How to Test Web App Firewalls

During tests of Web application firewalls, eWEEK Labs configured Imperva's and Kavado's products to protect versions of applications that internal staffers regularly use.

Download the authoritative guide: The Ultimate Guide to IT Security Vendors

During tests of Web application firewalls, eWEEK Labs configured Imperva Inc.s and Kavado Inc.s products to protect versions of applications that internal staffers regularly use.

We installed a test version of our eWEEK Excellence Awards Web site on a Red Hat Inc. Fedora Core 3 Linux installation running The Apache Software Foundations Tomcat Java servlet container and using IBMs DB2 for the back-end database. We also deployed a Microsoft Corp. Exchange 2003 server deployed on Windows 2000 Server to protect access to the Outlook Web Access Web mail client.

We deployed each of these applications on a live, publicly accessible Internet connection. We deployed the Web application firewalls under test—Impervas SecureSphere 3.3 Dynamic Profiling Firewall and Kavados Defiance TMS—between clients and our servers, noting deployment differences as we added security while maintaining Internet connectivity for each application.

/zimages/5/28571.gifClick here to read the reviews of SecureSphere 3.3 and Defiance TMS.

Our testbed configuration varied slightly for each Web application firewall. Kavados solution completely masks the public interface of Web applications through a reverse application proxy, which required that we change our Web server addresses. SecureSphere, meanwhile, seamlessly passed traffic without needing address adjustments.

Because of the relatively light traffic load on the test applications, we shortened the profiling period for each Web application firewall, while ensuring that all necessary Web pages had been identified, and manually adjusted field parameters close to the buffer limits defined in our database.

Large businesses wont have this luxury when creating profiles, given the volume and expansive nature of most applications. However, both of the Web application firewalls we tested offer out-of-band alternatives to monitor traffic patterns and application usage on live, production applications without impacting the network or application.

An application scanner that integrates with Web application firewalls will also be a wise investment, allowing administrators to continually probe applications as they evolve.

Kavado adds further benefit by allowing customers to import results found with the Kavado ScanDo application scanner into the Defiance system to automate learning profiles.

eWEEK Labs began the attack cycle on each Web application firewall using Nessus, performing probing scans for known vulnerabilities. We then proceeded with a variety of manually attempted buffer-overflow attacks to various fields, plus invalid HTTP protocol requests and forceful browsing attempts.

/zimages/5/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.