Application Firewall Implementation



Web applications of all kinds, whether online shops or partner portals, have in recent years increasingly become the target of hacker attacks. The attackers use methods specifically aimed at exploiting potential weak spots in the web application software itself, which is why traditional IT security systems such as network firewalls or IDS/IPS systems either do not detect them or do not detect them with sufficient accuracy. OWASP develops tools and best practices to support developers, project managers and security testers in the development and operation of secure web applications. Additional protection against attacks, in particular for web applications already in production, is offered by what is still an emerging category of IT security systems, known as Web Application Firewalls (hereinafter referred to simply as WAF), often also called Web Application Shields or Web Application Security Filters.

One of the criteria for meeting the security standard of the credit card industry currently in force (PCI DSS - Payment Card Industry Data Security Standard v.1.1) for example, is either a regular source code review or the use of a WAF.

The document is aimed primarily at technical decision-makers, especially those responsible for operations and security, as well as application owners (specialist departments, technical application managers) evaluating the use of a WAF. Wherever possible, special attention has been paid to presenting work estimates, including comparisons with possible alternatives such as modifications to the source code.

Alongside the importance of the web application to turnover or image, the term "access to a web application" as used in this document can be a good criterion in the decision-making process relating to the use of WAFs. Specifically, access to a web application measures the extent to which the required changes to the application source code can actually be carried out in-house and on time, or can be carried out by third parties.

Quick View
Summary: 

NetScaler Application Firewall™ protects Web applications from the growing number of application-layer attacks and prevents the loss of valuable corporate and customer data. In addition to proven attack defenses, the NetScaler Application Firewall aids in compliance with information security regulations, such as PCI-DSS.

Fastest Web App Firewall Available
Application Firewall delivers the industry’s highest performing Web application security solution, capable of protecting Web servers without degrading throughput or application response times. The NetScaler Application Firewall delivers multi-gigabit security performance that meets the needs of any enterprise or datacenter installation.

Positive Security Model
The Application Firewall implements a positive security model to block all application-layer attacks without requiring signatures. Web application behavior deviating from the positive security model is treated as potentially malicious and blocked. By understanding good application behavior, the positive security model is the only proven approach delivering protection against zero-day attacks.

Automatic Learning Engine
In addition to delivering out-of-the-box protection against all web-based threats, Application Firewall provides the ability to tailor security policies for any application, including those using client-side JavaScript. Citrix NetScaler’s Learning Engine can automatically learn the behavior of an application and generate human-readable policy recommendations. The security manager can then selectively apply recommendations to strengthen a security policy and to enable permissible application behavior.
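The positive security model and the learning engine described above, shown as an added illustration that is not NetScaler's code: a toy profile is learned from known-good requests (the allowed parameters per resource, each one's longest value and narrowest character class), and every later request is checked against it, so an unexpected parameter, an oversized value, a value outside the learned class or an unknown resource is reported as a deviation rather than matched against a signature. The function names, the character classes and the sample traffic are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Character classes, narrowest first; a learned class only ever widens.
CLASSES = ["digits", "alnum", "any"]
PATTERNS = {"digits": re.compile(r"[0-9]+\Z"), "alnum": re.compile(r"[A-Za-z0-9_.-]+\Z")}

def char_class(value):
    for name in CLASSES[:-1]:          # narrowest class matching the whole value
        if PATTERNS[name].match(value):
            return name
    return "any"

def learn(good_requests):
    """Build a per-resource profile from known-good 'METHOD /path?query' samples."""
    profile = {}
    for line in good_requests:
        method, url = line.split(" ", 1)
        parts = urlsplit(url)
        params = profile.setdefault((method, parts.path), {})
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            spec = params.setdefault(name, {"max_len": 0, "class": "digits"})
            spec["max_len"] = max(spec["max_len"], len(value))
            if CLASSES.index(char_class(value)) > CLASSES.index(spec["class"]):
                spec["class"] = char_class(value)
    return profile

def check(profile, line, slack=2):
    """Deviations from the profile (first one per parameter); [] means it conforms."""
    method, url = line.split(" ", 1)
    parts = urlsplit(url)
    params = profile.get((method, parts.path))
    if params is None:
        return ["unknown resource %s %s" % (method, parts.path)]
    out = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        spec = params.get(name)
        if spec is None:
            out.append("unexpected parameter %r" % name)
        elif len(value) > spec["max_len"] * slack:   # slack: allow modest growth
            out.append("%r too long (%d chars)" % (name, len(value)))
        elif CLASSES.index(char_class(value)) > CLASSES.index(spec["class"]):
            out.append("%r outside learned class %s" % (name, spec["class"]))
    return out

# Constructed known-good traffic (not real logs) from which the profile is learned.
GOOD = ["GET /catalog/item?id=1042&sort=price", "GET /catalog/item?id=7&sort=name",
        "POST /account/login?user=alice_1&remember=1"]
PROFILE = learn(GOOD)
```

In a real deployment the learned profile is what the security manager reviews and selectively applies; the toy version here simply enforces everything it learned.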

Defend Your Web Applications
With over 70 percent of successful Internet attacks now exploiting application vulnerabilities, take some time to learn more about the award-winning Application Firewall.

Start Date: 
March 16, 2009
Go Live: 
April 30, 2009
End Date: 
May 8, 2009
Current Milestone: 
AVP Approval and Prioritization.
Stage: 
On hold
People
Sponsor/Champion: 
Adrian Sannier, Vice President and University Technology Officer
Project Manager: 
Sharan Johnson
Associate VP University Technology: 
Tina Thorstenson
University Technology Director: 
Robin Manke-Cassidy
More Info
Source: 
Internal
Priority: 
High
Scope: 

As part of auditor general report 08-04, ASU must find methods by which to protect its critical applications on the web. This project addresses that requirement and protects all of the web applications. It will allow ASU to meet and exceed the requirement by being proactive and also by providing additional code review alongside development, utilizing the device in advanced mode. The auditor general also requires that this solution be properly implemented. The scope is to provide this capability within the HIPAA entity environment as well as the data center.

Deliverables: 

Brute force login
Buffer overflow
Command
Cookie poisoning
Cross-site scripting
Data destruction
Data theft
Denial of service
Directory traversal
Form field tampering
Identity theft
Illegal encoding
Known worms
Malicious encoding
Malicious robots
Parameter tamper
Patient and corporate espionage
Phishing
Scanning
Session hijacking
SQL injection
Web, HTTPS and XML application attacks
Web server and operating systems attacks
Zero day web worms
