Review: Analyzing the Effectiveness of Web Application Firewalls

On November 15, Larry Suto published a report analyzing how effective WAFs and IPS products are at protecting Web applications against external attack.

Overall, Imperva performed well in the review. Imperva finished as the top performing WAF vendor.  In fact, according to the profile of Imperva SecureSphere (on page 7):

Imperva has a high quality protection engine with a very robust set of basic policies. It is also one of the easier WAFs to configure and provides the most value straight out of the box…it became clear that it was a very effective solution.

A few observations:

  • This report highlights how WAFs are an important application security technology.  Most tuned WAFs managed to block more than 60% of what a vulnerability scanner threw at them.   Though many WAFs required extensive tuning, a few hours of work meant you could dramatically decrease the odds of an application breach.
  • Not all WAFs are created equal.  Some required a lot of tuning, some didn’t.  The reviewers tested Imperva as well as Barracuda, Citrix, DenyAll, F5, ModSecurity, Sourcefire, and an unnamed IPS. Imperva SecureSphere mitigated more vulnerabilities than any other solution, both with and without virtual patching. Without tuning, SecureSphere blocked 88% of vulnerability exploits and 89% with tuning.  By contrast, some blocked 26% or less without tuning and could block 82% or less with tuning.

A few critiques:

  • The testing methodology for virtual patching wasn’t optimal.  The main tool that was used to test the efficacy of virtual patching was the same tool that created the virtual patching policies. This methodology is questionable because there isn’t variation in the way the vulnerability is tested from one scan to the next.  As a result, most WAFs and IPS products simply applied a single RegEx policy per vulnerability to remediate the way that the scanner looks for the vulnerability. In the real world, URL encoding and other evasion techniques could circumvent these RegEx policies in most cases, so relying on a single RegEx signature to block advanced attacks like SQL injection would result in a high rate of false positives or false negatives, depending on how one constructed the RegEx. Imperva imports vulnerability results from scanners, but then it applies its own security policies to stop vulnerabilities. Instead of simply relying on a single RegEx to mitigate a vulnerability, Imperva has developed advanced security engines that normalize and inspect Web requests. Imperva’s security engines score requests based on application profile violations, HTTP protocol violations, attack keywords, and attack signatures to correctly identify attacks. We believe that our approach is much more accurate, more difficult to evade, and less likely to generate false positives.

    What is the proper way to test WAFs?  To test WAFs, you should NOT JUST generate attack traffic.  The most effective method would be to generate both attack and legitimate traffic. This approach makes it possible to test the ability of a WAF to detect malicious traffic and also to distinguish malicious traffic from good traffic. It provides a real world testing scenario in which the WAF must block attack traffic, and avoid blocking good traffic (i.e., generating false positives).

  • Conflating WAFs and IPS.  According to a recent 451 Group market study (registration and purchase required) from August 2011, WAFs are the fastest growing segment in application security.  IPS vendors, hoping to get in the action, have begun to claim WAF-like functionality.  In reality, to secure Web applications, organizations must be able to stop technical attacks, business logic attacks, and Web fraud.
    • Technical Attack Protection (SQL Injection, XSS, Directory Traversal): Imperva SecureSphere offers advanced protection against technical Web attacks. SecureSphere normalizes data to protect against evasion techniques. SecureSphere can also defend against session-based attacks like cookie poisoning and session replay. IPS products must rely on RegEx signatures created by a scanner to stop technical attacks. These RegEx signatures would be easy to circumvent by using comments and encoding. In addition, an IPS would not be able to stop session or cookie tampering.
    • Business Logic and Automated Attack Protection (Scraping, App DDoS, Parameter Tampering, Brute Force): Web Application Firewalls like SecureSphere can protect against business logic attacks. An IPS product is not designed to stop advanced business logic attacks that could lead to a data breach or application downtime.
    • Web Fraud Prevention (Zeus, SpyEye, Gozi): The SecureSphere Web Application Firewall can protect against Web-based fraud caused by malware. An IPS cannot detect or stop fraud malware.

Other considerations when considering WAFs
In addition to security coverage, businesses must consider the operational aspects of deploying a Web application security solution. Businesses should evaluate the accuracy of the solution, ability to protect dynamic applications, monitoring, and management.

  • Security Accuracy: Imperva has gone to great lengths to provide advanced Web application protection. Correlating Web profile violations with protocol anomalies, attack keywords and attack signatures greatly reduce false positives and false negatives. This is one of the main reasons why Imperva SecureSphere is a widely deployed Web application firewall—because organizations know they can trust Imperva to block attacks while limiting the number of false positives. Alternatively, the RegEx expressions created by an application scanner would generate false positives by triggering violations on any attack keywords.
  • Protection of Dynamic Applications: SecureSphere can protect dynamic applications. In contrast, it would be difficult for a scanner to virtually patch Web application elements that are dynamically created—like dynamic URLs or restful applications.
  • Monitoring and Forensics: Imperva SecureSphere provides detailed security alerts with the entire Web request, the server response code, and the user name of the attacker. It even shows the exact string in the request that triggered the violation. Comprehensive alerts, as well as a powerful reporting framework, make it easy for organizations to investigate Web application attacks. IPS products are not designed for Web application security and will not display the entire Web request in security alerts.
  • Scalable Management:  Imperva SecureSphere offers centralized management. The MX Manager can centralize all policy control, application profile information, signature updates, monitoring and reporting for multiple Web Application Firewalls. For extremely large-scale deployments, Imperva offers the SecureSphere Operations Manager which centrally manages multiple MX Managers. Most IPS solutions are not designed for large scale deployments to protect critical Web applications.