Web attacking your perception of firewalls

Created: 10 Nov 2011 • Updated: 10 Nov 2011 • 7 comments
Clint M. Sand

There's a lot of discussion in infosec circles on the usefulness (or not) of traditional packet filtering firewalls against today's attacks. Those of us in the industry have long known that for a firewall to detect modern attack vectors, it needs to be application-aware in some way, as with web app firewalls or proxy-based firewalls.

I also often argue that even traditional packet filtering is still relevant. Traditional packet filtering firewalls allow you to enforce the principle of least privilege at a network level. If systems on the public internet should never be able to route packets to your HR database, then well... enforce it with a firewall.

Ever tried to detect and respond to a so-called "slow and low" attack or an APT that occurred over a sustained period of time, leveraging multiple attack vectors? Having an archive of firewall logs to mine from can make or break you.

These are just two examples of how a traditional firewall still has relevance.

With that said, for non-infosec people, there are still some fundamental misunderstandings out there. I read a blog post recently by the CEO of a small SaaS vendor who explained that their customers need have no fear about the privacy of their data, because there was a packet filtering firewall between the web servers and the database; even going so far as to say that these firewalls are how he "sleeps well at night".

I wrote him a note pointing him to a report published earlier this year detailing web application attack methods and offered the following commentary. I'm reposting it here in the hopes that others with this misconception can learn about the risks and make better decisions to protect their customers' data.

As the browser became the default "client" software to access applications, ports 80 and 443 became the only ports needed to get access to the crown jewels buried deep behind firewalls. Since your sample architecture requires those ports to be open to the internet, the entire chain of firewalls behind them is irrelevant. An attacker only needs to access the web server and trick it into acting on his or her behalf.

But how? A single SQL injection vulnerability in the web application on your web server allows an attacker to submit queries that your packet filters, which are only aware of layer 3 information, happily send straight to the database. The query that an attacker passes to the web server in a query string or form submission would pass through these firewalls, because it would appear to originate from your own web server. From a normal firewall's perspective, the attacker is your own web server, in your network. In your blog post, you are assuming that in order to attack those backend database servers, an attacker would have to actually compromise each server in the chain. Most attacks these days, as this report shows, happen at the application layer. Traditional firewalls still have relevance, but to stop the most prevalent attacks of the day that compromise customer data, they are rendered almost useless.

Then I offered to chat any time if I wasn't making sense or if he needed help rethinking the design.

Btw, he never responded. I wonder how well he's sleeping.
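
The point of the note above, as an added example that is not code from the original post: a modeled packet filter makes the same decision for a normal and an injected form value, and only the way the web application builds the query changes what the database returns. The addresses, port, table and function names are constructed for illustration, and an in-memory SQLite database stands in for the backend.

```python
import sqlite3

# Constructed addresses: the only flow the inner packet filter permits.
WEB, DB = "10.0.1.10", ("10.0.2.20", 5432)
ALLOW = {(WEB, *DB)}

def packet_filter_allows(src_ip, dst_ip, dst_port):
    """All the filter decides on: addresses and port, never the payload."""
    return (src_ip, dst_ip, dst_port) in ALLOW

def make_db():
    # Constructed sample data standing in for customer records.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (owner TEXT, secret TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?)",
                   [("alice", "alice-data"), ("bob", "bob-data")])
    return db

def lookup_vulnerable(db, owner):
    # Input concatenated into the SQL text: the input can change the query.
    sql = "SELECT secret FROM customers WHERE owner = '" + owner + "'"
    return [row[0] for row in db.execute(sql)]

def lookup_parameterized(db, owner):
    # Input bound as a value: it can never become SQL syntax.
    return [row[0] for row in db.execute(
        "SELECT secret FROM customers WHERE owner = ?", (owner,))]

def handle_request(db, form_value, lookup):
    """The web tier: whatever the form held, the query leaves WEB for DB."""
    flow = (WEB, *DB)
    return packet_filter_allows(*flow), lookup(db, form_value)

if __name__ == "__main__":
    db = make_db()
    for value in ("alice", "x' OR '1'='1"):  # constructed form inputs
        for fn in (lookup_vulnerable, lookup_parameterized):
            allowed, rows = handle_request(db, value, fn)
            print(f"{value!r:16} {fn.__name__:22} "
                  f"filter_allows={allowed} rows={rows}")
```

In every case the filter permits the flow, because the source is always the web server; the fix lives in the application's query construction, not in the firewall rule set.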

7 Comments

DCampbell

Traditional firewalls and even the new shiny next generation app aware firewalls will continue to play a supporting role in any well-architected organization's defense in depth strategy for a long time to come, and should not be considered the sole security solution.

Too many organizations treat security like it's a condiment, and sprinkle it on their infrastructure without taking the time to understand the threats they wish to protect against, and that's how they end up with the false sense of security like your example SaaS CEO.

+1
SherrodDeGrippo

I agree with your point here. Just because there are new attack vectors and more sophisticated attempts all the time doesn't mean that traditional packet filtering somehow becomes irrelevant. As long as ports and IP addresses are used, firewalls that help control and protect them will be needed.

+1
Kate Andrea Watson

The Orange County web design agency has experienced this web attack too; some hacker tried to hack the important data and other useful information of the said agency.

-2
billyjorrdan@hotmail.com

Web attacking is very concerning for website owners these days. I'm using Symantec internet security 2012 so far to avoid such threats effectively. Anyway, thanks for raising awareness about such web threats.

+3
kireonstewartpolmer@hotmail.com

I've found this discussion very useful, and the ways mentioned here to defend against web attacks are effective. There are many ways hackers are trying to reach our valuable data. By using a strong security program I think such attacks can be defended against. I'm planning to use the Symantec security system for internet protection. Lots of people recommended this security system to me. Thanks

+3
donafarnando@hotmail.com

Good cooperation! I'm pleased to know about the supportive strategy and I'm hopeful about its efficiency to prevent the threat. Hope site owners will be happy enough with this new invention. Thanks for informing about the security service to avoid trouble.

+1
dickwoolston

As a website owner I've found this strategy to prevent the threat totally effective. I'm now going to use the Symantec security system for internet protection and I strongly believe this will be able to satisfy me. Thanks :)

+1