Network World
The leader in network knowledge | www.nwfusion.com
August 18, 2003 | Volume 20, Number 33

Radware Exhibit 1015

Get details in our exclusive 10G Ethernet editorial supplement. Coverage begins after page 26.

RBOCs & cable wage turf war

BY JIM DUFFY

Time was you would buy TV service from your cable company, telephone service from your phone company, and that was that.

But now cable companies are offering phone services at hard-to-pass-up prices, while phone companies are fighting back with plans for TV services delivered through brand-new agreements with leading satellite TV providers.

The heated competition between regional Bell operating companies and cable companies shows no signs of abating as the rivals invade each other's turf with "triple play" (voice, data and video) service bundles designed to attract new customers and retain old ones. Throw wireless services into the mix and the prospects for even fiercer battles, and even more aggressively priced service packages, loom.

"A driving factor in our success continues to be our bundling strategy," said Cox Communications President and CEO Jim Robbins during the company's earnings announcement last month. "Today nearly one-third of our customers buy multiple services."

The chief business beneficiaries of this budding competition are home office workers and very small companies, customers the RBOCs covet as much as the millions of residential users.

"We take [cable competitors] very seriously," says Mark Pitchford, senior vice president of consumer marketing at Qwest. The carrier does not divulge numbers, but has seen line loss to cable operators in some of its larger metropolitan markets.

Such encroachment by cable operators in RBOC territory is just beginning and is likely to last a long time, analysts say.

"Cable competition is the greatest threat to Bell franchises," says John Hodulik, an analyst at UBS Warburg, who says he believes
See RBOCs, page 10

HP prepping all-in-one server mgmt. software

BY JENNIFER MEARS AND DENI CONNOR

HP is readying server management software that should give users control of Unix, Linux and Windows machines from a single console, a capability analysts say will be particularly important as businesses consolidate workloads to boost efficiencies in their data centers.

The software, code-named Nimbus, will be the first integrated tool from a systems vendor that handles the nitty-gritty of server management regardless of platform, from updating server BIOS and driver agents to
See Nimbus, page 12

Lessons from leading users: North Bronx Healthcare Network

Bronx hospital leaps to 10G

BY PHIL HOCHMUTH

The good news was that the LAN at the North Bronx Healthcare Network was predictable; unfortunately, that was the bad news, too.

With zero network downtime in five years, the Cisco-based LAN was "a phenomenally stable environment," says Dan Morreale, CIO at NBHN. But doctors and nurses using the system also could count on phenomenal delays when using applications over the healthcare provider's 10M bit/sec hubs and Fast Ethernet backbone. In fact, when running network applications, some NBHN staff members were known for giving computer screens that old familiar cheer for which this New York borough is famous.

"Clinicians were waiting 4 or 5 seconds or more for a response from the network" when using certain applications, Morreale says. "That wasn't going to fly."

A standard prescription for such a network problem might call for a Gigabit Ethernet upgrade. Instead, NBHN is skipping a step in the traditional migration
See Bronx, page 11

Latest worm puts focus on patch woes

BY ELLEN MESSMER AND JOHN FONTANA

The Blaster worm that last week infiltrated hundreds of thousands, if not millions, of Windows-based computers once again highlighted the IT community's inability to plug software holes even when they have been detected and patches have been issued.

As Network World went to press late Friday, Microsoft was preparing for what was supposed to be a denial-of-service
See Blaster, page 15

SOFTWARE-BASED WEB APPLICATION FIREWALLS: AppShield edges InterDo in battle of software that filters Port 80 traffic. Page 48.

SOFTWARE-BASED WEB APPLICATION FIREWALLS

AppShield edges InterDo in battle of Port 80 filters

BY THOMAS POWELL, NETWORK WORLD GLOBAL TEST ALLIANCE
`
Traditional firewalls, when properly configured and managed, do a good job of thwarting many network-level attacks, but do little to address gaping holes in Web applications, where intruders commonly attack Web sites directly through form submissions or URL manipulations.

A new class of products, often dubbed Web application firewalls, attempts to thwart Port 80-focused attacks by using blacklist- and whitelist-style input filtering. We examined six software-based offerings: eEye Digital Security's SecureIIS, KaVaDo's InterDo, MultiNet's iSecureWeb, Sanctum's AppShield, Turillion Software's eServer Secure and webScurity's webApp.secure. We tested all the products on Microsoft's Internet Information Services (IIS), but most also work with Linux and Apache. A future review will cover hardware-based products.

InterDo and AppShield stood above the rest in terms of ability to defend against attacks and suitability for large-scale Web site deployments. While extreme flexibility is the key to InterDo, the dynamic policy generation and strong default configuration of AppShield gave it a slight edge in our evaluation and earned it our World Class award.
`
Common attack methods come into play

To understand Web application firewalls you have to understand what they attempt to defend against. The most basic application attacks modify an HTTP request to cause a problem on the server or force it to divulge useful information. Generic attacks might use long URLs to trigger buffer overruns, attempt to traverse out of the site's root directory to run trusted commands, or exploit extended HTTP features that support online collaboration, such as WebDAV. WebDAV (Web-based Distributed Authoring and Versioning) is an extension of HTTP that lets users collaborate via the Internet.

More sophisticated attacks rely on knowledge of how the Web application works. In database-driven sites using dirty URLs like http://www.sitename.com/app.asp?id=5, SQL commands might be appended to the URL in an attempt to dump useful data or gain write access to the back-end database. Forms also might be open to SQL injection, tampering with hidden data fields and manipulation of maximum data size limitations, which can lead to buffer-overrun problems. Given the multitude of possible attack methods, any data from the user, be it a simple HTTP request, URL or form submission, should not be trusted implicitly.
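The dirty-URL attack just described, as an added example that is not code from the review or from any of the products it covers: a Python stand-in (sqlite3 in memory, with an invented products table) for the app.asp?id=5 page, showing the spliced-in query being dumped with a tautology and a UNION, beside the parameterized lookup that the article's conclusion argues belongs in the application itself. The URLs, table and rows are constructed for the demonstration.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit


def make_db():
    """Constructed stand-in for the back-end table behind a page such as
    http://www.sitename.com/app.asp?id=5; the rows are invented."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(5, "widget", "public"), (6, "gadget", "internal-only"), (7, "gizmo", "internal-only")],
    )
    return conn


def id_from_url(url):
    """Return the raw 'id' query parameter exactly as the client sent it (URL-decoded)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("id", [""])[0]


def lookup_vulnerable(conn, url):
    """The dirty-URL pattern the review warns about: the parameter is spliced
    straight into the SQL text, so whatever follows 'id=' becomes part of the query."""
    sql = "SELECT id, name FROM products WHERE id = " + id_from_url(url)
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, url):
    """The application-level fix: validate the field, then pass it as a bound
    parameter so the database never interprets it as SQL. Binding alone already
    defeats the injection; the isdigit() check turns junk into a clean error
    instead of a silently empty result."""
    raw = id_from_url(url)
    if not raw.isdigit():
        raise ValueError("id must be a non-negative integer, got %r" % raw)
    return conn.execute("SELECT id, name FROM products WHERE id = ?", (int(raw),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    normal = "http://www.sitename.com/app.asp?id=5"
    tautology = "http://www.sitename.com/app.asp?id=5%20OR%201%3D1"
    union = "http://www.sitename.com/app.asp?id=5%20UNION%20SELECT%20id,%20secret%20FROM%20products"
    for url in (normal, tautology, union):
        print(url, "->", lookup_vulnerable(db, url))   # the last two dump every row
    for url in (normal, tautology):
        try:
            print(url, "->", lookup_parameterized(db, url))
        except ValueError as err:
            print(url, "-> rejected:", err)
```

The tautology returns every row and the UNION pulls the secret column into the result set, neither of which any Port 80 filter can distinguish from a legitimate query without a signature; the parameterized version needs no signature at all.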
`
Divergent defensive strategies

To combat potential exploits, a Web application firewall will take one of two approaches. A negative-model or blacklist product looks for common attack signatures and warns the administrator or blocks the user when it encounters one. A positive-model or whitelist firewall determines all the allowable requests and inputs and disallows everything else. Some products try to blend the two approaches, but, essentially, all the products tested emphasize either a positive or a negative model.

A few of the products also addressed common Web server information-leakage issues such as masking server headers or sending back generic or configurable error pages. It was disconcerting, however, to see how easy it was to identify some of the application firewall products via hard-coded error pages or telltales (some signature response that is different enough for the intruder to know what kind of tool is in play) in response headers. Trying to improve security simply by obscuring potentially dangerous information is not true security, but such blatant information leakage seems foolish in a security product and fails to address the well-known fact that reconnaissance is a key part of successful intrusion strategies.

These tested products spread an obvious spectrum of cost vs. functionality. Those employing the positive model generally are more expensive and sophisticated than the products that use the negative-model approach (see pricing in the Net Results box, page 49). Another key cost factor is the underlying architecture. eServer Secure appears intended for single-server implementations, while AppShield, InterDo and webApp.secure serve more as proxies, capable of protecting multiple servers. Higher-end products AppShield and InterDo also possess remote-management capabilities and distributed architectures, features designed with server farm deployments in mind.
`
`
`
Sanctum's AppShield edged out the competition as our World Class award winner because of its dynamic policy generation and strong default configuration.

Raise your AppShield

Sanctum's AppShield boasts a fully distributed architecture designed for server farm deployments. Components include a crisp Java-based management console, a configuration server (MySQL is used for database support) and one or more firewall nodes.

AppShield uses a positive model built around what Sanctum calls its Dynamic Policy Recognition Engine. Outgoing pages are scanned and the appropriate whitelist of allowable inputs is constructed accordingly. Such dynamic policy generation is a considerable help in getting the product up and running quickly, and in maintaining security policies as the site or application changes. The general policy defaults put in place when one chooses the desired security level are easily loosened by browsing or crawling the site from a trusted IP address if you find that the default level is too strict for a site or application.
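To make the negative-model/positive-model distinction from the "Divergent defensive strategies" section concrete, and to show what AppShield-style dynamic policy generation from outgoing pages amounts to, here is an added Python example (not code from the review or from any vendor). The blacklist side is a handful of signatures applied after URL-decoding; the whitelist side is built by parsing a constructed HTML page for its links and form fields, then checking requests against that map. The page, the requests and the signature list are all invented for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, unquote

# --- Negative model: a blacklist of attack signatures (deliberately tiny) ---
SIGNATURES = [
    ("directory traversal", re.compile(r"\.\./")),
    ("sql injection", re.compile(r"(?i)\bor\b\s+\d+\s*=\s*\d+|\bunion\b\s+select\b|--")),
]
MAX_URL_LENGTH = 1024


def blacklist_verdict(method, url, body="", decode=True):
    """Name of the first matching signature, or None to let the request through.
    URL-decoding before matching matters: an attacker who writes %2e%2e/ instead
    of ../ walks straight past a blacklist that only looks at the raw bytes."""
    if len(url) > MAX_URL_LENGTH:
        return "long url"
    text = url + " " + body
    if decode:
        text = unquote(text)
    for name, pattern in SIGNATURES:
        if pattern.search(text):
            return name
    return None


# --- Positive model: a whitelist learned from the outgoing page ------------
class PageLearner(HTMLParser):
    """Scans an outgoing HTML page the way a dynamic policy engine would: which
    links may be followed next and, per form action, the expected fields with
    any hidden value and maxlength."""

    def __init__(self):
        super().__init__()
        self.links = set()
        self.forms = {}      # action -> {field: (hidden value or None, maxlength or None)}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and "href" in a:
            self.links.add(a["href"])
        elif tag == "form":
            self._current = self.forms.setdefault(a.get("action", ""), {})
        elif tag == "input" and self._current is not None and "name" in a:
            hidden = a.get("value") if a.get("type") == "hidden" else None
            maxlength = int(a["maxlength"]) if "maxlength" in a else None
            self._current[a["name"]] = (hidden, maxlength)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def learn_policy(html):
    learner = PageLearner()
    learner.feed(html)
    learner.close()
    return learner


def whitelist_verdict(policy, method, url, body=""):
    """Allow only what the page offered: a link the user could have clicked, or a
    form submission whose fields match what the page emitted."""
    if method == "GET":
        return None if url in policy.links else "url not in navigation map"
    fields = policy.forms.get(url)
    if fields is None:
        return "form action not on page"
    for name, values in parse_qs(body, keep_blank_values=True).items():
        if name not in fields:
            return "unexpected field %s" % name
        hidden, maxlength = fields[name]
        if hidden is not None and values[0] != hidden:
            return "hidden field %s tampered" % name
        if maxlength is not None and len(values[0]) > maxlength:
            return "field %s exceeds maxlength" % name
    return None


# Constructed sample page and requests; none of this comes from the review.
SAMPLE_PAGE = """<html><body>
<a href="/app.asp?id=5">widget</a> <a href="/cart.asp">cart</a>
<form action="/order.asp" method="post">
  <input type="hidden" name="price" value="19.99">
  <input type="text" name="qty" maxlength="3">
  <input type="submit" value="Order">
</form></body></html>"""

SAMPLE_REQUESTS = [
    ("GET", "/app.asp?id=5", ""),                          # legitimate click
    ("GET", "/app.asp?id=5%20OR%201=1", ""),               # SQL injection in the URL
    ("GET", "/%2e%2e/%2e%2e/winnt/system32/cmd.exe", ""),  # encoded directory traversal
    ("GET", "/admin.asp", ""),                             # forceful browsing
    ("POST", "/order.asp", "price=0.01&qty=2"),            # hidden-field tampering
    ("POST", "/order.asp", "price=19.99&qty=9999"),        # maxlength exceeded
]


def compare_models(policy, requests=SAMPLE_REQUESTS):
    """Both models over the same requests: (request, blacklist verdict, whitelist verdict)."""
    return [(m + " " + u, blacklist_verdict(m, u, b), whitelist_verdict(policy, m, u, b))
            for m, u, b in requests]


if __name__ == "__main__":
    for row in compare_models(learn_policy(SAMPLE_PAGE)):
        print(row)
```

Running it shows each model's blind spot: the blacklist never notices the hidden price field changing from 19.99 to 0.01 or the request for /admin.asp, while the whitelist rejects both, but only because the page was crawled first; and the encoded traversal passes the blacklist if decode=False, which is why normalization before matching matters.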
AppShield has a "passive mode" that logs but does not block requests that would violate policy. This mode lets policies be tested, and the administrator can modify them selectively in real time by right-clicking the request that is in violation. If there are multiple AppShield nodes deployed in a server farm, the passive-mode role could be permanently given to a single node. That node could then serve as a monitor or honeypot for the entire farm. In general, AppShield gets high marks for ease of configurability.

AppShield's dynamic policy generation worked well to prevent forceful browsing by automatically restricting traffic patterns to legitimate navigation paths and limiting form-field tampering. AppShield's default policies were also more restrictive than those of the other products tested when it came to preventing simple SQL injection. The default policies also block standard attacks such as buffer overruns, directory traversals and suspicious URLs. For preventing repeated attacks that violate security policies, AppShield can notify a Check Point firewall using the Open Platform for Security (OPSEC) standard that a particular IP address should be blocked at the network level.

Customizable error pages are provided, but there are some shortcomings. Although the error page is passed with an HTTP reason code to display, the page itself is retrieved using a redirect, meaning that the underlying HTTP response code is always a 302 (a redirect) followed by a 200 (OK), not the code that reflects the actual state of the response. Like many of the firewalls, AppShield runs fast and loose with HTTP response codes, which is troubling from a standards-compliance standpoint and raises the possibility that potential hackers might fingerprint the security software in place from nonstandard responses.
On a side note, AppShield takes advantage of being a proxy to provide some interesting security-oriented features that go beyond the usual menu of application firewall options: URL mapping (including regular-expression matching) and the ability to globally prohibit direct downloading of image and multimedia files, often dubbed "leeching." This interesting feature suggests the possibility of application firewalls eventually merging with authorization and access-control functionality to provide a complete application security framework.
`
InterDo can do

"Strict password requirements and multi-level administrative rights show InterDo is serious about keeping its house in order."

KaVaDo's InterDo was designed with a large distributed deployment in mind. One or more server nodes communicate with the Java-based management console via built-in Secure Sockets Layer (SSL) encryption, a feature none of the competing products equal. The application server nodes run as a set of services (in the Windows environment). Although there is no central configuration server, administration of all nodes can be done from a single console. Strict password requirements and the ability to set up multiple users with different administrative privileges show that InterDo is serious about keeping its own house in order while supplying security for the Web application.

InterDo uses a positive-model approach with some novel architectural concepts. Trusted and untrusted zones are joined by what KaVaDo calls "tunnels," an abstraction describing a connection between trusted and untrusted IP address and port combinations. Within the metaphor of a tunnel, security policies are segregated into functional areas called "pipes," several of which can be combined within a single tunnel and selectively applied to one or more applications in a configurable order of precedence. Examples of pipes include general vulnerabilities (URL, header and entity pattern matches), database issues (parameter screening), cookies and HTTP methods. Default pipes do a good job with
`
common buffer overruns, directory traversals and SQL injection. The default settings did not stop form manipulations, but it is possible to set up custom tunnels and rules to catch them.

InterDo gives administrators a great deal of flexibility in configuring security policies, more so than any other product we tested. On the downside, initial configuration is nowhere near as easy as AppShield's and is probably best undertaken only after reading the manual very carefully.
There is a "lean mode" that lets administrators monitor and selectively modify certain pipes in real time; requests that run afoul of the security policies are blocked while these refinements are made. This is a safe and helpful way to manage the complexity of configuring multiple pipes.
Another helpful management feature is the update service that can securely update pipes in real time using SSL and digital signatures.

InterDo has an IP-blocking feature that temporarily prevents continued access from visitor IP addresses that have generated enough security policy violations to constitute a suspect pattern of malicious behavior. Suspect attackers are given a security score (high, medium or low) and blocked for varying durations. The response to further requests from a blocked IP address is simply a dropped connection, but it might be better, especially for Level 1 attacks, to have the option to show the possibly malicious user a configurable message. For those with a Check Point firewall, InterDo is also OPSEC-compatible for firewall-based network blocking.
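InterDo's scoring and timed blocking, as an added Python example (not KaVaDo's code; the thresholds, block durations and the 300-second window are invented for the demonstration): violations are kept per IP address with their severity, the highest severity whose threshold the recent history meets decides the block duration, and a blocked address gets either a dropped connection or, for a low-severity block, the configurable message the review suggests.

```python
from collections import defaultdict, deque

# Constructed policy, not InterDo's actual values: how many violations of at
# least a given severity within WINDOW_SECONDS trigger a block, and for how long.
WINDOW_SECONDS = 300
THRESHOLDS = {"high": 1, "medium": 3, "low": 5}
BLOCK_SECONDS = {"high": 3600, "medium": 600, "low": 60}
RANK = {"low": 1, "medium": 2, "high": 3}


class ViolationTracker:
    """Per-address violation history with timed blocking. Time is passed in
    explicitly (seconds) so the behaviour is deterministic and testable."""

    def __init__(self):
        self.history = defaultdict(deque)   # ip -> deque of (time, severity)
        self.blocks = {}                    # ip -> (expires_at, severity)

    def record(self, ip, severity, now):
        """Log one policy violation; return the severity level of the block it
        triggered, or None if the address stays unblocked for now."""
        events = self.history[ip]
        events.append((now, severity))
        while events and now - events[0][0] > WINDOW_SECONDS:
            events.popleft()                # forget violations outside the window
        # Highest severity whose threshold the recent history meets wins; a
        # 'high' violation counts toward the 'medium' and 'low' tallies too.
        for level in ("high", "medium", "low"):
            count = sum(1 for _, s in events if RANK[s] >= RANK[level])
            if count >= THRESHOLDS[level]:
                expires_at = now + BLOCK_SECONDS[level]
                current = self.blocks.get(ip)
                if current is None or expires_at > current[0]:
                    self.blocks[ip] = (expires_at, level)   # never shorten an existing block
                return level
        return None

    def is_blocked(self, ip, now):
        entry = self.blocks.get(ip)
        if entry is not None and now < entry[0]:
            return True
        self.blocks.pop(ip, None)           # expired: forget it
        return False

    def action(self, ip, now):
        """What the proxy does with the next request from ip. InterDo simply
        drops the connection; the review suggests a configurable message for
        low-severity blocks, which is modelled here."""
        if not self.is_blocked(ip, now):
            return "forward"
        return "message" if self.blocks[ip][1] == "low" else "drop"


if __name__ == "__main__":
    tracker = ViolationTracker()
    for t in range(5):
        print("low violation at t=%d ->" % t, tracker.record("10.0.0.1", "low", t))
    print("10.0.0.1 at t=10:", tracker.action("10.0.0.1", 10))
    print("10.0.0.1 at t=70:", tracker.action("10.0.0.1", 70))
    print("high violation ->", tracker.record("10.0.0.2", "high", 0))
    print("10.0.0.2 at t=3599:", tracker.action("10.0.0.2", 3599))
```

The sliding window is what keeps a single stray false positive from accumulating into a block over a day; the "never shorten" rule keeps a later low-severity hit from cutting a high-severity block short.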
`
SecureIIS: URLScan on steroids

eEye Digital Security's SecureIIS has by far the best user interface of all the products tested. The program uses an interface similar to Microsoft Outlook's that makes configuring this negative-model application firewall trivial. Unfortunately, SecureIIS lacks the depth of many of the other products and appears to do little beyond what a capable administrator could do with Microsoft's free URLScan tool.

While SecureIIS could deal with malformed requests exceeding size limits and basic URL tampering, it couldn't detect and block any form tampering or careful SQL injection.

Furthermore, the product sent back the inappropriate 406 "Not Acceptable" HTTP response code on request rejection, rather than the 403 "Forbidden" or 404 "Not Found" message it probably should. This is the wrong response code, and it informs a potential intruder that SecureIIS is being used.

SecureIIS does have some nice features to ease deployment in a multiserver environment by letting policies easily be replicated to other systems. The product also has some basic file-integrity monitoring features that could be useful if an intruder penetrated a machine, but they seem out of place in an application firewall offering.

SecureIIS is targeted at users looking to have the support and ease of use missing from URLScan. Interestingly, eEye recently announced a free personal-use version of its software that makes this product an obvious replacement for URLScan and an obvious first step for those IIS administrators new to application firewalls.
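The 302-then-200 pattern described for AppShield, the 406 that SecureIIS returns on rejection, and the doubled headers and missing reason phrases reported for iSecureWeb later on the page are all visible on the wire, which is what makes them telltales. As an added example (not the review's own tooling and not based on captures from any product), the Python below checks a set of constructed probe/response exchanges, modelled on those behaviours, for exactly those inconsistencies; the status codes, header values and probe URLs are invented for the demonstration.

```python
from collections import Counter
from http import HTTPStatus

# Status codes an unprotected IIS or Apache server would plausibly return for a
# rejected or unknown request; anything else on an attack probe stands out.
PLAIN_REJECTIONS = {400, 403, 404, 414}


def standard_phrase(status):
    try:
        return HTTPStatus(status).phrase
    except ValueError:
        return None


def response_telltales(resp):
    """Inconsistencies visible in one response: a header sent twice, or a
    status line whose reason phrase is missing or nonstandard."""
    found = []
    counts = Counter(name.lower() for name, _ in resp["headers"])
    for name, n in sorted(counts.items()):
        if n > 1 and name != "set-cookie":        # Set-Cookie may legitimately repeat
            found.append("header %s repeated %d times" % (name, n))
    expected = standard_phrase(resp["status"])
    if resp["reason"] != expected:
        found.append("status %d carries reason %r but the standard phrase is %r"
                     % (resp["status"], resp["reason"], expected))
    return found


def exchange_telltales(probe, chain):
    """chain is every response the client saw for one request, in order; a
    redirect followed by the page it led to is two entries."""
    found = []
    for resp in chain:
        found.extend(response_telltales(resp))
    first = chain[0]
    if probe["kind"] == "attack":
        if 300 <= first["status"] < 400:
            location = dict(first["headers"]).get("Location", "?")
            found.append("attack answered with %d redirect to %s, then %d"
                         % (first["status"], location, chain[-1]["status"]))
        elif first["status"] not in PLAIN_REJECTIONS:
            found.append("attack answered with unusual %d %s" % (first["status"], first["reason"]))
    return found


def fingerprint_report(exchanges):
    """Map each probe request to the list of telltales it produced."""
    return {probe["request"]: exchange_telltales(probe, chain) for probe, chain in exchanges}


# Constructed exchanges modelled on behaviours the review reports; not captures
# from any product, and the Server header value is invented.
IIS = ("Server", "Microsoft-IIS/5.0")
SAMPLE_EXCHANGES = [
    ({"request": "GET /index.html", "kind": "benign"},
     [{"status": 200, "reason": "OK", "headers": [IIS, ("Content-Type", "text/html")]}]),
    # Error page fetched through a redirect: 302 then 200 instead of a 4xx.
    ({"request": "GET /../../winnt/system32/cmd.exe", "kind": "attack"},
     [{"status": 302, "reason": "Found", "headers": [IIS, ("Location", "/error.html")]},
      {"status": 200, "reason": "OK", "headers": [IIS, ("Content-Type", "text/html")]}]),
    # Rejection with 406 Not Acceptable rather than 403 or 404.
    ({"request": "GET /scripts/..%255c../winnt/system32/cmd.exe", "kind": "attack"},
     [{"status": 406, "reason": "Not Acceptable", "headers": [IIS, ("Content-Type", "text/html")]}]),
    # Proxy that duplicates headers and drops the reason phrase.
    ({"request": "GET /app.asp?id=5%20OR%201=1", "kind": "attack"},
     [{"status": 403, "reason": "",
       "headers": [IIS, ("Content-Type", "text/html"), ("Content-Type", "text/html")]}]),
]


if __name__ == "__main__":
    for request, findings in fingerprint_report(SAMPLE_EXCHANGES).items():
        print(request, "->", findings or "no telltales")
```

The benign request produces nothing, which is the baseline an intruder compares against; each of the three attack probes produces a finding that would be absent from an unprotected IIS host, and that is all a fingerprint needs.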
`
eServer Secure for the entry level

Turillion's eServer Secure is designed specifically for the IIS Web server environment. Based on Internet Server Application Program Interface (ISAPI) technology, eServer Secure combines a host-based architecture with the flexibility of a Web-based management interface.

This is a strictly negative-model firewall, with a respectable blacklist of attack signatures that are blocked by default (long URLs, disallowed methods and directory traversals, for example) and the ability to revise these policies for tighter security. These attacks were blocked as expected.

SQL injection can be combated, but this is addressed through keyword filtering, and you likely will want to strengthen the default policies to make them more robust. This product does not obviously address manipulation of form-field sizes. An update subscription service is offered to keep the attack signatures current. Error pages are fully configurable.

The HTTP management interface is a convenient way to handle remote administrative duties but is also a liability. Security for remote management is provided via basic IP filtering. This is a nice feature, but the wise user most likely will want to employ SSL as well to further secure communication with the firewall.

The Web interface suffers from the statelessness and latency one would expect from HTTP, and some quirks exist, probably a function of the tricky interprocess communication between the ISAPI extension that supports the user interface and the ISAPI filter that is responsible for actually carrying out the security policies. Changes to the administration interface do not always seem to take effect immediately or consistently, and some of the integrated reporting and statistical features display disconcerting inaccuracies. For example, a single request generated approximately 60 "requests processed," and a number of common attacks were miscategorized.

In general, eServer Secure struck us as a good example of an entry-level product. In that sense, its most direct competitors in this review are iSecureWeb and SecureIIS. Among those products, eServer Secure does not stand out for having any major flaws (apart from its user interface quirks), but neither does it distinguish itself as superior.

webApp.secure: Positive model on the cheap?

webScurity's webApp.secure attempts to bring the benefits of positive-model application firewalls within reach of smaller organizations. Like most positive-model firewalls, webApp.secure bases its security model on a whitelist of permitted requests, called Intended Use Guidelines. In webApp.secure's case, this is a list of legal URLs for the entire site, which is built through the use of what webScurity calls "entry points." Entry points let administrators adjust the relative "porousness" of a site or application by forcing users to come into it through certain pages but not others, and also control URL jumping within the site.

During configuration, entry points that the administrator has designated are treated as starting points for building the map of permitted URLs and navigational paths between them. Essentially, a trusted user (or script) must navigate from each designated entry point to all the pages that are to be treated as legally accessible from that entry point. From this configuration-time traversal, webApp.secure learns where traffic is allowed to enter the site and where it is allowed to go, establishing positive-model access control. In theory this should be quite useful in combating exploits that depend on URL jumping and other forceful browsing techniques. However, during testing it didn't always work correctly.

webApp.secure also shines in protecting against form-field manipulation and in blocking the usual run of common attack signatures. SQL injection and cross-site scripting are not well defended against by default, but lexical blocking is available by disallowing specific characters in form-field values, an example of where the positive-model implementation gives way to standard negative-model techniques, with a resulting extra burden on the administrator.

Implemented as a proxy that is controlled via an XML configuration file, webApp.secure also provides a native, but somewhat awkward, Windows GUI for administration. When inspecting the configuration or making changes, we often preferred to access the XML configuration file directly.

The product has a number of shortcomings that suggest a lack of overall polish. The error/block pages are hard-coded, making them impossible to edit. Without such modification, the software immediately tells the potential intruder what kind of countermeasure software is installed. However, Version 2.0 of webApp.secure was released after testing, and many of these issues might have been addressed.

MultiNet's iSecureWeb focuses on Microsoft's IIS

MultiNet's iSecureWeb also is built with ISAPI technology and intended for deployment on IIS hosts. A proxy site (the "Gateway") is set up to filter incoming requests headed to an origin site. Policy administration is done via a stand-alone interface (the "Studio") that can be installed on a separate box. Studio is a two-pane, native Windows affair. Getting used to navigating around its multi-tab, multi-level tree view control, and learning how to make sense of it all, takes a considerable investment of time and patience.

As for the security capabilities of the default rules, the default policies handle common buffer overflow, illicit character sequence and directory traversal attacks well. However, neither SQL injection nor form-field manipulations are dealt with adequately.

The predominant approach is clearly negative-model, which limits the reach of the default rule set and makes post-installation configuration a must for a secure setup. At that point, considerable power is available to the administrator, especially one willing to wade through the intricacies of the user interface and, in the case of certain rules, deal with the complexities of regular-expression syntax. There is probably no Web-based attack that one cannot stop with an iSecureWeb rule, if you've got the patience and knowledge to create and apply it properly.

Error pages are easily located and edited, a good anti-fingerprinting measure. However, it is all for naught, because our installation of iSecureWeb doubled the HTTP headers in every response, and certain HTTP response codes lacked the usual response message following the numeric code. Not only does such behavior make a host easy to fingerprint, it raises serious doubts about the soundness of MultiNet's proxy implementation in general. Before running iSecureWeb in a production environment, we would want more assurance that it can be set up in a way that makes it fully HTTP-compliant.

Conclusion

The products we tested fall into two distinct classes. The low-end products (SecureIIS, webApp.secure, iSecureWeb and eServer Secure) are useful but have configuration or occasional operational problems. SecureIIS, while potentially the least capable, is probably the best bet for someone looking for some simple protection from the most basic attacks. However, for those administrators who want to get serious about application-level protection, it is really only a choice between InterDo and AppShield, with AppShield having a slight advantage in our assessment. Both have significant learning curves, though, and might require consulting services for correct usage.

In the final analysis there is a lingering question of whether some of the "exploits" these products protect against shouldn't be dealt with during the Web application development process. Obviously, filtering out bad requests is a wise addition to a Web server, but shouldn't a Web application keep track of field sizes and allowed data directly? It would be less expensive and more effective to design security into a Web application in the first place. Given Sanctum's recently released developer-focused product AppScan DE, it would seem that even Web application firewall vendors understand the need to have security designed into the application from the start. However, the cost of reworking an existing Web application might be significant enough to make even expensive Web application firewalls cost-effective additions to the Web administrator's security arsenal.

Powell is the CEO of PINT, a Web development and consulting firm in San Diego. He is also the author of numerous Web development books. He can be reached at tpowell@pint.com.

Net Results

World Class award winner: Sanctum AppShield

Sanctum AppShield. Company: Sanctum, www.sanctuminc.com. Price: Starting at $15,000. Pros: Automatic rule generation, good flexibility. Con: Complexity.

KaVaDo InterDo. Company: KaVaDo. Price: Starting at $15,000. Pro: Incredible flexibility. Con: Complexity.

eEye SecureIIS. Company: eEye Digital Security, www.eeye.com. Price: Starting at $995; Windows only. Pro: Simple one-button security for basic attacks. Con: Incomplete coverage of possible Port 80 attacks.

Turillion eServer Secure. Company: Turillion Software, (210) 495-3228, www.turillion.com. Price: Starting at $995 per server. Pro: More coverage beyond basic attacks at an inexpensive price. Con: Default coverage of attacks incomplete.

webScurity webApp.secure. Company: webScurity, (763) 786-2009. Price: $10,000 per server; Windows, Linux or Solaris. Pro: Basic positive firewall with simple configuration. Con: Stability and installation issues, some false positives.

MultiNet iSecureWeb. Company: MultiNet, (866) 682-9286. Price: Starting at $2,000. Pro: Wealth of configuration options. Con: Ease-of-use and stability issues.

Products were scored on protection quality (weighted 50%), configuration, ease of use, installation and documentation. Scoring key: 5: Exceptional; 4: Very good; 3: Average; 2: Below average; 1: Consistently subpar.

How we did it

We used a pair of Dell PowerEdge 6000 servers running Windows 2000 and Microsoft Internet Information Server 5.0 as the testing platform. The test sites installed used ColdFusion and Active Server Pages for dynamic database access and did not have input sanitization built in. Testing covered exploits such as URL tampering, form-field manipulation, SQL injection and many known IIS server-specific exploits. Two other machines on a connected network, using automated security audit tools and manual attacks, performed the testing. A third machine was used as the administration console for altering configuration where possible. Server interaction was monitored not only at the browser level; the underlying HTTP discussion was monitored as well, to ensure standard interaction between systems.