WebApp Sec mailing list archives

Re: Internal servers, web application firewalls, and learning modes


From: yelukati mahendra <mahendra_yn () yahoo com>
Date: Wed, 3 Dec 2008 12:03:30 +0530 (IST)


I agree with Preston Connors' suggestion of using a VPN.
With the hard limitations in your environment, a VPN is the best and simplest solution for your problems.

Mahendra.


--- On Tue, 2/12/08, Dan Lynch <DLynch () placer ca gov> wrote:

From: Dan Lynch <DLynch () placer ca gov>
Subject: Internal servers, web application firewalls, and learning modes
To: webappsec () securityfocus com
Date: Tuesday, 2 December, 2008, 9:44 PM
Sorry for the long post. My questions are at the end, but first, take a minute to see the hard limitations in our environment.

My organization has no in house specialized web expertise, not in web development, or code audit, or web application vulnerability assessment. None. In the current financial climate we are unable to hire outside experts in the field, and, with no money for training, it's unlikely we'll be able to develop internal expertise in the near term.

This is far from optimal, and I know that. But it's also completely out of my control or influence and unlikely to change anytime soon.

We purchase shrink-wrap web-based applications for such narrow niches as probation department case management, or building permit process management, or wastewater treatment facility monitoring. Some of these are fairly complex, consist of multiple web server / application server / database tiers, and large piles of incomprehensible scripts. Some applications hold critical and highly confidential data, such as juvenile court records.

As these are generally intended (at first) for internal use only, the servers themselves are mostly on our internal private network, all are Windows servers, and all are domain members.

We are frequently locked into weak contracts with the providers of these apps, with little recourse for pursuit of bug-fixes, feature enhancement requests, or mitigation of vulnerabilities. Our RFPs and before-purchase evaluations of products are limited to purely functional aspects of the software, and include no secure coding requirements.

These are the simple facts of the environment, and are unlikely to change.

Our user base has recently begun pushing for internet-based access to these web interfaces, for their own employees, and for affiliated partners to access. In some cases there is resistance to recommended topology changes, such as moving web servers into firewall-protected subnets and DMZs. In others, functional requirements prevent it. In some cases pass-through authentication to the web apps via Active Directory is used. Our Windows server team prefers to keep things simple, using domain accounts for administration, and our internal WSUS and other tools for maintenance. Server hardening has been resisted where there is concern that it could possibly affect function of the app.

These facts too are unlikely to change.

As a security team, we are pushing hard to apply what appropriate risk mitigation we can. Often, we're not sure what mitigation is appropriate. At this time the suggestion has been made that a web application firewall will allow us to safely grant access to internal network web servers. In particular, Microsoft ISA Server 2006.

All other things being equal, is a web application firewall an effective way to protect an internal web server from attack? Is ISA Server a usable WAF for an organization with little internal expertise? As I understand ISA as compared to other WAFs, there is no learning capability, and all application layer rules must be manually entered. Can application layer rules be developed for ISA by smart folks with limited HTML/HTTP background? Or are we better off pushing for acquisition of a trainable WAF? Barracuda has been suggested. Or is trainability less important, and we should focus on good attack signatures? We own a good IPS, but it is in listening mode only at this time.

Within the limitations of our environment as outlined above, what recommendations would you make?

Thanks for any thoughts.

-------------------------------------------------------------------------
Sponsored by: Watchfire
Methodologies & Tools for Web Application Security Assessment
With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------
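The "learning mode" versus "manually entered rules" distinction Dan asks about, shown as an added toy example (not code from the thread, ISA Server, or any WAF product): a positive-security model is profiled from constructed benign traffic and then used to flag requests that fall outside it, beside a small hand-written signature list standing in for manual rules.

```python
"""Added illustration (not from the thread): a toy 'learning mode' WAF.

A trainable WAF builds a positive model from benign traffic (which
parameters each path accepts, what characters and lengths they use) and
then blocks requests that fall outside it. A signature WAF instead
matches known-bad patterns. All sample requests below are constructed."""
import re
from collections import defaultdict

# Constructed benign training traffic: (path, {param: value}).
TRAINING = [
    ("/permits/search", {"permit_id": "2008-1042", "status": "open"}),
    ("/permits/search", {"permit_id": "2008-0007", "status": "closed"}),
    ("/permits/search", {"permit_id": "2007-3311", "status": "open"}),
]

def learn(samples):
    """Profile each (path, param): the set of characters seen and max length."""
    model = defaultdict(lambda: {"charset": set(), "maxlen": 0})
    for path, params in samples:
        for name, value in params.items():
            prof = model[(path, name)]
            prof["charset"].update(value)
            prof["maxlen"] = max(prof["maxlen"], len(value))
    return dict(model)

def check_positive(model, path, params, slack=4):
    """Return a list of violations; an empty list means the request fits the model."""
    violations = []
    for name, value in params.items():
        prof = model.get((path, name))
        if prof is None:  # parameter never seen in training for this path
            violations.append(f"unknown parameter {name!r} for {path}")
            continue
        if len(value) > prof["maxlen"] + slack:
            violations.append(f"{name!r} too long ({len(value)})")
        bad = set(value) - prof["charset"]
        if bad:
            violations.append(f"{name!r} has unlearned chars {sorted(bad)}")
    return violations

# A deliberately tiny signature set, the 'manually entered rules' alternative.
SIGNATURES = [re.compile(r"(?i)\bor\b\s+\d+=\d+"), re.compile(r"(?i)<script")]

def check_signatures(params):
    """Return names of parameters whose values match a known-bad signature."""
    return [n for n, v in params.items() if any(s.search(v) for s in SIGNATURES)]
```

The positive model catches anything outside learned behaviour (including a parameter the app never exposed), while the signature list only catches patterns someone has already written a rule for; a real deployment needs a long benign training window so legitimate edge cases are not blocked.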




