Dell SonicWall SRA 4200 Administrator's Manual page 61

Sra 6.0
Name: A7 - Broken Authentication and Session Management
Description: Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users' identities.

Name: A8 - Insecure Cryptographic Storage
Description: Web applications rarely use cryptographic functions properly to protect data and credentials. Attackers use weakly protected data to conduct identity theft and other crimes, such as credit card fraud.

Name: A9 - Insecure Communications
Description: Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.

Name: A10 - Failure to Restrict URL Access
Description: Frequently, an application only protects sensitive functionality by preventing the display of links or URLs to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations by accessing those URLs directly.

Slowloris Protection
In addition to the top ten threats listed above, Web Application Firewall protects against Slowloris HTTP Denial of Service attacks. This means that Web Application Firewall also protects all the backend Web servers against this attack. Many Web servers, including Apache, are vulnerable to Slowloris. Slowloris is especially effective against Web servers that use threaded processes and limit the amount of threading allowed.
Slowloris is a stealthy, slow-acting attack that sends partial HTTP requests at regular intervals to hold connections open to the Web server. It gradually ties up all the sockets, consuming sockets as they are freed up when other connections are closed. Slowloris can send different host headers, and can send GET, HEAD, and POST requests. The string of partial requests makes Slowloris comparable to a SYN flood, except that it uses HTTP rather than TCP. Only the targeted Web server is affected, while other services and ports on the same server are still available. When the attack is terminated, the Web server can return to normal within as little as 5 seconds, making Slowloris useful for causing a brief downtime or distraction while other attacks are initiated. Once the attack stops or the session is closed, the Web server logs may show several hundred 400 errors.
For more information about how Web Application Firewall protects against the OWASP top ten and Slowloris types of attacks, see the "How Does Web Application Firewall Work?" section on page 63.

Offloaded Web Application Protection
Web Application Firewall can also protect an offloaded Web application, which is a special purpose portal created to provide seamless access to a Web application running on a server behind the SRA appliance. The portal must be configured as a virtual host. It is possible to disable authentication and access policy enforcement for such an offloaded host. If authentication is enabled, a suitable domain needs to be associated with this portal and all Dell SonicWALL advanced authentication features such as One Time Password, Two-factor Authentication, and Single Sign-On apply to the offloaded host.

Application Profiling
Starting in SRA 5.5, Application Profiling (Phase 1) allows the administrator to generate custom rules in an automated manner based on a trusted set of inputs. This is a highly effective method of providing security to Web applications because it develops a profile of what inputs are acceptable by the application. Everything else is denied, providing positive security enforcement. This results in fewer false positives than generic signatures, which adopt a negative security model. When the administrator places the device in learning mode in a
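The Slowloris section above describes the mechanism (partial headers sent at intervals keep a thread-limited server's sockets busy) but not the defence. The following is an added illustration, not SonicWALL code and not a description of how the appliance implements its protection: it models a small threaded server's connection table and shows why a bounded header-read deadline matters. Every name in it (Connection, ConnectionTable, simulate, the timings and the pool size) is a constructed assumption.

```python
"""Model of a header-read deadline as a Slowloris mitigation (added example).

Two runs of the same constructed scenario: slow clients that never finish
their request headers fill a small connection pool, then a legitimate client
arrives. With a finite deadline the half-open connections are reaped and the
legitimate request is served; with no deadline the pool stays exhausted.
"""
from dataclasses import dataclass, field

HEADER_DEADLINE_S = 20.0   # assumption: max seconds allowed to complete request headers
MAX_CONNS = 8              # assumption: tiny thread pool, like a thread-limited Apache


@dataclass
class Connection:
    peer: str
    opened_at: float
    buffer: bytes = b""
    complete: bool = False

    def feed(self, data: bytes) -> None:
        """Append received bytes; headers are complete once the blank line arrives."""
        self.buffer += data
        if b"\r\n\r\n" in self.buffer:
            self.complete = True


@dataclass
class ConnectionTable:
    capacity: int = MAX_CONNS
    deadline: float = HEADER_DEADLINE_S
    conns: dict = field(default_factory=dict)
    _next_id: int = 0
    rejected: int = 0    # accepts refused because the pool was full
    timed_out: int = 0   # connections closed for not completing headers in time

    def accept(self, peer: str, now: float):
        """Admit a connection if a slot is free; return its id, or None if refused."""
        if len(self.conns) >= self.capacity:
            self.rejected += 1
            return None
        cid = self._next_id
        self._next_id += 1
        self.conns[cid] = Connection(peer, now)
        return cid

    def reap(self, now: float) -> list:
        """Close every connection whose headers are still incomplete past the deadline."""
        expired = [cid for cid, c in self.conns.items()
                   if not c.complete and now - c.opened_at > self.deadline]
        for cid in expired:
            del self.conns[cid]
            self.timed_out += 1
        return expired


def simulate(header_deadline: float, slow_clients: int = MAX_CONNS) -> dict:
    """Run the constructed scenario and report whether the legitimate client was served."""
    table = ConnectionTable(deadline=header_deadline)
    # t = 0: slow clients open one connection each and send only a request line.
    slow_ids = [table.accept(f"10.0.0.{i}", 0.0) for i in range(slow_clients)]
    for cid in slow_ids:
        table.conns[cid].feed(b"GET / HTTP/1.1\r\n")
    # Every 10 s the server reaps stale connections, then each slow client that is
    # still connected sends one more header line but never the terminating blank line.
    for now in (10.0, 20.0, 30.0):
        table.reap(now)
        for cid in slow_ids:
            if cid in table.conns:
                table.conns[cid].feed(b"X-Keep: busy\r\n")
    # t = 30: a legitimate client sends a complete request in one go.
    legit = table.accept("192.0.2.10", 30.0)
    if legit is not None:
        table.conns[legit].feed(b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
    served = legit is not None and table.conns[legit].complete
    return {"legit_served": served, "timed_out": table.timed_out,
            "rejected": table.rejected}


if __name__ == "__main__":
    print("with deadline:   ", simulate(HEADER_DEADLINE_S))
    print("without deadline:", simulate(float("inf")))
```

The model is deliberately one-sided: it does not reconnect the slow clients after they are reaped, because the point is only that a deadline bounds how long any single partial request can occupy a thread. On a real Apache host the equivalent knob is mod_reqtimeout's RequestReadTimeout; an in-line WAF such as the one described here gives the same effect for every backend at once, which is what the "protects all the backend Web servers" sentence refers to.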
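The Application Profiling paragraph describes a positive security model: learn what inputs the application actually receives from a trusted set, then deny everything else. The block below is an added example of that idea in miniature; it is not SonicWALL's Application Profiling implementation, and the profile it learns (per path: which parameters exist, the widest character class each value used, and the longest value seen) is a constructed simplification. All names, paths and sample requests are assumptions.

```python
"""Positive-security profile learned from trusted requests (added example)."""
import re
from urllib.parse import urlsplit, parse_qsl

# Character classes from narrowest to widest. A value is assigned the first class
# that admits it; the profile remembers the widest class seen per parameter.
CHAR_CLASSES = [
    ("digits", re.compile(r"[0-9]+")),
    ("alnum", re.compile(r"[A-Za-z0-9_-]+")),
    ("text", re.compile(r"[A-Za-z0-9 ._@-]+")),
]
RANK = {name: i for i, (name, _) in enumerate(CHAR_CLASSES)}
RANK["any"] = len(CHAR_CLASSES)   # nothing narrower matched


def classify(value: str) -> int:
    """Rank of the narrowest character class that admits the whole value."""
    for name, rx in CHAR_CLASSES:
        if rx.fullmatch(value):
            return RANK[name]
    return RANK["any"]


class AppProfile:
    def __init__(self):
        # path -> {parameter name -> [widest class rank seen, longest value seen]}
        self.paths = {}

    def learn(self, url: str) -> None:
        """Learning mode: widen the profile so that this trusted request fits."""
        parts = urlsplit(url)
        params = self.paths.setdefault(parts.path, {})
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            entry = params.setdefault(name, [0, 0])
            entry[0] = max(entry[0], classify(value))
            entry[1] = max(entry[1], len(value))

    def check(self, url: str):
        """Enforcement: allow only what the profile has seen; deny everything else."""
        parts = urlsplit(url)
        if parts.path not in self.paths:
            return False, f"unlearned path {parts.path}"
        params = self.paths[parts.path]
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if name not in params:
                return False, f"unlearned parameter {name}"
            max_rank, max_len = params[name]
            if classify(value) > max_rank:
                return False, f"{name}: value outside learned character class"
            if len(value) > max_len:
                return False, f"{name}: value longer than learned maximum ({max_len})"
        return True, "matches profile"


# Constructed trusted learning set, standing in for traffic captured in learning mode.
TRUSTED_REQUESTS = [
    "/catalog/item?id=1042",
    "/catalog/item?id=7",
    "/search?q=blue%20widget&page=2",
    "/search?q=wrench&page=10",
]


def build_profile(trusted=TRUSTED_REQUESTS) -> AppProfile:
    profile = AppProfile()
    for url in trusted:
        profile.learn(url)
    return profile


if __name__ == "__main__":
    profile = build_profile()
    for url in ("/catalog/item?id=2048",        # allowed: digits, within length
                "/catalog/item?id=abc",         # denied: wider class than learned
                "/catalog/item?id=5&debug=1",   # denied: parameter never learned
                "/admin"):                      # denied: path never learned
        print(url, "->", profile.check(url))
```

The example also shows the trade-off the paragraph hints at with "trusted set of inputs": a profile learned from incomplete or untrusted traffic either denies legitimate requests (the learning set missed them) or admits bad ones (the learning set contained them), so the quality of the learning period decides the quality of the generated rules.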
SRA Overview | 61