Benefits of a Reverse Proxy WAF – Revisited

Druckfreundlich, PDF & E-Mail

As a reverse proxy, the Barracuda Web Application Firewall protects all your application's custom code, but it also does lot of other things under the hood, that protects third party software such as application frameworks, middleware, protocols, OS stacks, CMS, etc. Our white paper on reverse proxy benefits, talks about all the application layer security and performance benefits obtained from a reverse proxy architecture. In this post, we will discuss many other benefits you get from this architecture, especially in securing third party software.

Data centers today suffer from a complex sprawl of legacy servers and software. In the face of zero day vulnerabilities, this can be a recipe for panic. Contacting each vendor (whose primary focus might not be security) and getting hotfixes could get painful. In the absence of a quick turnaround, the only choices are to risk business downtime or be vulnerable to a new, well known zero-day that is being actively exploited.

Being a reverse proxy allows the Barracuda Web Application Firewall to shield the vulnerable third party server stacks against zero-day attacks. Moreover, it provides a central control point in the network that provides instant remediation for all such zero day vulnerabilities. Here are a few examples from recent times to illustrate this:


SSL Stack: There has been a spate of attacks against SSL of late. The BEAST attack involved disabling vulnerable block ciphers, CRIME attack that involved disabling SSL compression, Padding Oracle attack that required securing cookies and preventing CSRF, and many others like SSL renegotiation attacks, Lucky 13 etc,. And, the mother of them all, the Heartbleed SSL attack that affected certain versions of OpenSSL last month.

Also, post Snowden and PRISM leaks, concerned users have been increasingly moving to Perfect Forward Secrecy (PFS) ciphersuites. Most server vendors today still do not support this. The long turnaround is often due to the fact that SSL software is not easy to upgrade as many other services are tightly coupled to it. Worse, the server vendor’s business focus may not lie in security but elsewhere.

[Passive security systems such as IPS and span port WAFs cannot be made to work with PFS at all]

We already protect against many of these, and our automated threat feeds immediately provide you a quick way to apply the fixes. You do not have to wait for vendor or OSS fixes or make intrusive hacks in your servers.

Programming Frameworks: Default PHP/Perl installations have been known to have lots of vulnerabilities.The PHP Hash Collision attack targeted collisions in PHP hashtables DoS-ing web applications. Ruby on Rails framework was found to have an SQL Injection vulnerability.

Web Servers: Targeting web servers is a potent attack vector, as a handful of them dominate the Internet. IIS has had several vulnerabilities recently. Apache suffered from Range Header DoS attacks, slowloris, and others. Apache struts has had several attacks in 2013 and this year that including remote command execution and DoS attacks into the classloader.

Content Management Systems: CMS systems like WordPress and Joomla have been repeatedly targeted either directly or via one of the plethora of add-ons available for these. Moreover, its very easy to weaponize these attacks using Google hacking to find sites running vulnerable CMS versions.

SOA frameworks: These suffer from some of the same vulnerabilities as HTTP, but via XML and SOAP protocols. XPath injection, XML parser DoS attacks, etc have been popular in the wild, but the SOA framework vendors have not shown great focus in incorporating security as a core development process.

Network Protocols: Even though the TCP stacks are one of the more mature of all the stacks, they still come up with vulnerabilities now and then, like TCP timestamp DoS, spoofed RST DoS, etc.

Apart from third party vulnerabilities, a new attack vector that is often overlooked are APIs:

Rich APIs: APIs are now becoming more important than the application itself, a by-product of the increasingly API and cloud centric world we live in. However, their security is considered as someone else's problem. Snapchat's API security breach leaked millions of user's names and phone numbers. Disqus had a similar breach in their API. Not to forget, there are no security updates for these as this is your own custom code.

All the above components are widely deployed but hardly anyone questioned their security worthiness, until the vulnerability was exposed. Even the security elite who integrate security in their SDLC focus mainly on their custom code, but assume the underlying frameworks to be secure.

These are just a few examples for vulnerabilities in third party software that are easily remediated by the Barracuda Web Application Firewall. The great thing about this is, that you are already protected by a majority of these and for others you get the quickest time to remediation from our award winning customer services and support.

Nach oben scrollen