Review: Web Application Firewalls

Posted by Jeffrey H. Rubin and Ravind Budhiraja on April 21, 2006

Think you know what Web sites are running on your servers? So did we. Then we started testing Web application firewalls and saw requests coming in for a site we didn't recognize--and which, by the way, was vulnerable. We assumed a vendor had left old data on an appliance under test, but all the vendors we asked insisted this was not the case. So we did an NSLOOKUP, and lo and behold, discovered one of our programmers was running a nonprofit Web site on our development server.

Heed the voice of experience--if you want to know exactly what's going on with your Web servers, a Web application firewall, or WAF, is worth every penny. Available in software or appliance form, WAFs work at the application layer, using deep-packet inspection to reveal the inner workings of Web applications while thwarting attacks made possible by insecure programming.

We invited WAF appliance vendors to send gear to our Syracuse University Real-World Labs®. We specified that products must inspect HTTP traffic and make decisions at the application layer to detect and stop common Web attacks, including SQL injection, buffer overflows, form-field manipulation, session hijacking, path traversal and forceful browsing.

Web Application Firewall Features Click to enlarge in another window