center. SecureSphere deployment requires no changes to the network or application infrastructure, supports multi-gigabit network performance, and offers a host of high availability options.
INTERNET
SECURESPHERE WEB APPLICATION FIREWALL
INTERNAL USERS DATA CENTER AND DMZ
WEB & WEB SERVICES APPLICATION SERVERS
SECURESPHERE MANAGEMENT SERVER
SecureSphere includes both security gateway and management server components. Gateway appliances are deployed in the path of Web servers where they can identify and immediately block attacks. The MX Management Server provides centralized management for multi-gateway deployments.
From a security perspective, inspecting the upper layers of the OSI model and beyond is required to deliver protection. From an operational networking perspective, the chief desire is for seamless, transparent operation. As such, from the perspective of how a device functions as a networking node, operating at lower layers is desirable for application security solutions.
Transparent Inspection allows SecureSphere to operate as a transparent bridge, a network router or a reverse proxy. SecureSphere intercepts traffic at the kernel level and reconstructs all layers of the application stack in order to inspect application behavior. The benefits are as follows.
High Performance – SecureSphere performance is an
order of magnitude faster than competing approaches. Because SecureSphere security processing is done at the kernel level, it requires far less processing overhead than competing reverse proxy products that must do security processing in user space.
Performance Metric SecureSphere
Throughput 2 Gbps
Request/Sec 44,000
No Changes to Applications - Since network traffic passes through SecureSphere without modification,
SecureSphere is transparent to the traffic endpoints (the client and the Web servers). This means SecureSphere can easily drop into any enterprise’s data center without changing carefully optimized Web application infrastructure.
No Changes to Existing Network - SecureSphere can be flexibly deployed in the network as a transparent inline
bridge, an inline proxy, an inline router, or a non-inline network monitor. Because of this flexibility, deployment requires no changes to the existing network architecture, including network routers, load balancers and servers.
High Availability
SecureSphere supports a broad range of options to ensure maximum uptime and application availability.
» Imperva High Availability (IMPVHA) protocol provides sub-second failover for two or more SecureSphere gateways deployed in bridging mode.
» Virtual Router Redundancy Protocol (VRRP) provides for failover when SecureSphere is configured as a router or proxy.
» Redundant gateways can be deployed in environments with redundant system infrastructures. SecureSphere’s transparent deployment modes support both active-active and active-passive fail-over configurations when using external HA mechanisms.
» Inline fail-open network interfaces ensure availability in the event of software, hardware, or power failures. » Non-inline monitoring configuration offers transparent deployment with no single point of failure.
SecureSphere Active-Active Configuration
Active-Active Fail-over ensures continuous data availabilitiy and security
Operations
Automated Web Application Security and Monitoring
Ongoing manual configuration is often the most significant component of a Web application firewall’s total cost of ownership. It is not practical to expect individuals from different departments to jointly tune a security product every time the application changes. Dynamic Profiling eliminates manual tuning by automatically adapting to Web application changes as they are rolled out. The result is comprehensive security without burdensome operational processes.
Centralized, Scalable Management
SecureSphere can be deployed as a standalone appliance or scale to protect large and/or distributed data centers, including mixed Web and database deployments. The SecureSphere MX Management Server offers a centralized configuration, monitoring, and reporting infrastructure to manage many appliances and many applications from a single console. Management of large enterprise and ASP environments is streamlined through hierarchical organizational groupings, granular administrative permissions, and a unique task- oriented workflow.
Unified Real-Time Alert Monitoring – Real-time alerts are collected, prioritized and presented to the
administrator in a single unified view. Alerts notifications can be sent via email, phone, SNMP, or syslog message. Alerts include the complete HTTP request, the server response code, a description of the violation and a link to the corresponding SecureSphere violation rule.
SecureSphere identifies Web attacks and can generate alerts only or block attacks
The MX Management Server automates the task of managing multiple gateways
Graphical Reporting – SecureSphere includes flexible graphical reporting capabilities, enabling customers to
easily understand security, compliance and content delivery concerns. Both pre-configured and customizable reports provide immediate visibility into performance, regulatory compliance, security events, application vulnerabilities, database usage anomalies, and application changes. PCI specific compliance reports are included in the product. With a valid support agreement, new application security defenses and reports are automatically provided either on a weekly basis or more frequently for critical security updates from the ADC.
Intelligent Attack Summaries – Intelligent
attack summaries improve administrator productivity by intelligently aggregating a sequence of events caused by complex attacks into a single actionable alert. For example, thousands of related scanning events extending across multiple gateways are aggregated into a single attack alert. This highly focused information allows administrators to quickly respond to immediate threats. Aggregated alerts preserve underlying component alert information for detailed forensics.
Summary
The SecureSphere Web Application Firewall is designed from the ground up to meet the unique security, deployment and operational requirements of enterprise Web Applications. It integrates the capabilities of a traditional Web application firewall, with Web Services protection, application and operating system attack signatures, and a network firewall. Imperva’s Dynamic Profiling technology enables a completely automated security model with no need for manual configuration or tuning. Transparent Inspection technology delivers multi-gigabit performance, rapid deployment, and multiple high availability deployment options. Finally, the MX Management Server delivers the multi-gateway management capabilities necessary to support the largest Web application environments.
Tel: +1-650-345-9000 Tel: +972-3-6840100
Fax: +1-650-345-9004 Fax: +972-3-6840200
Toll Free (U.S. only): +1-866-926-4678 www.imperva.com
