January 22, 2008

Web Application Firewalls

Ivan Ristic, the principal author of mod-security, just published an article about application firewalls. His thesis: this is the right year for web application firewalls... like modsecurity.

I agree with most of his analysis - webapp firewalls are really a must nowadays: web application protection is "the next big thing". But yet, I don't think misuse based application firewalls are the right answer. They need very high skills to be tuned and configured, and at the moment they don't deliver enough value for the effort required.

While a fine tuned-modsecurity can improve the security of any webapplication, the problem is that a whitelist approach is often unfeasible in complex environments and a blacklist is utterly uneffective against tricky or unknown attacks. The usual problems of signature/behaviour based IDSes.

So what? What we need is the holy grail of intrusion detection: an anomaly based web intrusion detection system. Impossible? Maybe. Necessary? For sure.