Deploying Application Firewall in Defense in Depth Principle

Abstract

Information security should be a priority for businesses, especially when they are increasingly involved in electronic commerce. With the understanding that securing an operating system successfully requires taking a systematic and comprehensive approach, security practitioners have recommended a layered approach called defense-in-depth.

The cost and complexity of deploying multiple security technologies has prevented many organizations from achieving their information security goal. In view of these constraints and in compliance with recent with recent corporate and industry regulations like Sarbanes-Oxley Act and Payment Card Industry Data Security Standard, businesses now deploy application firewalls as security measures. Based on the foregoing, the author has recommended the use of application firewalls as a single platform for achieving layered security through network protection, application protection and data protection.

This paper commences by examining the defense in depth theory and the types of application firewall and the author concludes by citing the Institute for Computing Applications (IAC) of the Italian National Research Council (CNR) as an example of an organization which engaged application firewalls in resolving its network security problem.

Research Analysis/ Body

The development of Information security is of paramount importance to organizations that have online presence. The primary goals of information security are confidentiality, integrity and availability. In order to achieve these goals, organizations need to adopt a multi-layered security defense strategy named defense in depth. A defense-in-depth approach to security suggests an organization shouldn't rely on a single device to protect its system as the source of attack is growing every day.

Types of Application Firewalls

The best approach to deploy defense-in-depth strategies for protecting information asset is to start at the network perimeter and move from there to the operating system and applications and the data which is the final layer. In an effort to comply with recent corporate and industry regulations like Sarbanes-Oxley Act and Payment Card Industry Data Security Standard, businesses now deploy application firewalls as security measures. The different types of application firewalls are examined below:

Unified Threat Management (UTM)

According to Sunday Business Post (2012), Gartner defined UTM solutions as "multifunction network security products used by small or mid-size businesses with a market value of 1.01 billion EUR in 2011”.

Intrusion detection and prevention is the first layer in a defense- in- depth strategy as security technologies, including traditional firewalls, URL filtering, antivirus, spam filtering and intrusion detection and prevention are performed by multiple systems. These devices are designed to combat all levels of malicious activity on the network by preventing intrusion. They can be easily deployed at remote sites without the help of any security professional because its integrated all-in-one approach facilitates simplicity.

Cisco System, Inc. (2006) in its research found that firewalls provide security “by matching user policies in respect to network access rights to connection information before granting users’ access to network resources”. Because of challenges faced by organizations in identifying appropriate devices to deploy in accomplishing their security goals, Cisco recommended the following options listed in the table below as guidelines for Cisco firewall deployment.
Table 1: Cisco Firewall Options and Deployment Considerations Network Location | Cisco Platform(s) | Decision Criteria | WAN edge:
Corporate headquarters or branch office | Cisco ASA 5500 Series or Cisco PIX Security Appliance | Require plug-and-play capabilities (no changes needed to existing network) and very high performance. Wish to combine with IPS, SSL VPN, and anti-X security functions for stronger security, CapEx, and operational benefits using Cisco ASA 5500 Series | | Cisco IOS Firewall running on Cisco integrated services routers | Want to take advantage of firewall filtering in router software capabilities for CapEx consolidation benefits; require good performance | Between enterprise LAN switch and back-end servers | Cisco Catalyst 6500 Series Firewall Services Module (blade) | Have open slot on Cisco Catalyst switch; wish to conserve capital real estate; require very high performance | | Cisco ASA 5500 Series or Cisco PIX Security Appliance | Require high performance; no switch slot available; might wish to add integrated IPS module (on Cisco ASA 5500 Series) for stronger security and higher performance than is available when separate | Between internal departments | Cisco Catalyst 6500 Series Firewall Services Module (blade) | Have open slot on Cisco Catalyst switch; wish to conserve capital real estate; require very high performance | | Cisco ASA 5500 Series Adaptive Security Appliance | Require high performance, high degree of accuracy, and might wish to add integrated IPS module | Laptops and other mobile equipment | Cisco Security Agent / personal firewall software | Recommended in all instances where corporate data is stored on device |

Patch proxy

It is imperative for the network perimeter to be constantly monitored for attacks and routinely tested for vulnerabilities because of its susceptibility to exposure. A patch proxy can be deployed in a network to monitor client/server interaction by intervening when traffic accesses an unpatched server application or operating system and imitates how the patch would perform had it been installed on the server. Patch proxy permit no traffic directly between networks through elaborate logging and examination of traffic and it also offers access control.

Kost, F. (2006) demonstrated the application of patch proxy by explaining how Microsoft patch MS04-045, eliminates vulnerability in the Windows Internet Naming Service (WINS) by matching the WINS session to an unpatched server and applying the patch equivalent action to the network traffic which validates a key value in the request. The server’s vulnerability to MS04-045 is eliminated because of the action of the network-based patch proxy.

Web application firewall

Payment Card Industry (PC1) defines a web application firewall as: “a security policy enforcement point positioned between a web application and the client end point. A web application firewall (WAF) is a security device shielding the web server from attack. WAF protects web applications and web services from malicious attacks, and can also increase the performance and scalability of these applications. WAF detects attacks by filtering all incoming HTTP and HTTPS traffic through configurable network and application layer controls.

Moore, J. (2005) demonstrated the importance of web application firewall in attack prevention in a scenario where traditional firewalls leaves ports 80 through which HTTP traffic flows open and another Port 443, which permits secure transactions via HTTP open, thereby giving hackers opportunity to use the open ports to attack applications because traditional firewall is going to assume every transaction is legitimate. In this scenario, the web application will defend the web application from attack by halting web traffic and allowing content inspection.

One of the examples of web application firewall is DotDefender web application firewall which prevents threats to web applications by inspecting HTTP traffic and checking packets against rules in order to stop web applications from being exploited. It provides optimal out-of-the-box protection against DoS threats, Cross-Site Scripting, SQL Injection attacks, path traversal and many other web attack techniques.

Database Firewall

The database firewall, a device which enhances a WAF creates a defensive perimeter around a database by looking at SQL statements sent to it to determine whether to pass, log, alert, block, or substitute SQL statements, based on a company's policies. Users can set whitelist and blacklist policies to control the firewall.

Murphy, A. (2006) in his article, cited the example of a user “who may see the following error when mistyping a bug ID in the search form: **ERROR** Invalid 'bug_id' value; SQL returned critical failure! select bug_id, owner, priority, notes from bug_table where bug_id='123456a' AND status=active”. This error message provides opportunity for a malicious user to launch an SQL attack against the bug application and the database over a period time without detection as a result of ease of access. In this case, a database firewall can prevent the attack by blocking malicious SQL statements in the database.

The Imperva SecureSphere Database Security Gateway is a new database firewall appliance which guard against malicious activity in a database. It monitors the database traffic to learn normal query patterns and allows administrator to create rules to prevent unauthorized activity. It restricts users access to the database by prevent the user from running a query in all records of the table.

Conclusion

In the dynamic risk environment we are faced with today, it's more important than ever to apply multiple controls against each risk. In the IT world, no single defense is sufficient in itself to provide adequate security for an organization and no information security strategy is complete without a defense-in-depth strategy.

Defense in depth is becoming an increasingly popular concept in information security. With the rise in internet-based attacks, internal threats and attacks, application firewalls have become critical for public data security. Application firewall which serves to control inbound and outbound communication based on security policy provides layered security through intrusion prevention and detection.

The Institute for Computing Applications (IAC) of the Italian National Research Council (CNR) which relies heavily on the internet for its business engaged application firewalls in directing its network traffic and has found it useful in controlling access to its information assets.

Reference

Bernaschi, M; Aiutolo, E.& Rughetti, P.(1999). Enforcing Network Security: A Real Cease Study in a Research Organization. Computers & Security, 18, 6. Retrieved from Science Direct Database.

Business Wire (2008). Imperva Wins Information Security Magazine Shoot-Out Review of Web Application Firewalls. Retrieved from ABI/INFORM Complete Database.

Byrne, P. (2006). Application firewalls in a defense-in-depth design. Network Security, 9. Retrieved from Science Direct Database.

Cieslak, D. (2006). Information Security: Move beyond Simple Awareness to Specific Action. CPA Technology Advisor, 16,1. Retrieved from ABI/INFORM Complete Database.

Cisco System, Inc. (2006). Deploying Firewalls throughout your Organization. Retrieved from www.cisco.com/en/US/.../prod_white_paper0900aecd8057f042.html. Kost, F. (2006). Patch Proxy Eases Update Pressure. Network World. Retrieved from www.networkworld.com/news/tech/2006/041006-patch-proxy.html

Moore, J. (2005). FAQs: Web Application Security. Federal Computer Week, 19,15. Retrieved from ABI/INFORM Complete Database.

Murphy, A. (2006). Protecting your Internal Resources with Intranet Application Firewalls. EDPACS, 34, 6. Retrieved from ABI/INFORM Complete Database.

Sunday Business Post (2012). Security Watch: UTM Solutions Grow Popular. Retrieved from ABI/INFORM Complete Database.