[AusNOG] web App firewalls.
Dobbins, Roland
rdobbins at arbor.net
Thu May 27 17:07:23 EST 2010
On May 27, 2010, at 1:35 PM, Pinkerton, Eric wrote:
> IMHO The attached Presentation (and I realise that this isn't your work) represents at best a blinkered view of security appropriate to a particular environment.
Actually, it represents the consensus of the global Internet operational security community - note that there are no stateful firewalls in front of any of the well-known Web sites a) you regularly visit and b) which exhibit little or no downtime. However, one often finds stateful firewalls in front of Web sites which exhibit a high degree of downtime.
;>
Stateful inspection in front of servers, where *by definition, every connection is unsolicited, and there is therefore no state to track in the first place*, makes no sense.
There simply isn't a rational case to be made for inserting a stateful firewall in front of any client-facing server anywhere, anytime, under any circumstances. Stateful firewalls in front of servers mitigate no risks which can't be more easily and appropriately mitigated by other means, while greatly expanding both vulnerability to DDoS as well as the exploit attack surface via poorly-written 'inspectors', which are regularly found to have compromise-level vulnerabilities as evidenced by the ongoing security vulnerability notices associated with said stateful firewalls.
Server security is a function of architecture, of policy, of hardening the OS, of hardening the apps/services running on said OS, and enforcing network access policy via stateless ACLs in router/layer-3 switch hardware. Stateful firewalls contribute nothing to server security policy, and actively detract from it.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
Injustice is relatively easy to bear; what stings is justice.
-- H.L. Mencken
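
A toy model of the argument in the message above, added here as an illustration and not part of the original post: the same permit policy enforced statelessly per packet and by a device that allocates a table entry for every new flow. The addresses (documentation ranges), table size and traffic are constructed, and the model assumes table entries do not expire while the flood is in progress.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport proto")

# Constructed policy: the server exposes only HTTP and HTTPS (implicit deny).
SERVER = "192.0.2.10"
ACL = {("tcp", SERVER, 80), ("tcp", SERVER, 443)}

def stateless_permit(pkt):
    """Per-packet decision from header fields only; keeps no memory."""
    return (pkt.proto, pkt.dst, pkt.dport) in ACL

class StatefulFirewall:
    """Same policy, but every permitted new flow consumes a table entry."""
    def __init__(self, table_size):
        self.table_size = table_size
        self.table = set()

    def permit(self, pkt):
        if not stateless_permit(pkt):
            return False
        if pkt in self.table:
            return True
        if len(self.table) >= self.table_size:
            return False  # table full: new flows dropped, legitimate or not
        self.table.add(pkt)
        return True

def simulate(table_size=1000, flood=5000, legit=100):
    """Unsolicited flows from many sources arrive first, then real clients."""
    fw = StatefulFirewall(table_size)
    for i in range(flood):
        fw.permit(Packet(f"198.51.100.{i % 250}", 1024 + i, SERVER, 80, "tcp"))
    clients = [Packet(f"203.0.113.{i}", 40000 + i, SERVER, 443, "tcp")
               for i in range(legit)]
    ssh_probe = Packet("203.0.113.5", 5555, SERVER, 22, "tcp")
    return {
        "stateless_legit_permitted": sum(stateless_permit(p) for p in clients),
        "stateful_legit_permitted": sum(fw.permit(p) for p in clients),
        "stateful_table_entries": len(fw.table),
        "stateless_blocks_ssh": not stateless_permit(ssh_probe),
    }

if __name__ == "__main__":
    print(simulate())
```

Both enforce the identical access policy; only the stateful model has a finite resource that inbound connection attempts can fill.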