How to Test Web App Firewalls | eWeek

How to Test Web App Firewalls

Written By
Andrew Garcia
Andrew Garcia
May 16, 2005
2 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

During tests of Web application firewalls, eWEEK Labs configured Imperva Inc.s and Kavado Inc.s products to protect versions of applications that internal staffers regularly use.

We installed a test version of our eWEEK Excellence Awards Web site on a Red Hat Inc. Fedora Core 3 Linux installation running The Apache Software Foundations Tomcat Java servlet container and using IBMs DB2 for the back-end database. We also deployed a Microsoft Corp. Exchange 2003 server deployed on Windows 2000 Server to protect access to the Outlook Web Access Web mail client.

We deployed each of these applications on a live, publicly accessible Internet connection. We deployed the Web application firewalls under test—Impervas SecureSphere 3.3 Dynamic Profiling Firewall and Kavados Defiance TMS—between clients and our servers, noting deployment differences as we added security while maintaining Internet connectivity for each application.

/zimages/5/28571.gifClick hereto read the reviews of SecureSphere 3.3 and Defiance TMS.

Our testbed configuration varied slightly for each Web application firewall. Kavados solution completely masks the public interface of Web applications through a reverse application proxy, which required that we change our Web server addresses. SecureSphere, meanwhile, seamlessly passed traffic without needing address adjustments.

Because of the relatively light traffic load on the test applications, we shortened the profiling period for each Web application firewall, while ensuring that all necessary Web pages had been identified, and manually adjusted field parameters close to the buffer limits defined in our database.

Large businesses wont have this luxury when creating profiles, given the volume and expansive nature of most applications. However, both of the Web application firewalls we tested offer out-of-band alternatives to monitor traffic patterns and application usage on live, production applications without impacting the network or application.

An application scanner that integrates with Web application firewalls will also be a wise investment, allowing administrators to continually probe applications as they evolve.

Kavado adds further benefit by allowing customers to import results found with the Kavado ScanDo application scanner into the Defiance system to automate learning profiles.

eWEEK Labs began the attack cycle on each Web application firewall using Nessus, performing probing scans for known vulnerabilities. We then proceeded with a variety of manually attempted buffer-overflow attacks to various fields, plus invalid HTTP protocol requests and forceful browsing attempts.

/zimages/5/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.