A while back I presented at an OWASP chapter meeting in Israel on a controversial topic: “Why WAFs fail?”. While it is easy to explain the importance of WAFs, they remain a market niche, with revenues of 50 to 100 million dollars a year[1].
One reason the WAF market remains small is a relative lack of innovation in the field. WAFs still fight last year's war: they protect well from SQL injection and cross-site scripting. However, for those attacks alternative solutions such as intrusion prevention systems and secure coding offer comparable results.
This is why I was delighted to be briefed on the new release of ASM, F5's WAF. This version offers some new security features that address problems which are both important in today's marketplace and which WAFs are uniquely positioned to solve.
The most innovative new feature is a denial of service protection module. While WAFs have only recently started offering protection from rate-based attacks, F5 adds two new elements that make the DoS protection module promising. First, in addition to measuring request rate, the new module detects a DoS condition by measuring web server latency, which is a better indicator of such a condition than rate alone. The attack thresholds can be absolute or relative to the learned norm, offering some degree of learning.
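To make the detection idea concrete, here is an added example (my own illustration, not F5's or ASM's code) of a latency-based detector that combines an absolute threshold with a threshold relative to a learned norm. The class, parameter names, EWMA learning rule and the latency trace are all constructed assumptions; the point it shows is that the norm must stop learning once samples look abnormal, otherwise the attack teaches itself into the baseline.

```python
"""Latency-based DoS detection with a learned baseline (added example).

Not F5's or ASM's code: it demonstrates combining an absolute latency
threshold with a threshold relative to a learned norm. All latency samples
are constructed.
"""
from collections import deque
from statistics import mean


class LatencyDosDetector:
    """Classify each observed response latency as learning, normal or attack."""

    def __init__(self, abs_limit_ms=1000.0, rel_factor=3.0,
                 window=10, alpha=0.1, min_samples=20):
        self.abs_limit_ms = abs_limit_ms    # absolute rule: always active
        self.rel_factor = rel_factor        # relative rule: multiple of the norm
        self.window = deque(maxlen=window)  # recent latencies used for the verdict
        self.alpha = alpha                  # EWMA learning rate for the baseline
        self.min_samples = min_samples      # learning period before relative rule
        self.baseline_ms = None             # learned norm (EWMA of healthy samples)
        self.seen = 0

    def observe(self, latency_ms):
        """Record one response latency and return 'learning', 'normal' or 'attack'."""
        self.window.append(latency_ms)
        self.seen += 1
        current = mean(self.window)

        # Absolute threshold: a saturated server is an attack condition
        # regardless of what the learned norm looks like.
        if current > self.abs_limit_ms:
            return "attack"

        # Relative threshold: only meaningful once a norm has been learned.
        learned = self.baseline_ms is not None and self.seen >= self.min_samples
        if learned and current > self.rel_factor * self.baseline_ms:
            return "attack"

        # Update the norm only with samples that look normal on their own, so an
        # abrupt attack cannot teach itself into the baseline (a slow ramp-up
        # still can; that is a known limitation of this simple scheme).
        if self.baseline_ms is None:
            self.baseline_ms = latency_ms
        elif latency_ms <= self.rel_factor * self.baseline_ms:
            self.baseline_ms += self.alpha * (latency_ms - self.baseline_ms)

        return "normal" if learned else "learning"


def run_detector(samples, **kwargs):
    """Return the per-sample verdicts for a latency trace."""
    det = LatencyDosDetector(**kwargs)
    return [det.observe(s) for s in samples]


def first_alarm_index(samples, **kwargs):
    """Index of the first 'attack' verdict in the trace, or -1 if none."""
    verdicts = run_detector(samples, **kwargs)
    return verdicts.index("attack") if "attack" in verdicts else -1


# Constructed trace: 30 healthy responses (50-70 ms) followed by 10 responses
# at 250 ms, the kind of jump a server under a DoS would show.
SAMPLE_LATENCIES_MS = [50, 60, 70] * 10 + [250] * 10


if __name__ == "__main__":
    idx = first_alarm_index(SAMPLE_LATENCIES_MS)
    print("first alarm at sample", idx, "of", len(SAMPLE_LATENCIES_MS))
```

With the constructed trace the relative rule fires on the seventh slow response, once the window mean (about 193 ms) exceeds three times the learned norm (about 60 ms); the absolute rule needs no learning period and fires on the very first sample above one second.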
Second, F5 now offers mitigation options that are suitable for DoS attacks: in addition to throttling, the obvious reaction to DoS, ASM also includes an innovative JavaScript injection feature. The WAF appends a script to outgoing pages which challenges the client, ensuring it is a human user and not an automated program. Such a technique was suggested in the past by me[2] and by others[3],[4], and ModSecurity has the infrastructure for doing so, but I think this is the first time it is offered in a commercial product.
Using the same technology used for protecting from DoS, F5 also offers rate-based brute force mitigation. Protection from DoS and brute force attacks is not trivial, but we see it as the new frontier for WAFs. F5's bold move into this space shows promise, and its innovative script injection technology will become important in protecting from these as well as other automated attacks. Adoption of such innovative technology takes time, and we would love to hear from you how the technology actually performs in the field.
In addition to these security enhancements, the new ASM version also runs on F5's blade-based appliance, Viprion, which offers a threefold increase in performance compared to the highest-end box available up to now.
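The script injection mechanism described in the two paragraphs above (DoS mitigation and the brute force variant built on it) can be sketched as follows. This is an added example of my own, not F5's, ASM's or ModSecurity's code: the WAF appends a small script to outgoing HTML, a client that executes it sets a cookie, and while an attack condition is active only requests carrying a valid cookie reach the application. The key, the five-minute validity bucket, the cookie name and the arithmetic the script performs are constructed assumptions; the seed is bound to the client address and time bucket with an HMAC so the server keeps no per-client state.

```python
"""JavaScript challenge injection for DoS and brute force mitigation (added example).

Not F5's, ASM's or ModSecurity's code. Flow: inject_challenge() appends the
script to outgoing pages; a script-executing client sets the cookie;
has_valid_challenge() verifies it statelessly; decide() applies the policy
while an attack condition is active. Key, bucket length and challenge
function are constructed.
"""
import hashlib
import hmac
import re
import time

SECRET_KEY = b"constructed-demo-key-change-me"  # constructed; use a random key
BUCKET_SECONDS = 300                             # challenge validity window
COOKIE_RE = re.compile(r"(?:^|;\s*)waf_challenge=([0-9a-f]{16}):(\d+)")

# The script a browser runs: derive an answer from the seed, store it in a cookie.
CHALLENGE_JS = """<script>
(function () {
  var s = "__SEED__", a = 0;
  for (var i = 0; i < s.length; i++) { a += s.charCodeAt(i); }
  a = (a * 31) % 1000003;
  document.cookie = "waf_challenge=" + s + ":" + a + "; path=/; SameSite=Lax";
})();
</script>"""


def _bucket(now=None):
    return int((now if now is not None else time.time()) // BUCKET_SECONDS)


def challenge_seed(client_ip, bucket):
    """Stateless per-client seed: HMAC over client address and time bucket."""
    msg = f"{client_ip}|{bucket}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:16]


def expected_answer(seed):
    """Server-side twin of the arithmetic the injected script performs."""
    return str(sum(ord(c) for c in seed) * 31 % 1000003)


def inject_challenge(html, client_ip, now=None):
    """Append the challenge script to an outgoing HTML page."""
    script = CHALLENGE_JS.replace("__SEED__", challenge_seed(client_ip, _bucket(now)))
    if "</body>" in html:
        return html.replace("</body>", script + "\n</body>", 1)
    return html + "\n" + script


def has_valid_challenge(cookie_header, client_ip, now=None):
    """True if the Cookie header carries a correct, unexpired challenge answer."""
    m = COOKIE_RE.search(cookie_header or "")
    if not m:
        return False
    seed, answer = m.group(1), m.group(2)
    b = _bucket(now)
    for candidate in (b, b - 1):  # accept the current and the previous bucket
        if (hmac.compare_digest(seed, challenge_seed(client_ip, candidate))
                and hmac.compare_digest(answer, expected_answer(seed))):
            return True
    return False


def decide(under_attack, cookie_header, client_ip, now=None):
    """Policy: while a DoS or brute force condition is active, only clients that
    solved the challenge are served; the rest receive the challenge page."""
    if not under_attack or has_valid_challenge(cookie_header, client_ip, now):
        return "serve"
    return "challenge"


def solve_like_a_browser(html):
    """Constructed stand-in for a script-executing client: pull the seed out of
    the injected page and build the cookie the script would set."""
    seed = re.search(r'var s = "([0-9a-f]{16})"', html).group(1)
    return f"waf_challenge={seed}:{expected_answer(seed)}"


if __name__ == "__main__":
    ip, now = "203.0.113.7", 1_000_000          # constructed client and clock
    page = inject_challenge("<html><body>hello</body></html>", ip, now)
    cookie = solve_like_a_browser(page)
    print("no cookie  ->", decide(True, None, ip, now))
    print("with cookie->", decide(True, cookie, ip, now))
```

Two properties matter for the defender. The cookie is bound to the client address and a time window, so one solved challenge cannot be harvested and replayed from other addresses or forever; and the check proves only that the client executed script, which is exactly the distinction the post draws between a browser and a simple automated program, not a proof of a human. Pages with the script appended must also be marked non-cacheable, otherwise a cache could hand one client's seed to another.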
[1] For lack of better numbers I will refer to Gary McGraw's analysis. While Gary does not elaborate on how he arrived at his numbers regarding WAFs, my analysis is similar.
[2] JavaScript Agent Injection, Ofer Shezaf, OWASP Israel, September 2007
[3] Protecting Web Applications from Universal PDF XSS, Ivan Ristic, OWASP AppSec EU 2007
[4] Defeating Web 2.0 Attacks without Recoding Applications, Amichai Shulman, OWASP Israel 2007

Hi Ofer:
About the JavaScript injection feature to prevent HTTP DDoS, I found Citrix NetScaler had this feature even before they bought Teros. We tested it at least one year ago, and it is contained in their L4 switch features, not the WAF (so you don't need to buy their WAF to do it :P). So I think F5 is not the first commercial product to offer this feature, but I'm not sure if any other hardware/software did this before them?
Lu.
Hi Ofer,
I'm a little surprised to find you saying: "WAFs still fight last year's war: they protect well from SQL injection and cross site scripting. However for those attacks alternative solutions such as intrusion prevention systems and secure coding offer comparable results." You're kidding when you say that IPSes give you the same protection against application-level attacks, right? Thanks.
Unfortunately I am far from kidding. While I covered in detail the differences between WAFs and IPSs in my article "Alternative Operational Solutions", too many WAFs in the field operate more as an HTTP-aware IPS than a real WAF.
A good example would be the rising popularity of ModSecurity, demonstrated well by the recent surge of traffic on the ModSecurity mailing list. Most users use ModSecurity out of the box with the core rule set without defining a positive security envelope, thus reducing it to an HTTP-aware IPS. I would argue that any WAF that does not have a learning mode for positive security rules is usually used as an IPS.
We also see recent announcements of solutions labeled as WAFs that support only signature-based blacklisting. An example is NEC's new WAF announced in the US during RSA.
They all can get away with it because positive security and learning are often not used even when available due to the high cost of maintaining the positive security model when compared to its added value.
Thanks for the clarification. I guess what I originally understood from your article was that IPSes can basically give you all the capabilities of a typical WAF whereas your comment basically says that most WAF users typically use their WAF as an IPS. Am I right? Thanks.
I think that you summed it up just right.
Hi Ofer,
That's interesting news. Can you say more about the defense against rate based attacks? You mention latency.
Are they able to detect a client that attempts to slow down a web server (thread) with slow submission of requests? Big file uploads to resources that do not even exist...?
Where can I find more information?
Cheers,
Christian
Christian,
Information on the feature can be found here: http://www.f5.com/pdf/white-papers/intelligent-layer7-protection-wp.pdf
I am presenting tomorrow in an OWASP meeting in Israel about the subject and will publish my presentation afterwards. Stay tuned.