RE: [WEB SECURITY] Query: Are Firewalls obsolete in an Enterprise Web Service Environment?
- From: "Martin O'Neal" <martin.oneal@xxxxxxxxxxxx>
- Subject: RE: [WEB SECURITY] Query: Are Firewalls obsolete in an Enterprise Web Service Environment?
- Date: Wed, 26 Mar 2008 14:07:01 -0000
The short answer is no, they aren't obsolete, because they enforce
appropriate controls at the appropriate place.
There is a worrying trend to view application layer firewalls as some
sort of a magical solution to a poorly written application; they aren't
(other than a useful short term fix whilst the application is
refactored). The place to enforce application layer controls is in the
application, not a gateway. A gateway doesn't understand context until
you specifically tell it, and even then the options are hopelessly
limited. Filtering input character-sets doesn't help with an escaping
problem in a broken application; it just damages the user experience
unnecessarily.
As a company, Corsaire spends hundreds of man-hours every month
assessing web applications and services, and the current trend is for
the majority of them to be deployed in a solution with a web app
firewall in the mix. Without very detailed configuration and tuning
(which I have *never* seen in a production environment) they do almost
nothing to stop attacks against the application. Actually, to be fair,
there was one occasion recently where a client was adamant that they
would fix the application errors by tweaking a WAF. The result was four
rounds of assessment whilst they got the configuration correct, and
afterwards, an application that you couldn't use an apostrophe in any
name fields without generating a security violation. Not a success
story.
Like IDS/IPS, these products require a lot of love to produce any value,
which inevitably they do not get in the real world.
On the specific subject of tunnelling, this can be happily delivered
through any data path. You can block some obvious stuff (as long as you
know what you are looking for), but it isn't possible to stop it (unless
you stop all data passing). I delivered a paper at a couple of closed
conferences last year that outlined a POC tool I had written that
tunnelled data through HTTP in arbitrary parts of the header (such as in
a cookie). I haven't done an extensive analysis, but so far there
hasn't been an occasion that I haven't been able to use this through a
WAF/proxy/firewall etc.
Martin...
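The apostrophe anecdote above is the whole argument in miniature: a gateway character-set filter and an application-layer escaping bug are two different things, and only the second is the real defect. The following Python/sqlite3 script is an added illustration, not code from the post or from Corsaire; the user records and the `waf_style_filter` function are constructed for the demo. It runs the same legitimate name through a WAF-style apostrophe filter, through a query that interpolates input into SQL, and through a parameterised query, so the three outcomes the post describes (false positive, broken query, correct result) can be compared side by side.

```python
import sqlite3

# Constructed sample data for the demo (not from the original post).
USERS = [("Martin O'Neal", "martin"), ("Ada Lovelace", "ada")]


def build_db():
    """In-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, login TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def waf_style_filter(value):
    """Hypothetical gateway rule: reject any input containing an apostrophe.

    It knows nothing about how the backend handles the value, so a
    perfectly legitimate surname becomes a 'security violation'.
    """
    return "'" not in value


def lookup_broken(conn, name):
    """The broken application: user input is pasted into the SQL text.

    An apostrophe in an ordinary name is enough to break the statement;
    the same flaw is what makes the query injectable.
    """
    sql = "SELECT login FROM users WHERE name = '%s'" % name
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return ("error", str(exc))
    return ("ok", row[0] if row else None)


def lookup_fixed(conn, name):
    """The application-layer fix: a parameterised query.

    The driver keeps data separate from SQL code, so no character
    filtering is needed and the apostrophe is just data.
    """
    row = conn.execute(
        "SELECT login FROM users WHERE name = ?", (name,)
    ).fetchone()
    return ("ok", row[0] if row else None)


def demo(name):
    """Run one name through all three paths and report the outcomes."""
    conn = build_db()
    return {
        "waf_allows": waf_style_filter(name),
        "broken": lookup_broken(conn, name),
        "fixed": lookup_fixed(conn, name),
    }


if __name__ == "__main__":
    for candidate in ("Martin O'Neal", "Ada Lovelace"):
        print(candidate, demo(candidate))
```

For "Martin O'Neal" the filter rejects the request outright, the interpolating query fails with a SQL syntax error, and the parameterised query returns the right login; for "Ada Lovelace" all three paths agree, which is why a WAF-only fix looks fine in testing until a real customer with an apostrophe turns up.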