Secure delivery

In his most recent visit to the Middle East, Guy Rosefelt, manager, app firewall international technical operations, applications network group at Citrix Systems, discussed the ramifications of the PCI DSS compliance standard, and how enterprises can get more from their web application firewalls.

By Sathya Mithra Ashok. Published July 19, 2008

What are the challenges that face most enterprises when they implement a web application firewall and what are the most common mistakes they make?

Web app firewalls are for protecting the apps. This means security people responsible for the firewall have no idea what they are protecting. They have no idea what is going in, they have no idea what is going out, they have no idea what potentially looks like a SQL injection attack.

They have to go back to the web app developer and business process owner, to know whether this is validated data that is going in and going out. Security people never talked to app people before, so there is an entire paradigm shift. App developers don't want to admit that their apps have holes in them. The political environment and how people can work together, without anybody ruling the space, is one thing that enterprises have to work on.

The second thing follows the deployment of a firewall. Apps are dynamic, so depending on the technology I deploy, handling and protecting such dynamic technology can become more and more difficult and challenging, especially when there are more things happening on the client side.

The web app firewall can get anything that is within its sphere of influence. It can see stuff that goes in and goes out - but even as it processes some inputs there are ways for the hacker to get into the organisation's network.

This makes things more difficult, because companies would then have to update the web app developer, figure out how to fix the firewall and not allow outside stuff to come in. What we are going to see over the next year is that there will be a lot of development trying to understand these client side technologies in protecting apps and organisations.

Many in the industry believe that the learning curve necessary for web app firewall configuration is an area that organisations should address. How is Citrix helping enterprises with this?

There are several things in the two security models that you can use for an app firewall. The negative model is blocking everything that is not known. The positive model involves having a list of things that can be allowed and everything else gets blocked.

The negative model is a little easier to implement. It works on a list of things that need to be blocked. If a piece of data is not on the list, it gets through. Antivirus is an excellent example of that.

The positive security model is a little more difficult to configure, because I have to understand in great detail how the app works to decide what kind of traffic can be allowed in and out. If it is built through templates that makes the job of defining the policy much easier. However, there is only a certain level of accuracy that can be obtained when it comes to the input coming in from app developers, and that is around 85%.

This should cover all normal users because this is the intended traffic. Unfortunately, app developers are not users, and users do things that app developers never envisioned. The other 15% are doing stuff that was never intended for the app. Is this behaviour that the app should be modified for?

With input from the right people, you can still build a reasonable policy. After creating a profile you can turn on the whole positive security model; you will still have to track cookies, track everything in the app, and behaviour that has the potential to cause a complex app to break. But one can also turn down the security functions of the profile to be able to do the functions that reflect the apps, and still provide protection.

Enterprises should be able to customise profiles. In a large web application, 80% of the traffic goes to the public, which is mostly information. I can use lesser and lesser checks and still be able to do a lot of things that I want to do. The remaining 20% can be put to more stringent checks.

There are things we can do to tune the different kinds of apps and modify how the app works. Most pages are in a dynamic structure that is consistent, and basic security checks can track all of that without having to let the entire app go. I can use different methodologies to deal with traffic. And a good web application firewall will give you all the tools for building that.
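The two policy models and the tiered tuning described in the interview (a stringent allowlist for the sensitive fraction of the application, a lighter signature check for the public fraction, and a starting profile learned from observed traffic) can be made concrete in a few dozen lines. The following is an added example written for this page; it is not Citrix code and not any product's rule set. The paths `/account/transfer` and `/news`, the parameter names, the signature list and the learning heuristic are all constructed assumptions.

```python
"""Tiered WAF policy: a positive (allowlist) profile for sensitive paths and a
negative (signature) check for everything else.  Constructed illustration only;
paths, parameters and signatures are assumptions, not any product's rules."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Negative model: a short, constructed list of known-bad patterns.
# Anything NOT on the list gets through, which is the model's weakness.
NEGATIVE_SIGNATURES = {
    "sqli_union": re.compile(r"\bunion\b.+\bselect\b", re.I),
    "sqli_tautology": re.compile(r"'\s*or\s*'?\w+'?\s*=\s*'?\w+", re.I),
    "xss_script_tag": re.compile(r"<\s*script\b", re.I),
    "sqli_stacked": re.compile(r";\s*(drop|delete|insert|update)\b", re.I),
}

# Positive model: per-path allowlist of method and parameters, each parameter
# carrying the exact value shape the (hypothetical) application expects.
POSITIVE_PROFILES = {
    "/account/transfer": {
        "methods": {"POST"},
        "params": {
            "to_account": re.compile(r"^[0-9]{8,12}$"),
            "amount": re.compile(r"^[0-9]{1,7}(\.[0-9]{2})?$"),
            "memo": re.compile(r"^[\w .,-]{0,64}$"),
        },
    },
}


def _fields(query, body):
    """Collect name/value pairs from the query string and a form body, URL-decoded once."""
    pairs = parse_qsl(query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    return pairs


def negative_check(path, fields):
    """Negative model: block only what matches a known signature."""
    for name, value in [("path", unquote_plus(path))] + fields:
        for sig_name, sig in NEGATIVE_SIGNATURES.items():
            if sig.search(value):
                return ("block", f"negative:{sig_name} in {name}")
    return ("allow", "negative:no signature matched")


def positive_check(profile, method, fields):
    """Positive model: allow only the method, names and value shapes in the profile."""
    if method not in profile["methods"]:
        return ("block", f"positive:method {method} not allowed")
    for name, value in fields:
        pattern = profile["params"].get(name)
        if pattern is None:
            return ("block", f"positive:unknown parameter {name}")
        if not pattern.match(value):
            return ("block", f"positive:{name} does not match expected shape")
    return ("allow", "positive:all fields conform")


def evaluate(method, url, body=""):
    """Route a request to the stringent or the lighter model by path."""
    parts = urlsplit(url)
    fields = _fields(parts.query, body)
    profile = POSITIVE_PROFILES.get(parts.path)
    if profile is not None:                      # the sensitive 20%: full allowlist
        return positive_check(profile, method.upper(), fields)
    return negative_check(parts.path, fields)    # the public 80%: signatures only


def learn_profile(method, sample_bodies):
    """Build a starting positive profile from observed traffic (the 'template'
    idea): infer one character-class regex per parameter from the values seen.
    Constructed heuristic; values outside what was observed will be blocked,
    which is exactly the unexpected 15% the interview talks about."""
    classes = (
        (re.compile(r"^[0-9]+$"), r"^[0-9]{1,%d}$"),
        (re.compile(r"^\w+$"), r"^\w{1,%d}$"),
    )
    seen = {}
    for body in sample_bodies:
        for name, value in parse_qsl(body, keep_blank_values=True):
            seen.setdefault(name, []).append(value)
    params = {}
    for name, values in seen.items():
        longest = max(len(v) for v in values)
        for test, template in classes:
            if all(test.match(v) for v in values):
                params[name] = re.compile(template % longest)
                break
        else:  # fallback: any length seen, but no HTML/SQL metacharacters
            params[name] = re.compile(r"^[^<>'\";]{0,%d}$" % longest)
    return {"methods": {method.upper()}, "params": params}


if __name__ == "__main__":
    print(evaluate("GET", "/news?id=1%27%20or%20%271%27%3D%271"))
    print(evaluate("POST", "/account/transfer", "to_account=123456789&amount=250.00&debug=1"))
```

Two results are worth noting when running it: a novel injection that is not on the signature list (for example `/news?id=1 and sleep(5)`) is allowed by the negative model, while on the allowlisted path even a harmless extra parameter such as `debug=1` is blocked, which is the accuracy trade-off the interview describes between the two models.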

What is PCI DSS?

PCI DSS stands for Payment Card Industry Data Security Standard. It was developed by the major payment card brands, through the PCI Security Standards Council, as a set of requirements to help organisations that process card payments prevent card fraud, compromise of cardholder data and a range of other security vulnerabilities and threats.

A company processing, storing, or transmitting payment card data must be PCI DSS compliant, or risk losing its ability to process card payments, as well as being audited or fined.

Requirement 6.6 of the current version of the standard obliges organisations to put a web application firewall in front of public-facing web applications, or to have a strict process for reviewing application code, as part of the requirement to develop and maintain secure systems and applications. The deadline for compliance with this requirement is the 30th of June, 2008.
