ASFWS – Bee Ware WAF

Slides available on http://asfws12.files.wordpress.com/2012/11/yverdon-2012-secweb-analyse-tech-vs-contextuelle.pdf

This talk from Matthieu Estrade (CTO of Bee Ware), entitled officially “Sécurité des application web, analyse technique versus analyse contextuelle” was in fact a kind of sales pitch for Bee Ware, a special kind of Web Application Firewall (WAF). Compass Security has an extensive knowledge about leading WAF products in the German part of Switzerland (think of AirLock, Secure Entry Server or Nevis) but I never heard of Bee Ware until then. Let’s try to understand the idea of this product which obviously never crossed the “Rösti Graben” (yet).

The first part of the presentation focused on the current challenges you have when using “standard” WAFs based on a technical analysis of the request. Depending on the application you may end up with having numerous false positives handled by less trained security engineers not aware of what is relevant to the protected web application. The race between defenders and attackers is endless and pattern blacklisting will always run behind innovative attackers. Furthermore, the quality and the attack surface of web applications vary a lot and taking an informed decision isn’t easy. While getting everything right is possible, it involves a good communication between all stakeholders of a project which unfortunately is not often the case.

This is where the idea behind Bee Ware comes into play. Instead of focusing on technical aspects only, Bee Ware includes a contextual analysis of the requests and all previously related interactions. Therefore, the focus is put on the lower two percent of abnormal web traffic, not matching the usual usage pattern. Several agents analyze each request and keep track of a score per “client” based on the algorithms used by ants to find an optional way. Some agents are of very technical nature, e.g. ensuring the claimed user-agent by the client really is sending HTTP headers as expected. Another agent may track the navigation habits and timing, ensuring pages get viewed on a reasonable rhythm, loading all resources (e.g. pictures) adequately. Yet another agent will assess the navigation path, detecting uncommon navigation pattern (e.g. direct POST on a form before a GET is done or direct access to a hidden feature). Other possible information may base on geographical region (e.g. Russian customer for a local French bank) or on used OS/browser for an intranet which is only accessible over managed machines. All these agents return a score to the engine which correlates them and decides if the client is genuine, suspicious or considered as an identified offender.

New resources will be considered with a high degree of vigilance at the beginning but once a standard usage pattern got learned, the vigilance level is reduced unless other agents signal uncommon properties. For security analysts this kind of WAF may become a challenge as identical requests issued at different times – and therefore different levels of client reputation – will yield different results.