What's Wrong with Application Firewalls?

Well, there's nothing wrong with application firewalls, and there's everything wrong with application firewalls.

The nothing - they do limit some of the nassty stuff that haxxor try to put into your website. They're particularly good at getting some of the SQL Injection and some of the HTML Injection (although, with RSnake's research, that amount could be dwindling even more.

So what's the everything wrong with them?

  • For them to be effective, you have to break SSL. Which means that, to get a wide coverage, you have to break SSL really early, or install many firewalls closer to the web servers.
  • Input filtering for the types of semantic issues that application firewalls typically find is inadequate. (See another post on the matter).
  • They're really only good for dealing with semantic issues. The application firewall people will try to convince you that most application flaws are semantic - HTML injection or SQL injection, but that's only because the semantic flaws are the most evident in IDS systems - because logical flaws are completely legitimate in every other regard.
And my real grief with application firewalls is that they tend to make the developers not responsible for their own work. If the firewall is supposedly doing all the work, then there's no reason for developers to do a good job. The problem is, the application firewalls don't do a particularly good job, either, which will give the project a false sense of security.

Further, because of variances in allowable input, exceptions have to be coded into the application firewall (to allow for people with the last name of O'Grady, or for mathematical assertions like 2+2 !> 5). If those exceptions have to be allowed into the application firewall, why not just allow those exceptions in the application?

I'm not an expert on all of the application firewalls out there, but tell me if any of them can stop an XSRF attack (completely legitimate request, by completely legitimate users), or a privilege escalation because of key exposure (what's the firewall going to do, change the key exposure on egress?)

My apologies to any application firewall vendors out there. I know they're your bread and butter, but please don't keep the programmers from earning theirs.