How to Test Web App Firewalls

By Andrew Garcia  |  Posted 2005-05-16 Print this article Print

During tests of Web application firewalls, eWEEK Labs configured Imperva's and Kavado's products to protect versions of applications that internal staffers regularly use.

During tests of Web application firewalls, eWEEK Labs configured Imperva Inc.s and Kavado Inc.s products to protect versions of applications that internal staffers regularly use.

We installed a test version of our eWEEK Excellence Awards Web site on a Red Hat Inc. Fedora Core 3 Linux installation running The Apache Software Foundations Tomcat Java servlet container and using IBMs DB2 for the back-end database. We also deployed a Microsoft Corp. Exchange 2003 server deployed on Windows 2000 Server to protect access to the Outlook Web Access Web mail client.

We deployed each of these applications on a live, publicly accessible Internet connection. We deployed the Web application firewalls under test—Impervas SecureSphere 3.3 Dynamic Profiling Firewall and Kavados Defiance TMS—between clients and our servers, noting deployment differences as we added security while maintaining Internet connectivity for each application.

Click here to read the reviews of SecureSphere 3.3 and Defiance TMS. Our testbed configuration varied slightly for each Web application firewall. Kavados solution completely masks the public interface of Web applications through a reverse application proxy, which required that we change our Web server addresses. SecureSphere, meanwhile, seamlessly passed traffic without needing address adjustments.

Because of the relatively light traffic load on the test applications, we shortened the profiling period for each Web application firewall, while ensuring that all necessary Web pages had been identified, and manually adjusted field parameters close to the buffer limits defined in our database.

Large businesses wont have this luxury when creating profiles, given the volume and expansive nature of most applications. However, both of the Web application firewalls we tested offer out-of-band alternatives to monitor traffic patterns and application usage on live, production applications without impacting the network or application.

An application scanner that integrates with Web application firewalls will also be a wise investment, allowing administrators to continually probe applications as they evolve.

Kavado adds further benefit by allowing customers to import results found with the Kavado ScanDo application scanner into the Defiance system to automate learning profiles.

eWEEK Labs began the attack cycle on each Web application firewall using Nessus, performing probing scans for known vulnerabilities. We then proceeded with a variety of manually attempted buffer-overflow attacks to various fields, plus invalid HTTP protocol requests and forceful browsing attempts.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.
Andrew cut his teeth as a systems administrator at the University of California, learning the ins and outs of server migration, Windows desktop management, Unix and Novell administration. After a tour of duty as a team leader for PC Magazine's Labs, Andrew turned to system integration - providing network, server, and desktop consulting services for small businesses throughout the Bay Area. With eWEEK Labs since 2003, Andrew concentrates on wireless networking technologies while moonlighting with Microsoft Windows, mobile devices and management, and unified communications. He produces product reviews, technology analysis and opinion pieces for, eWEEK magazine, and the Labs' Release Notes blog. Follow Andrew on Twitter at andrewrgarcia, or reach him by email at

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel