10 WAF Q&A with Barracuda Expert Neeraj Khandelwal. 

By: George Mateaki
Web-facing applications remain a primary target for attackers, mostly due to the abundance of insecure coding practices in both in-house and third-party app development. Even after a seemingly thorough code review, it’s difficult to protect against these successful cyber attacks. After all, humans write code. Humans review code. And humans are fallible.

The Payment Card Industry Data Security Standard (PCI DSS) requirement 6.6 suggests “installing an automated technical solution that detects and prevents web-based attacks” (e.g., a web application firewall) as one of two ways to address vulnerabilities to public-facing web applications.

Web application firewalls, also known as WAFs, sit in front of public-facing web applications to monitor, detect, and prevent web-based attacks. Even though these solutions can’t perform the many functions of an all-purpose network firewall (e.g., network segmentation), they specialize in one specific area: monitoring and blocking web-based traffic.

A WAF can protect web applications visible or accessible from the Internet, including outward facing or intranet applications involving payment card acceptance. As per PCI DSS regulations, your WAF must be up to date, generate audit logs, and either block cyber attacks or generate a cyber security alert if an imminent attack is suspected.

To help explain WAFs in detail, I contacted expert Neeraj Khandelwal, Sr. Product Manager at Barracuda Networks, a data protection company that offers IT solutions like web application firewalls.

Q: What are the pros and cons of a web application firewall?

A: A WAF blocks attacks targeted on websites, web-based applications, as well as the web server infrastructure. Network firewalls blindly allow web traffic through to servers and intrusion prevention solutions only protect against a subset of web-based threats, so WAFs have become essential for defense in depth security.

Moreover, from the attacker's perspective, web applications are attractive, low-hanging targets as there are many attack tools easily available on the Internet. These tools can be directly targeted on the web applications without needing to first penetrate inside the victim's internal network. A compromise of web applications allows attackers to steal information from the connected databases or infect other users of the site with web-based malware.

All of this has contributed to the popularity of WAFs as purpose-built solutions to protect the application layer.

WAF pros:
  • Unlike application scanning tools that have to be re-run for every change and offer no remediation, WAFs offer immediate remediation of security flaws for all web applications—existing, new, and modified. 
  • Protection for third party modules used in web applications (e.g. open source modules, COTS software, and outsourced code) for which source code is often not even available.
  • Deployed as reverse proxies, WAFs secure the vulnerable network stacks of the application servers, including protocol related threats in SSL, etc.

WAF cons:
  • Web applications vary widely in terms of what’s acceptable input, so configuring a WAF requires more effort than network firewalls.
  • For securing customized applications, the WAF administrator might be required to work with the application development teams so they don’t break business critical functionality.
  • A WAF may present another "bump in the wire," and some networking re-configurations, depending on the mode of deployment.

Q: Which is better: application-based, network-based, or cloud-based WAF?

A: This depends on the organization, their risk appetites, and the presence of alternate compensatory controls.

Application-based WAFs (e.g. WAFs that are co-located on the application servers) have the benefit of being the closest to the web apps, so it is not easy to bypass them. They also require minimal networking changes. However, they contend with web apps themselves for the server's hardware and networking resources.

While they’re not intrusive on the network, they are intrusive to the servers themselves. A more serious issue is when the WAF has a bug, which could affect the availability of the application itself if the server is rendered unavailable by the bug. Another challenge with these WAFs is centralized policy management of a large number of WAF instances that are running on different servers.

Network-based WAFs, on the other hand, are more intrusive to the network for initial deployment. They don’t have any footprint on the servers, so there are fewer cases of friction with server administrators. Many WAFs also have integrated application acceleration features like load balancing, SSL offloading, connection multiplexing, caching, and compression that can reduce the load on the application servers and deliver the applications faster to clients. Cost-wise, these WAFs might represent the highest initial costs, but the maintenance costs are generally low.

Cloud-based WAFs have been gaining traction due to their SaaS model and ease of opting in, as well as backing out, by simple DNS changes. Another benefit most of these WAFs offer is an integrated CDN, which can be used to defend against DDoS attacks. Management overhead is also relatively low. However, these WAFs are often seen as a second line of defense after a primary origin-based WAF; they are far removed from the servers, so direct and insider attacks on servers are not fully addressed by cloud-based WAFs. For securing HTTPS traffic, these WAFs also require the organization to hand over their SSL certificates, which could affect compliance.

Q: What’s the best way to manage a WAF?

A: In most small to mid-sized companies, application firewalls are managed by IT or networking teams; however, larger enterprises have dedicated application security teams, which are the natural owners of WAFs.

It’s becoming common to outsource the WAF management to managed security service provider (MSSP) partners. These companies are often averse to additional spending on application security headcount and lack in-house expertise on the subject. Larger organizations, on the other hand, have centralized application security teams that can support several different business units.

Another trend here is organizations migrating their web applications to public infrastructure as a service (IaaS) clouds. Many people mistakenly think the cloud provider or hosting provider provides web app security. This is a myth. The cloud uses a shared security model where the infrastructure is secured by the cloud, but securing the applications and data that are put in the cloud is the responsibility of the merchant. Again, the merchants can do it themselves or outsource it to an MSSP, etc.

Q: How do firewalls currently interact with and decide what to do with encrypted traffic?

A: In order to inspect encrypted HTTPS traffic, WAFs require the SSL certificate of the protected website or application. They can then decrypt the traffic, inspect it, and optionally re-encrypt the traffic before sending it to the application. Without re-encryption, the process is termed SSL offloading, and with re-encryption, it’s termed SSL bridging, end-to-end SSL, etc. The former has the advantage that SSL, which is compute-intensive, is offloaded entirely from the server so its resources can be used more judiciously for application related tasks. The latter provides a higher level of security against man-in-the-middle attacks from the inside.

SSL has also been the subject of a lot of attacks recently—Heartbleed, POODLE, CRIME, BREACH, FREAK. An additional benefit of reverse proxy WAF deployments is they’re sometimes already resilient to these threats and can quickly patch the rest with auto-updates. This plugs the "window of exposure" from the time the vulnerability is made public to the time the server vendors can provide fixes for their platforms.

Q: What’s the best way to integrate a WAF for compliance with PCI 6.6?

A: WAFs have a wide range of functionalities and features. Organizations with application security expertise can perform detailed evaluations and Proof-of-Concepts via the PCI DSS but others may not have the means.

In such cases, organizations should look out for independent certifications like from ICSA and NSS and ask the vendor to provide customer and analyst references within the banking and financial industry verticals. Solutions with built-in PCI reporting should be prioritized. Once deployed, these reports should be scheduled for periodic delivery to the stakeholders.

Q: What are the risks/challenges of web application firewalls?

A: Since traffic flows via the WAFs to the applications, the risk of false positives—blocking a genuine request due to over-aggressive policy—is one of the biggest risks. Preventing the WAFs from becoming a single point of failure or not being able to scale with increasing traffic are other potential risks that need to be mitigated. WAFs should be carefully evaluated for latency introduction as well. Many WAF vendors market a large number of IPS-style signatures, but this defeats the basic premise of a WAF: anomaly and behavior-based detection coupled with de-obfuscation layers that prevent signature bloat. A large number of simple signatures can often increase the processing latency with less security effectiveness.

False negatives are another risk when the security policy is too relaxed. Some deployment models also prevent the use of all the security policies, especially those that require rewriting of the traffic, e.g. CSRF protection. Span port deployments and cloud-based WAFs often suffer from these false negatives. Organizations should evaluate if these risks have alternate compensatory controls.
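The de-obfuscation point in the answer above, as an added example (not from the interview or from any vendor's product): two rules are written once against canonical input, and a normalization layer absorbs the encoding variants that would otherwise each need their own signature. The rule names, regexes and sample parameter values are constructed for illustration.

```python
import html
import re
from urllib.parse import unquote_plus

# Two rules, written once against canonical (decoded, lower-case) input.
RULES = {
    "xss-script-tag": re.compile(r"<\s*script\b"),
    "sqli-union-select": re.compile(r"\bunion\s+(all\s+)?select\b"),
}

def normalize(value, max_rounds=5):
    """De-obfuscation layer: undo nested URL/HTML-entity encoding, then canonicalize."""
    for _ in range(max_rounds):
        decoded = html.unescape(unquote_plus(value))
        if decoded == value:
            break
        value = decoded
    # SQL inline comments are often used in place of whitespace between keywords.
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
    return re.sub(r"\s+", " ", value).lower()

def inspect(value, deobfuscate=True):
    """Return the sorted names of the rules that match one parameter value."""
    text = normalize(value) if deobfuscate else value
    return sorted(name for name, rx in RULES.items() if rx.search(text))

# Constructed sample values; the flag is True when the value should be blocked.
SAMPLES = [
    ("<script>alert(1)</script>", True),
    ("%3CScRiPt%3Ealert(1)%3C%2FscRipt%3E", True),   # URL-encoded, mixed case
    ("%253Cscript%253Ealert(1)", True),              # double URL-encoded
    ("&#60;script&#62;alert(1)", True),              # HTML numeric entities
    ("1 UNION/**/SELECT card_no FROM orders", True), # comment used as spacing
    ("1%20uNiOn%0aSeLeCt%20null", True),             # encoded whitespace
    ("Trade union members select a new chair", False),
    ("How do I describe a script in a screenplay?", False),
]

def score(deobfuscate):
    """Count false positives and false negatives over the labelled samples."""
    fp = sum(1 for v, bad in SAMPLES if not bad and inspect(v, deobfuscate))
    fn = sum(1 for v, bad in SAMPLES if bad and not inspect(v, deobfuscate))
    return {"false_positives": fp, "false_negatives": fn}

if __name__ == "__main__":
    print("raw signatures:   ", score(deobfuscate=False))
    print("with normalization:", score(deobfuscate=True))
```

Without the normalization layer, the same two rules miss every encoded variant, and closing that gap with raw signatures would mean adding one pattern per encoding.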

Q: What do you wish every business knew about firewalls and PCI 6.6?

A: Just deploying a WAF to secure your web applications is not enough. At the time of a PCI assessment, applications will be scanned by automated vulnerability scanning tools and pentesters. This requires that the WAF's capabilities and deployment model are considered thoroughly during procurement. Where either is lacking in the requisite security guidelines, compensatory controls will have to be considered. Finding these out reactively could be an unpleasant thing.

New amendments in PCI require penetration tests to be carried out from outside the network as well as inside. Organizations often underestimate the impact of the latter. It basically means that the Qualified Security Assessor (QSA) gets inside the network and tries to attack the web applications. Offline or bridge mode WAFs or cloud-based WAFs may be bypassed and fail this requirement. Reverse proxies provide the right network segregation for the server network to meet this amendment.

Q: How do hackers work to bypass WAFs today?

A: Hackers often try to fingerprint WAFs based on certain strings of words that give away information about the WAF itself—for example in injected CSRF tokens or error messages generated by the WAF.

Post fingerprinting, hackers first try to look up the known vulnerabilities in that WAF or try out blind attacks, normally using attacks that have been made public recently. The idea is either there is no protection against these yet, or the organization has not updated their software.

Q: What’s different about Barracuda web app products?

A: Barracuda Web Application Firewall is a mature reverse proxy solution that has secured tens of thousands of customers for over a decade. It has been an ICSA-certified WAF since 2009 and is NSS recommended for its security capabilities.

Beyond the security required by section PCI 6.6, it has several advanced functions such as IP Reputation, client fingerprinting, application layer DDoS prevention, CAPTCHA challenges, application acceleration, and pre-authentication. It has a simple flat licensing model, and all the premium features are included when the hardware can support them at no extra charge. It is available in a wide range of form factors—physical appliances ranging from 25 Mbps to 4 Gbps, virtual appliance supporting all major virtualization platforms as well as in the public IaaS clouds—AWS and Azure.

It’s one of the easiest to deploy and use. Customer surveys reveal that most of them deploy it themselves without needing additional professional services and spend only a couple of hours per week on average for management.

Q: What is the future of web app firewalls?

A: By various estimates, the WAF market is supposed to grow between 20-30% over the next 5 years as applications become ubiquitous, but their security lags behind. With the explosion of mobile applications and the Internet of Things, WAFs could see additional growth since both use HTTP to talk to web applications on the server side, which are typically REST APIs. Many new companies today build their businesses around mobile and REST APIs rather than traditional websites (think Uber). Comprehensive protection of these mobile apps (server side) and REST APIs is an exciting new feature for WAFs.

Don’t forget to update

Neeraj brought up some great advice during our Q&A. I’d also like to add a quick note about how WAFs interact with the PCI DSS:

  • Just because you have a WAF, it doesn’t mean you’re automatically compliant with PCI 6.6.
  • As per PCI DSS regulations, organizations must review public-facing web applications at least once per year and after any changes are made to the system.

In addition, don’t ever assume the firewall, or even the service provider you contract with, is up to date on the latest security vulnerabilities or patches. As per the PCI DSS, it’s always the merchant’s responsibility to maintain security.

To ensure you don’t get fined for a PCI DSS violation, keep up to date on security bulletins and take new industry threats seriously. Bring those threats up with your service providers, IT head, and QSA. If your service provider isn’t responsive, or doesn’t keep up to date on current industry threats, it may be a good time to look elsewhere, because you aren’t receiving the security your business needs.

George Mateaki (CISSP, CISA, QSA, PA-QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT.