Not that long ago, firewalls were simple things. They fit neatly into corporate networks and helped to protect anything residing on that network from external threats. Today, the mission isn’t so simple.
Many corporate applications reside beyond the firewall, and many workers need to access internal applications from remote locations. And while traditional firewalls are good at blocking suspicious traffic at the lower levels of the TCP/IP protocol stack, they’re not designed to block layer 7, or application layer, attacks.
For instance, think of how much information enters your databases through web-based forms. Hackers obviously see those forms as a point of entrance they can compromise. As attackers started moving up the stack, security companies had to respond in kind.
Thus, web application firewalls are designed specifically to protect against layer 7 attacks. Web application firewalls are becoming nearly as important as traditional firewalls, and if your organization doesn’t have one, you are courting danger.
Keep these five questions in mind as you search for the web application firewall that is right for your organization:
1. What exactly are you trying to protect?
For some organizations, the main thing to protect will be a web-based email portal for traveling employees. Others need to protect sensitive customer data from prying eyes – a challenge that, if not met, could compromise compliance with industry regulations.
Carlos Romero is the EVP of Technology for Smart Business Technology (SMART), a developer of payment and transaction software. After more than two decades of developing payment software, its customers began asking for a hosted solution.
“If you’re going to host and process payments, you need to achieve Level 1 PCI compliance,” Romero said. “That meant our online security had to meet the same standards as Wal-Mart or Visa.” (In contrast, the typical corner store is Level 4 compliant.)
SMART brought in an auditor, and the auditor’s main recommendation was to install a web application firewall. Romero investigated some low-cost, software-only solutions, but quickly dismissed them as inadequate.
Protecting cardholder data and maintaining PCI compliance meant that discount solutions weren’t worth the risk, and that his organization would need to invest in a more robust hardware-based solution.
2. How will it fit in with your existing security solution?
After ruling out low-end web application firewalls, Romero then looked at solutions from Barracuda and Fortinet, eventually going with Fortinet.
SMART was already using Fortinet’s traditional firewalls, so the decision made sense. “We have a comfort level with Fortinet,” Romero said. “We know their products work as advertised. The UI is easy to use, and their support has always been top-notch.”
Romero liked the fact that his IT staff already pretty much knew their way around the FortiWeb product because the UI was consistent with other Fortinet firewalls. This reduced training time and, on an ongoing basis, will make managing the device much easier.
3. How open does your application need to be?
Human Kinetics (HK) publishes online materials related to kinesiology. It hosts its own e-commerce website and nearly 40 other educational and storefront sites, which together get about half a million unique visits per month.
Especially for e-commerce sites, the traditional method of blocking traffic doesn’t work. People need to be able to get to your storefront. After evaluating several (unnamed) vendors, HK selected F5’s BIG-IP Application Security Manager (ASM).
HK didn’t realize until after deploying F5 that the previous solution had been blocking more traffic than it should have. “Users would get an error message and the page wouldn’t load at all,” said Brad Trankina, Director of Network and Information Systems at Human Kinetics. “Some customers would leave the site in frustration rather than wait 10 to 15 seconds for a page to download.”
The previous solution they were using provided only high-level, non-specific error reports, which made it difficult to pinpoint and correct problems.
Lyons says HK’s entire approach to security has changed from that of keeping people out of the network to inviting them in. “With the F5 solution, we’re getting far fewer false positives, so we’re allowing more legitimate traffic,” he said. “Because F5 enables deep packet inspection, we can tell exactly what is causing an error and know how to fix it.”
4. Are there other features you would prefer to integrate with Layer 7 protection?
Most web application firewall vendors offer a number of complementary security solutions that can be delivered as part of a larger package. HK, for instance, went with a combined Local Traffic Manager (to improve app delivery) and BIG-IP ASM solution.
Many Check Point customers want the ability to consolidate external web protection with internal controls to prevent abuses. AAA of New York has processes and procedures in place for when employees need to bring information into the network.
“In the past, applications such as Dropbox were a concern as they enabled people to get around our processes and allowed them to send out or bring in documents and files which could compromise our security,” said Fred Komoroski, CIO, AAA New York.
The Check Point URL Filtering and Application Control Software Blades integrate with one another to provide AAA with unified enforcement and management for all aspects of its web security strategy. The solution provides AAA with the ability to identify, block, or limit applications, widgets, and URLs that pose a threat to its network environment or employee productivity.
5. How much of a threat is web-based email?
Global investment bank Greenhill & Co. must comply with strict federal requirements for capturing the content of all interactions with customers. However, Greenhill was experiencing numerous issues with its incumbent firewall from Juniper Networks. In particular, monitoring and controlling webmail was problematic.
Webmail applications were easily evading detection by legacy “port-blocking” firewalls and other security infrastructure by tunneling over SSL. Greenhill needed a flexible solution that would deliver network visibility, even into activities tunneled over SSL, and then allow it to select which users to block, assign different blocking criteria for certain users, and set such policies based on an Active Directory (AD) group.
“We needed better visibility into our network in order to block access to certain applications – especially Gmail over HTTPS,” said John Shaffer, Greenhill’s Director of Global Systems and Technology. “We could see users were circumventing our blocking solution by switching to SSL encrypted versions of webmail applications.”
The situation raised concerns internally about the firm’s vulnerability to data leakage and its overall compliance stance.
Shaffer read about Palo Alto Networks’ PA series firewalls in a trade publication and decided to test one out. The demonstration instantly unearthed users accessing Facebook, Gmail, RSS, Google Desktop, AOL Instant Messenger (AIM), Meebo, Skype and Yahoo! Mail.
“For the first time we could see exactly which users were accessing specific applications,” said Shaffer. One of the features that won over Greenhill’s IT team was Palo Alto’s ability to control application access on a per-user basis through integration with Active Directory.
Now that it has been deployed, the PA Series has helped Greenhill rein in webmail usage by blocking access to it unless a user has been added to the company’s Webmail Exception Users Group in Active Directory.
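To make concrete why a port-blocking firewall cannot see webmail tunneled over SSL, and how an application-aware policy with an Active Directory group exception behaves differently, here is an added Python example; it is not from the article or from any vendor named in it. The TLS ClientHello is constructed in code, the webmail host list is a made-up placeholder, and the SNI parser is a minimal illustration rather than a production decoder.

```python
import struct
from typing import Optional

WEBMAIL_HOSTS = {"mail.google.com", "mail.yahoo.com"}   # constructed placeholder list
EXCEPTION_GROUP = "Webmail Exception Users Group"       # AD group named in the article

def build_client_hello(host: bytes) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying an SNI extension."""
    sni_name = b"\x00" + struct.pack(">H", len(host)) + host       # name_type=host_name
    sni_list = struct.pack(">H", len(sni_name)) + sni_name
    sni_ext = struct.pack(">HH", 0, len(sni_list)) + sni_list       # ext type 0 = server_name
    exts = struct.pack(">H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + b"\x00" * 32      # client_version + 32-byte random (zeroed)
            + b"\x00"                       # session_id length 0
            + b"\x00\x02\xc0\x2f"           # one cipher suite
            + b"\x01\x00"                   # one compression method: null
            + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body            # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs      # record type 0x16 = handshake

def extract_sni(record: bytes) -> Optional[str]:
    """Return the server_name from a ClientHello, or None if the record is not one."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        return None
    p = 43                                               # skip record/handshake headers, version, random
    p += 1 + record[p]                                   # session_id
    p += 2 + struct.unpack(">H", record[p:p + 2])[0]     # cipher_suites
    p += 1 + record[p]                                   # compression_methods
    if p + 2 > len(record):
        return None                                      # no extensions block
    ext_end = p + 2 + struct.unpack(">H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack(">HH", record[p:p + 4])
        p += 4
        if etype == 0:                                   # server_name: list_len(2) type(1) name_len(2) name
            name_len = struct.unpack(">H", record[p + 3:p + 5])[0]
            return record[p + 5:p + 5 + name_len].decode("ascii", "replace")
        p += elen
    return None

def port_based_decision(dst_port: int) -> str:
    """Legacy port blocking: anything on 443 is indistinguishable from ordinary HTTPS."""
    return "allow" if dst_port in (80, 443) else "block"

def app_aware_decision(record: bytes, user_groups: set) -> str:
    """Identify webmail from the SNI and block it unless the user is in the exception group."""
    host = extract_sni(record) or ""
    is_webmail = any(host == h or host.endswith("." + h) for h in WEBMAIL_HOSTS)
    if is_webmail and EXCEPTION_GROUP not in user_groups:
        return "block"
    return "allow"
```

Running both decisions over the same Gmail-over-HTTPS flow shows the gap the article describes: the port-based rule allows it, the application-aware rule blocks it unless the user's AD groups include the exception group.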