Installing a Web application firewall in the right place buys you time: you can patch your applications according to your own plan, which is very different from rushing out a fix for an attack that is bringing the application down, or paying extra for the emergency work that developers and testers then have to do.
"That's the real return on investment," says Mark Kraynak, head of product marketing at Imperva. Kraynak also contributed heavily to the Web application firewall evaluation criteria recently published by the Web Application Security Consortium.
Among the many kinds of firewall, the consortium defines a Web application firewall as "an intermediary device, placed between the Web client and the Web server, that inspects traffic at layer seven of the OSI model (the application layer) for attacks according to a security policy." In other words, a Web application firewall is a security device that protects the Web server from attack.
"The goal of the WAFEC project is to help companies and organizations evaluate Web application firewalls," said Ivan Ristic, founder of Thinking Stone, a London Web application security company, and leader of the Web Application Firewall Evaluation Criteria project.
According to the consortium, a WAF does not require any changes to the application's source code. A WAF may be built on a proxy-based architecture, on packet inspection, or on both; WAFEC does not mandate a specific architecture.
"The goal of the project is not to promote new features, but to give a way to compare different firewalls," says Jeremiah Grossman, founder and chief technology officer of WhiteHat Security in Santa Clara, Calif., and a project leader. The document does not mean that every criterion is mandatory. Companies and organizations can refer to the criteria and, according to their own needs, draw up a shorter list of their own. Ristic said, "You cannot achieve everything listed in the document; many of the requirements contradict each other. That is to say, it is about the right choice, not about having all of them."
The categories listed in the document include deployment architecture, HTTP and HTML support, detection techniques, protection techniques, logging, reporting, management, performance, and XML.
WAFs target the application layer, not the network layer
Kraynak said that "WAFs are different from network firewalls, which focus on the perimeter of the network; they have different concerns, and more of them." A standard network firewall does not look at cookies, and it does not understand the meaning of URL parameters, which is another problem.
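To make the difference concrete, here is a small added illustration (not code from the article, WASC, or any vendor named in it) of the layer-seven inspection a WAF performs and a network firewall cannot. It parses a raw HTTP request and checks it against a positive security policy: a hypothetical application's allowed paths, the parameters each path accepts with a pattern for each value, and the cookies the application is known to set. The policy, paths, parameter names and the sample requests are all constructed for the example. A layer-3/4 filter would see the same source address and port for both sample requests and pass them identically; this check distinguishes them by reading URL parameters and cookies, which is the point Kraynak makes above.

```python
"""Minimal layer-7 policy check in the style of a Web application firewall.

Constructed example: a tiny HTTP request parser plus a positive security
policy (allowed paths, allowed parameters with value patterns, allowed
cookies). Everything here is hypothetical and exists only to show what
"inspecting the application layer according to a security policy" means.
"""
import re
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, urlsplit

# Hypothetical policy for a hypothetical application: each path lists the
# parameters it accepts and the regular expression every value must match.
POLICY = {
    "/search": {
        "q": re.compile(r"^[\w\s\-]{1,64}$"),
        "page": re.compile(r"^\d{1,3}$"),
    },
    "/account": {"id": re.compile(r"^\d{1,10}$")},
}
# Cookies the application is known to set, with the shape of their values.
ALLOWED_COOKIES = {"session": re.compile(r"^[A-Za-z0-9]{32}$")}
MAX_HEADER_LEN = 4096


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into method, path, query pairs and headers."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    return {
        "method": method,
        "path": url.path,
        "query": parse_qsl(url.query, keep_blank_values=True),
        "headers": headers,
    }


def evaluate(raw: bytes) -> list[str]:
    """Return the list of policy violations; an empty list means the request is allowed."""
    violations = []
    req = parse_request(raw)
    if req["method"] not in ("GET", "HEAD"):
        violations.append(f"method not allowed: {req['method']}")
    rules = POLICY.get(req["path"])
    if rules is None:
        violations.append(f"unknown path: {req['path']}")
        return violations
    # URL parameters: a network firewall never sees these as parameters at all.
    for name, value in req["query"]:
        pattern = rules.get(name)
        if pattern is None:
            violations.append(f"unexpected parameter: {name}")
        elif not pattern.fullmatch(value):
            violations.append(f"parameter {name} fails pattern")
    for name, value in req["headers"].items():
        if len(value) > MAX_HEADER_LEN:
            violations.append(f"header too long: {name}")
    # Cookies: checked by name and by the shape of the value.
    cookie = SimpleCookie()
    cookie.load(req["headers"].get("cookie", ""))
    for name, morsel in cookie.items():
        pattern = ALLOWED_COOKIES.get(name)
        if pattern is None:
            violations.append(f"unexpected cookie: {name}")
        elif not pattern.fullmatch(morsel.value):
            violations.append(f"cookie {name} fails pattern")
    return violations


# Constructed sample requests: same client address and port from a network
# firewall's point of view, very different at the application layer.
GOOD_REQUEST = (
    b"GET /search?q=firewall&page=2 HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Cookie: session=" + b"a" * 32 + b"\r\n\r\n"
)
BAD_REQUEST = (
    b"GET /search?q=firewall&debug=1 HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Cookie: session=short; admin=1\r\n\r\n"
)

if __name__ == "__main__":
    print("good:", evaluate(GOOD_REQUEST))  # []
    print("bad:", evaluate(BAD_REQUEST))    # three violations
```

The policy here is deliberately a whitelist (a positive model): anything the application has not declared is a violation, which is what lets the check flag an extra parameter or cookie without knowing anything about specific attack techniques. A real deployment would also have to handle request bodies, encodings and HTTP/2, which is exactly why WAFEC lists HTTP and HTML support as its own category.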
Ristic emphasizes the importance of a layered security model with different security controls at different levels. "Place the Web application firewall in the right place, and you can watch, monitor, and view the attack signals. If you don't have a Web application firewall in front of your application, you don't know what is happening and you can't control what is going on."
Ristic also said that a WAF is not omnipotent. "The application needs to start out secure, which is very difficult. Web apps are definitely not always 100% secure. We should use a security policy and achieve tiered protection."
Grossman added: "We have had network firewalls for decades, and no one dares to declare that they can stop all attacks. Similarly, Web application firewalls are unlikely to prevent all attacks, and they still require us to do some things manually."
WAFs are still on shaky ground
Yankee, based in Boston, believes the WAF market is "ripe" but has not been properly guided. In 2005, the WAF market was worth $40,000,000 and grew at a rate of 10%, while over the past five years the overall security market has been growing at 20% to 30%.
Yankee predicts that over the next few years the WAF market will be absorbed into a larger market, including the existing one, made up of application assurance platforms that integrate WAFs, database security, XML security gateways and application blocking management.
For companies now deciding whether they need a WAF, Forrester offers three suggestions:
1. Calculate the value of the assets that need protection and the expected cost of an incident
2. Obtain an evaluation copy of the product and deploy it in a test environment
3. Shortlist only products that meet or exceed current and medium-term requirements