Web Application Firewall

Web application firewalls (WAFs) are a new breed of information security technology designed to protect web sites from attack. WAF solutions can prevent attacks that network firewalls and intrusion detection/prevention systems cannot, and they do not require modification of application source code.

In general, applications are vulnerable because their developers do not consistently employ secure coding practices. A WAF is designed to combat all attack types that have been categorized as high-level threats, including:

  • Cross Site Scripting (XSS)
  • SQL injection flaws
  • OS command injections
  • Site reconnaissance
  • Session hijacking
  • Application denial of service
  • Malicious probes/crawlers
  • Cookie/session tampering
  • Path traversal
  • Information leakage

In addition, companies that transact online face a host of growing industry regulations such as the Payment Card Industry Data Security Standard (PCI DSS), which mandates that all enterprise and Web applications handling credit card and account information undergo an extensive and costly audit of custom application code. The alternative for satisfying PCI DSS Section 6.6 is simply to install a WAF in front of those applications.

Articles

Barracuda Web Application Firewall

Published on January 24, 2011

The Barracuda Web Application Firewall is a complete and powerful security solution for Web applications and Web sites. The Barracuda Web Application Firewall provides award-winning protection against hackers leveraging protocol or application vulnerabilities to instigate data theft, denial of service or defacement of your Web site.

  • Protection against common attacks
  • Outbound data theft protection
  • Web site cloaking
  • Granular policies
  • Secure HTTP traffic
  • SSL Offloading
  • SSL Acceleration
  • Load Balancing

The Barracuda Web Application Firewall protects Web applications and Web services from malicious attacks, and can also increase the performance and scalability of these applications. The Barracuda Web Application Firewall offers every capability needed to deliver, secure and manage enterprise Web applications from a single appliance through an intuitive, real-time user interface.

  • Single point of protection for inbound and outbound traffic for all Web applications
  • Protects Web sites and Web applications against application layer attacks
  • Delivers best practices security right out of the box
  • Monitors traffic and provides reports about attackers and attack attempts

Barracuda Web Application Firewall Protects Against the Top 10 Biggest Web Site Threats

Each entry below gives the vulnerability, a description of the attack, and the Barracuda Web Application Firewall solution.

Cross Site Scripting (XSS)
  Description: Injects malicious code from a trusted source as a script to access cookies or session tokens, attack a local network, gain access to sensitive information stored by a browser, or spoof content to confuse the user.
  Solution: Terminates connections to validate user input and inspects incoming requests before forwarding them to back end servers.

Injection Flaws
  Description: Relays unauthorized create, read, update or delete commands through a Web application to access data on another system, such as the operating system, database or an external program.
  Solution: Inspects each request from the clients to the back end systems for valid inputs and blocks any malevolent commands.

Malicious File Execution
  Description: Leverages any Web application that accepts user-supplied input to open, read, modify or execute files on the server, causing a total server compromise.
  Solution: Blocks operating system (OS) command injections that attempt to access the server or make it act inappropriately.

Insecure Direct Object Reference
  Description: Exposes a reference to an internal object, such as a file, directory, database record, URL or form, that can be manipulated to gain unauthorized access or reduce system performance.
  Solution: Creates a Web site structure using granular URL and form-level settings so that any anomalous access request is treated as invalid or as a potential exposure.

Cross-Site Request Forgery (CSRF)
  Description: Hijacks the browser of a logged-in victim to send a pre-determined request to vulnerable Web applications without the victim's knowledge.
  Solution: Injects randomized tokens into online forms to authenticate data streams, eliminating the ability to submit malicious requests and cause harmful activity.

Information Leakage and Improper Error Handling
  Description: Exploits error messages to gather information about the OS and server versions, directories, patch levels and internal addresses in order to launch targeted attacks on the server using known platform vulnerabilities.
  Solution: Cloaks details of the Web application infrastructure and blocks a server's error messages from being sent to the client. Filters and intercepts outbound traffic to prevent the transmission of sensitive information, and blocks or masks attempts to access credit card numbers, social security numbers, client records or any other specified data type.

Broken Authentication and Session Management
  Description: Hijacks a session using cookies, form fields or other authentication tokens by leveraging the application's inability to protect credentials and tokens throughout their lifecycle.
  Solution: Fully terminates and proxies every connection to insulate each unique user session from exposure, and can stamp or encrypt the session cookies, making them tamper proof. Can also ensure that hidden or read-only form fields are not changed by the user.

Insecure Cryptographic Storage
  Description: Abuses the difficulty application developers face in encrypting credit card numbers, account records, user credentials or proprietary information for storage.
  Solution: Filters and intercepts outbound traffic to prevent the transmission of sensitive information. Blocks attempts to access credit card numbers, social security numbers, client records or any other specified data type.

Insecure Communications
  Description: Failure by applications to encrypt network traffic containing sensitive communications.
  Solution: Transforms a plain HTTP Web site into an HTTPS site without changing any code, ensuring secure transmission of data. Engages SSL to transmit data on the front end on behalf of an application, while sending plain text requests and responses to the back end servers.

Failure to Restrict URL Access
  Description: Guesses or tampers with an HTTP request to gain access to a Web site's resources, also known as "forceful browsing".
  Solution: Provides granular URL and form-level settings to create a Web site structure that validates incoming and outgoing session content. The Web site structure can be used to stop users from guessing and accessing resources deemed restricted from the public, such as Web pages under development.
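The outbound filtering described under Information Leakage and Insecure Cryptographic Storage (masking credit card and social security numbers in responses, cloaking server error pages) is easiest to understand as a response filter sitting between the application and the client. The following Python is an added example written for this page, not Barracuda's code; the regular expressions, the list of version-revealing headers, the generic error text and the sample response body are constructed assumptions. It goes one step beyond the page's wording by Luhn-validating candidate card numbers, which cuts false positives on order numbers and other long digit runs.

```python
import re

# Constructed detection patterns (assumptions, not vendor policy):
# 13-19 digits optionally separated by spaces or dashes, and a US SSN layout.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Response headers that reveal platform versions; assumed list.
VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; a digit run that fails it is not a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_card(match: re.Match) -> str:
    """Keep only the last four digits of a Luhn-valid card number."""
    raw = match.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_ok(digits):
        return raw              # long number, but not a card: leave it alone
    return "*" * (len(digits) - 4) + digits[-4:]


def filter_body(body: str):
    """Mask card numbers and SSNs in an outbound body.

    Returns (filtered body, list of finding labels) so a caller can both
    rewrite the response and log what was caught.
    """
    findings = []

    def card_sub(m: re.Match) -> str:
        out = mask_card(m)
        if out != m.group(0):
            findings.append("card")
        return out

    body = CARD_RE.sub(card_sub, body)
    body, ssn_count = SSN_RE.subn("***-**-****", body)
    findings.extend(["ssn"] * ssn_count)
    return body, findings


def cloak_error(status: int, body: str, headers: dict):
    """Replace server error pages with generic text and strip version headers."""
    headers = {k: v for k, v in headers.items() if k.lower() not in VERSION_HEADERS}
    if status >= 500:
        return "An error occurred.", headers
    return body, headers


if __name__ == "__main__":
    # Constructed sample response body; the card number is a well-known test value.
    sample = "Order 20110124 for card 4111 1111 1111 1111, ref 1234567890123, SSN 078-05-1120"
    cleaned, found = filter_body(sample)
    print(cleaned)
    print("findings:", found)
    print(cloak_error(500, "Traceback (most recent call last): ...", {"Server": "Apache/2.2.3"}))
```

The findings list is what a WAF would turn into its "attack attempts" report: the response is rewritten and the event is recorded, while legitimate long numbers such as the order reference pass through untouched because they fail the Luhn check.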
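The cookie stamping and hidden-field protection under Broken Authentication and Session Management both rest on one mechanism: the proxy attaches a keyed MAC to data it hands to the client and refuses the request if the data comes back changed. The following Python is an added example, not the product's implementation; the key, the `_waf_stamp` field name, the hidden-input regular expression (which assumes the attribute order type, name, value) and the sample form are assumptions, and `build_submission` only simulates a browser posting the form so the check can be exercised offline.

```python
import hmac
import hashlib
import re
from urllib.parse import parse_qs, urlencode

# Constructed key for this example; a deployed proxy would keep its own secret.
STAMP_KEY = b"constructed-demo-key-do-not-reuse"


def _tag(data: str) -> str:
    """HMAC-SHA256 over the data, hex encoded."""
    return hmac.new(STAMP_KEY, data.encode(), hashlib.sha256).hexdigest()


# ---- session cookie stamping -------------------------------------------
# On the way out the proxy appends a tag to the cookie value; on the way in
# it checks the tag, so an edited cookie is rejected before the application
# ever sees it.

def stamp_set_cookie(set_cookie: str) -> str:
    """Rewrite 'name=value; attrs' so the value carries a tag."""
    pair, sep, attrs = set_cookie.partition(";")
    name, _, value = pair.partition("=")
    return f"{name}={value}.{_tag(value)}{sep}{attrs}"


def verify_cookie(cookie_header: str, name: str):
    """Return the original value of cookie `name`, or None if missing or tampered."""
    for part in cookie_header.split(";"):
        k, _, v = part.strip().partition("=")
        if k != name:
            continue
        value, sep, tag = v.rpartition(".")   # tag is hex, so it contains no '.'
        if sep and hmac.compare_digest(_tag(value).encode(), tag.encode()):
            return value
        return None
    return None


# ---- hidden form field stamping ----------------------------------------
# Assumes attributes appear in the order type, name, value; a real proxy
# would use an HTML parser. Field names are assumed not to contain ','.
HIDDEN_RE = re.compile(
    r'<input[^>]*type="hidden"[^>]*name="([^"]+)"[^>]*value="([^"]*)"[^>]*>', re.I)
STAMP_FIELD = "_waf_stamp"   # assumed name of the added field

# Constructed sample form served by the application.
FORM_HTML = ('<form method="post" action="/buy">'
             '<input type="hidden" name="item" value="42">'
             '<input type="hidden" name="price" value="19.99">'
             '<input type="submit" value="Buy"></form>')


def protect_form(html: str) -> str:
    """Add a hidden field binding the names and values of all hidden inputs."""
    fields = HIDDEN_RE.findall(html)
    names = ",".join(n for n, _ in fields)
    stamp = f"{names}|{_tag(urlencode(fields))}"
    return html.replace(
        "</form>", f'<input type="hidden" name="{STAMP_FIELD}" value="{stamp}"></form>')


def verify_form(body: str) -> bool:
    """True if the submitted hidden fields still match the values that were served."""
    params = parse_qs(body, keep_blank_values=True)
    stamp = params.get(STAMP_FIELD, [""])[0]
    names, sep, tag = stamp.partition("|")
    if not sep:
        return False            # stamp missing or malformed
    fields = [(n, params.get(n, [""])[0]) for n in names.split(",") if n]
    return hmac.compare_digest(_tag(urlencode(fields)).encode(), tag.encode())


def build_submission(html: str, overrides: dict) -> str:
    """Simulate a browser posting the form's hidden fields, with optional edits."""
    fields = dict(HIDDEN_RE.findall(html))
    fields.update(overrides)
    return urlencode(fields)


if __name__ == "__main__":
    served = protect_form(FORM_HTML)
    print("honest submit:", verify_form(build_submission(served, {})))
    print("edited price:", verify_form(build_submission(served, {"price": "0.01"})))
    print(stamp_set_cookie("session=abc123; Path=/; HttpOnly"))
```

Because the tag is computed with a key the client never sees, the client can still read the cookie and the hidden values but cannot produce a valid tag for altered ones; that is what "tamper proof" means in the table, as opposed to confidentiality, which would need the encryption option also mentioned there.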
