White Paper
Web applications have lowered costs and increased revenue by extending the enterprise's strategic business systems to customers and partners. However, Web applications also expose these critical systems to continuous threats from both internal and external sources. Defending Web applications is one of the most challenging aspects of information security. Because Web applications constantly change to meet business requirements, the security model must adapt as changes are made to the applications. In addition, because data centers are highly optimized, deploying an application security solution must require minimal changes to the existing infrastructure. Unfortunately, first generation Web Application Firewalls are too inflexible for most customer environments, too intrusive to deploy and too costly to maintain. This paper provides an overview of the Web application threat environment and presents Imperva's SecureSphere Web Application Firewall, an integrated approach that meets stringent data center requirements for security, monitoring, performance, deployment, operations, and regulatory compliance.
There are many more examples of Web application vulnerabilities and attacks, and most Web applications have vulnerabilities. For more information, see the research by Imperva's Application Defense Center (ADC) located at http://www.imperva.com/application_defense_center.
Network Firewalls
Network firewalls provide network layer access control and attack protection services. They have been uniformly deployed at the network perimeter and in front of critical internal enterprise resources such as Web applications. As a component of overall Web application security architecture, network firewalls provide necessary protection against network-layer attacks. They also provide a barrier against the spread of worms from employee desktops to internal Web servers. While network firewalls prevent network-layer attacks and worm propagation, firewalls must allow all HTTP and HTTPS traffic to Web servers. Over time, the hacking community has learned to use this fact to their advantage by embedding attacks into Web traffic. Code Red and Nimda are examples of Web worms that easily traverse network firewalls via HTTP protocol-compliant communications. Similarly, SQL injection and cross-site scripting represent two targeted Web application attacks (among many) that are ignored by network firewalls since they comply with network and HTTP protocols. As long as attacks are carried out via commonly allowed application protocols, network firewalls are ineffective.
Although some IPS solutions claim to prevent application attacks like SQL injection and cross-site scripting, they rely on signatures commonly used in SQL injection or cross-site scripting attacks. These signatures, however, look for words such as "union", "select" and "script". They are prone to false positives since the words commonly appear in normal Web site content. Therefore, these signatures are usually not enabled, leaving the application exposed to attack. Even if these signatures are enabled, they can be easily circumvented using well-known evasion techniques.
Deployment Requirements
Application threats are not the only unique challenges of Web application security. Web applications must maintain exacting service levels, so they have stringent requirements related to deployment and operations. Specific issues include performance, deployment risk, availability, and centralized management.
Performance - Web applications are designed to handle high throughput and transaction rates. The performance of Web application security solutions must match or exceed other elements of the application infrastructure or they will degrade performance.
Deployment Risk - Web applications are finely tuned and extremely sensitive to change. Any change to the network, Web server operating system, application software, or back-end databases introduces risk to availability, performance, and security. Therefore, Web application security solutions should require little to no changes to existing infrastructure.
Availability - Web application downtime and unmet service levels have a negative impact on revenues, customer satisfaction and productivity. Therefore, Web application security solutions must incorporate high availability capabilities.
Centralized Management - Web application infrastructure is often distributed across the globe. Security managers need to manage devices without connecting to each device separately. Therefore, a centralized management server that automatically aggregates management of distributed devices is a necessity. Also, role-based management to enable creation of custom administrative roles and groups is a critical aspect of enterprise-class management.
Security
With Dynamic Profiling, Correlated Attack Validation, protection against known attacks from the application to the network layer, and regular security updates, SecureSphere delivers comprehensive security with pinpoint accuracy.
PCI Compliance
SecureSphere helps meet 8 of the 12 PCI DSS requirements, including the section 6.6 application security requirement, which allows a choice between source code review and application firewalls. While most security experts agree that both code review and application firewalls are important parts of an effective defense-in-depth solution, the SecureSphere Web Application Firewall, when compared to an application code review, enables organizations to take immediate action to improve application security and meet PCI requirements. SecureSphere deployment can also greatly reduce the pressure on code review projects, as the immediate protection allows developers to work within normal release planning.
Deployment
Leveraging Imperva's Transparent Inspection technology, SecureSphere offers a broad range of network options, enabling drop-in deployment without network or application changes. Kernel-based Transparent Inspection also delivers multi-gigabit performance, sub-millisecond latency and options for high availability that meet the most demanding data center requirements. SecureSphere may also be deployed in transparent reverse proxy mode if there is a need for content modification; it will not require any DNS or network changes.
Operations
Dynamic Profiling not only augments security, it also forms the cornerstone of SecureSphere's automated operational model. Dynamic Profiling eliminates the need to manually create and update an application white list. In addition, SecureSphere provides unparalleled ease of operations through its carrier-grade centralized management architecture and its intuitive Web user interface. A security dashboard, detailed alerts and graphical reports further underscore SecureSphere's operational efficiency.
The following sections describe in detail how Imperva SecureSphere alone meets the security, deployment, and operations requirements of today's Web applications.
Security
Dynamic Positive Security Model
Dynamic Profiling is the foundation of SecureSphere's automated approach to security. Dynamic Profiling automatically examines live traffic to create a comprehensive model (profile) of an application's structure and dynamics. The profile serves as the baseline for a positive security model governing detailed application-layer behavior. Valid application changes are automatically recognized and incorporated into the profile over time. SecureSphere employs Dynamic Profiling to create a positive security model of the application structure and elements, including URLs, parameters, form fields, cookies, and SOAP actions, for Web and Web Services applications. By comparing profiled elements to actual traffic, SecureSphere is able to detect all types of malicious activity, not just known attacks.
Dynamic Profiling overcomes the biggest drawback of other application firewall solutions: manual rule creation and maintenance. A Web application firewall with a manual white list security model must be painstakingly configured and then updated every time the application changes. Every URL, every form field, form field value, cookie, and HTTP method must be defined in the Web application firewall. In addition, most Web application firewalls require manually defined regular expressions to account for the expected behaviors of client-side scripts. Any script change requires a parallel rule change to avoid false positives. Considering that many operations and security managers are not kept abreast of every application change and some may not have the application expertise to evaluate application changes, manual rule maintenance is an untenable solution. Dynamic Profiling, on the other hand, delivers completely automated security with no need for manual configuration or tuning. With SecureSphere, security administrators can manually review and edit the dynamically created application profile or build the entire application profile from the ground up.
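The learn-then-enforce idea behind a profile-based positive security model, as an added illustration: this is not Imperva's Dynamic Profiling algorithm or code from the white paper. The value classes, the length slack factor and the sample URLs are assumptions made for the example.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

def classify(value):
    """Coarse value class (assumed classes, not a product's real type system)."""
    if value.isdigit():
        return "numeric"
    return "alnum" if value.isalnum() else "text"

def learn_profile(requests):
    """Build {(method, path): {param: {"types", "max_len"}}} from observed traffic."""
    profile = defaultdict(dict)
    for method, url in requests:
        parts = urlsplit(url)
        params = profile[(method, parts.path)]
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            entry = params.setdefault(name, {"types": set(), "max_len": 0})
            entry["types"].add(classify(value))
            entry["max_len"] = max(entry["max_len"], len(value))
    return dict(profile)

def check(profile, method, url, slack=2):
    """Return deviations from the learned profile; an empty list means conforming."""
    parts = urlsplit(url)
    known = profile.get((method, parts.path))
    if known is None:
        return [f"unknown URL/method: {method} {parts.path}"]
    violations = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        entry = known.get(name)
        if entry is None:
            violations.append(f"unknown parameter: {name}")
        elif classify(value) not in entry["types"]:
            violations.append(f"type mismatch: {name}")
        elif len(value) > entry["max_len"] * slack:
            violations.append(f"length exceeded: {name}")
    return violations

# Constructed learning traffic (not captured from a real application).
LEARNING = [
    ("GET", "/shop/item?id=1042&lang=en"),
    ("GET", "/shop/item?id=7&lang=fr"),
    ("GET", "/shop/search?q=red+shoes"),
]
PROFILE = learn_profile(LEARNING)

if __name__ == "__main__":
    for url in ("/shop/item?id=15&lang=de", "/shop/item?id=x-1&lang=en"):
        print(url, "->", check(PROFILE, "GET", url) or "conforms")
```

A free-text field such as `q` is learned as class "text", so the profile constrains it only by length; this is why the paper pairs the profile with signatures and protocol validation.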
Web and Web Services Attack Protection - Thousands of Web application attack signatures from the Imperva ADC and external resources help detect and thwart known Web attacks. SecureSphere's Web services attack signatures protect against attacks targeting XML, SOAP and WSDL applications.
HTTP Protocol Compliance - SecureSphere protocol validation ensures that Web traffic conforms to RFC standards. SecureSphere checks HTTP requests for malformed URLs, abnormally long URLs, abnormally long header lines, and many other protocol anomalies.
Zero-Day Web Worm Profiling - SecureSphere's Web Worm Profile defends against zero-day Web worms by detecting the specific combinations of attributes that uniquely characterize Web worm attacks.
Network Firewall - SecureSphere's integrated stateful network firewall protects against unauthorized users, dangerous protocols, and common network layer attacks.
Deployment
Flexible Deployment Options
SecureSphere provides complete and accurate application security without forcing organizations to redesign their Web applications, change IP or DNS settings or update authentication schemes. SecureSphere provides multiple deployment options:
- Transparent Layer 2 Bridge for drop-in deployment and industry-best performance
- Layer 3 Router for network segmentation, routing and network address translation
- Reverse Proxy for content modification, such as cookie signing and URL rewriting
- Transparent Proxy for fast deployment of content modification without network changes
- Non-inline Monitor for zero-risk monitoring and forensics
Transparent Inspection
Imperva's Transparent Inspection processing architecture allows SecureSphere to be completely transparent to the surrounding data center. SecureSphere deployment requires no changes to the network or application infrastructure, supports multi-gigabit network performance, and offers a host of high availability options.
[Figure: deployment diagram with labels "Internal Users", "Internet" and "SecureSphere Management Server"]
SecureSphere includes both security gateway and management server components. Gateway appliances are deployed in the path of Web servers where they can identify and immediately block attacks. The MX Management Server provides centralized management for multi-gateway deployments.
From a security perspective, inspecting the upper layers of the OSI model and beyond is required to deliver protection. From an operational networking perspective, the chief desire is for seamless, transparent operation. As such, from the perspective of how a device functions as a networking node, operating at lower layers is desirable for application security solutions. Transparent Inspection allows SecureSphere to operate as a transparent bridge, a network router or a reverse proxy. SecureSphere intercepts traffic at the kernel level and reconstructs all layers of the application stack in order to inspect application behavior. The benefits are as follows.
High Performance - SecureSphere performance is an order of magnitude faster than competing approaches. Because SecureSphere security processing is done at the kernel level, it requires far less processing overhead than competing reverse proxy products that must do security processing in user space.

Performance Metric | SecureSphere
Throughput | 2 Gbps
Request/Sec | 44,000
Latency | <1 millisecond
No Changes to Applications - Since network traffic passes through SecureSphere without modification, SecureSphere is transparent to the traffic endpoints (the client and the Web servers). This means SecureSphere can easily drop into any enterprise's data center without changing carefully optimized Web application infrastructure.
No Changes to Existing Network - SecureSphere can be flexibly deployed in the network as a transparent inline bridge, an inline proxy, an inline router, or a non-inline network monitor. Because of this flexibility, deployment requires no changes to the existing network architecture, including network routers, load balancers and servers.
High Availability
SecureSphere supports a broad range of options to ensure maximum uptime and application availability.
- Imperva High Availability (IMPVHA) protocol provides sub-second failover for two or more SecureSphere gateways deployed in bridging mode.
- Virtual Router Redundancy Protocol (VRRP) provides for failover when SecureSphere is configured as a router or proxy.
- Redundant gateways can be deployed in environments with redundant system infrastructures. SecureSphere's transparent deployment modes support both active-active and active-passive fail-over configurations when using external HA mechanisms.
- Inline fail-open network interfaces ensure availability in the event of software, hardware, or power failures.
- Non-inline monitoring configuration offers transparent deployment with no single point of failure.
Operations
Automated Web Application Security and Monitoring
Ongoing manual configuration is often the most significant component of a Web application firewall's total cost of ownership. It is not practical to expect individuals from different departments to jointly tune a security product every time the application changes. Dynamic Profiling eliminates manual tuning by automatically adapting to Web application changes as they are rolled out. The result is comprehensive security without burdensome operational processes.
Unified Real-Time Alert Monitoring - Real-time alerts are collected, prioritized and presented to the administrator in a single unified view. Alert notifications can be sent via email, phone, SNMP, or syslog message. Alerts include the complete HTTP request, the server response code, a description of the violation and a link to the corresponding SecureSphere violation rule.
SecureSphere identifies Web attacks and can generate alerts only or block attacks
Graphical Reporting - SecureSphere includes flexible graphical reporting capabilities, enabling customers to easily understand security, compliance and content delivery concerns. Both pre-configured and customizable reports provide immediate visibility into performance, regulatory compliance, security events, application vulnerabilities, database usage anomalies, and application changes. PCI specific compliance reports are included in the product. With a valid support agreement, new application security defenses and reports are automatically provided either on a weekly basis or more frequently for critical security updates from the ADC.
Intelligent Attack Summaries - Intelligent attack summaries improve administrator productivity by intelligently aggregating a sequence of events caused by complex attacks into a single actionable alert. For example, thousands of related scanning events extending across multiple gateways are aggregated into a single attack alert. This highly focused information allows administrators to quickly respond to immediate threats. Aggregated alerts preserve underlying component alert information for detailed forensics.
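One way to aggregate related alerts from several gateways into a single summary while keeping the component alerts, as an added illustration rather than SecureSphere's own correlation logic. The alert fields, the grouping key (source address) and the 300-second window are assumptions, and the sample alerts are constructed.

```python
from collections import defaultdict

def _summary(src, group):
    """Collapse one burst of alerts into a single record, keeping the originals."""
    return {
        "src": src,
        "first": group[0]["ts"],
        "last": group[-1]["ts"],
        "count": len(group),
        "gateways": sorted({e["gateway"] for e in group}),
        "events": group,  # component alerts preserved for forensics
    }

def summarize(alerts, window=300):
    """Group alerts per source; a gap longer than `window` seconds starts a new summary."""
    by_src = defaultdict(list)
    for alert in sorted(alerts, key=lambda a: a["ts"]):
        by_src[alert["src"]].append(alert)
    summaries = []
    for src, events in by_src.items():
        group = [events[0]]
        for ev in events[1:]:
            if ev["ts"] - group[-1]["ts"] > window:
                summaries.append(_summary(src, group))
                group = []
            group.append(ev)
        summaries.append(_summary(src, group))
    return summaries

# Constructed alerts from two hypothetical gateways (documentation-range addresses).
ALERTS = [
    {"ts": 0, "gateway": "gw-east", "src": "192.0.2.10", "violation": "unknown URL"},
    {"ts": 20, "gateway": "gw-west", "src": "192.0.2.10", "violation": "unknown URL"},
    {"ts": 30, "gateway": "gw-east", "src": "198.51.100.7", "violation": "long header line"},
    {"ts": 45, "gateway": "gw-east", "src": "192.0.2.10", "violation": "unknown parameter"},
    {"ts": 60, "gateway": "gw-west", "src": "192.0.2.10", "violation": "unknown URL"},
    {"ts": 1000, "gateway": "gw-east", "src": "192.0.2.10", "violation": "unknown URL"},
]
SUMMARIES = summarize(ALERTS)

if __name__ == "__main__":
    for s in SUMMARIES:
        print(s["src"], s["count"], "alerts via", ", ".join(s["gateways"]))
```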
Summary
The SecureSphere Web Application Firewall is designed from the ground up to meet the unique security, deployment and operational requirements of enterprise Web applications. It integrates the capabilities of a traditional Web application firewall with Web Services protection, application and operating system attack signatures, and a network firewall. Imperva's Dynamic Profiling technology enables a completely automated security model with no need for manual configuration or tuning. Transparent Inspection technology delivers multi-gigabit performance, rapid deployment, and multiple high availability deployment options. Finally, the MX Management Server delivers the multi-gateway management capabilities necessary to support the largest Web application environments.
Imperva North America Headquarters 3400 Bridge Parkway Suite 101 Redwood Shores, CA 94065 Tel: +1-650-345-9000 Fax: +1-650-345-9004 Toll Free (U.S. only): +1-866-926-4678 www.imperva.com
International Headquarters 125 Menachem Begin Street Tel-Aviv 67010 Israel Tel: +972-3-6840100 Fax: +972-3-6840200
Copyright 2008, Imperva All rights reserved. Imperva and SecureSphere are registered trademarks of Imperva. All other brand or product names are trademarks or registered trademarks of their respective holders. #WP-SSWAF1008rev1