By Nazar Tymoshyk and Stanislav Breslavskyi
Over the last few years, network attacks have subsided in favor of attacks by hackers on firewalls. Because of widespread SSL usage and the booming attention to Web (cloud) storage, typical intrusion detection and intrusion prevention system (IDS/IPS) solutions are not capable of analyzing traffic above the third level of the OSI model. That is why Web applications have become the main arena for the battle between hacking and security.
Web application firewall (WAF) protection appears to be the next key direction in IT/security development. With WAF deployment becoming more and more widespread, the next step is to combine it with other technologies, such as dynamic application security testing (DAST) or the highly promising intrusion deception system.
Web Application Firewall (WAF)
A WAF (Web application firewall) is a mechanism aimed at intercepting malicious HTTP requests, such as SQL injection or cross-site scripting (XSS) payloads, usually recognized by regular-expression signatures. This technology works on the application layer (OSI Layer 7, the layer closest to the user), as opposed to an intrusion prevention system, which functions on the network layer (OSI Layer 3).
WAF configuration allows users to block harmful content, and in this way prevent an attack, as well as identify the attacker. To apply a WAF in the most effective way, consider these key selection criteria:
- Protection against OWASP Top Ten;
- Very few false positives (i.e., a legitimate request is never blocked);
- A powerful and easy-to-use learning mode;
- Types of vulnerabilities it can prevent;
- Both positive and negative security model support;
- High performance;
- Brute force protection, etc.
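The following is an added example, not code from the original article or from any WAF product, showing the two security models named in the criteria above on a single request inspector: a negative model (regular-expression signatures for known-bad input) and a positive model (a whitelist of what each endpoint legitimately accepts, the kind of data a learning mode would normally populate). The signatures, the endpoints (/search, /profile) and the sample URLs are all constructed for the example; the inspector also shows the false-positive problem from the second criterion, since a blunt signature blocks a legitimate search containing the words "union select".

```python
import re
from urllib.parse import urlsplit, parse_qs

# Negative security model: signatures for known-bad input.
# Constructed and deliberately tiny; production rule sets are far larger.
NEGATIVE_SIGNATURES = {
    "sqli": re.compile(
        r"(?i)(\bunion\b.+\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+|--\s*$|;\s*drop\b)"
    ),
    "xss": re.compile(r"(?i)(<\s*script\b|javascript:|on\w+\s*=)"),
}

# Positive security model: the shape of a legitimate request per endpoint.
# Anything outside this whitelist is rejected. In a real WAF a learning mode
# would build these entries from observed clean traffic. (Constructed endpoints.)
POSITIVE_MODEL = {
    "/search": {"q": re.compile(r"^[\w\s\-'.,]{1,64}$")},
    "/profile": {"id": re.compile(r"^\d{1,9}$")},
}


def inspect(url):
    """Return (verdict, reason) for one request given as a path plus query string."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)

    # Negative model: any parameter value matching a signature is blocked.
    for name, values in params.items():
        for value in values:
            for sig_name, pattern in NEGATIVE_SIGNATURES.items():
                if pattern.search(value):
                    return ("block", f"negative:{sig_name}:{name}")

    # Positive model: unknown endpoints, unexpected parameters and
    # out-of-shape values are blocked even if no signature fired.
    allowed = POSITIVE_MODEL.get(parts.path)
    if allowed is None:
        return ("block", "positive:unknown-path")
    for name, values in params.items():
        pattern = allowed.get(name)
        if pattern is None:
            return ("block", f"positive:unexpected-param:{name}")
        for value in values:
            if not pattern.fullmatch(value):
                return ("block", f"positive:bad-value:{name}")
    return ("allow", "ok")


if __name__ == "__main__":
    # Constructed sample requests; the last one is a legitimate search that
    # the SQLi signature blocks anyway, i.e. a false positive.
    for sample in (
        "/search?q=hello%20world",
        "/search?q=O%27Brien",
        "/search?q=%27%20or%20%271%27%3D%271",
        "/search?q=%3Cscript%3Ealert(1)%3C/script%3E",
        "/profile?id=42abc",
        "/admin?x=1",
        "/search?q=union%20select%20committee",
    ):
        print(sample, "->", inspect(sample))
```

The false positive on "union select committee" is exactly why the second criterion matters: a signature-only WAF either blocks legitimate traffic or has to be tuned per application, whereas the positive model accepts that search because it fits the expected shape of the q parameter. A deployable WAF needs both models and a way to tune which one wins.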
Combination of DAST and WAF
The next leap in WAF development is a combination of DAST and WAF. Dynamic application security testing is an approach to application scanning in which a DAST scanner sends requests imitating a hacker's activity to the running service. The DAST scanner (Burp, OWASP Zed Attack Proxy) generates a report that serves as a basis for WAF signatures.
So, combining DAST with WAF, we can observe an interesting system:
- WAF initiates a DAST scan of the resource
- DAST scans the resource and generates a report
- WAF pulls report and extracts vulnerability data
- WAF correlates vulnerability data for protection
With this approach, updating the DAST scanner implies automatic WAF updates whenever the scanner knows malicious payloads that are not yet registered in the signature database. The effectiveness of such a combination would be enhanced even more by static security analysis.
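Steps 3 and 4 of the loop above, as an added example that is not part of the original article and not the API of any scanner or WAF: a constructed DAST report (its JSON shape is invented for this example; Burp and ZAP have their own formats) is parsed and each finding is turned into a "virtual patch" rule scoped to the reported path and parameter. For vulnerability classes the WAF already understands, the rule reuses a class signature; for a class it does not know, the scanner's evidence payload itself becomes the signature, which is the automatic-update point made in the paragraph above. The rule ids, the CLASS_SIGNATURES table and the sample URLs are all assumptions of the example.

```python
import json
import re
from urllib.parse import urlsplit, parse_qs

# Constructed DAST report. The shape is invented for this example.
DAST_REPORT = json.dumps({
    "target": "https://shop.example",
    "alerts": [
        {"type": "sql_injection", "method": "GET", "path": "/item",
         "param": "id", "evidence": "1' OR '1'='1"},
        {"type": "xss_reflected", "method": "GET", "path": "/search",
         "param": "q", "evidence": "<script>alert(1)</script>"},
        # A class this WAF has no signature for: the evidence itself becomes the rule.
        {"type": "template_injection", "method": "GET", "path": "/render",
         "param": "tpl", "evidence": "{{7*7}}"},
    ],
})

# Class-level signatures the WAF already knows (constructed, minimal).
CLASS_SIGNATURES = {
    "sql_injection": r"(?i)('\s*(or|and)\s*'?\w+'?\s*=|\bunion\b.+\bselect\b|;\s*drop\b)",
    "xss_reflected": r"(?i)(<\s*/?\s*script\b|javascript:|on\w+\s*=)",
}


def rules_from_report(report_json):
    """Step 3: pull the DAST report and extract one virtual-patch rule per finding.

    Each rule applies only to the reported path and parameter, so it cannot
    block unrelated traffic the way a global signature might.
    """
    report = json.loads(report_json)
    rules = []
    for alert in report["alerts"]:
        signature = CLASS_SIGNATURES.get(alert["type"])
        if signature is None:
            # Unknown class: match the exact payload the scanner proved works.
            signature = re.escape(alert["evidence"])
        rules.append({
            "id": f"vp-{len(rules) + 1:03d}",   # assumed naming scheme
            "path": alert["path"],
            "param": alert["param"],
            "deny": re.compile(signature),
            "source": alert["type"],
        })
    return rules


def enforce(rules, url):
    """Step 4: correlate an incoming request with the extracted rules."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    for rule in rules:
        if rule["path"] != parts.path:
            continue
        for value in params.get(rule["param"], []):
            if rule["deny"].search(value):
                return ("block", rule["id"])
    return ("allow", None)


if __name__ == "__main__":
    rules = rules_from_report(DAST_REPORT)
    for rule in rules:
        print(rule["id"], rule["source"], rule["path"], rule["param"], rule["deny"].pattern)
    # Constructed sample requests.
    for sample in (
        "/item?id=42",
        "/item?id=1%27%20OR%20%271%27%3D%271",
        "/search?q=%3Cscript%3Ealert(1)%3C/script%3E",
        "/render?tpl=%7B%7B7*7%7D%7D",
        "/search?id=1%27%20OR%20%271%27%3D%271",
    ):
        print(sample, "->", enforce(rules, sample))
```

Note the last sample: the SQL injection payload sent to /search is allowed, because the report only proved /item is injectable through id. Virtual patches are narrow by design, which keeps false positives down but also means they complement the general signature set rather than replace it.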
Honeypot/Deception Proxies (Web IPS)
The next generation of security and web attack detection systems was developed by Juniper's Mykonos Software. They launched an appealing direction in the IDS industry, namely honeypot/deception proxies (Web intrusion prevention systems).
The principle of this mechanism is the following: a honeypot proxy sits between the user and the Web service; the proxy injects decoy information into the traffic and generates decoy resources (for example, by embedding hidden fields intended to attract an attacker's attention into the HTML code, or by creating fake .htaccess and .htpasswd files). How does that work? An average user will never notice all these complicated "pots," while a hacker, who is looking for the easiest way to attack, will go for the tempting (but false) data.
The rest depends on how the system is configured. You may "reward" an attacker with an extensive timeout on the service's responses, which will make them angry (really angry); or, to be even more rebellious, determine the hacker's geolocation and send them a message: "Big Brother is watching you."
Intrusion prevention systems of this kind may be integrated with WAF signatures, blocking malicious traffic in this way. Read more about how these systems work here.
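The mechanism described above, as an added example that is not part of the original article and not Mykonos code: a small deception-proxy core that, on the outbound side, injects an HMAC-signed hidden field into every HTML form, and, on the inbound side, raises an event when that field comes back altered (a browser submits it unchanged, so a modified value means someone edited the request) or when a decoy resource such as /.htpasswd is requested. A per-client score then drives the response policy the paragraph describes: slow the responses down first, block after repeated hits. The field name, the decoy paths, the key and the scoring thresholds are constructed for the example; a real deployment would rotate the names and keep the key out of the source.

```python
import hashlib
import hmac
import re
import secrets
from collections import defaultdict

SECRET = b"constructed-demo-key"            # assumption: a real key lives outside the code
HONEY_FIELD = "debug_admin"                 # constructed decoy field name
FAKE_RESOURCES = {"/.htaccess", "/.htpasswd", "/backup.zip"}  # decoy paths (constructed)


def _sign(nonce):
    """Short HMAC tag so the proxy can tell its own tokens from edited ones."""
    return hmac.new(SECRET, nonce.encode(), hashlib.sha256).hexdigest()[:16]


def mint_token():
    nonce = secrets.token_hex(4)
    return f"{nonce}.{_sign(nonce)}"


def token_valid(value):
    """True only if the submitted value is an unmodified token we issued."""
    nonce, _, sig = value.partition(".")
    return bool(sig) and hmac.compare_digest(_sign(nonce), sig)


def inject_traps(html):
    """Outbound side: add a hidden decoy field right after each opening <form> tag."""
    def add_field(match):
        field = f'<input type="hidden" name="{HONEY_FIELD}" value="{mint_token()}">'
        return match.group(1) + field
    return re.sub(r"(<form\b[^>]*>)", add_field, html, flags=re.I)


def inspect_request(path, form):
    """Inbound side: list the deception events this request triggers."""
    events = []
    if path in FAKE_RESOURCES:
        events.append(f"fake-resource:{path}")
    if HONEY_FIELD in form and not token_valid(form[HONEY_FIELD]):
        events.append("honeytoken-tampered")
    return events


class DeceptionProxy:
    """Tracks a score per client and maps it to a response policy."""

    def __init__(self):
        self.scores = defaultdict(int)

    @staticmethod
    def policy(score):
        # Constructed thresholds: first hits get slow responses, repeat offenders a block.
        if score == 0:
            return ("pass", 0)
        if score < 3:
            return ("delay", 10 * score)   # seconds of added latency, simulated here
        return ("block", 0)

    def handle(self, client, path, form=None):
        events = inspect_request(path, form or {})
        self.scores[client] += len(events)
        return self.policy(self.scores[client]), events


if __name__ == "__main__":
    page = inject_traps('<html><form action="/login"><input name="user"></form></html>')
    print(page)
    proxy = DeceptionProxy()
    # Constructed traffic: a normal login, then a client probing decoys and editing the field.
    print(proxy.handle("10.0.0.5", "/login", {"user": "bob", HONEY_FIELD: mint_token()}))
    print(proxy.handle("10.0.0.9", "/.htpasswd"))
    print(proxy.handle("10.0.0.9", "/login", {HONEY_FIELD: "admin"}))
    print(proxy.handle("10.0.0.9", "/.htaccess"))
```

Each event is a high-confidence signal precisely because nothing legitimate ever touches the decoys, which is what makes this kind of system easy to feed into WAF signatures or blocklists without the false-positive problem of payload matching.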
WAF and DAST technologies are still evolving. Looking into the future, IDS combined with machine learning seems to be the most promising direction, with the system able to learn, identify attacks and create signatures in real time, by itself. Until then, do not underestimate the role of timely detection and prevention of existing intrusions against your systems in staying safe and secure.
Nazar Tymoshyk and Stanislav Breslavskyi are security engineers at SoftServe Inc. Nazar specializes in multiple security disciplines including computer forensics, malware analysis and intrusion detection. He holds a Ph.D. in information security from the State University, Lviv Polytechnics. Stanislav's focus is on network solutions development, specifically security-related development. He holds a bachelor's degree in information security from the State University, Lviv Polytechnics. Both Nazar and Stanislav are regular contributors to the SoftServe United blog.