Everyone is on the WAF bandwagon!!!……WTF?
July 5th, 2008 Drazen Drazic Posted in Applications, Bad Developers, Bad Stuff, Dumb Security, Firewalls, IDS, PCI, PCI DSS, To cool, Vulnerability Management, WTF, Web Application Security, cyber crime |
I can’t believe the number of security “specialists” (many well known guys) who have jumped on the Web Application Firewall bandwagon! (WAF, f**king hate each new acronym). Amazingly, these dudes have done it all….by chance/coincidence to coincide with PSS DSS requirement 6.6! Where were they before this???? All heroes now! Put your hands up! Driving business….that is it….oh wow….I discovered a vendor that does this!
If your favourite blogger per chance is all of the sudden lately a fan of a WAF and helping push a product, I reckon you need to think about what they are doing! (talking to industry dudes, cred may have already be gone). Were they 12 months ago pushing the same message? Are they now a QSA (not that that matters so much but may ride on PCI DSS 6.6) and using that to drive business?
Has our situation changed that much that previous anti-WAF dudes are now sold on the benefits?
$$$$ vs industry objectives?! Oh yeah!
It’s all BS and I am happy for you to pull me up on it!
We’ve followed the WAF business since day 1! We’ve been there at the start of F5 products for example…BUT…..they’ve never wanted us to test them….we’ve tried and asked many times! (Wonder why?…..) So if anyone wants to promote them, ask the questions?!?! Maybe others did BUT we did not hear about it We just got the impression they were scared of letting us “test” the “system”.
Ooooh Yeah….we love pen testing against WAFs. Not one to this day has saved a site we have tested! While SG helps with product, we always acknowledge that product alone solves little.
Another DD rant you’re probably thinking. As usual, open to flames!
July 5th, 2008 at 1:04 am
As a client of Securus Global, the one thing that they have never done is exaggerate what they do! It would be too easy to see based upon my knowledge. Dealing with my CIO, they saved us bucks against PCI DSS and WAFs. Same time I seen companies sell out to make a buck! Jeremiah, have you only recently met F5?
July 5th, 2008 at 1:28 am
The Jeremiah Grossman stuff with WAF and F5 surprised me. His latest post sounded like a big marketing and sales ad. See my post above.
Business is business but our industry never forgets……..so I will cop it also!
July 5th, 2008 at 10:07 am
I need me one of those or at least someone to do it for me! I can’t be stuffed worrying about security so lets get it going. Another great promise of security to add to the list with Symantec, McAfee etc etc. Magic is good! I suppose every little bit help if you’re hopeless to begin with.
July 5th, 2008 at 12:55 pm
The good old bandwagon! Good post and pretty much in alignment with what I am seeing. The likes of an F5 are smart to get some known industry people backing them. Gives them some cred but are some selling out to get into bed with them?
July 5th, 2008 at 1:22 pm
Yeah amazing how quickly people can change their position on things. If I get one more vendor coming in the door to sell me on an encryption, compliance or application firewall solution to make me PCI compliant, I will start throwing haymakers. If I thought that a WAF was going to now provide me with something of substance, I would buy it. This tech has a long way to go and having “experts” tell me otherwise is not going to convince me.
July 6th, 2008 at 3:15 am
Hello everyone, I thought I’d chime in since my name was dropped.
First of all WhiteHat Security knew there was going to be a certain level of healthy skepticism towards the VA+WAF concept and we had our work cut for us to prove the benefits. We also appreciated that WAF industry had a lot of baggage from years past, and rightly so, though none of which we were responsible for. What we don’t appreciate, given our reputation, that our solutions be labeled as BS or snake oil. This is NOT what we are, have been, or will be while I’m around.
Our views on VA+WAF had little to do with PCI and everything to do with customer demand. As I write this we are conducting well over 600 web application vulnerability assessments per week on many of the largest, most recognizable, and important online properties. I don’t say this to brag, but to provide context. At that scale hundreds, if not thousands, of vulnerabilities are identified during the same period – statistically they’ll go unfixed for months or more with IT Security unable to do much of anything except plead with developers.
With the PCI 6.6 deadline looming our customers clamored for answers. Some even went to great lengths to try and disrupt or “trick” our scanner in effort to generate a “clean” report – a far worse outcome. Plus with vulnerability counts I was looking at there didn’t seem to be a way for web security at large to improve (mitigate vulns) near-term without a device such as a WAF. Far too many sites, far too many vulnerabilities, and the bad guys already taking advantage. The latest round of mass SQL injection attacks adds further proof. Anyone really think we’re going to fix 1MM+ vulns line by line?
Not being fond at all of WAFs ourselves, we’d been around the block with them too as you can tell by Arian Evan’s recent mailing list posts, still we felt we needed to keep an open mind and give them a second or even third look. So 18 months ago we began meeting with every major WAF vendor asking them a simple question, “if you knew the vulnerabilities in a website ahead of time would it help your product?” Half said yes, the other half said no. We worked with the half that said yes, but since then the others have come back around.
For our initial VA+WAF prototypes we wanted something simple to get started and a place to improve upon. It would be far from perfect, nothing lofty, and certainly not comprehensive. We decided to tackle the two most pervasive and most exploited vulnerabilities, XSS and SQL Injection, which also happen to be the easiest issues to scan for and block with a WAF. We also decided against attempting a positive security model as being too error prone being built up by a scanner.
We opted for a strict meta-character blacklist focusing only on the web applications and parameters known to be vulnerable. Without semi-colons, parens, quotes, etc. SQL Injection could not be (easily) exploited and also would not block legit traffic because those characters would not be valid anyway on a location known to have issues. The same logic applied to XSS and more classes of attack to follow. Finally we vetted the concept with a number of our customers and analysts. We’d done our homework, the feedback overwhelmingly positive, so we built it.
Please don’t take this the wrong way, but we don’t build our solutions to please competing industry experts/vendors. We build solutions to help our customers overcome the problems they ask about. Sorry this comment turned out so long. With that background I’d be happy to personally walk anyone here through a live demo showing how it all works and would be happy to answer any questions about the technology. Blog anything you’d like about what you see, no NDA required. The exact same thing Mike Andrews and I did recently. Thanks for your time.
July 6th, 2008 at 9:39 am
@Jeremiah, good to have you post here.
I think you’ve got a tough task at present to convince many in the industry that the technologies are at a level where a customer should/could have a strong level of confidence that their security position is going to be significantly improved. (Unless they’re coming from a relatively weak base to begin with in my opinion). Additional costs, additional layers of security/complexity, and is the focus being further taken away from the core issues and potentially more serious problems already within the client site?
If the number of vulns is high, the likelihood that they’re owned/compromised already is good. Not coming from a fair and zero starting base means that vuln testing and then using a WAF as a front end protector to stop some known vulns being exploited is a flawed premise. Saying that, I assume WH would be considering this already and be addressing it on a per client basis. But, given most organisations in our opinion prefer not to investigate the likelihood of already being compromised (based upon number and type of vulns detected), but would rather just patch/re-build in the hope that if anything bad was happening, it all quietly goes away, you’re just protecting the already beaten systems. Giving a company the option of doing away with hardening systems, patching, etc even though I know this is not *your* intention, you know it’s going to be happening.
Personally, my confidence in the WAF technologies today is not high but they’ll get better I assume. Will they ever get to a level where I will recommend them as a must have to a client, who knows.
Good luck with it all. Looking forward to talking more about this.
DD
July 7th, 2008 at 3:14 am
Hey DD, good to be here and now we’re getting somewhere. You bring up some excellent points.
You’re right, VA+WAF is mostly designed for those “coming from a relatively weak base.” However, I do not believe the “focus being further taken away from the core issues”, if by core issues you mean “software security.” There are two parties involved, development and IT Security, who also have different budgets. Developers should not have to concern themselves with WAFs, or paying for them, that’s IT Security’s responsibility. And IT Security typically only has indirect involvement with code, that’s of course for the development group to manage. One should not distract or take away from the other.
The point that perhaps the system is already compromised, which by itself is interesting because I think it’s the first time I’ve seen the possibility mentioned in this context. Right again that organizations are unlikely to perform forensics unless an “event” compels them to do so, regardless of the number of type of vulnerabilities present. WH, as a VA provider, has limited insider information and can’t reliably make such a recommendation. What we have done from time to time is upon identifying particular high severity easy to find vulnerability suggest the customer might want to perform forensics because we’re probably not the first to find it. Again, we have no idea when and if they do so.
I think we also both agree that VA+WAF virtual patches will be used as long-term solutions whether we like it or not. An organization might perceive this mitigation as “good enough” over the costs of a code fix – and IMHO this should be their right to choose. Nothing says an organization MUST remedy a particular issue at all ever anyway. The business could make the conscious choice to accept the risk. What’s hard to measure presently is how difficult a blacklist virtual patch as I’ve described is to defeat. I think in most cases it’d be pretty hard if implemented properly, but confidence will need to be built over time, such as is our discussion here.
Personally I view WAFs the same way as another other security solution including multi-factor authentication, system hardening, patching, security-with-obscurity, etc. Its important to know what they’re good at, not so good at, and their hard/software costs. Each should be selected as dictated by the needs of the business to sufficiently reduce risk. Risk of getting hacked. Risk of failing compliance, and so on. And as we know, risk is an extremely tough thing to measure in infosec. All too many people give up though and go with conventional wisdom in effort to CYA.
July 8th, 2008 at 9:33 am
Interesting discussion.
The main problem I have with WAFs is it’s very much a 80% solution - it will only protect against 80% of the vulnerabilities.
Well that’s good and all, but it doesn’t work well in security. If you have 10 vulnerabilities that have the same capability then blocking 8 of them you’re raising the bar slightly, but really you’re not lowering the capability of any hackers that come across your site at all.
Say you use your blacklist to block quotation marks. Well that protects against this:
select * from table where stringcolumn=”…”
but does nothing to protect against this:
select * from table where intcolumn=…
For XSS, blocking quotation marks prevents this hole:
<input type=”text” value=”…”>
but doesn’t do wonders for this:
<input type=text value=…>
So say you have ten XSS holes in your system. Nine use quotes but one doesn’t. Are you really more secure if you block just the nine that use quotes?
Of course the major problem is there’s no context. Poor O’Conner can’t register to your site. The email site might not be able to have email addresses in angle brackets. The code site is totally stuffed.
Meanwhile the WAF is doing nothing to prevent someone from changing the query variable from 31432 to 38432 and grabbing someone else’s credit card number. Such a simple flaw, yet it does nothing.
How about we concentrate on implementing better solutions? Parameterise your SQL. Use whitelists for every field. Patch your software.
(As a side note, one of the latest tests I did had a WAF protecting it. It didn’t help much.)
July 8th, 2008 at 2:34 pm
How often does the question of ‘indepence’ of opinion get raised here ?
Facts are, you’d have to seriously question the independence of any expert opinion that is potentially clouded by sponsorships, gratuities or any other form of reward. (ie, someone paid to tell me that WAF is a good thing.)
Now I fully respect the right of those people to make such paid comments (thats their job) but I’ll treat ‘em with the same respect I would a car salesman or real estate agent: Buyer beware.
BG.
July 8th, 2008 at 3:48 pm
Before I went on my rant, we were in the process of a related panel/discussion type post on WAFs. Since I’m trying a good news only posting week, (though many think I won’t be able to make a week), I thought I would add the views from the “panel” here as a response. Keep in mind, the responses, all bar Matthew’s above were done before this original rant and don’t necessarily relate to posts and responses here directly. Indirectly though, they’re relevant to the topic.
** WAFs were being sold as magic solutions to app level security when they first started to hit the market some time back. The take-up was small…justified at the time?
RGod: Yes. The take up was tentative as is most new technologies.
DD: Big claims were being made which really couldn’t be backed up. Aside from that, few organisations even understood the risks so the thinking behind the tech was ahead of its time.
EmmoNot: Most definitely justified. The last thing people need in their network is another layer of “security” products.
** A heap of talk on the Net lately about WAFs and quite a few converts in recent times from guys in the industry. Are WAFs at a position to be taken seriously?
RGod: Taken seriously, yes - but - will they solve all your problems? no. In all the years that I have been penetration testing through them I am yet to have one stop an attack. Considering the cost, I think that is a problem.
DD: Would I recommend them ahead of other things, no. The tech is just too immature and not good enough as a line of defence at present.
EmmoNot: All I can see WAFs doing is increasing the complexity of pre-existing systems. Complexity is the enemy of security, most of the time. Spend the money on fixing the bugs.
** We’re still seeing a heap of vendors with dollars in their eyes – any technologies stand out to you that are worth a look?
RGod: There is no one size fits all. It all depends on what you are protecting. Do your own testing of all the types and you can and see what works best for you. Each product has its strengths and weaknesses and you need to find
one with the strengths that you need.
DD: I would say there’s a score of other things people should be looking at before WAFs.
EmmoNot: I recommend an investment in talented security staff as opposed to a bunch of product junk that’s just another thing for an attacker to compromise/increase your power bill/lower the uptime of your network/another hungry mouth to patch.
** We argued recently in Borb that PCI DSS 6.6 is a superfluous addition to the standard. What’s your thoughts on that?
RGod: The large print giveth, and the small print taketh away..Requirement 6.6 had teeth. It was a no BS rule that meant people had to invest in the technical security of their systems. However, since the ‘clarification’ paper came out, they have watered it down so much that it really does look and smell like something that is superfluous.
DD: You know my thoughts: (”summarised”)
http://beastorbuddha.com/2008/06/24/pci-dss-66-getting-on-the-comment-bandwagon/
EmmoNot: huh? WAF is a superfluous addition to the standard? well….It was added because so much cardholder data was being stolen using XSS and SQL injection. WAFs raise the bar for SQL injection, but expose you to different risk. Back to what I said before….
** Do you think many of your clients should be seriously looking at WAFs? In what circumstances if so?
RGod: Absolutley, its the way forward no question. Just make sure that the one that you buy works for your web application and is kept up to date with new attacks. Also, (and this will sound very silly, I know) make sure you
configure it properly.
DD: Hmmm….as I said, I would add a score of other things before this but if you believe 6.6 to the letter without the added interpretation notes, have a look. Have a look also if per chance you’ve built a web app presence that may somehow be built to be protected by one. What chance we reverse code to develop applications to fit the devices that are supposed to protect it? Anyone thought of that?
EmmoNot: If they have a massive amount of webapp code (like hundreds of thousands of lines) or a vulnerable webapp that they can’t fix, sure but really, is it going to work?
** Lets cut to the chase. With the testing you do for clients, are you seeing these things impacting upon your ability to detect and exploit vulnerabilities in the environments you are testing?
RGod: WAFs…. no. BUT, I have been blocked by staff who really know what they are doing and recognise malicious traffic on their network when they see it. It is essential that staff don’t rely on these types of devices to magically block everything. You still need to have staff who are on top of what they are doing.
DD: You guys tell me.
EmmoNot: Not really!
** Akin to having anti-badware software installed, do you think it is better to have something (WAF) than not have one at all?
RGod: Yes and no. Yes it is better than nothing, but I think organisations need to think long and hard about where they will get the bet value out of their security budgets.
DD: No…experience and history shows that if accountability for security can be handed over to a technology, no matter how questionable, people will do that in many cases - to the detriment of overall security and the company in general!
EmmoNot: Hell no! The less, the better!
**Any hope these things are ever going to really provide a decent level of security to cover for poorly developed software?
RGod: It’s the same kind of thing as the old ‘deep packet inspection’ routine that was been thrown around in 2002.. Filtering devices are being made more aware and being given longer teeth. Its a natural evolution from the first generation of non-stateful firewalls, slowly moving up the layers of encapsulation.
DD: Not unless we reverse code all apps to fit in with the tech itself. Am I onto something here?
EmmoNot: Maybe. I guess you can compare them to exploit prevention mitigations for memory based attacks (such as those provided by PaX) which are must-haves in this day and age. WAFs can stop/degrade a large amount of exploits, if installed, and configured correctly. They still leave gaps though. And introduce new ones. My question is: What protects the poorly developed software that’s running on the webapp firewall? (guessing that 90% of these things are running linux..)
July 8th, 2008 at 11:32 pm
@matthew
“Well that’s good and all, but it doesn’t work well in security. If you have 10 vulnerabilities that have the same capability then blocking 8 of them you’re raising the bar slightly, but really you’re not lowering the capability of any hackers that come across your site at all.”
This is true if you view WAFs in a vacuum. Let’s say you’ve adequately mitigated 8 of 10 issues with a WAF, IT Security can then recommend to the development group they prioritize the remaining 2 over the others, which be should/could be faster to deal with. We’re trying for incremental gains not silver bullets.
“So say you have ten XSS holes in your system. Nine use quotes but one doesn’t. Are you really more secure if you block just the nine that use quotes? ”
“secure” is a relative term, but again, if you’ve mitigated 9 you code fix the last one in the code. Its an easier/faster path to something comprehensive.
“Of course the major problem is there’s no context. Poor O’Conner can’t register to your site. The email site might not be able to have email addresses in angle brackets. The code site is totally stuffed.”
We’re suggesting extremely narrow rules on url parameters known to be vulnerable, see below for an example. I have little faith in global rules of any kind. Also, if the field that O’Conner was trying to login to was vulnerable to SQL Injection, I’d submit he in the vast majority of cases he wouldn’t able to login anyway because he would have caused the system to syntax error.
SQL Injection
SecRule ARGS:’/^(var)$/’ “([\'\"\(\)\;\-=`\*])” capture
XSS
SecRule ARGS:’/^(var)$/’ “([\'\"\(\)\;])” capture
“Meanwhile the WAF is doing nothing to prevent someone from changing the query variable from 31432 to 38432 and grabbing someone else’s credit card number. Such a simple flaw, yet it does nothing.”
Most of the time they don’t, that doesn’t mean they can’t though. I’ve been doing a lot of research in this area, even though we don’t have a WAF of our own, I think it can be done.
“How about we concentrate on implementing better solutions? Parameterise your SQL. Use whitelists for every field. Patch your software.”
They are and they should, however this is a developer activity. WAFs are an IT Security activity. The use of one should not preclude the use of the other.
July 10th, 2008 at 11:09 am
Yeah I read the encrypted URL post after I made my post. Pretty cool solution. I also see your point about prioritising the remaining two vulns.
So on a different tack, how do you protect the WAF itself? It’s something that I’m definitely worried about that the security you’re gaining is more than offset by the insecurity of the WAF host itself. After all if the WAF is taken over by an attacker it’s pretty much as good as if the web server itself is taken over. SSL I’d assume is terminated before the WAF, which means that encryption won’t help.
You’re increasing the attack surface enormously here - what’s to stop an attacker from going at the WAF?
July 11th, 2008 at 12:13 am
matthew, really nothing stops an attacker from going after a WAF, just like any other network device practically speaking. Externally WAF are probably easier to bypass than to outright hack. The web-interfaces are internally facing and OS/TCP stack is *nix. All well understood and used tech.
An acceptable level of comfort with WAFs will only come over time, just like they did with network firewalls. More people need to bang on them, deploy them, and openly talk about them their experiences. Issues will and have come up with various vendors, which helps the products improve and people to become OK with the complexity/security trade-off you mentioned.
You ask me, its not their security that should be the most worrisome, its their stability.
July 14th, 2008 at 10:32 am
Fair enough. Thanks for the really interesting discussion Jeremiah.
July 17th, 2008 at 11:16 pm
Waffle, waffle, waffle…the stuff is crap! Lets not compare this to FWs and what they did years ago and justify their (WAFs) existence. We’ve moved on. WAFs are nowhere near at a level that anyone should consider the serious investment! It’s not just the cost of the h/w and s/w but maintenance, management and admin of the crappy systems - let alone the extra layer of comms slow down while these systems pretend to be smart. Added management adds to complexity and further decreases ability to focus on core f**king problems. Wake up!
The infosec industry should not be bowing down and accepting patchwork defences as ‘well, it’s better than nothing’! That just gives support to shit practice to begin with and goes against what we stand for. Ok …. we can catch x number of y type vulns…great! So can and more a serious VA program. Weigh up the dollars vs. the negative positive BS this provides a cio and we’re taking many steps backwards in what we do in our industry.