I was looking through a presentation by .mario about PHPIDS (embedded below for your convenience), which got me thinking about Web Application Firewalls (or WAFs for short).
Currently I don’t see very much value in WAFs. My way of thinking goes something like this: there are two types of web applications you might run on your server:
- Those you have the source code for (either because it’s open source, developed in-house or delivered in a source-code format)
- Those you don’t have the source code for
From what I’ve seen (disclaimer: I have not yet had the opportunity to use PHPIDS or mod_security in production), to really tailor a WAF to your site you must have detailed knowledge of what data each input is expected to receive. If you take the time to gain that knowledge, wouldn’t it be better and easier to fix the source code directly?
My conclusion is that WAFs can be a last-step preventative measure with their generic rules; however, source code review is much more effective at finding (and fixing) the vulnerabilities. Most of you will probably say we knew this already, but there are tendencies out there to equate the two (from what I understand, the PCI guidelines present the two as alternatives to one another).
PS. You should also check out the article over at nullbyte about how input validation is not the be-all and end-all of security.
PS no. 2: It may seem that I’ve been very dismissive of WAFs and would never use them. Just to clarify: I think they should be used, because they provide another layer of defense (and also have a very good ROI from a business standpoint); however, if you need serious security (if you are handling sensitive information), you shouldn’t stop there.
One response to “Web Application Firewalls – are they useful?”
It depends on what security model your WAF is using. ModSecurity (and others) used as a negative model does not require such detailed knowledge of your app. However, if you are trying to build a complete positive model, then it becomes more difficult. There are plenty of WAFs out there, though, that build a positive model by analyzing the traffic. Such a WAF can then use this positive model and a negative model together to protect web applications quite well without knowing details about your apps. But as you wrote, this is only part of the big picture and you should have a layered approach (defense in-depth).
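The distinction the post and the comment are making (generic negative rules that need no application knowledge, versus a positive allowlist that must be written by someone who knows what each input should contain) can be made concrete with a small request filter. The following is an added example written for this page; it is not code from PHPIDS, ModSecurity, or any other WAF, and the rule set, the allowlist schema, the endpoints `/login` and `/search`, and the sample requests are all constructed assumptions. It runs the same request through both models so the trade-off is visible: the negative model catches textbook probes but also flags a harmless search, while the positive model knows the expected shape of every parameter and so rejects an out-of-range `page` value and an unexpected `debug` parameter that no generic signature would ever notice.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Negative model (assumption: a handful of generic deny rules written for this
# example, not the real PHPIDS or ModSecurity rule sets). Needs no knowledge of
# the application; it only looks for patterns that tend to appear in attacks.
NEGATIVE_RULES = [
    ("sqli-union-select", re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)),
    ("sqli-comment", re.compile(r"--|/\*")),
    ("xss-script-tag", re.compile(r"<\s*script", re.I)),
    ("xss-event-handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
]

# Positive model (assumption: a per-endpoint allowlist that only someone who
# knows the application could write). Every accepted parameter is listed with
# the shape of value it expects; anything not listed is a violation.
POSITIVE_SCHEMA = {
    "/login": {
        "user": re.compile(r"^[a-z0-9_.-]{1,32}$"),
        "password": re.compile(r"^.{8,128}$"),
    },
    "/search": {
        "q": re.compile(r"^[\w ]{1,64}$"),     # words and spaces only
        "page": re.compile(r"^\d{1,3}$"),      # the app never has >999 pages
    },
}


def parse_request(url):
    """Split a request URL into its path and a {param: [values]} mapping."""
    parts = urlsplit(url)
    return parts.path, parse_qs(parts.query, keep_blank_values=True)


def negative_model(path, params):
    """Return the names of the deny rules matched by any parameter value."""
    hits = []
    for name, pattern in NEGATIVE_RULES:
        if any(pattern.search(v) for values in params.values() for v in values):
            hits.append(name)
    return hits


def positive_model(path, params):
    """Return allowlist violations: unknown endpoint, unexpected parameter,
    or a value that does not match the shape the application expects."""
    schema = POSITIVE_SCHEMA.get(path)
    if schema is None:
        return [f"unknown endpoint {path}"]
    violations = []
    for name, values in params.items():
        pattern = schema.get(name)
        if pattern is None:
            violations.append(f"unexpected parameter {name}")
            continue
        for v in values:
            if not pattern.fullmatch(v):
                violations.append(f"bad value for {name}: {v!r}")
    return violations


def inspect(url):
    """Run one request through both models and report what each one found."""
    path, params = parse_request(url)
    return {"negative": negative_model(path, params),
            "positive": positive_model(path, params)}


if __name__ == "__main__":
    # Constructed sample requests: one benign login, two textbook probes,
    # one benign search that trips a generic rule, and two requests that
    # only the application-aware allowlist can recognise as wrong.
    samples = [
        "/login?user=alice&password=correct-horse-battery",
        "/search?q=shoes'%20UNION%20SELECT%20password%20FROM%20users--&page=1",
        "/search?q=%3Cimg%20src=x%20onerror=alert(1)%3E&page=1",
        "/search?q=union%20select%20wines&page=2",
        "/search?q=shoes&page=999999999",
        "/search?q=shoes&page=1&debug=1",
    ]
    for url in samples:
        print(url)
        print("   ", inspect(url))
```

The fourth request is the cost of the negative model: a search for "union select wines" is flagged by a generic SQL-injection signature even though the application's own allowlist accepts it. The last two requests are the benefit of the positive model: nothing about `page=999999999` or an extra `debug` parameter looks like an attack string, so only a rule written with knowledge of what `/search` actually accepts can reject them, which is exactly the tailoring effort the post argues might be better spent on the source code itself.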