
Re: ISA Server and SQL Injection

Subject: Re: ISA Server and SQL Injection
Date: Thu, 03 Mar 2005 11:24:12 +0000
Stephen,

You make some interesting points and I don't disagree with any of your principles.

I'm going to talk about a web application project I was recently involved in, and why I feel an app firewall was a good choice.

There were two developers (including myself) involved in the project, both reasonably versed in security issues. All code written was reviewed and tested by the other developer. We did not get source code externally audited because that was too expensive (maybe we didn't go to the right consultants). We did get a penetration test of the complete system by a reputable firm.

Now, we could have done the single system thing, but the risks are significant: a single vulnerability in the TCP/IP stack, web server or web application will lead to a complete compromise. No amount of hardening, auditing or patch management gets around that basic fact.

So, we went for a two-tier solution. We gave much thought to the division of responsibilities between the tiers. Ultimately having a back-end web application with a front-end app firewall seemed the most logical solution. The front-end is Apache/Resin and the back-end is Python BaseHTTPServer. The front-end interprets incoming requests, whitelist validates all input and canonicalizes requests before passing to the back-end. It also provides some DOS and brute-force protection. The back-end is your regular webapp - in principle it's plenty secure enough to put directly on the Internet.

So, having done this I think app firewalls are an important part of a secure system. To anyone who disagrees with this, my question is: what should we have done instead?

Regards,

Paul

Well the point of defence in depth is to have a secure system, with multiple security checkpoints to ensure that a flaw in any single level doesn't give access to the whole system. And if we had infinite budgets I'm sure we would have a wild time in the app security superstore, but we don't; and we have to spend the limited resources we have very wisely. If I had to choose between fixing the problem at the root, or applying a patch - I'll go for the root every time. And this is not necessarily just code audits, but can range from stricter quality assurance procedures, to developer education, peer review and security testing. These have longer term benefits for an organisation since they contribute to the wider security process rather than solving a specific problem.

-- 
Paul Johnston, GSEC
Internet Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street, Manchester, M1 5LN England
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paul@westpoint.ltd.uk
web: www.westpoint.ltd.uk
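The front-end validation step the post describes (whitelist-validate every parameter, canonicalize the request, and only then hand it to the back-end) can be sketched as follows. This is an added example written for this page, not code from Paul's project; the `ALLOWED` table, the `Rejected` exception and the function names are constructed for illustration, and the rules shown stand in for whatever a real application would whitelist.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, unquote

# Constructed whitelist for a hypothetical back-end: each allowed path maps
# parameter names to the regex that every value must fully match.
ALLOWED = {
    "/search": {"q": r"[A-Za-z0-9 ]{1,40}", "page": r"[1-9][0-9]{0,2}"},
    "/item":   {"id": r"[0-9]{1,8}"},
}

class Rejected(Exception):
    """Raised by the front-end when a request fails whitelist validation."""

def canonicalize(raw_url):
    """Return (path, [(name, value), ...]) after exactly one round of
    percent-decoding.  A '%' that survives decoding means the request was
    double-encoded, so it is refused rather than decoded again."""
    parts = urlsplit(raw_url)
    path = unquote(parts.path)
    if "%" in path or "/../" in path + "/":
        raise Rejected("path not canonical")
    params = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if "%" in value:  # parse_qsl has already decoded once
            raise Rejected("double-encoded parameter %r" % name)
        params.append((name, value))
    return path, params

def validate(raw_url):
    """Whitelist-validate a request.  Returns the canonical URL to forward
    to the back-end, or raises Rejected."""
    path, params = canonicalize(raw_url)
    rules = ALLOWED.get(path)
    if rules is None:
        raise Rejected("unknown path %r" % path)
    seen = set()
    for name, value in params:
        if name not in rules or name in seen:
            raise Rejected("unexpected or repeated parameter %r" % name)
        if not re.fullmatch(rules[name], value):
            raise Rejected("value for %r fails whitelist" % name)
        seen.add(name)
    return path + ("?" + urlencode(params) if params else "")

def rejects(raw_url):
    """True if the front-end would refuse to forward raw_url."""
    try:
        validate(raw_url)
    except Rejected:
        return True
    return False
```

Because only names and values that match the whitelist are re-encoded and forwarded, the back-end never sees a quote, a double-encoded byte or a parameter it was not written to expect.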
