The Web Application Security Problem

Any discussion of Web Application Firewalls must be preceded by a review of the problem they aim to solve: the web application security problem.

Nothing, including computer software, is perfect. A software malfunction results in unexpected behavior of the application, something we refer to as a bug. Such a bug causes damage similar to a security breach, including disruption of service or damage to information integrity. When exploited intentionally by an interested party, such a bug becomes a security breach, and the potential damage may also include loss of confidentiality. Naturally, once exploited intentionally, the damage inflicted by a bug can be much more severe than if it were inflicted accidentally. Bugs that are suitable for intentional exploitation are called vulnerabilities.

Web applications greatly extended the scope of the issue. First and foremost, such applications are inherently exposed. Once everything became connected, sometime in the last decade of the 20th century, the firewall (referred to here as a "network firewall") became the de facto solution for ensuring that only necessary services are exposed outside the perimeter of the organization. Web applications are one of those services that need to be exposed to serve their purpose.

However, web applications are much more exposed than other externally connected applications. Other servers, such as mail and FTP servers, are based on software written by software companies and are relatively static. The same mail and FTP servers, apart from security updates, have served us for more than a decade. The number of vulnerabilities decreases as the application matures. Stability also means that security becomes more important than additional functionality, and it makes it easier to follow an orderly development life cycle and ensure proper testing.

Finally, being widely installed, many people can test the security of such servers before an attacker finds a vulnerability. As a result, the prevailing security measure for public-facing servers has been the intrusion detection and prevention system. Such systems are based on signatures that match known attack vectors, limiting exposure to only the time frame between the moment the vulnerability becomes known to attackers and the moment the signature or patch is issued, which is short if not negative.

For further discussion of intrusion detection systems refer to the relevant chapter.

Web applications are very different:

  • Web applications are unique to the organization, each one exposing its own vulnerabilities, which reduces the effectiveness of signatures for known vulnerabilities.
  • Web applications can be, and are, changed frequently to adapt to the business objectives of the organization, making maintenance of an orderly software development cycle hard.
  • Web applications are complex, objectively and subjectively. Web applications are event driven, due to the web paradigm of client-server interaction, and many programmers just don't understand the flow well enough. On the other hand, web development is considered simpler, and therefore less experienced developers get to do it.

As a result, vulnerabilities in web applications account for a huge part of real-world information security incidents and virtually all of those related to data center security.
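To make the contrast between generic signatures and application-specific vulnerabilities concrete, here is a small added illustration (not code from the original text). It runs two rule sets over constructed request lines: a generic, IDS-style signature for a hypothetical known vulnerable component (the path `probe-known.cgi` is a placeholder, not a real product), and a rule that only the owner of this particular shop application could write, because only they know that a cart quantity must be positive. The generic set misses the application-specific flaw entirely.

```python
import re
from typing import Dict, List, Optional

# Constructed sample request lines, as a web server might log them.
# "probe-known.cgi" is a placeholder for a component that a public
# signature feed would cover; it is not a real vulnerable program.
SAMPLE_REQUESTS: List[str] = [
    "GET /index.html HTTP/1.1",
    "GET /cgi-bin/probe-known.cgi?x=1 HTTP/1.1",
    "POST /cart/add?item=42&qty=-5 HTTP/1.1",
    "POST /cart/add?item=42&qty=2 HTTP/1.1",
]

# Generic, IDS-style signatures: the same patterns are shipped to every
# deployment because they describe vulnerabilities in shared software.
GENERIC_SIGNATURES: Dict[str, re.Pattern] = {
    "known-component-probe": re.compile(r"/cgi-bin/probe-known\.cgi"),
}

# Application-specific rule: nothing in a public feed knows that this
# shop's /cart/add endpoint must never accept a negative quantity.
APP_RULES: Dict[str, re.Pattern] = {
    "negative-quantity": re.compile(r"/cart/add\?(?:.*&)?qty=-\d+"),
}


def match(request: str, rules: Dict[str, re.Pattern]) -> Optional[str]:
    """Return the name of the first rule whose pattern hits, or None."""
    for name, pattern in rules.items():
        if pattern.search(request):
            return name
    return None


def classify(requests: List[str]) -> List[Dict[str, Optional[str]]]:
    """Run both rule sets over each request and record which one fired."""
    return [
        {
            "request": r,
            "generic": match(r, GENERIC_SIGNATURES),
            "app": match(r, APP_RULES),
        }
        for r in requests
    ]


if __name__ == "__main__":
    for row in classify(SAMPLE_REQUESTS):
        print(f"{row['request']:<45} generic={row['generic']} app={row['app']}")
```

The request with `qty=-5` is invisible to the generic signature set, which is exactly the gap the bullet list above describes.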

The next section describes possible solutions and places web application firewalls within the solution sphere.