One of the things that I constantly run into is that of security engineers trying to thwart web application attacks with network security equipment (such as IDS/IPS, AV signatures, etc).
A recent example regarded a SQL Injection attack on a web server. This particular entity has a very healthy multi-vendor network security perimeter, and felt that the gear in place was sufficient to both catch and stop a SQL Injection attack.
The really uncomfortable part about the whole thing was listening to the guy describe how he claimed to eventually stop it–by getting his IPS vendor to provide a “SQL Injection” signature. I was amazed….trying to deal with a Layer 7 issue using Layer 3 tools!!
This approach of course will not work (at least not for a determined hacker), what with the various encoding options, numerous ways to perform a SQL Injection attack, IPS signature evasion and the like.
The real issue at hand is how to address web application security attacks. Certainly, using a Web Application Firewall (WAF) in addition to the retro-firewall, but thats sort of like putting up an invisible dog fence to stop all dogs from crossing the line–its the wrong approach, and only deals with a portion of the issue (YOUR dog in this poorly-constructed example).
What was needed in this case was to address the issue of why a SQL Injection vulnerability was there in the first place–bad coding. User or URL-supplied input variables must be sanitized before injected into the SQL query, stored procedures used wherever possible, and -of course- DB permissions must be carefully handed out.
I rarely use the OSI model any more, but it has it’s value. Whether its real or made-up, the point is to address the security issue at the proper level. We need to start moving away from the idea that network security alone will protect our applications.
For a differing view, read RSnake’s post from way back in 2006 here. Although I agree with the viewpoint, the idea is to deal with the problem at the appropriate level. Most web attacks do occur at multiple theoretical OSI models, and -as such- require multiple defense strategies.
Perhaps we need a new model?