Filling the Security Gap between the Network and Applications
By Mark Bouchard and Ken Salchow Jr.
Confronted with steadily maturing network-layer defenses, attackers are increasingly turning their attention to the application layer and the corresponding business applications that are being served. At the same time, organizations have been increasing their reliance on web applications, in particular to meet the needs of the extended enterprise – that is, the growing population of distributed users. These range from an organization’s own employees to a variety of business partners and customers, as e-commerce continues a period of resurgence and escalating growth. Indeed, e-commerce currently represents approximately 2 percent of all retail revenues, and should exceed 10 percent by the end of the decade.
The intersection of these various trends clearly indicates the need to establish robust web application security defenses. Not surprisingly, the web application firewall is emerging as a primary component of such defenses. However, what constitutes best-of-breed from a technology perspective and best-practice from an implementation perspective remain somewhat vague.
The statistics regarding web application vulnerabilities exemplify the growing problem:
1 From 1Q04 to 1Q05 there has been a 20 percent rise in the number of application-specific vulnerabilities identified (SANS Institute)
2 Over 50 percent of all new vulnerabilities being identified on a weekly basis are attributed to web applications (SANS @RISK, “The Consensus Security Vulnerability Alert”)
3 Greater than 80 percent of all malware that emerged in the past year has focused on exploiting application-layer vulnerabilities (estimate compiled from various sources).
The statistics being published are sufficient to support a couple of general conclusions. Specifically, it is increasingly clear that: (1) applications have their share of weaknesses and (2) currently deployed safeguards are not effectively preventing these vulnerabilities from being exploited.
The first of these conclusions is fairly intuitive and does not warrant further discussion. However, the second one does deserve additional attention, particularly in light of widespread claims by vendors that their formerly network-focused security products now also provide application-layer protection. To be clear, these claims are not inaccurate, but they are a bit misleading.
Strictly speaking, products such as network firewalls and intrusion prevention systems do provide application-layer protection, typically by enforcing standards-compliant usage of the various protocols associated with the application layer of the OSI reference model (e.g., HTTP for web, SMTP for email, FTP for file transfer). However, protocol conformance says nothing about whether a perfectly well-formed request carries a malicious parameter value, so this degree of capability is far from sufficient to prevent the types of attacks referenced.
Application vulnerability scanners are useful and complementary tools. However, it is important to recognize that such tools will never be able to catch every weakness and that subsequent remediation is not included as part of the solution. Furthermore, remediation for some vulnerabilities may not even be possible or practical. Thus, while useful, a web application vulnerability scanner should not be construed as a replacement for a web application firewall, which is in fact capable of providing protection for both undiscovered and un-resolvable vulnerabilities.
In summary, organizations are clearly at risk due to the existence of numerous application-specific vulnerabilities, the prevalence of associated attacks, and the inability of currently deployed safeguards to control either of them.
A Proportional Response – The Web Application Firewall
Web application firewalls pick up where conventional safeguards leave off. Indeed, it is the ability to account for the code and logic of utility and business applications that makes a web application firewall such an appropriate and complementary control when it comes to achieving application security – at least for the most dominant type of application (i.e., web) in use today.
Much like with conventional firewalls, it is appropriate for web application firewalls to include signatures and other mechanisms to prevent known attacks. However, such negative security models are never sufficient on their own. They depend on the near-impossible task of enumerating everything that could go wrong with an application session. The result is a significant maintenance effort, yet very little protection from zero-day threats.
Arguably much more powerful and practical, and in any case highly complementary, is the use of a positive security model. This entails identifying the finite universe of allowed interactions with an application and the subsequent denial of all activities that lie outside this scope. In this case, effectiveness depends on the completeness and granularity with which allowed interactions are enumerated, while practicality depends on being able to do this automatically – or at least with only a modest amount of administrative involvement.
It is also important to recognize that each application being protected requires its own, individual policy model. Furthermore, the degree of thoroughness, accuracy, and automation will be impacted by different technologies and architectural elements used with different applications. For example, not all web application firewalls can account for embedded JavaScript at the client or dynamic content generation at the server.
A brief summary of the top security and management features to consider when selecting a web application firewall follows.
Security
1 Attack filters (negative model) prevent generalized attacks.
2 A positive security model focuses on preventing targeted attacks, such as cross-site scripting, SQL injection, forceful browsing, cookie poisoning and invalid input. Ideally this should also include the ability to account for (a) dynamic code/content at both the client and server ends of the application, (b) the state and context of the user’s session, and (c) bi-directional traffic flows.
3 Content protection blocks the exodus of private/sensitive data, such as credit card numbers, patient health information, and social security numbers.
4 Cloaking keeps potentially useful system information (server software and version banners, detailed error messages) from being exposed to outsiders. Related to this is the use of a reverse proxy architecture, which terminates the client connection at the firewall, and the ability to decrypt inbound SSL sessions for inspection and then optionally re-encrypt them before forwarding them to the appropriate web servers.
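The following is an added example, not code from the original article or from any product it describes. It sketches the outbound half of the feature list above: content protection that masks credit card numbers and social security numbers in a response body, and header cloaking that strips server and platform banners before the response leaves. The header names, the regular expressions and the sample response are all constructed for this illustration; a Luhn check is used so that arbitrary digit runs (order numbers, tracking numbers) are not mistaken for card numbers.

```python
import re

# Response headers that disclose platform details to outsiders; dropping them is
# the header-cloaking part of the feature. (Set chosen for this example.)
LEAKY_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces/dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US social security numbers in the common dashed form.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_valid(digits):
    """True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_card_numbers(body):
    """Mask Luhn-valid card numbers, keeping only the last four digits.

    Returns (masked_body, number_of_cards_masked). Digit runs that fail the
    Luhn check (order IDs, tracking numbers) are left untouched, which keeps
    the false-positive rate down.
    """
    count = 0

    def repl(match):
        nonlocal count
        digits = re.sub(r"\D", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)
        count += 1
        return "*" * (len(digits) - 4) + digits[-4:]

    return CARD_RE.sub(repl, body), count


def mask_ssns(body):
    """Mask SSNs as ***-**-NNNN; returns (masked_body, count)."""
    count = 0

    def repl(match):
        nonlocal count
        count += 1
        return "***-**-" + match.group(0)[-4:]

    return SSN_RE.sub(repl, body), count


def cloak_headers(headers):
    """Drop headers that reveal server software and versions."""
    return {k: v for k, v in headers.items() if k.lower() not in LEAKY_HEADERS}


def filter_response(headers, body):
    """Apply header cloaking and outbound content protection to one response."""
    body, cards = mask_card_numbers(body)
    body, ssns = mask_ssns(body)
    return {
        "headers": cloak_headers(headers),
        "body": body,
        "cards_masked": cards,
        "ssns_masked": ssns,
    }


# Constructed sample response (not captured from any real system).
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Server": "Apache/2.0.54 (Unix) PHP/4.3.11",
    "X-Powered-By": "PHP/4.3.11",
}
SAMPLE_BODY = (
    "Order 1234567 confirmed. Card 4111 1111 1111 1111 charged. "
    "Patient SSN 123-45-6789 on file. Tracking 9999999999999."
)

if __name__ == "__main__":
    result = filter_response(SAMPLE_HEADERS, SAMPLE_BODY)
    print(result["headers"])
    print(result["body"])
```

Run directly, the script prints the cloaked header set and a body in which the test card number becomes `************1111` and the SSN `***-**-6789`, while the 13-digit tracking number survives because it fails the Luhn check. In a real deployment this filter would sit on the decrypted response path of the reverse proxy, which is why the text above ties content protection to SSL termination.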
Management
1 Thorough and accurate policy generation is necessary to maximize the ability to block real attacks while minimizing the likelihood of blocking legitimate sessions. Instrumental to achieving this objective is the use of multiple “discovery” techniques.
2 A visual policy editor facilitates operator understanding and adjustment of auto-generated rules. In addition, pre-defined security levels corresponding to different degrees of protection and granularity of the policy model are useful to help strike a balance among the degree of protection, the potential for false positives, and the degree of operator involvement.
3 Virtual systems capabilities and role-based administration effectively partition logical instances of the web application firewall and related management functions to support protecting multiple applications from one physical instance of the product.
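The following is an added example, not code from the original article or from any product it describes. It ties together the negative and positive security models discussed earlier and the "discovery" step from the management list: a handful of illustrative signatures stand in for the negative model, a policy is learned from constructed legitimate traffic (one policy per method and URL, as the text requires), and that policy is then enforced as an allow-list. The signatures, URLs, parameter names and traffic are all made up for this illustration; the point is that the last three test requests carry no signature match at all and are caught only by the positive model.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# --- Negative model: a few illustrative attack signatures -------------------
# Real products ship thousands of these; the point here is only to contrast
# the approach with the positive model below.
SIGNATURES = [
    ("sql_injection", re.compile(r"(?i)'\s*or\s+\d+\s*=\s*\d+|union\s+select")),
    ("xss", re.compile(r"(?i)<script\b|javascript:")),
    ("path_traversal", re.compile(r"\.\./")),
]


def negative_check(request):
    """Return the name of the first signature matching the raw URL, or None."""
    _method, url = request
    for name, pattern in SIGNATURES:
        if pattern.search(url):
            return name
    return None


# --- Discovery: learn the allowed interactions from legitimate traffic ------
def learn_policy(requests):
    """Build a per-URL policy from observed legitimate (method, url) pairs.

    For every method+path seen, record each parameter name together with the
    longest value observed and whether every observed value was purely numeric.
    """
    policy = {}
    for method, url in requests:
        parts = urlsplit(url)
        entry = policy.setdefault((method, parts.path), {})
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            spec = entry.setdefault(name, {"max_len": 0, "numeric": True})
            spec["max_len"] = max(spec["max_len"], len(value))
            spec["numeric"] = spec["numeric"] and value.isdigit()
    return policy


# --- Positive model: deny everything the policy does not enumerate ----------
def positive_check(policy, request):
    """Return a violation label, or None if the request fits the policy."""
    method, url = request
    parts = urlsplit(url)
    entry = policy.get((method, parts.path))
    if entry is None:
        return "forceful_browsing"          # method/URL never seen in discovery
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        spec = entry.get(name)
        if spec is None:
            return "unknown_parameter:" + name
        if len(value) > spec["max_len"]:
            return "length_exceeded:" + name
        if spec["numeric"] and not value.isdigit():
            return "type_violation:" + name
    return None


def evaluate(policy, request):
    """Run both models and report which, if any, would block the request."""
    neg = negative_check(request)
    pos = positive_check(policy, request)
    return {"negative": neg, "positive": pos,
            "blocked": neg is not None or pos is not None}


# Constructed training traffic standing in for the "discovery" phase.
TRAINING = [
    ("GET", "/catalog/item?id=1042"),
    ("GET", "/catalog/item?id=7"),
    ("GET", "/catalog/search?q=widget"),
    ("GET", "/catalog/search?q=blue+widget"),
    ("POST", "/cart/add?id=1042&qty=2"),
]
POLICY = learn_policy(TRAINING)

# Constructed test requests: one legitimate, the rest hostile or off-policy.
TESTS = [
    ("GET", "/catalog/item?id=7"),
    ("GET", "/catalog/item?id=1' or 1=1--"),                 # SQLi: both models fire
    ("GET", "/catalog/search?q=<script>alert(1)</script>"),  # XSS: both models fire
    ("GET", "/catalog/item?id=0x31"),                        # no signature, wrong type
    ("GET", "/catalog/item?id=7&debug=1"),                   # parameter never seen
    ("GET", "/admin/config"),                                # URL never seen
]

if __name__ == "__main__":
    for req in TESTS:
        print(req[1], evaluate(POLICY, req))
```

Two caveats the text hints at are visible here. The learned policy is only as good as the discovery traffic: a parameter that legitimate users never exercised during learning will be blocked as unknown, which is the false-positive side of the trade-off the security levels in item 2 are meant to tune. And the negative model matches on the raw URL, so trivial encoding changes defeat it, whereas the positive model works on the decoded parameter values the application itself would see.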
For all its benefits, the web application firewall is only a “proportional response.” In other words, it is tightly focused on overcoming the security-oriented shortcomings of conventional safeguards when it comes to protecting web applications. However, what good is security if the applications that are being protected are not available in the first place, or if they are operating so slowly that it seems that way in any event? The point is that application security is in fact part of the larger challenge of application delivery. As such, a more optimal response would be one that simultaneously addresses all three of the key issues that comprise this challenge, ensuring not only the security of applications, but also their availability and performance.
In Search of an Optimum Response
Having established the need for application security and for some of its chief features, what still remains is identifying the best location and manner in which to implement them. Ideally, this would be done in such a way as to minimize the impact on current infrastructure investments and to minimize the resulting management overhead.
One option would be to combine application security functionality directly into existing network infrastructure devices, such as the routers that act as the initial gateways from the Internet into an organization’s own computing environment. While seemingly attractive in terms of being the first point of entry, these devices are otherwise ill-suited to the task. Fundamentally, they are architected to deal with packets, quickly assessing some basic characteristics and deciding where next to send each of them. They do not generally possess the capability for application-layer processing or application-layer intelligence. Nor, in most cases, do they represent a good location for the compute-intensive process of decrypting traffic. Accommodating all of these other functions would ultimately require a complete re-architecting of the network device, and even then would tend to detract from its primary objective: routing.
A second option would be to build the required security capabilities into the applications themselves. Eliminating vulnerabilities at their root by implementing secure coding techniques has the potential to be eminently effective. However, various practical challenges render this a long-term objective – and, in fact, one that may never actually be sufficient, or relatively efficient. These include:
1 Making security a priority among application developers (both internal and external) who have traditionally been focused solely on functionality (and somewhat on performance) will require a wholesale cultural change – not to mention a significant amount of training.
2 It is impractical to expect security to be retro-fitted into the tens to thousands of applications that organizations have already deployed (especially when they don’t even have rights to the source code for many of them).
3 Managing many security capabilities separately within each application introduces complexity and scalability problems, many of which can be alleviated by leveraging centralized resources for these services.
Finally, even if elements of security are embedded within each application, adhering to best practices will still require a defense-in-depth strategy. In other words, it will still be prudent to implement a separate application-aware security system to account for any oversights or errors introduced in the secure application development process.
That brings us to yet a third option for placement of necessary application security capabilities: the network firewall. This location actually has a fair degree of merit. The required application awareness could be added relatively easily, especially for the subset of firewall products that are based on application-proxy architecture. SSL processing is not an unreasonable stretch, particularly given the fact that most firewalls already tackle the intensive operations and sensitive key management functions associated with IPSec VPNs.
As noted above, application delivery involves not only application security but also application optimization and availability. These latter two functions are the domain of what the industry currently refers to as application front ends (AFEs), which are essentially an evolutionary follow-on to the merger of server load balancers and SSL offload/acceleration devices.
AFEs incorporate a widening array of features for ensuring not only that the application sessions have a viable path between client and server, but also that the optimum path is used (when choices exist) and that the sessions themselves are optimized to reduce both latency and infrastructure loading. Not surprisingly, they are also ideal platforms for hosting web application firewall capabilities, for several reasons:
1 They reside in close proximity to the applications they are serving.
2 They are increasingly application aware, particularly as optimization and availability techniques are being extended up the stack.
3 They already perform SSL decryption, and optional re-encryption, obviating the need to do so redundantly elsewhere.
4 They are based on architectures and hardware that are geared toward high performance, both in terms of throughput and latency.
If the respective capabilities are integrated properly, the result can be a unified and simplified approach to policy management, with availability, optimization, and security attributes all addressable simultaneously and “in context” on a per application basis.
Application Services Infrastructure
Whether operating standalone or embedded in a single device, the combination of AFE and web application firewall capabilities can appropriately be referred to as application services infrastructure. The point of this term is to convey a centralized and comprehensive set of “helper” services that can easily be (re-) used across an entire population of applications. Such a solution enables all applications – not just web apps – to essentially subscribe to those services that are available and will in fact improve their condition. Indeed, it can be expected that over time the breadth of services provided will expand.
Overall, the value of an application services infrastructure is that it effectively delivers all of the benefits of having better performing and more secure applications in an efficient and economical manner. Application development and deployment cycles can be shortened by virtue of taking advantage of external security capabilities. The overall network and systems infrastructure is dramatically simplified through consolidation of related services. And operational management efforts are reduced based on having fewer total devices and an integrated system for policy management, troubleshooting, and auditing functions.
In short, implementing an application services infrastructure is the optimum response for addressing the application delivery challenges confronting today’s organizations. Not only does it tackle the clear and present danger of inadequate application security, but it also addresses the complementary requirements pertaining to application availability and optimization.
About the Authors
Mark Bouchard is an independent consultant focused on information security and risk management strategies. Ken Salchow Jr. is a security systems architect with F5 Networks, Inc. He can be reached at kj@salchow.name.