ICSA Labs Web Application Firewall Certification Testing Report Web Application Firewall - Version 2.1 (Corrected) Radware Inc. AppWall V5.6.4.



Similar documents
SSL-TLS VPN 3.0 Certification Report. For: Array Networks, Inc.

ICSA Labs Network Firewall Certification Testing Report Enterprise (VoIP) - Version 4.1x. SonicWALL, Inc.

Importance of Web Application Firewall Technology for Protecting Web-based Resources

Where every interaction matters.

Spikes Security Isla Browser Isolation System. Prepared for Spikes Security

Information Technology Policy

05.0 Application Development

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Barracuda Web Site Firewall Ensures PCI DSS Compliance

Reducing Application Vulnerabilities by Security Engineering

FortiWeb 5.0, Web Application Firewall Course #251

A Decision Maker s Guide to Securing an IT Infrastructure

Certification Report

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

How To Protect A Web Application From Attack From A Trusted Environment

Payment Card Industry (PCI) Data Security Standard

Internet Security and Acceleration Server 2000 with Service Pack 1 Audit. An analysis by Foundstone, Inc.

Guidelines for Web applications protection with dedicated Web Application Firewall

IndusGuard Web Application Firewall Test Drive User Registration

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

Advanced Administration for Citrix NetScaler 9.0 Platinum Edition

PCI Security Scan Procedures. Version 1.0 December 2004

Barracuda Networks Web Application Firewall

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

Playing with Web Application Firewalls

Firewalls. Chapter 3

How To Evaluate Watchguard And Fireware V11.5.1

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

Information Security Services. Achieving PCI compliance with Dell SecureWorks security services

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

Achieving PCI Compliance Using F5 Products

ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE

Websense Web Security Gateway: Integrating the Content Gateway component with Third Party Data Loss Prevention Applications

GFI White Paper PCI-DSS compliance and GFI Software products

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Visa U.S.A Cardholder Information Security Program (CISP) Payment Application Best Practices

Certification Report

Product Factsheet MANAGED SECURITY SERVICES - FIREWALLS - FACT SHEET

ensuring security the way how we do it

Playing with Web Application Firewalls

Anatomy of a Pass-Back-Attack: Intercepting Authentication Credentials Stored in Multifunction Printers

Integrated SSL Scanning

Basic & Advanced Administration for Citrix NetScaler 9.2

Attack Vector Detail Report Atlassian

SonicWALL PCI 1.1 Implementation Guide

SERENA SOFTWARE Serena Service Manager Security

The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency

74% 96 Action Items. Compliance

Arrow ECS University 2015 Radware Hybrid Cloud WAF Service. 9 Ottobre 2015

PCI Requirements Coverage Summary Table

S E C U R I T Y A S S E S S M E N T : B o m g a r B o x T M. Bomgar. Product Penetration Test. September 2010

Inspection of Encrypted HTTPS Traffic

LogRhythm and PCI Compliance

TABLE OF CONTENT. Page 2 of 9 INTERNET FIREWALL POLICY

Application Firewall Overview. Published: February 2007 For the latest information, please see

How to achieve PCI DSS Compliance with Checkmarx Source Code Analysis

DFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP)

PCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker

THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS

Imperva s Response to Information Supplement to PCI DSS Requirement Section 6.6

F5 and Microsoft Exchange Security Solutions

2: Do not use vendor-supplied defaults for system passwords and other security parameters

What to Look for When Evaluating Next-Generation Firewalls

Windows Remote Access

Cyber R &D Research Roundtable

NSFOCUS Web Application Firewall

SOLUTION GUIDE. Radware & CyberGuard Complete Security Solutions offering Load Balancing, High Availability and Bandwidth Management.

Did you know your security solution can help with PCI compliance too?

Contemporary Web Application Attacks. Ivan Pang Senior Consultant Edvance Limited

Network Security Policy

Web App Security Audit Services

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

External Supplier Control Requirements

Administering the Web Server (IIS) Role of Windows Server

Web application security: automated scanning versus manual penetration testing.

Barracuda Web Application Firewall vs. Intrusion Prevention Systems (IPS) Whitepaper

PAVING THE PATH TO THE ELIMINATION OF THE TRADITIONAL DMZ

Web Application Security. Radovan Gibala Senior Field Systems Engineer F5 Networks

Implementation Guide

Certification Report

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS)

IBM Managed Security Services Vulnerability Scanning:

Beyond Remote Control Features that Take Remote Control Capabilities to the Next Level of Network Management

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

MS 10972A Administering the Web Server (IIS) Role of Windows Server

Cloud Security:Threats & Mitgations

March

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes

Networking for Caribbean Development

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak DR V2.0

IBX Business Network Platform Information Security Controls Document Classification [Public]

Security-Assessment.com White Paper Leveraging XSRF with Apache Web Server Compatibility with older browser feature and Java Applet

REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB

Consensus Policy Resource Community. Lab Security Policy

FireEye Threat Prevention Cloud Evaluation

Deployment Guide: Transparent Mode

10972-Administering the Web Server (IIS) Role of Windows Server

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

Transcription:

ICSA Labs Web Application Firewall Certification Testing Report Radware Inc. V5.6.4.1 May 30, 2013 Prepared by ICSA Labs 1000 Bent Creek Blvd., Suite 200 Mechanicsburg, PA 17050 www.icsalabs.com WAFX RADWAREINC-2013-0530-01

Executive Summary Not every product can achieve ICSA Labs Web Application Firewall Certification. Only those products that meet the criteria after undergoing rigorous testing by network security experts at ICSA Labs earn this distinction. The criteria against which vendor-submitted products are tested is an industry-accepted standard to which a consortium of web application firewall vendors, end users, and the ICSA Labs staff contributed. This standard has evolved over the years into its present iteration version 2.1 (Corrected) of The Web Application Firewall Certification Criteria. The setting for testing is the Network Security Lab at ICSA Labs. During and following initial testing, products remain continuously deployed within this lab environment, which closely approximates the real Internet to ensure more realistic web application firewall testing. Products are available for and regularly subjected to supplemental testing as new attack techniques emerge and vulnerabilities become known. Successful web application firewall product testing culminates in the writing of a report that documents the results of each phase of testing. It also documents the product components submitted by the vendor, the configuration of the product as tested, and any patches or updates generated during testing. The goal of ICSA Labs is to significantly increase user and enterprise trust in information security products and solutions. For more than 20 years, ICSA Labs, an independent division of Verizon, has been providing credible, independent, 3rd party security product testing and certification for many of the world s top security product developers and service providers. Enterprises worldwide rely on ICSA Labs to set and apply objective testing and certification criteria for measuring product compliance and performance. ICSA Labs manages and facilitates technology consortia that focus on emerging, well-defined technologies. The consortia provide for information exchanges among industry leading developers, and for the development of product testing and certification programs and standards. For more information about ICSA Labs, please visit www.icsalabs.com. Product Overview Radware's is a Web Application Firewall (WAF) appliance that secures Web applications and enables PCI compliance by mitigating web application security threats and vulnerabilities. It prevents data theft and manipulation of sensitive corporate and customer information. Scope of Assessment The goal of ICSA Labs Web Application Firewall testing and certification program is to evaluate and certify products that implement security policy enforcement for the protection of HTTP and HTTPS Webbased applications. In conjunction with ongoing efforts in the industry to classify and categorize application security issues and mitigate potential vulnerabilities, the Web Application Firewall certification criteria was developed to provide security managers, application developers and others deploying web based applications with confidence in the products that secure vital application services from exploitation or attack. Summary of The Candidate Web Application Firewall Product met all the criteria elements in Version 2.1 (Corrected) of The Web Application Firewall Certification Criteria and therefore has attained ICSA Labs Web Application Firewall Certification. As mentioned above, the Candidate Web Application Firewall Product will remain continuously deployed at ICSA Labs for the length of the testing contract. In the event that the WAFX-RADWAREINC-2013-0530-01 Page 2 of 9

Candidate Web Application Firewall Product is found to no longer meet the criteria during a check, the Network Security Lab team will work with the vendor to resolve the problems in order for the Candidate Web Application Firewall Product to maintain its ICSA Labs Web Application Firewall Certification. A detailed overview of any issues found, and their resolutions, is located in the WAF Testing as well as the Criteria Violations and Resolutions section of this report Certification Maintenance The, like all products and product groups that are granted ICSA Labs Web Application Firewall Certification, will remain certified on this and future released versions of the product for the length of the testing contract. Future versions continue to be certified since the product is continuously deployed in the Network Security Lab and subjected to periodic spot-checks on the most current product version. Two circumstances will cause the to have its ICSA Labs Web Application Firewall Certification revoked: 1. Radware withdraws from the ICSA Labs Web Application Firewall Certification Program. 2. The product fails a periodic spot-check or full test cycle and Radware subsequently fails to provide an adequate fix within a prescribed length of time. Candidate Web Application Firewall Product Components To comply with the requirements stated in version 2.1 (Corrected) of The Web Application Firewall Certification Criteria, vendors must submit all necessary product hardware, software, and documentation. Collectively, the set of components delivered to ICSA Labs for testing comprises the product under test, called the Candidate Web Application Firewall Product. This section of the report describes each component of the Candidate Web Application Firewall Product submitted for testing in the Network Security Lab at ICSA Labs. Hardware Radware submitted an for testing. The Appwall was a 1U rackmount appliance with six 10/100/1000 Copper Ethernet ports, two GE SFP Fiber ports, one management console port and one USB port. Software The was delivered with version 5.6.3.1_86 of the firmware installed during the course of testing, the software was upgraded to 5.6.4.1. The required a license key, which was obtained from Radware. Documentation To satisfy documentation requirements, Radware provided the Network Security Lab team with the following electronic documents in order to assist in the installation, configuration and administration of the : Management Application User Guide Release Notes, Version 5.6.4, April 24, 2013 http://kb.radware.com/questions/3175 http://kb.radware.com/questions/3193 WAFX-RADWAREINC-2013-0530-01 Page 3 of 9

Web Application Firewall Certification Criteria The Candidate Web Application Firewall Product was tested against version 2.1 (Corrected) of The Web Application Firewall Certification Criteria: https://www.icsalabs.com/sites/default/files/waf_corrected_criteria_v2.1.pdf Web Application Firewall Configuration ICSA Labs installs the product submitted for testing to simulate a realistic deployment of the Candidate Web Application Firewall Product in a typical end user environment. Since products submitted for testing can often be configured many different ways, analysts frequently confront many configuration-related decisions both before and after installing the Candidate Web Application Firewall Product. For the purposes of these tests, analysts attempted to install and configure the Candidate Web Application Firewall Product as a typical end user would and according to its intended use. Analysts use the provided documentation to assist with all configuration decisions. If multiple configurations were used for testing, they are detailed below with the findings. Test Description The Network Security Lab team deployed the on a testbed designed to represent a real-world deployment of a web application firewall. The was deployed in a simulated DMZ, and was be protected from a simulated Internet by an ICSA Labs Certified Network Firewall Network Security Lab analysts ran a sophisticated suite of web attacks, penetration tests, and scans against a set of web sites protected by the to verify web application firewall functionality as defined in The Web Application Firewall Certification Criteria. ICSA Labs analysts also ran tests to verify proper operation of product administration and general functionality as dictated by the criteria above. Product Configuration Using the s Management Application, analysts did the following to configure the product: Created a new HTTP tunnel by right-clicking Tunnels -> HTTP -> Add. The tunnel was configured to have the listening the address be the public facing IP address which resolved to the protected webserver and the forwarding address was set to the IP address of the protected webserver itself. The hostname was added here as well. Under Security Policies, a new web application was created. The tunnel created in the previous step was added here. Under this web application, the [Any Host] settings for User Tracking and Authentication were enabled. Under Security Policies -> Hosts -> <Any Host>, CSRF was set to active, along with Directory Listing and URL Rewrite. Under the musicstore sub-directory, all actions were set to inherit. Under Auto Policy Generation, the auto Policy Generation was enabled to learn the protected website. After this completed, the application paths filter settings were all set to Manual and Active. Under Filters -> Parameters, some methods required fine tuning to enforce proper method usage. Filters were arranged such that logging was set highest in order to capture all requests before they were acted upon by the engine. WAFX-RADWAREINC-2013-0530-01 Page 4 of 9

Documentation The Network Security Lab team evaluated the documentation provided with the Candidate Web Application Firewall Product to verify that the vendor supplies adequate documentation to assist an end user with the installation, configuration, maintenance, and administration of the Candidate Web Application Firewall Product. Throughout testing, the Network Security Lab team use the documentation provided and evaluate it for accuracy, completeness, and usefulness. All documentation used during testing was found to meet the criteria. Functional Testing Once configured to enforce a security policy the Candidate Web Application Firewall Product is tested to validate that through testing that its security policy cannot be circumvented. The Candidate Web Application Firewall Product, while enforcing its security policy, must allow permitted services to function (HTTP, HTTPS, SSL) as designed while maintaining the integrity and confidentiality of the data. This includes the masking of internal application structure as well as information displayed to the user of the protected website. During Functional Security Testing the Network Security Lab team evaluates the Candidate Web Application Firewall Product to verify that it is also not susceptible to commonly known vulnerabilities or exploits. This includes attacks targeting buffer overflow, cross site scripting (XSS), cross site request forgery (CSRF), improper input validation session mismanagement and information leakage. The Network Security Lab team confirmed that the properly permitted the services tested while correctly enforcing the security policy. Vulnerability Testing During Vulnerability Testing he Network Security Lab team verifies that no unauthorized control of any of the Candidate Web Application Firewall Product administrative functions can be obtained. Also, the Candidate Web Application Firewall Product must demonstrate through testing that it is not vulnerable to any publicly know exploits or vulnerabilities as well as not introducing any vulnerabilities while enforcing its security policy. Finally, the Candidate Web Application Firewall Product must be able to mitigate as well as not be rendered inoperable by any trivial Denial of Service attack. The Network Security Lab team uses commercial, in-house, and freely available testing tools to attack and probe the Candidate Web Application Firewall Product. During vulnerability testing it is assumed that the Candidate Web Application Firewall Product resides behind an ICSA Labs Certified Firewall (network firewall). Therefore, the scope of this requirement is limited to valid network traffic destined for the Candidate Web Application Firewall Product or the servers it is protecting, for example, services such as HTTP, HTTPS, and Remote Administration. After Radware addressed the issues reported by the Network Security Lab team the was retested. The product properly permitted the minimum set of common services inbound and outbound per WAFX-RADWAREINC-2013-0530-01 Page 5 of 9

the Corporate module of the criteria. Furthermore, during re-testing of the, it was not susceptible to attacks launched inbound and outbound to and through the product, including trivial Denial-Of-Service attacks. Logging Version 2.1 (Corrected) of The Web Application Firewall Certification Criteria requires that the Candidate Web Application Firewall Product provide an extensive logging capability. In practice, this degree of logging may not be enabled at all times or by default. The Network Security Lab team evaluates each Candidate Web Application Firewall Product to verify that it has the ability to capture, and present the required system and network event information to enable an administrator to audit security related events. Additionally, it is not required that the Candidate Web Application Firewall Product be capable of storing the logs locally. However, if stored remotely additional testing is conducted. For all logged events the Network Security Lab team verifies that all necessary log data is recorded. The following log examples were collected during testing. The first is an example of a configuration change (time modified), the second is an example of a non-malicious request collected from the s logging filter, and the third is an example of a blocked attack collected from the s Management Application Web GUI. During the course of testing, Radware submitted firmware upgrades to address issues found in testing. See the Criteria Violations and Resolutions section for more information. May 8 00:26:00 appwall-beta Date Modified from Wed May 8 00:25:59 GMT 2013 to Wed May 8 00:26:00 GMT 2013 (date-set) ##205.160.130.66 40614##5-7-2013 23:15:5## GET /shop.php?sort=genre&&genre=punk HTTP/1.1 Host: musicstore.radware-appwall.prop User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-us; rv:1.9) Gecko/2008070309 CentOS/3.0-2.el5.centos Firefox/3.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Referer: http://musicstore.radware-appwall.prop/shop.php?sort=genre Cookie: store_cookie=dd129729254; Session_ID=0,Public,258,258,victim,1367968497,205.160.130.66,75d20cd5ac3220757daec57d9 8da3efd,3b5737eb4b657363682076686dea30a1,; K_V_D_store_cookie=kjbmdfkfnapbfgdlagpkphiapjejnkmlojoegpbiiamcpjmpoffdafhdhnkijhbnmcfdf fpgaicc Accept-Encoding: identity WAFX-RADWAREINC-2013-0530-01 Page 6 of 9

Administration Web application firewall products often have more than a single method by which administration is possible. Whether the product can be administered remotely using vendor-provided administration software, from a web browser-based interface, via some non-networked connection such as a serial port, or via some other means, authentication must be possible before access to administrative functions is gained. The Network Security Lab team tests not only that authentication mechanisms exist but also that they cannot be bypassed for all required administrative interfaces. The was administered through a Web GUI, although an SSH interface exists as well. Within the Web GUI interface, the Management Application can be run to administer the product s security engine. Initially, this was done through a separate application, but during the course of testing, this was integrated into the Web GUI. Initially, the did not meet all Administrative requirements. See the Criteria Violations and Resolutions section for more information. Persistence Power outages, electrical storms, and inadvertent power losses should not cause the Candidate Web Application Firewall Product to lose valuable information such as the security policy being enforced, log data, authentication data, and system clock information. Further, the security policy being enforced following the restoration of power should be the same as the security policy being enforced prior to the loss of power. This section documents the findings of the Network Security Lab team while testing the Candidate Web Application Firewall Product against the persistence requirements. During testing, no issues were found related to persistence. Criteria Violations and Resolutions Section In the event that the Network Security Lab team uncover criteria violations while testing the Candidate Web Application Firewall Product, the vendor must make repairs before testing can be completed and WAFX-RADWAREINC-2013-0530-01 Page 7 of 9

certification granted. The section that follows documents any and all criteria violations discovered during testing. Additionally any steps that must be taken by an administrator to ensure that the product meets the criteria are documented below. Results Logged events did not contain all elements specified in the criteria. This was corrected by updating the firmware to 5.6.4.1. Sensitive data fields were not masked in all areas. This was corrected by updating the firmware to 5.6.4.1. Not all administrative interfaces correctly enforced authentication. This was corrected by updating the firmware to 5.6.4.1. WAFX-RADWAREINC-2013-0530-01 Page 8 of 9

Testing Information This report is issued by the authority of the Managing Director, ICSA Labs. Tests are done under normal operating conditions Lab Report Date May 30, 2013 Please visit www.icsalabs.com for the most current information about this and other products Test Location ICSA Labs 1000 Bent Creek Blvd., Suite 200 Mechanicsburg, PA 17050 Product Developer s Headquarters Radware Inc. 575 Corporate Drive Mahwah, NJ 07430 USA The certification test methods used to produce this report are accredited and meet the requirements of ISO/IEC 17025 as verified by the ANSI-ASQ National Accreditation Board/ACLASS. Refer to certificate and scope of accreditation number AT 1423.. Testing reports shall not be reproduced except in full, without prior written approval of ICSA Labs. WAFX-RADWAREINC-2013-0530-01 Page 9 of 9

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information