Barracuda Web Application Firewall vs. Intrusion Prevention Systems (IPS) Whitepaper



Similar documents
Application Layer Encryption: Protecting against Application Logic and Session Theft Attacks. Whitepaper

Barracuda Web Site Firewall Ensures PCI DSS Compliance

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

How To Protect A Web Application From Attack From A Trusted Environment

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Barracuda Web Application Firewall

Where every interaction matters.

Barracuda Message Archiver Vx Deployment. Whitepaper

MatriXay WEB Application Vulnerability Scanner V Overview. (DAS- WEBScan ) The best WEB application assessment tool

Web Application Security

Gateway Security at Stateful Inspection/Application Proxy

Barracuda Message Archiver Vx Deployment. Whitepaper

Semantic based Web Application Firewall (SWAF V 1.6) Operations and User Manual. Document Version 1.0

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith

Imperva s Response to Information Supplement to PCI DSS Requirement Section 6.6

FortiWeb 5.0, Web Application Firewall Course #251

Networking for Caribbean Development

Guidelines for Web applications protection with dedicated Web Application Firewall

Information Technology Policy

Implementation of Web Application Firewall

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

Barracuda Web Site Firewall Administrator s Guide

The New PCI Requirement: Application Firewall vs. Code Review

Arrow ECS University 2015 Radware Hybrid Cloud WAF Service. 9 Ottobre 2015

Importance of Web Application Firewall Technology for Protecting Web-based Resources

THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS

How the Barracuda Web Application Firewall Secures Your Mobile and IoT Services. Whitepaper

Mingyu Web Application Firewall (DAS- WAF) All transparent deployment for Web application gateway

What is Web Security? Motivation

Intrusion detection for web applications

When Reputation is Not Enough: Barracuda Spam Firewall Predictive Sender Profiling. White Paper

Web Application Security. Radovan Gibala Senior Field Systems Engineer F5 Networks

IJMIE Volume 2, Issue 9 ISSN:

Application Firewall Overview. Published: February 2007 For the latest information, please see

PCI DSS Compliance. with the Barracuda NG Firewall. White Paper

Basic & Advanced Administration for Citrix NetScaler 9.2

The Hillstone and Trend Micro Joint Solution

REAL-TIME WEB APPLICATION PROTECTION. AWF SERIES DATASHEET WEB APPLICATION FIREWALL

Core Feature Comparison between. XML / SOA Gateways. and. Web Application Firewalls. Jason Macy jmacy@forumsys.com CTO, Forum Systems

F5 ASM i DB Monitoring w ofercie NASK

STOPPING LAYER 7 ATTACKS with F5 ASM. Sven Müller Security Solution Architect

Barracuda Intrusion Detection and Prevention System

Web Application Firewall on SonicWALL SSL VPN

Locking down a Hitachi ID Suite server

Hack Proof Your Webapps

Advanced Administration for Citrix NetScaler 9.0 Platinum Edition

A Layperson s Guide To DoS Attacks

Check list for web developers

NSFOCUS Web Application Firewall White Paper

Contemporary Web Application Attacks. Ivan Pang Senior Consultant Edvance Limited

Table of Contents. Page 2/13

Sitefinity Security and Best Practices

HTTPS Inspection with Cisco CWS

Application Security Testing

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

Comprehensive Filtering. Whitepaper

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

elearning for Secure Application Development

Complete Protection against Evolving DDoS Threats

Introducing IBM s Advanced Threat Protection Platform

10 Things Every Web Application Firewall Should Provide Share this ebook

The Benefits of SSL Content Inspection ABSTRACT

White Paper Secure Reverse Proxy Server and Web Application Firewall

Strategic Information Security. Attacking and Defending Web Services

Radware s Behavioral Server Cracking Protection

Web Application Firewall on SonicWALL SRA

Cloud Relay Solution. Whitepaper

The Key to Secure Online Financial Transactions

White paper. TrusGuard DPX: Complete Protection against Evolving DDoS Threats. AhnLab, Inc.

REAL-TIME WEB APPLICATION PROTECTION. AWF SERIES DATASHEET WEB APPLICATION FIREWALL

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair

Features of a comprehensive application security solution

How To Protect Your Web Applications From Attack From A Malicious Web Application From A Web Attack

THE ROLE OF IDS & ADS IN NETWORK SECURITY

Firewalls and Intrusion Detection

Inspection of Encrypted HTTPS Traffic

WEB APPLICATION FIREWALLS: DO WE NEED THEM?

Ruby on Rails Secure Coding Recommendations

INSTANT MESSAGING SECURITY

Protecting against DoS/DDoS Attacks with FortiWeb Web Application Firewall

全 球 資 安 剖 析, 您 做 確 實 了 嗎? Albert Yung Barracuda Networks

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

BlackRidge Technology Transport Access Control: Overview

Web Application Vulnerability Testing with Nessus

NSFOCUS Web Application Firewall

Web Application Security

FortiWeb for ISP. Web Application Firewall. Copyright Fortinet Inc. All rights reserved.

WEB SITE SECURITY. Jeff Aliber Verizon Digital Media Services

Cross Site Scripting in Joomla Acajoom Component

Barracuda Syslog Barracuda Web Site Firewall

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

Protect the data that drives our customers business. Data Security. Imperva s mission is simple:

HTTPS HTTP. ProxySG Web Server. Client. ProxySG TechBrief Reverse Proxy with SSL. 1 Technical Brief

Transcription:

Barracuda Web Application Firewall vs. Intrusion Prevention Systems (IPS) Whitepaper

Securing Web Applications As hackers moved from attacking the network to attacking the deployed applications, a category of products known as Intrusion Prevention Systems (IPS) emerged as a solution to provide the necessary protection. However, as these attacks have grown in sophistication and target Web-based applications, the security offered by IPS solutions falls short on multiple accounts due to their core technological design of matching attack signatures against the traffic coming into your network. Since one Web application differs from another, using simplistic pattern matching does not suffice. Securing against the latest Layer 7 Web attacks requires the security solution to be aware of Web application constructs and also to be aware of application context. This is the core of the next generation of products that secure Web applications Web Application Firewalls. Release 1 There is some confusion regarding the differences between these two technologies. IPS vendors often add to the confusion by claiming that their solutions provide complete Web application protection. This paper examines the essential differences between Web Application Firewalls and IPS solutions, especially with regard to Web application protection. Application Protection Technology Comparison IPS solutions work at the network layer and can detect network level attacks such as stealth port scans, CGI attacks and attacks aimed at the protocols. They allow or deny packets after comparing them to known attack signatures. Because the IPS has no knowledge of the Web Application Layer constructs, the data structure and encoding cannot be considered during this comparison. This approach fails to prevent many attacks, or generates false positives, depending on the security policies. The Barracuda Web Application Firewall fully terminates and proxies every connection. Because the firewall has complete visibility into the application layer constructs, it can apply strict security checks on the decoded request content. It also provides the flexibility to tighten or relax the security policies for individual elements, a requirement for securing complex Web applications. Application State Awareness Securing against certain attacks, such as cookie tampering, session hijacking and hidden form field tampering requires that application constructs such as cookie or session be understood, and that their values be monitored to prevent tampering. Web application constructs that security appliances must identify to secure against Layer 7 attacks: URLs Query/form parameters HTTP headers HTTP cookies Session context POST Response content Authenticaion services and other applications Since IPS products work at the network level and have no application state knowledge, they are incapable of blocking these application layer attacks. The Barracuda Web Application Firewall understands the Web traffic constructs and keeps track of the application state and client sessions. This enables it to enforce the full application state validation needed to secure the Web application. Securing Encrypted or Encoded Traffic Because most IPS products work at the network layer, they cannot validate encrypted sessions or interpret application encoding schemes. This prevents IPS technology from protecting the most mission-critical applications in a network. d5opx;ðóge]ì_ 3óâ= [Z_ܾçÙ Vð ' <½ #Ôm]ëæoª5Zòˆ!0^Ý kê Ø_mt_È _œ ín k»a H _?>'5@Ì êü_ Ýë_;u 37JMµ4[_ø Èò¾ø má¼_ Decrypt %2e%2e%2fpartners%2Fe%2ffinance%2frec%t2f Normalize../partners/finance/rec/ Secure

Good hackers know this and take full advantage of it. They use SSL to hide their activities from the security snoops. Hackers also use encoding schemes such as URL encoding, Unicode and hexadecimal to evade the security provided by IPS products, rendering their application protection useless against all but the simplest attacks. The Barracuda Web Application Firewall, by contrast, was designed from the ground up with Web applications in mind. As a result, it automatically decrypts and normalizes all traffic before attempting any security inspection. Protection from Attack Variants and Zero Day Attacks Most modern IPS products share a common heritage with signature-based intrusion detection system (IDS) solutions. They watch incoming network traffic and compare it against a database of signatures describing all previously known exploits. If a close match is discovered, the traffic is blocked. This signature-based approach requires each new threat to be discovered and added to the known threat signature database before it can be prevented. Even known signatures can escape detection by slightly modifying the attack signature. The Barracuda Web Application Firewall, however, uses both a positive security model and a signaturebased model. It ensures that every user request and response conforms to expected application usage and allows only valid traffic, which prevents both known and unknown application attacks with no signatures and no false positives. For example: On a page login.asp, the Barracuda Web Application Firewall can enforce the field loginid to only accept numbers [0-9] and a maximum value of 999999. This defeats all known and unknown injection attacks. Outbound Data Leak Prevention IPS solutions cannot intercept and modify outbound responses from the Web applications. Hackers frequently attempt to simulate error conditions where the server response reveals sensitive information about the application, server or the database. The information gathered can be used to launch focused attacks subsequently. The Barracuda Web Application Firewall suppresses sensitive information in responses such as stack traces and debugging information to cloak the Web applications. It also removes headers like server banners that can be used to identify the servers. Additionally, the Barracuda Web Application Firewall ensures that sensitive information like credit card information or social security numbers are either masked or blocked to protect against data leaks. Protection Against Forceful Browsing One of the most common hacker reconnaissance strategies is Web harvesting, either manual or using malicious robots and crawlers, in an attempt to gain access to resources that are not explicitly linked but may be easily attacked. One of the most common hacker reconnaissance strategies is Web harvesting, either manual or using malicious robots and crawlers, in an attempt to gain access to resources that are not explicitly linked but may be easily attacked. IPS solutions have no defense against such forceful browsing attacks. Since they cannot control the server error responses, they are unable to effectively cloak the Web applications. The Barracuda Web Application Firewall can automatically learn the precise application profile and its security policies from request and response traffic. This includes the application structure such as valid URL space, the FORM/query parameters allowed for each page, their maximum instances and allowed values. Any request for a resource outside the generated profile or violating the profile is denied by the Barracuda Web Application Firewall, thus protecting against forceful browsing. Granular Control A one-size-fits-all security model, as offered by IPS products, generates too many false positives when applications need to explicitly allow certain inputs that otherwise might be deemed as attacks. For example, an online email application may treat HTML input as valid, but the IPS would treat it as an XSS injection attack. A name parameter may be allowed a single quote (John O Connor) but this will match SQL injection patterns.

The Barracuda Web Application Firewall allows administrators to selectively relax the security policy to allow such inputs where they are required, while continuing to apply them everywhere else. IPS products do not offer such fine-grained exception configuration. Securing Customized Web Applications IPS protection is limited to well-known applications and platforms such as Microsoft, Oracle or Apache. But as many as 75% of all attacks today target vulnerabilities in customized application code built on top of these platforms for which there are no signatures. As a result, IPS solutions are not effective in these cases. This problem often is compounded by the fact that custom Web applications themselves are dynamic and complex, so as new vulnerabilities get introduced they require a different approach to securing these applications. Because it learns legitimate application behavior in real-time, the Barracuda Web Application Firewall is able to block both known and unknown attacks in standard platforms and customized application code. Securing Web Services and Protecting against Web 2.0 Attacks. The adoption of Web 2.0 technologies such as Web Services, SOAP, AJAX, JSON, RIA and RSS/Atom has generated additional attack vectors that are being increasingly exploited by hackers. Examples of such new attacks includes XPATH injection, WSDL probing, XML poisoning and parsing attacks, as well as many others. Existing attacks like XSS, CSRF and a combination of the two can be carried out in new ways with Web 2.0 application frameworks and are becoming very popular in the hacker s toolbox. Using the new client side frameworks such as AJAX, hackers are bypassing same-origin policy to get cross domain access to the victim s authenticated sites, thereby riding the victim s sessions without his/her knowledge. Refer to the whitepaper Barracuda Web Application Firewall: Benefits of Proxy- Based Web Application Firewalls for a more in depth discussion on proxy-based solutions. IPS products do not provide any protection from such attacks. The Barracuda Web Application Firewall uses advanced checks such as referrer checking and injecting unique session tokens in responses to thwart cross-domain session riding attacks. It also features a comprehensive XML firewall that denies attacks on Web 2.0 applications based on the new technologies such as AJAX and Web Services. Architectural Limitations of IPS Products Due to being non-proxy in nature, IPS solutions are not able to offer protection against application layer DoS attacks and do not have the deployment flexibility of the Barracuda Web Application Firewall as indicated below. DEPLOYMENT FLEXIBILITY IPS/IDS FIREWALL BARRACUDA WEB APP FIREWALL Secure network partitioning No Yes Integrated Load Balancer No Yes Accelerated application delivery No Yes TCP connection pooling No Yes Application content based routing No Yes SSL offloading No Yes Built in authentication engine No Yes Multiple applications single sign on No Yes

Feature Comparison The table below gives a quick comparison between the Web security abilities of other technologies vis-àvis the Barracuda Web Application Firewall. SECURITY IPS/IDS FIREWALL BARRACUDA WEB APP FIREWALL Injection attack protection (XSS, SQL) No Yes CSRF protection No Yes Normalize encoded traffic No Yes Inspect HTTPS traffic No Yes Session tampering/hijacking/ riding protection Forceful browsing prevention No Yes Data theft protection, cloaking No Yes Brute-force protection No Yes Web services projection No Yes Virus/malware upload protection No Yes Application layer DoS protection No Yes Rate control protection No Yes Request, response rewrite No Yes Application access logging and user audit trails No No Yes Yes To learn more about Barracuda s web security solutions, please visit www.barracuda.com/products or call Barracuda for a free 30-day evaluation at 1-408-342-5400 or 1-888-268-4772 (US & Canada). About Barracuda Networks, Inc. Protecting users, applications, and data for more than 150,000 organizations worldwide, Barracuda Networks has developed a global reputation as the go-to leader for powerful, easy-to-use, affordable IT solutions. The company s proven customer-centric business model focuses on delivering high-value, subscription-based IT solutions for security and data protection. For additional information, please visit www.barracuda.com. Barracuda Networks 3175 S. Winchester Boulevard Campbell, CA 95008 United States 408-342-5400 888-268-4772 (US & Canada) www.barracuda.com info@barracuda.com

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information