The first comment that would make is that you subject line is assuming
a commercial WAF, whereas the are some (such as ModSecurity) which are
open source/free options.
So, taking the monetary ROI out of the equation, you still have a
valid question of what value(s) can you gain by a WAF outside of the
block actions. We are kind of stuck with the "firewall" term in this
industry and is a shame as it can cause confusion as to what types of
security policies and actions are or must be used. WAFs cand be used
for many different purposes.
Here are a few use cases to consider -
1) To inspect SSL web traffic.
Many IDSs/IPSs don't decrypt SSL traffic for various reasons. They
have to inspect a wide range of protocols whereas WAFs only have to
deal with http (and xml, etc...). Due to the wide use of SSL,
essentially all WAFs have the capability to decrypt this traffic.
2) HTTP auditing device
There are many scenarios where you need to have better audit logs of
the web transaction. Perhaps it is for administrative functions,
login pages or credit card purchases. The default logging that most
web servers or applications do is pretty bad. Have you ever tried to
do incident response and you only had access to the CLF access logs?
Good luck.
3) Incident response - trap and trace
Another scenario is when you are doing incident response and you want
to log everything that a client is doing. You can choose to log all
transactions based on items such as source IP, SessionID, etc...
Doing this same type of thing (with layer 7 payloads) with a NIDS is
much more difficult.
4) Identifying application defects
There are many web app vulns that may not manifest themselves until
the app is in production. This means that source code analysis may
miss it. Since the WAF is physically/logically between the client and
app, it can see all inbound and outbound data. It is here where WAFs
can identify when there are certain vulnerabilities, coding errors or
misconfigurations in the app. Detailed error pages and source code
leakages are great examples of this. The main benefit of this is that
you can now take that info and provide it back to the web dev teams
for remediation.
5) Info Leakage detection
There may be sensitive data that is leaving you site that you didn't
even know about. CC or Social Security numbers or other types of info
may be leaking out. WAFs can help to flag this so that you are aware
and can take action.
6) Identifying web vulns/attacks
Forgetting about taking a blocking action for a moment, the most
important aspect is to fisrt identify the issue. Once identified,
then the appropriate remediation can be taken. I believe the web app
vuln scanner folks would agree with this :)
Hopefully this has shown some other value that WAFs can provide beyond
simply blocking.
Cheers,
Ryan
On 1/12/08, B Snake <bsnak3@gmail.com> wrote:
It seems like 90+% of companies that implement WAFs deploy them in
listening-only mode and don't do any blocking for fear of false positives
cutting off legitimate user activity.
I'm new to WAFs and this may be a stupid question, but what security value
does a WAF add if it's not doing any blocking of malicious activity?
-BSnake
--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache
-------------------------------------------------------------------------
Sponsored by: Watchfire
Methodologies & Tools for Web Application Security Assessment
With the rapid rise in the number and types of security threats, web
application security assessments should be considered a crucial phase in the
development of any web application. What methodology should be followed? What
tools can accelerate the assessment process? Download this Whitepaper today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------
