Web Application Firewall

With reports stating that over 80% of all web sites contain vulnerabilities that make them susceptible to Cross-Site Scripting, SQL Injection, Path Traversal, and many other exploits, many organizations have become concerned.


dotDefender is an enterprise-class Web application security solution that provides Apache and IIS Server Security across Dedicated, VPS and Cloud environments.
It prevents Cross Site Scripting (XSS) Attacks, SQL Injection Attacks, Credit Card Disclosure, Denial of Service (DoS) Attacks and more. It meets PCI Compliance and also provides E-Commerce Security, IIS and Apache Security, Cloud Security and more.

Most notable is the Payment Card Industry (PCI) Security Standards Council, which requires that, to be in compliance, a company that processes credit cards over the Internet must either complete a web application vulnerability assessment (Option 1) or implement a web application firewall (Option 2).

PCI defines a web application firewall as:

“A security policy enforcement point positioned between a web application and the client end point. This functionality can be implemented in software or hardware, running in an appliance device, or in a typical server running a common operating system. It may be a stand-alone device or integrated into other network components.”

Basically, a web application firewall, or WAF, protects web applications much in the same way a traditional firewall protects a network. It controls the input and output, as well as the access to and from the asset it is protecting. However, traditional network firewalls, and even Intrusion Prevention Systems (IPS), evaluate IP packets or protocols without awareness of the application payload, so they cannot protect the application layer. Without visibility into the HTTP payload (the HTML, form fields and parameters the application actually processes), these network-layer devices cannot recognize or stop the application-layer threats that make web applications vulnerable to attack.

Unlike traditional firewalls that usually block access to certain ports or filter by IP address, web application firewalls look at every request and response within the different web service layers such as HTTP, HTTPS, SOAP, and XML-RPC. The meticulous inspection of web traffic that web application firewalls perform has also earned them the nickname “Deep Packet Inspection Firewalls”.

Risks Associated with Web Applications

Falling out of PCI compliance may not be a concern for many web site owners. Many web sites simply don’t collect credit card data over the Internet and others rely on payment gateways like PayPal to handle all of their online transactions.

Unfortunately for any business or person who runs a web site, deploying any type of web application - even commercial applications or ones supported by a hosting provider - puts the web site at risk for the following:

The truth is, any web application is at risk. Whether it is a commercial application or a Free/Open Source one, the potential for vulnerabilities exists. Once a vulnerability becomes known, attackers use well-coordinated methods to seek out sites that are vulnerable and launch their attacks.

Preventing Web Application Attacks

Code reviews and vulnerability assessments are excellent ways to help seek out and patch known vulnerabilities in a web application. However, as solid as these two solutions are, they do raise two concerns.

Cost

Both code reviews and vulnerability assessments can be rather costly. One way a company can defray some of these costs is to perform these duties in-house, but this too may be expensive, as personnel usually have to be trained in the practice. Additionally, having people dedicated to these tasks pulls them away from other duties; in smaller organizations, this may not be possible.

Zero-Day Exploits

Code reviews and vulnerability assessments work, but only against known vulnerabilities. Zero-day exploits target vulnerabilities for which no patch exists because the flaw has not yet been seen. Even the best reviewers and auditors cannot see into the future to recommend fixes for problems that don’t exist yet.

Web Application Firewalls

Web application firewalls are a perfect solution to the problems with code reviews and vulnerability assessments because they actively and constantly protect web applications against threats using Pattern Recognition to detect and thwart zero-day exploits and other evolving threats, Session Protection to help prevent impersonation, and a Signature Knowledgebase to block known vulnerabilities and known attackers.

With the dotDefender web application firewall you can avoid many different threats to web applications: dotDefender inspects your HTTP traffic and checks each request against rules, such as allowing or denying specific protocols, ports, or IP addresses, to stop web applications from being exploited.

Architected as plug & play software, dotDefender provides optimal out-of-the-box protection against DoS threats, Cross-Site Scripting, SQL Injection attacks, path traversal and many other web attack techniques.

The reasons dotDefender offers such a comprehensive solution to your web application security needs are:

The Need to Avoid Attacks

Gartner research states that 75% of all attacks happen at the application layer. As more applications are designed to run in the browser, like Google Apps and the upcoming release of Microsoft Office, and more apps are designed to run in the cloud, the odds that a company’s data is vulnerable to a number of threats multiply with each passing day.

Leaving data exposed like this is expensive. The 2003 attack against TJ Maxx cost between $500 million and $1 billion in lost income and fines. Add to this the fact that their stock fell roughly 66%, and it is easy to see that lost income is not the only way a compromised site can hurt a business’ bottom line. Small web sites are not immune to this threat. While they may not stand to have millions of dollars stolen, they are prime targets for cyber criminals who use these sites as a launching pad for malware distribution and other scams. The sites that serve as unknowing hosts to these criminals soon find their reputation ruined as they are flagged as malicious, and once their visitors are infected they rarely return.

Web application firewalls directly address these threats by examining incoming requests as they are opened by the web server. From this position, the web application firewall sees the request exactly as the web server sees it, allowing it to stop any malicious attempt in an efficient and timely manner.

When looking for a web application firewall solution, it is important to keep certain criteria in mind:

Protect Your Web Applications With dotDefender

dotDefender's unique security approach eliminates the need to learn the specific threats that exist on each web application. dotDefender focuses on analyzing the request and the impact it has on the application. Its web application security is based on three powerful engines: Pattern Recognition, Session Protection and Signature Knowledgebase.

The Pattern Recognition web application security engine employed by dotDefender effectively protects against malicious behavior such as the attacks mentioned above, and many others. The patterns are regular expression-based and designed to efficiently and accurately identify a wide array of application-level attack methods. As a result, dotDefender is characterized by an extremely low false positive rate.
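To make the regex-based pattern recognition and the allow/deny rules described on this page concrete, here is an added example in Python. It is not dotDefender's code or its rule set; it assumes a small constructed signature set, a constructed deny list of client addresses, and a handful of constructed requests, and a real WAF runs inside the web server (as an Apache or IIS module) with a much larger, tuned knowledgebase. The example also URL-decodes each parameter before matching, so the rules see the value the way the application will, which is the point made earlier about inspecting the request as the web server sees it.

```python
"""Toy WAF request inspector: regex-based pattern recognition plus simple
allow/deny rules. Added illustration only; not dotDefender's code or rules."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed signature set (name, compiled regex). Each pattern is written to
# require attack-specific context (e.g. an '=' comparison for the tautology
# rule) so that ordinary words like "or" in a search box do not trigger it.
SIGNATURES = [
    ("sqli_tautology", re.compile(r"(?i)\b(or|and)\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+")),
    ("sqli_union", re.compile(r"(?i)\bunion\b\s+(all\s+)?select\b")),
    ("sqli_comment", re.compile(r"(--|/\*)")),
    ("xss_script_tag", re.compile(r"(?i)<\s*script\b")),
    ("xss_event_handler", re.compile(r"(?i)\bon(load|error|click|mouseover)\s*=")),
    ("path_traversal", re.compile(r"\.\.[/\\]")),
]

# Constructed deny list; 192.0.2.0/24 is documentation address space.
DENY_IPS = {"192.0.2.10"}


def normalize(value, max_rounds=2):
    """URL-decode repeatedly (bounded) until the value stops changing, so the
    patterns are matched against what the application would actually see
    rather than against the encoded wire form."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def extract_fields(target, headers, body):
    """Break a parsed request into the fields a WAF inspects: the URL path,
    every query and form parameter, and headers applications commonly echo.
    Header names are assumed to be lowercase."""
    parts = urlsplit(target)
    fields = {"path": parts.path}
    for key, val in parse_qsl(parts.query, keep_blank_values=True):
        fields["query:" + key] = val
    ctype = headers.get("content-type", "")
    if body and ctype.startswith("application/x-www-form-urlencoded"):
        for key, val in parse_qsl(body, keep_blank_values=True):
            fields["body:" + key] = val
    for name in ("user-agent", "referer", "cookie"):
        if name in headers:
            fields["header:" + name] = headers[name]
    return fields


def inspect_request(target, headers=None, body="", client_ip=""):
    """Return {"action": "allow"|"deny", "matches": [(signature, field), ...]}.
    The IP deny list is checked first, then every field against every
    signature; a single match is enough to deny the request."""
    headers = headers or {}
    if client_ip in DENY_IPS:
        return {"action": "deny", "matches": [("ip_deny_list", "client_ip")]}
    matches = []
    for where, raw in extract_fields(target, headers, body).items():
        value = normalize(raw)
        for name, pattern in SIGNATURES:
            if pattern.search(value):
                matches.append((name, where))
    return {"action": "deny" if matches else "allow", "matches": matches}


# Constructed sample requests: one benign, three carrying the attack classes
# named on this page (the traversal one double-encoded), one from a denied IP.
SAMPLES = [
    ("/search?q=blue+or+green+shoes", {}, "", "198.51.100.7"),
    ("/item?id=1%27%20or%20%271%27%3D%271", {}, "", "198.51.100.7"),
    ("/download?file=%252e%252e%252fconfig.ini", {}, "", "198.51.100.7"),
    ("/comment", {"content-type": "application/x-www-form-urlencoded"},
     "text=%3Cscript%3Ealert(1)%3C%2Fscript%3E", "198.51.100.7"),
    ("/", {}, "", "192.0.2.10"),
]


def run_samples():
    """Inspect each constructed sample and return its decision."""
    return [inspect_request(t, h, b, ip)["action"] for t, h, b, ip in SAMPLES]


if __name__ == "__main__":
    for sample, action in zip(SAMPLES, run_samples()):
        print(action.upper(), sample[0], sample[2])
```

The benign search "blue or green shoes" is allowed because the tautology rule insists on a comparison, which is how a signature set keeps its false-positive rate low; the double-encoded traversal is only caught because the value is decoded before matching, which is why inspecting at the web server rather than on the wire matters.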

What sets dotDefender apart is that it offers comprehensive protection against threats to web applications while being one of the easiest solutions to use.

In just 10 clicks, a web administrator with no security training can have dotDefender up and running. Its predefined rule set offers out-of-the-box protection that can be easily managed through a browser-based interface, with virtually no impact on your server or web site’s performance.