Alternative Operational Solutions
The path between the end user and the web server is full of security devices, and at times it is hard to differentiate between them. This section compares those solutions with web application firewalls.
Firewalls
While they are the closest namesakes of web application firewalls, traditional firewalls, or network firewalls as they are called in this book, perform a very different task. Like traffic cops, they decide which traffic is permitted to go where. Network traffic is designated by its source and destination computers and by the destination port to which it is addressed. A typical firewall rule would allow mail traffic from anywhere in the world to the organization's mail server.
Network firewalls, on the other hand, have no insight into the content of the traffic. In the previous example, the firewall would not check whether an e-mail message contains a virus or is spam; that would be the job of the anti-virus software commonly installed on the mail server. Likewise, a firewall has no insight into web application traffic.
Today, as the ubiquitous data center security solution, many network firewalls bundle additional security mechanisms and may therefore have some functionality for inspecting the content of traffic.
Intrusion Detection and Prevention Systems
Unlike network firewalls, intrusion detection and prevention systems are meant to inspect content and detect attacks within the traffic content. This feature is sometimes referred to as "deep packet inspection".
WAFs differ from IPSes in three main areas:
- Avoiding evasion.
- Handling false positives.
- Application layer specific security.
Avoiding Evasion
One of the challenges for an IPS is to avoid being evaded by attacks. Through an intimate understanding of HTTP traffic, WAFs are better at avoiding evasion. This intimate understanding of HTTP includes:
- Decrypting SSL.
- Decoding common encodings used in HTTP traffic.
- Executing rules on parsed HTTP fields rather than on raw traffic.
In addition, positive security based protection is less prone to evasion.
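The following is an added example, not code from the book, illustrating the last two points above: why a rule evaluated on decoded, parsed parameter values resists encoding based evasion that a signature run over raw bytes does not, and how a positive security profile for a parameter catches the same request without any attack signature at all. The request lines, the simplified tautology rule and the `id` profile are all constructed for this illustration and are not production rules.

```python
"""Raw-bytes signature vs. rule on decoded, parsed HTTP fields (added example)."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Simplified negative-security rule: the textbook "' or 1=1" tautology fragment.
# Illustrative only; real rule sets are far larger and more careful.
SQLI_RULE = re.compile(r"'\s*or\s*1\s*=\s*1", re.IGNORECASE)

# Positive-security profile for the hypothetical 'id' parameter: digits only,
# at most six characters. A WAF would learn or be configured with such profiles.
ID_PROFILE = re.compile(r"^[0-9]{1,6}$")


def normalise(value: str, rounds: int = 2) -> str:
    """Undo up to `rounds` further layers of percent-encoding ('+' means space)."""
    for _ in range(rounds):
        decoded = unquote(value.replace("+", " "))
        if decoded == value:
            break  # nothing left to decode
        value = decoded
    return value


def raw_match(request_line: str) -> bool:
    """IPS-style check: the signature is run against the raw request line."""
    return bool(SQLI_RULE.search(request_line))


def parsed_fields(request_line: str) -> dict:
    """Parse 'GET /path?a=b HTTP/1.1' into normalised parameter values.

    parse_qsl already removes one layer of percent-encoding; normalise()
    handles double encoding on top of that.
    """
    _method, target, _version = request_line.split(" ", 2)
    query = urlsplit(target).query
    return {k: normalise(v) for k, v in parse_qsl(query, keep_blank_values=True)}


def waf_match(request_line: str) -> bool:
    """WAF-style check: the signature is run on each decoded parameter value."""
    return any(SQLI_RULE.search(v) for v in parsed_fields(request_line).values())


def positive_violation(request_line: str) -> bool:
    """Positive security: flag 'id' when it does not fit its profile."""
    fields = parsed_fields(request_line)
    return "id" in fields and not ID_PROFILE.match(fields["id"])


# Constructed sample request lines (not captured traffic).
BENIGN = "GET /item?id=42 HTTP/1.1"
PLAIN = "GET /item?id=5'or1=1 HTTP/1.1"
ENCODED = "GET /item?id=5%27or1%3D1 HTTP/1.1"          # ' and = percent-encoded
DOUBLE = "GET /item?id=5%2527or1%253D1 HTTP/1.1"       # encoded a second time

if __name__ == "__main__":
    for name, line in [("benign", BENIGN), ("plain", PLAIN),
                       ("encoded", ENCODED), ("double", DOUBLE)]:
        print(f"{name:8} raw={raw_match(line)!s:5} parsed={waf_match(line)!s:5} "
              f"profile_violation={positive_violation(line)}")
```

The raw signature fires only on the plainly written request; once the same value is percent-encoded it is missed, while the check on parsed fields catches all three variants. The positive profile flags every non-numeric `id` regardless of how the payload is written, which is why the text calls positive security less prone to evasion.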
Reducing False Positives
As discussed later in this book, detecting application layer attacks is not trivial and rules often misfire. By using more complex rules, WAFs may avoid false positives in the first place, and in addition use a more robust exception mechanism to enable granular handling of false positives. Systems that lack this granularity often require removing an entire rule even if it triggers only in one very specific location in the application, leading to a loss of security.
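As an added example (not the book's code), the small rule engine below contrasts the two ways of handling a false positive described above: switching a rule off everywhere, versus an exception scoped to one path and parameter. The rule id, the pattern (any HTML tag in a parameter value), the paths and the sample requests are all hypothetical.

```python
"""Coarse vs. granular false-positive handling in a rule engine (added example)."""
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    rule_id: str
    pattern: re.Pattern
    message: str


@dataclass(frozen=True)
class RuleException:
    """Suppresses one rule at exactly one (path, parameter) location."""
    rule_id: str
    path: str
    parameter: str


@dataclass
class Engine:
    rules: list
    exceptions: set = field(default_factory=set)   # granular suppressions
    disabled: set = field(default_factory=set)     # coarse: whole rule off

    def evaluate(self, path: str, params: dict) -> list:
        """Return (rule_id, parameter) pairs that fire for this request."""
        hits = []
        for rule in self.rules:
            if rule.rule_id in self.disabled:
                continue  # coarse handling: the rule no longer protects anything
            for name, value in params.items():
                if RuleException(rule.rule_id, path, name) in self.exceptions:
                    continue  # granular handling: skipped only at this location
                if rule.pattern.search(value):
                    hits.append((rule.rule_id, name))
        return hits


# Hypothetical rule: flags HTML markup in any parameter value.
HTML_TAG_RULE = Rule("HYPO-HTML-001", re.compile(r"<\s*[a-zA-Z][^>]*>"),
                     "HTML markup in parameter value")

# Constructed traffic: a CMS editor legitimately submits HTML in 'body'
# (the false positive), while a search box has no business carrying markup.
EDITOR_REQUEST = ("/admin/post", {"title": "Spring sale", "body": "<p>Up to 30% off</p>"})
EDITOR_TITLE_MARKUP = ("/admin/post", {"title": "<p>x</p>", "body": "plain text"})
SEARCH_REQUEST = ("/search", {"q": "<b>boots</b>"})


def coarse_handling() -> dict:
    """Silence the false positive by disabling the whole rule."""
    engine = Engine(rules=[HTML_TAG_RULE])
    engine.disabled.add(HTML_TAG_RULE.rule_id)
    return {
        "editor": engine.evaluate(*EDITOR_REQUEST),
        "editor_title": engine.evaluate(*EDITOR_TITLE_MARKUP),
        "search": engine.evaluate(*SEARCH_REQUEST),
    }


def granular_handling() -> dict:
    """Silence it only for the 'body' field of the editor page."""
    engine = Engine(rules=[HTML_TAG_RULE])
    engine.exceptions.add(RuleException(HTML_TAG_RULE.rule_id, "/admin/post", "body"))
    return {
        "editor": engine.evaluate(*EDITOR_REQUEST),
        "editor_title": engine.evaluate(*EDITOR_TITLE_MARKUP),
        "search": engine.evaluate(*SEARCH_REQUEST),
    }


if __name__ == "__main__":
    print("coarse:  ", coarse_handling())
    print("granular:", granular_handling())
```

With the coarse approach the editor's false positive disappears, but so does detection on the search box and on the editor's own `title` field. With the scoped exception only the one known-good location is exempted and the rule keeps firing everywhere else, which is the loss of security the paragraph refers to.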
Enhancing Security
IPSes use signatures to detect attacks; however, signatures may not be enough for detecting web application attacks. Some attack vectors can be mutated to evade signature based detection. By using complex rules instead of signatures, WAFs can detect more variants of attacks.
Other attacks are not signified by attack vectors at all. The most common area that web application firewalls handle while IPSes do not is session based protection, including protection from:
- Forceful browsing,
- Brute force attacks,
- Hidden parameters manipulation,
- Cookie tampering & session hijacking,
- Site automation.
WAFs are capable of this because they understand and can track a web application session. By monitoring sessions, WAFs also provide valuable information about them, such as the user associated with a session.
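To show what "tracking a web application session" buys a defender, here is an added example (not from the book) that implements two of the session based checks listed above, forceful browsing and hidden parameter manipulation. The tracker records, per session, the link and form paths and the hidden field values the application served in its last response, then compares the next request against them. The HTML, session ids, paths and entry points are constructed for the example.

```python
"""Session-aware forceful browsing and hidden-field checks (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ServedContent(HTMLParser):
    """Records what one response offered: link/form paths and hidden values."""

    def __init__(self):
        super().__init__()
        self.paths = set()   # paths the user was given a way to reach
        self.hidden = {}     # hidden field name -> value the server set

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.paths.add(urlsplit(a["href"]).path)
        elif tag == "form" and a.get("action"):
            self.paths.add(urlsplit(a["action"]).path)
        elif tag == "input" and a.get("type") == "hidden" and a.get("name"):
            self.hidden[a["name"]] = a.get("value") or ""


class SessionTracker:
    def __init__(self, entry_points):
        # Paths anyone may request without having been offered a link to them.
        self.entry_points = set(entry_points)
        self.sessions = {}   # session id -> ServedContent of the last response

    def observe_response(self, session_id: str, html: str) -> None:
        """Called on every response the application sends to this session."""
        served = ServedContent()
        served.feed(html)
        self.sessions[session_id] = served

    def check_request(self, session_id: str, path: str, params: dict) -> list:
        """Return (finding, detail) tuples for a request in this session."""
        findings = []
        served = self.sessions.get(session_id)
        offered = served.paths if served else set()
        if path not in self.entry_points and path not in offered:
            findings.append(("forceful_browsing", path))
        if served:
            for name, value in params.items():
                if name in served.hidden and served.hidden[name] != value:
                    findings.append(("hidden_parameter_manipulation", name))
        return findings


# Constructed response for a hypothetical shop's cart page.
CART_PAGE = """
<html><body>
  <a href="/cart">Cart</a> <a href="/checkout">Checkout</a>
  <form action="/order" method="post">
    <input type="hidden" name="price" value="49.00">
    <input type="text" name="qty">
  </form>
</body></html>
"""


def run_scenario() -> dict:
    """Feed one response and several follow-up requests through the tracker."""
    tracker = SessionTracker(entry_points={"/", "/login", "/cart"})
    tracker.observe_response("s1", CART_PAGE)
    return {
        # Legitimate order: offered path, hidden price unchanged.
        "legit_order": tracker.check_request("s1", "/order", {"price": "49.00", "qty": "2"}),
        # Hidden 'price' does not match what the server set.
        "tampered_price": tracker.check_request("s1", "/order", {"price": "0.01", "qty": "2"}),
        # Path never offered to this session and not an entry point.
        "direct_admin": tracker.check_request("s1", "/admin", {}),
        # Unknown session jumping straight to a non-entry page.
        "cold_checkout": tracker.check_request("s9", "/checkout", {}),
    }


if __name__ == "__main__":
    for case, result in run_scenario().items():
        print(f"{case:15} -> {result or 'ok'}")
```

Neither finding is expressible as a signature on the request alone: `price=0.01` is a perfectly formed value and `/admin` a perfectly formed path. They are only detectable because the tracker knows what this session was served, which is the capability the paragraph attributes to WAFs. A real implementation has to cope with multiple tabs, cached pages and background requests, so it would keep more than one prior response per session and treat these checks as signals rather than hard blocks.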
HTTP aware IPS/IDS
Some IPSes go a step further and understand HTTP traffic. For example, such an IPS may decrypt SSL and perform some decoding of the HTTP content. These systems are referred to as HTTP aware IPSes. Of the differences between a WAF and an IPS listed above, an HTTP aware IPS usually covers the first, intimate knowledge of HTTP. Often the system is host based and uses the web server's own HTTP parsing to run signatures on decrypted and decoded data. An HTTP aware IPS may also have some level of application layer rules suitable for parsed HTTP requests and replies.
Host Based Solutions
As discussed later under deployment, WAFs can be deployed in the network or on the protected host. This is also true for the other solutions discussed here. The deployment option selected is important for the stability, redundancy and performance of the solution but does not significantly affect the security it provides.
One exception to this observation is that host based IPSes often monitor traffic after it has been decrypted and parsed by the web server, and are therefore HTTP aware by definition.