Web App Firewalls Toughen Up

State-of-the-art firewalls prevent the exploitation of Web application holes.

With a pressing need to do more to protect Web applications from attack, IT staff can turn to a new class of specialized firewalls that do a great deal to protect Web servers, Web applications, and connected internal servers and databases from attack.

Each of the three Web application firewalls eWEEK Labs reviews here—Kavado Inc.s InterDo 3.0, Sanctum Inc.s AppShield 4.0 and Teros Inc.s Teros-100 APS (Application Protection System) 2.1.1—provides next-generation attack defense through a deep understanding of how HTML applications function.

All three products go through an HTML parsing phase where they learn the form field, application structure and cookie usage for each Web page. The firewalls use this information to dynamically inspect all incoming requests. They can therefore block requests that modify hidden fields or cookies or submit malformed requests, such as very long parameters or parameters containing script or SQL commands.

Teros-100 APS goes further yet—and earns an Analysts Choice award—by providing high-level content filtering and recognition algorithms, coupled with simple and effective Bayesian traffic pattern recognition algorithms, to determine legitimate site behavior. No product in this category does what we think a mature effort should, but at this early technology development stage, Teros-100 APS stands out.

The deep level of protocol inspection used by each of the products we tested, customized to each page in each protected application, is the big win for customers adopting any of them.

These tools are an especially good fit for organizations that are having difficulty cleaning up security problems in their Web applications.

Compatibility is one benefit. Because Web application firewalls look only at the outgoing HTML stream (the application code itself is a black box to them), they will work with Web applications written in any language or deployed on any platform. Speed of deployment is another benefit to these application firewalls. Although it may take considerable time to tune them, all three products offer basic protection almost immediately.

Now the downside: All three of these tools can break existing Web applications through their strict controls on allowable behavior. While the firewalls we tested show improvement over their respective past releases in terms of how effectively they are able to infer correct behavior, we advise potential adopters to be ready for several cycles of painstaking reconfiguration and fine-tuning.

An advance wed like to see in this category of products is tighter integration with common Web application development languages and back-end databases. These products have to guess, with varying degrees of accuracy, what data type each HTML form field should be. The ability to parse source code or scan data types in the back-end database tables would let the application firewall know much more precisely what data input was allowable. Were still some time away from this level of sophistication, however.