Understanding Web Application Firewalls – Part One!

Thursday, June 25, 2009 0:20
Posted in category Computer Security

This article covers a somewhat complex and lengthy security topic so I am breaking it into two parts.  The first part will discuss web applications, what they are, and the basics of website security including web application firewalls.  The second part of the article will go into more detail regarding web application firewalls, the PCI standard pertaining to web application firewalls, and, lastly, UTM and web application firewall capabilities.

Web Applications

Before we even look at web application firewalls, I want to make sure everyone understands what a web application is. A web application is basically a software application that is accessed or used through a web browser over a network, usually the internet but sometimes an internal network or intranet. For example, when you are accessing your bank account via the internet, you are using a web application. Also, if your employees access their payroll information via a web page, they are usually using a web application. Even registering for a college class can usually be done using a web application. You can look at this website to find a list of web applications. Web applications allow users to use their web browser to access and run an application that is running on a server. There are many benefits to using web applications, but there are also security risks associated with them. If you look at any of the many software vulnerability lists on the internet, you will see that the category with the most security vulnerabilities is usually web applications.

Website Security

What can you do to protect your business website if you are using web applications? There are a few different options for protecting websites in general. One is vulnerability scanning of the site to help discover any known vulnerabilities. Another, somewhat similar option is to perform, or hire a third party to perform, penetration testing on your website. This takes some expertise and, for most businesses, hiring an experienced third-party tester would be a good idea. Code review and/or code scanning is another option; code review is one of the options listed in the PCI standard for securing web applications. The option I want to talk more about today is the use of Web Application Firewalls. A Web Application Firewall is a device or software that sits between the website and the user. Its purpose is to look at and analyze HTTP traffic (which covers most website traffic), then block attacks or prevent other methods of information leakage. Hardware devices are usually preferred over software such as filters or plug-ins when implementing a web application firewall, but, as with all security measures, you will have to fit it to your needs and network setup.

The reason a web application firewall is beneficial is that your on-line applications are basically the access door to any sensitive information you are storing, such as credit card numbers or social security information, and the web application firewall is built to help protect this type of web traffic. If you want to find out whether you have sensitive information on your computers, read the recent article I wrote about sensitive information on your computers. You might wonder why you need a firewall specifically for web applications if you already have a basic firewall. Most firewalls are made to protect the perimeter of your network and do not have the capability to take an in-depth look at the HTTP traffic on your website in order to determine whether the application is behaving the way it was programmed or built to behave. You might also have an intrusion detection system protecting your network. Most intrusion detection systems are signature-based and/or anomaly-based, meaning they will detect known types of attacks or behavior that is out of the normal, but they do not have the capability to look at the traffic in depth. I am not saying that firewalls and intrusion detection systems are not good, just that each of these technologies has its place. None is a silver bullet that will 100 percent protect your business or your customers.
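To make the difference concrete, here is a small added example (not code from the original post or from any WAF product) of the kind of inspection a web application firewall performs and a perimeter firewall cannot: it parses a raw HTTP request, decodes the query-string and form parameters, and checks each value against a few constructed detection rules. A port-80 allow rule on a network firewall sees none of this; the host name, the parameter names and the sample requests are all constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed, deliberately small rule set. Real WAFs ship far larger ones;
# these three only illustrate matching on decoded parameter values.
RULES = [
    ("sql-injection", re.compile(r"('|\")\s*(or|and)\s+\d+\s*=\s*\d+|union\s+select", re.I)),
    ("cross-site-scripting", re.compile(r"<\s*script|javascript:|on\w+\s*=", re.I)),
    ("path-traversal", re.compile(r"\.\./|\.\.\\")),
]

def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path, parameters and headers."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    headers = dict(line.split(": ", 1) for line in header_lines if ": " in line)
    params = parse_qs(parts.query, keep_blank_values=True)
    # Merge URL-encoded form fields from a POST body so they are inspected too.
    if method == "POST" and headers.get("Content-Type", "").startswith(
            "application/x-www-form-urlencoded"):
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    return {"method": method, "path": parts.path, "params": params, "headers": headers}

def inspect(raw: str) -> list:
    """Return (rule, parameter) findings for a request; an empty list means allow."""
    request = parse_request(raw)
    findings = []
    for name, values in request["params"].items():
        for value in values:
            # parse_qs decoded once; decode again so double-encoded payloads are seen.
            decoded = unquote_plus(value)
            for rule, pattern in RULES:
                if pattern.search(decoded):
                    findings.append((rule, name))
    return findings

# Constructed sample traffic: a normal account lookup and a tampered login.
BENIGN = "GET /account?id=1042&view=summary HTTP/1.1\r\nHost: bank.example\r\n\r\n"
INJECTED = ("POST /login HTTP/1.1\r\nHost: bank.example\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
            "user=admin&pass=x%27+OR+1%3D1--")

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN), ("injected", INJECTED)):
        print(label, "->", inspect(raw) or "allow")
```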

Don’t forget to get the rest of the article in part two!
