10G special: Special effects company Industrial Light & Magic muscles up with 10G bandwidth. Get details in our exclusive 10G Ethernet editorial supplement. Coverage begins after page 26.

The leader in network knowledge ■ www.nwfusion.com

August 18, 2003 ■ Volume 20, Number 33

RBOCs & cable wage turf war

■ BY JIM DUFFY

Time was you would buy TV service from your cable company, telephone service from your phone company, and that was that.

But now cable companies are offering phone services at hard-to-pass-up prices, while phone companies are fighting back with plans for TV services delivered through brand-new agreements with leading satellite TV providers.

The heated competition between regional Bell operating companies and cable companies shows no signs of abating as the rivals invade each others' turf with "triple play" — voice, data and video — service bundles designed to attract new customers and retain old ones. Throw wireless services into the mix and the prospects for even fiercer battles — and even more aggressively priced service packages — loom.

"A driving factor in our success continues to be our bundling strategy," said Cox Communications President and CEO Jim Robbins during the company's earnings announcement last month. "Today nearly one-third of our customers buy multiple services."

The chief business beneficiaries of this budding competition are home office workers and very small companies, customers the RBOCs covet as much as the millions of residential users.

"We take [cable competitors] very seriously," says Mark Pitchford, senior vice president of consumer marketing at Qwest. The carrier does not divulge numbers, but has seen line loss to cable operators in some of its larger metropolitan markets.

Such encroachment by cable operators in RBOC territory is just beginning and is likely to last a long time, analysts say.

"Cable competition is the greatest threat to Bell franchises," says John Hodulik, an analyst at UBS Warburg, who says he believes

See RBOCs, page 10

HP prepping all-in-one server mgmt. software

■ BY JENNIFER MEARS AND DENI CONNOR

HP is readying server management software that should give users control of Unix, Linux and Windows machines from a single console, a capability analysts say will be particularly important as businesses consolidate workloads to boost efficiencies in their data centers.

The software, code-named Nimbus, will be the first integrated tool from a systems vendor that handles the nitty-gritty of server management regardless of platform, from updating server BIOS and driver agents to

See Nimbus, page 12

Lessons from leading users: North Bronx Healthcare Network

Bronx hospital leaps to 10G

■ BY PHIL HOCHMUTH

The good news was that the LAN at the North Bronx Healthcare Network was predictable; unfortunately that was the bad news, too.

With zero network downtime in five years, the Cisco-based LAN was "a phenomenally stable environment," says Dan Morreale, CIO at NBHN. But doctors and nurses using the system also could count on phenomenal delays when using applications over the healthcare provider's 10M bit/sec hubs and Fast Ethernet backbone. In fact, when running network applications, some NBHN staff members were known for giving computer screens that old familiar cheer for which this New York borough is famous.

"Clinicians were waiting 4 or 5 seconds or more for a response from the network" when using certain applications, Morreale says. "That wasn't going to fly."

A standard prescription for such a network problem might call for a Gigabit Ethernet upgrade. Instead, NBHN is skipping a step in the traditional migration

See Bronx, page 11

"Clinicians were waiting 4 or 5 seconds or more for a response from the network. That wasn't going to fly."
Dan Morreale, CIO, North Bronx Healthcare Network

Radware Exhibit 1015

SOFTWARE-BASED WEB APPLICATION FIREWALLS: AppShield edges InterDo in battle of software that filters Port 80 traffic. Page 48.

Latest worm puts focus on patch woes

■ BY ELLEN MESSMER AND JOHN FONTANA

The Blaster worm that last week infiltrated hundreds of thousands, if not millions, of Windows-based computers once again highlighted the IT community's inability to plug software holes even when they have been detected and patches have been issued.

As Network World went to press late Friday, Microsoft was preparing for what was supposed to be a denial-of-service

See Blaster, page 13

NetworkWorld

SOFTWARE-BASED WEB APPLICATION FIREWALLS

AppShield edges InterDo in battle of Port 80 filters

■ BY THOMAS POWELL, NETWORK WORLD GLOBAL TEST ALLIANCE

Traditional firewalls — when properly configured and managed — do a good job of thwarting many network-level attacks, but do little to address gaping holes in Web applications where intruders commonly attack Web sites directly through form submissions or URL manipulations.

A new class of products — often dubbed Web application firewalls — attempts to thwart Port 80-focused attacks by using blacklist- and whitelist-style input filtering. We examined six software-based offerings: eEye Digital Security's SecureIIS, KaVaDo's InterDo, MultiNet's iSecureWeb, Sanctum's AppShield, Turillion Software's eServer Secure and webScurity's webApp.secure. We tested all the products on Microsoft's Internet Information Services (IIS) but most also work with Linux and Apache. A future review will cover hardware-based products.

InterDo and AppShield stood above the rest in terms of ability to defend against attacks and suitability for large-scale Web site deployments. While extreme flexibility is the key to InterDo, the dynamic policy generation and strong default configuration of AppShield gave it a slight edge in our evaluation and earned it our World Class award.

Common attack methods come into play

To understand Web application firewalls you have to understand what they attempt to defend against. The most basic application attacks modify an HTTP request to cause a problem on the server or force it to divulge useful information. Generic attacks might use long URLs to trigger buffer overruns, attempt to traverse the site's root directory to run trusted commands, or exploit extended HTTP features that support online collaboration using WebDAV. WebDAV (Web-based Distributed Authoring and Versioning) is an extension of HTTP that lets users collaborate via the Internet.

More sophisticated attacks rely on knowledge of how the Web application works. In database-driven sites using dirty URLs like http://www.sitename.com/app.asp?id=5, SQL commands might be appended to the URL in an attempt to dump useful data or gain write access to the back-end database. Forms also might be open to SQL injection, tampering with hidden data fields and manipulation of maximum data size limitations, which can lead to buffer overrun problems. Given the multitude of possible attack methods, any data from the user — be it a simple HTTP request, URL or form submission — should not be trusted implicitly.

Divergent defensive strategies

To combat potential exploits, a Web application firewall will take one of two approaches. A negative-model or blacklist product looks for common attack signatures and warns the administrator or blocks the user when it encounters one. A positive-model or whitelist firewall determines all the allowable requests and inputs and disallows everything else. Some products try to blend the two approaches, but, essentially, all the products tested emphasize either a positive or negative model.
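The two models, and the attack classes listed in the previous section, put into code. This is an added illustration written for this edit, not code from any of the reviewed products: the signature list, the per-page policy for /app.asp and /login.asp, the URL length limit and the sample requests are all constructed here. The same requests go through a blacklist and a whitelist so the difference the review draws is visible: the blacklist catches only what matches a signature, while the whitelist rejects anything the page did not declare, including a tautology written without the quote character the signature keys on.

```python
"""Negative-model (blacklist) vs. positive-model (whitelist) request screening.
Added example; the signatures, policy and sample requests are constructed here
and are not taken from any of the reviewed products."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# --- Negative model: look for known-bad patterns anywhere in the request -----
MAX_URL_LEN = 1024                      # constructed limit for "long URL" checks
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
SIGNATURES = {
    # parent-directory escapes, raw or percent-encoded
    "traversal": re.compile(r"\.\.[/\\]|%2e%2e", re.I),
    # a quote, comment marker or statement separator followed by an SQL keyword
    "sql": re.compile(r"(?:'|--|;)\s*(?:or|and|union|select|drop|insert)\b", re.I),
}


def blacklist_check(method, url, form):
    """Return the names of the signatures that fire; [] means 'looks clean'."""
    hits = []
    if len(url) > MAX_URL_LEN:
        hits.append("long-url")
    if method.upper() in WEBDAV_METHODS:
        hits.append("webdav-method")
    query = urlsplit(url).query
    # parse_qsl already percent-decodes the values; the raw URL is decoded once
    values = [unquote(url)] + [v for _, v in parse_qsl(query)] + list(form.values())
    for name, pattern in SIGNATURES.items():
        if any(pattern.search(v) for v in values):
            hits.append(name)
    return hits


# --- Positive model: describe what each page legitimately accepts -----------
# path -> allowed methods and, per parameter, (regex it must match, max length)
POLICY = {
    "/app.asp": {"methods": {"GET"}, "params": {"id": (r"\d{1,9}", 9)}},
    "/login.asp": {"methods": {"POST"},
                   "params": {"user": (r"[A-Za-z0-9_.@-]+", 64), "pass": (r".+", 64)}},
}


def whitelist_check(method, url, form):
    """Return the policy violations for a request; [] means 'allowed'."""
    parts = urlsplit(url)
    rule = POLICY.get(parts.path)
    if rule is None:
        return ["unknown-path"]
    problems = []
    if method.upper() not in rule["methods"]:
        problems.append("method")
    supplied = dict(parse_qsl(parts.query, keep_blank_values=True))
    supplied.update(form)
    for name, value in supplied.items():
        spec = rule["params"].get(name)
        if spec is None:
            problems.append("unexpected-param:" + name)
            continue
        pattern, max_len = spec
        if len(value) > max_len or not re.fullmatch(pattern, value, re.S):
            problems.append("bad-value:" + name)
    return problems


# Constructed sample requests: (label, method, url, form body)
SAMPLES = [
    ("clean", "GET", "/app.asp?id=5", {}),
    ("quoted-sql", "GET", "/app.asp?id=5'%20OR%20'1'='1", {}),
    ("tautology-no-quotes", "GET", "/app.asp?id=5%20or%201%3D1", {}),
    ("traversal", "GET", "/images/..%2F..%2Fboot.ini", {}),
    ("long-url", "GET", "/app.asp?id=" + "1" * 1100, {}),
    ("webdav", "PROPFIND", "/", {}),
    ("extra-form-field", "POST", "/login.asp", {"user": "bob", "pass": "secret", "debug": "1"}),
]


def screen_samples():
    """Run both models over the samples; returns label -> (blacklist, whitelist)."""
    return {label: (blacklist_check(m, u, f), whitelist_check(m, u, f))
            for label, m, u, f in SAMPLES}


if __name__ == "__main__":
    for label, (neg, pos) in screen_samples().items():
        print(f"{label:22s} blacklist={neg or 'pass'}  whitelist={pos or 'pass'}")
```

The blacklist passes both the unquoted tautology and the extra form field because neither resembles a signature; the whitelist rejects them because the page never declared them, which is the extra maintenance cost of the positive model: the policy has to be written and kept current for every page.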
A few of the products also addressed common Web server information leakage issues such as masking server headers or sending back generic or configurable error pages. It was disconcerting, however, to see how easy it was to identify some of the application firewall products via hard-coded error pages or telltales (some signature response that is different enough for the intruder to know what kind of tool is in play) in response headers. Trying to improve security simply by obscuring potentially dangerous information is not true security, but such blatant information leakage seems foolish in a security product and fails to address the well-known fact that reconnaissance is a key part of successful intrusion strategies.

These tested products spread an obvious spectrum of cost vs. functionality. Those employing the positive model generally are more expensive and sophisticated than the products that use the negative-model approach (see pricing in NetResults box, page 49). Another key cost factor is the underlying architecture. EServer Secure appears intended for single-server implementations, while AppShield, InterDo and webApp.secure serve more as proxies, capable of protecting multiple servers. Higher-end products AppShield and InterDo also possess remote-management capabilities and distributed architectures, features designed with server farm deployments in mind.

Sanctum's AppShield edged out the competition as our World Class award winner because of its dynamic policy generation and strong default configuration.

Raise your AppShield

Sanctum's AppShield boasts a fully distributed architecture designed for server farm deployments. Components include a crisp Java-based management console, a configuration server (MySQL is used for database support) and one or more firewall nodes.

AppShield uses a positive model built around what Sanctum calls its Dynamic Policy Recognition Engine. Outgoing pages are scanned and the appropriate whitelist of allowable inputs is constructed accordingly. Such dynamic policy generation is a considerable help in getting the product up and running quickly and maintaining security policies as the site/application changes. The general policy defaults put in place when one chooses the desired security level are easily loosened by browsing or crawling the site using a trusted IP address, if you find that the default level is too strict for a site or application.

AppShield has a "passive mode" that logs but does not block requests that would violate policy. This mode lets policies be tested, which the administrator can modify selectively in real time by right-clicking the request that is in violation. If there are multiple AppShield nodes deployed in a server farm, the passive mode role could be permanently given to a single node. That node could then serve as a monitor or honeypot for the entire farm. In general, AppShield gets high marks for ease of configurability.

AppShield's dynamic policy generation worked well to prevent forceful browsing by automatically restricting traffic patterns to legitimate navigation paths and limiting form-field tampering. AppShield's default policies, however, were more restrictive than other products tested when it came to preventing simple SQL injection. The default policies also block standard attacks such as buffer overruns, directory traversals and suspicious URLs. For preventing repeated attacks that violate security policies, AppShield can notify a Check Point firewall using the Open Platform for Security (OPSEC) standard that a particular IP should be blocked at the network level.

Customizable error pages are provided, but there are some shortcomings. Although the error page is passed with an HTTP reason code to display, the page itself is retrieved using a redirect, meaning that the underlying HTTP response code is always a 302 (a redirect) followed by a 200 (OK) — not the code that reflects the actual state of the response. Like many of the firewalls, AppShield runs fast and loose with HTTP response codes, which is troubling from a standards-compliance standpoint and raises the possibility that potential hackers might fingerprint the security software in place from non-standard responses.

On a side note, AppShield takes advantage of being a proxy to provide some interesting security-oriented features that go beyond the usual menu of application firewall options: URL mapping (including regular expression matching) and the ability to globally prohibit direct downloading of image and multimedia files, often dubbed "leeching." This interesting feature suggests the possibility of application firewalls eventually merging with authorization and access-control functionality to provide a complete application security framework.

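What dynamic policy generation amounts to in practice, as an added example: this is not Sanctum's code, and the checkout page, its field names and the validation rules are constructed for this illustration. The outgoing HTML is parsed to learn which fields each form offers, which hidden values the server set, and which lengths and options it allows; a later submission is then held to that learned policy, which is how hidden-field tampering and oversized fields get caught without a hand-written rule per form.

```python
"""Dynamic policy generation in the AppShield style: derive the allowed inputs
of a form from the HTML the server actually sent, then hold the next submission
to it.  Added example with a constructed page; not Sanctum's code."""
from html.parser import HTMLParser


class FormPolicyBuilder(HTMLParser):
    """Record, per form action, the fields the outgoing page offers and what
    values they may carry: hidden values are fixed, maxlength bounds text
    fields, and select fields are limited to their option values."""

    def __init__(self):
        super().__init__()
        self.policies = {}    # action -> {"method": str, "fields": {name: spec}}
        self._form = None
        self._select = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"method": (a.get("method") or "get").upper(), "fields": {}}
            self.policies[a.get("action", "")] = self._form
        elif self._form is None:
            return                                 # ignore markup outside forms
        elif tag == "input" and a.get("name"):
            spec = {"type": (a.get("type") or "text").lower()}
            if spec["type"] == "hidden":
                spec["fixed"] = a.get("value", "")
            if a.get("maxlength"):
                spec["maxlength"] = int(a["maxlength"])
            self._form["fields"][a["name"]] = spec
        elif tag == "select" and a.get("name"):
            self._select = {"type": "select", "options": set()}
            self._form["fields"][a["name"]] = self._select
        elif tag == "option" and self._select is not None:
            # assumption: every option carries an explicit value attribute
            self._select["options"].add(a.get("value", ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None
        elif tag == "select":
            self._select = None


def learn_policy(html):
    builder = FormPolicyBuilder()
    builder.feed(html)
    return builder.policies


def validate_submission(policies, action, method, submitted):
    """Compare an incoming submission with what the page offered.
    Returns a list of violations; [] means the submission is consistent."""
    rule = policies.get(action)
    if rule is None:
        return ["unknown-form"]
    problems = []
    if method.upper() != rule["method"]:
        problems.append("method")
    for name, value in submitted.items():
        spec = rule["fields"].get(name)
        if spec is None:
            problems.append("unexpected-field:" + name)
        elif spec["type"] == "hidden" and value != spec["fixed"]:
            problems.append("tampered-hidden:" + name)
        elif spec["type"] == "select" and value not in spec["options"]:
            problems.append("bad-option:" + name)
        elif "maxlength" in spec and len(value) > spec["maxlength"]:
            problems.append("too-long:" + name)
    return problems


# Constructed checkout page, as the server would send it to the browser.
OUTGOING_PAGE = """<html><body>
<form action="/checkout.asp" method="post">
  <input type="hidden" name="item" value="sku-1042">
  <input type="hidden" name="price" value="49.95">
  <input type="text" name="qty" maxlength="2">
  <select name="ship"><option value="ground">Ground</option><option value="air">Air</option></select>
  <input type="submit" name="go" value="Buy">
</form>
</body></html>"""

CHECKOUT_POLICY = learn_policy(OUTGOING_PAGE)


def check(method, submitted, action="/checkout.asp"):
    """Validate one submission against the policy learned from OUTGOING_PAGE."""
    return validate_submission(CHECKOUT_POLICY, action, method, submitted)


if __name__ == "__main__":
    good = {"item": "sku-1042", "price": "49.95", "qty": "2", "ship": "ground", "go": "Buy"}
    print(check("POST", good))                      # []
    print(check("POST", dict(good, price="0.01")))   # ['tampered-hidden:price']
```

The policy here is keyed only by form action; a production engine keys it to the session that received the page, since hidden values such as a price or an order number legitimately differ from one user's page to the next, and that per-session binding is what makes the "outgoing page defines the allowed input" idea hold up.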
InterDo can do

KaVaDo's InterDo was designed with a large distributed deployment in mind. One or more server nodes communicate with the Java-based management console via built-in Secure Sockets Layer (SSL) encryption — a feature none of the competing products equal. The application server nodes run as a set of services (in the Windows environment). Although there is no central configuration server, administration of all nodes can be done from a single console. Strict password requirements and the ability to set up multiple users with different administrative privileges show that InterDo is serious about keeping its house in order, while supplying security for the Web application.

InterDo uses a positive-model approach with some novel architectural concepts. Trusted and untrusted zones are joined by what KaVaDo calls "tunnels," an abstraction describing a connection between trusted and untrusted IP address and port combinations. Within the metaphor of a tunnel, security policies are segregated into functional areas called "pipes," several of which can be combined within a single tunnel and selectively applied to one or more applications in a configurable order of precedence. Examples of pipes include general vulnerabilities (URL, header and entity pattern matches), database issues (parameter screening), cookies and HTTP methods. Default pipes do a good job with common buffer overruns, directory traversals and SQL injection. The default settings did not stop form manipulations by default, but it is possible to set up custom tunnels and rules.

InterDo gives administrators a great deal of flexibility in configuring security policies — more so than any other product we tested. On the downside, initial configuration is nowhere near as easy as AppShield's and is probably best undertaken only after reading the manual very carefully. There is a "lean mode" that lets administrators monitor and selectively modify certain pipes in real time, and requests that run afoul of the security policies are blocked while these refinements are made. This is a safe and helpful way to manage the complexity of configuring multiple pipes.

Another helpful management feature is the update service that can securely update pipes in real time using SSL and digital signatures.

InterDo has an IP-blocking feature that temporarily prevents continued access from visitor IP addresses that have generated enough security policy violations to constitute a suspect pattern of malicious behavior. Suspect attackers are given a security score (high, medium or low) and blocked for varying durations. The response to further requests from a blocked IP is simply a dropped connection, but it might be better — especially for Level 1 attacks — to have the option to show the possibly malicious user a configurable message. For those with a Check Point firewall, InterDo is also OPSEC-compatible for firewall-based network blocking.

"Strict password requirements and multi-level administrative rights show InterDo is serious about keeping its house in order."

SecureIIS: URLScan on steroids

eEye Digital Security's SecureIIS has by far the best user interface of all the products tested. The program uses an interface similar to Microsoft Outlook's that makes configuring this negative-model firewall trivial. Unfortunately, SecureIIS lacks the depth of many of the other products and appears to do little beyond what a capable administrator could do with Microsoft's free URLScan tool.

While SecureIIS could deal with malformed requests exceeding size limits and basic URL tampering, it couldn't detect and block any form tampering or careful SQL injection. Furthermore, the product sent back the inappropriate 406 "Not Acceptable" HTTP response code on request rejection, rather than a 403 "Forbidden" or 404 "Not Found" message, as it probably should. This is the wrong response code and informs a potential intruder that SecureIIS is being used.

SecureIIS does have some nice features to ease deployment in a multi-server environment by letting policies easily be replicated to other systems. The product also has some basic file-integrity monitoring features that could be useful if an intruder penetrated a machine, but they seem out of place in an application firewall offering.

SecureIIS is targeted at users looking to have the support and ease of use missing from URLScan. Interestingly, eEye recently announced a free personal-use version of its software that makes this product an obvious replacement for URLScan and an obvious first step for those IIS administrators new to application firewalls.

EServer Secure for the entry level

Turillion's eServer Secure is designed specifically for the IIS Web server environment. Based on Internet Server Application Program Interface (ISAPI) technology, eServer Secure combines a host-based architecture with the flexibility of a Web-based management interface.

NetResults

                         AppShield  InterDo  SecureIIS  webApp.secure  eServer Secure  iSecureWeb
Protection quality 30%   5          5        2.5        3.5            3               3
Configuration 30%        4.5        5        3          3.5            3.5             4
Ease of use 20%          4.5        3.5      5          4.5            3.5             2.5
Installation 10%         4          4        5          2              5               3
Documentation 10%        4.5        4        4          2              2               2
TOTAL SCORE              4.6        4.5      3.55       3.4            3.35            3

Winner: AppShield

■ Scoring Key: 5: Exceptional; 4: Very good; 3: Average; 2: Below average; 1: Consistently subpar

Versions tested: AppShield 4.0, InterDo 3.0, SecureIIS 2.0, eServer Secure 3.0, webApp.secure, iSecureWeb.

AppShield: Company: Sanctum, (408) 855-9500, www.sanctuminc.com. Price: Starting at $15,000. Pros: Automatic rule generation, good flexibility. Con: Complexity.
InterDo: Company: KaVaDo, (212) 302-2400. Price: Starting at $15,000. Pro: Incredible flexibility. Con: Complexity.
SecureIIS: Company: eEye Digital Security, (949) 349-9062, www.eeye.com. Pro: Simple one-button security for basic attacks. Con: Incomplete coverage of possible Port 80 attacks.
webApp.secure: Company: webScurity, (763) 786-2009. Pro: Basic positive firewall with simple configuration. Con: Stability and installation issues, some false positives.
eServer Secure: Company: Turillion Software, (210) 495-3228, www.turillion.com. Pro: More coverage beyond basic attacks at inexpensive price. Con: Default coverage of attacks incomplete.
iSecureWeb: Company: MultiNet, (866) 682-9286, www.elitesecureweb.com. Pro: Wealth of configuration options. Con: Ease-of-use and stability issues.

How we did it

We used a pair of Dell PowerEdge 6000 servers running Windows 2000 and Microsoft Internet Information Server 5.0 as the testing platform. The test sites installed used ColdFusion and Active Server Pages for dynamic database access and did not have input sanitization built in. Testing covered exploits such as URL tampering, form-field manipulation, SQL injection and many known IIS server-specific exploits. Two other machines on a connected network using automated security audit tools and manual attacks performed testing. A third machine was used as the administration console for altering configuration where possible. Server interaction was monitored not only at the browser level but the underlying HTTP discussion was monitored to ensure standard interaction between systems.

This is a strictly negative-model firewall, with a respectable blacklist of attack signatures that are blocked by default — long URLs, disallowed methods and directory traversals, for example — and the ability to revise these policies for tighter security. These attacks were blocked as expected.

SQL injection can be combated, but this is addressed through keyword filtering, and you likely will want to strengthen the default policies to make them more robust. This product does not obviously address manipulation of form-field sizes. An update subscription service is offered to keep the attack signatures current. Error pages are fully configurable.

The HTTP management interface is a convenient way to handle remote administrative duties but is also a liability. Security for remote management is provided via basic IP filtering. This is a nice feature, but the wise user most likely will want to employ SSL as well to further secure communication with the firewall.

The Web interface suffers from the statelessness and latency one would expect from HTTP, and some quirks exist — probably a function of the tricky interprocess communication between the ISAPI extension that supports the user interface and the ISAPI filter that is responsible for actually carrying out the security policies. Changes to the administration interface do not always seem to take effect immediately or consistently, and some of the integrated reporting and statistical features display disconcerting inaccuracies. For example, a single request generated approximately 60 "requests processed," and a number of common attacks were miscategorized.

In general, eServer Secure struck us as a good example of an entry-level product. In that sense, its most direct competitors in this review are iSecureWeb and SecureIIS. Among those products, eServer Secure does not stand out for having any major flaws (apart from its user interface quirks) but neither does it distinguish itself as superior.

WebApp.secure: Positive model on the cheap?

WebScurity's webApp.secure attempts to bring the benefits of positive-model application firewalls within reach of smaller organizations. Like most positive-model firewalls, webApp.secure bases its security model on a whitelist of permitted requests called Intended Use Guidelines. In webApp.secure's case, this is a list of legal URLs for the entire site, which is built through the use of what webScurity calls "entry points." Entry points let administrators adjust the relative "porousness" of a site/application, by forcing users to come into it through certain pages but not others and also to control URL jumping within the site.

During configuration, entry points that the administrator has designated are treated as starting points for building the map of permitted URLs and navigational paths between them. Essentially, a trusted user (or script) must navigate from each designated entry point to all the pages that are to be treated as legally accessible from that entry point. From this configuration-time traversal, webApp.secure learns where traffic is allowed to enter the site, and where it is allowed to go, establishing positive-model access control. In theory this should be quite useful in combating exploits that depend on URL jumping and other forceful browsing techniques. However, during testing it didn't always work correctly.

WebApp.secure also shines in protecting against form-field manipulation and in blocking the usual run of common attack signatures. SQL injection and cross-site scripting are not well defended against by default, but lexical blocking is available by disallowing specific characters in form field values — an example of where the positive-model implementation gives way to standard negative-model techniques, with a resulting extra burden on the administrator.

Implemented as a proxy that is controlled via an XML configuration file, webApp.secure also provides a native — but somewhat awkward — Windows GUI for administration. When inspecting the configuration or making changes, we often preferred to access the XML configuration file directly.

The product has a number of shortcomings that suggest a lack of overall polish. The error/block pages are hard-coded, making them impossible to edit. Without such modification, the software immediately tells the potential intruder what kind of countermeasure software is installed. However, Version 2.0 of webApp.secure was released after testing and many of these issues might have been addressed.

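The entry-point model described above, as an added example that is not webScurity's code. The site map, the entry points and the URLs are all constructed: a breadth-first walk from each entry point records which pages are reachable and along which links, and a request is then allowed only if it targets an entry point or follows a recorded link from the page the session was last served. Pages nothing links to, such as the constructed /admin here, never enter the map, which is what defeats guessed URLs and URL jumping.

```python
"""Entry-point navigation policy in the webApp.secure style: a trusted walk
from each designated entry point records which URLs may be reached and from
where; afterwards a request is allowed only if it arrives at an entry point or
follows a recorded link.  Added example over a constructed site map; not
webScurity's code."""
from collections import deque

# Constructed crawl: each page and the links a trusted user found on it.
SITE_LINKS = {
    "/": ["/catalog", "/login"],
    "/catalog": ["/item?id=1", "/item?id=2", "/"],
    "/item?id=1": ["/cart", "/catalog"],
    "/item?id=2": ["/cart", "/catalog"],
    "/login": ["/account"],
    "/account": ["/account/settings", "/"],
    "/account/settings": ["/account"],
    "/cart": ["/checkout", "/catalog"],
    "/checkout": ["/"],
    "/admin": ["/admin/users"],        # exists on the server, but no page links to it
    "/admin/users": [],
}


class NavigationPolicy:
    def __init__(self, links, entry_points):
        self.entry_points = set(entry_points)
        self.edges = set()          # (from_url, to_url) pairs seen during the walk
        self.reachable = set()      # every URL a trusted walk arrived at
        for start in entry_points:
            self._walk(links, start)

    def _walk(self, links, start):
        """Breadth-first traversal from one entry point, recording every link."""
        queue = deque([start])
        self.reachable.add(start)
        while queue:
            page = queue.popleft()
            for target in links.get(page, []):
                self.edges.add((page, target))
                if target not in self.reachable:
                    self.reachable.add(target)
                    queue.append(target)

    def allows(self, url, came_from=None):
        """came_from is the page the session was last served; a real proxy
        takes it from its own session state, not from the client-controlled
        Referer header."""
        if url in self.entry_points:
            return True
        if url not in self.reachable or came_from is None:
            return False
        return (came_from, url) in self.edges


POLICY = NavigationPolicy(SITE_LINKS, entry_points=["/", "/login"])

if __name__ == "__main__":
    for url, prev in [("/", None), ("/account/settings", "/account"),
                      ("/account/settings", None), ("/admin", "/"),
                      ("/checkout", "/catalog")]:
        verdict = "allow" if POLICY.allows(url, prev) else "block"
        print(f"{url:20s} from {prev!s:10s} -> {verdict}")
```

The map only covers URLs the trusted walk actually visited, so any page added to the site after configuration is blocked until the walk is repeated; that is the operational cost behind the review's remark about maintaining policies as the site changes.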
MultiNet iSecureWeb focuses on Microsoft's IIS

MultiNet's iSecureWeb also is built with ISAPI technology and intended for deployment on IIS hosts. A proxy site (the "Gateway") is set up to filter incoming requests headed to an origin site. Policy administration is done via a stand-alone interface (the "Studio") that can be installed on a separate box. Studio is a two-pane, native Windows affair. Getting used to navigating around its multi-tab, multi-level tree view control — and learning how to make sense of it all — takes a considerable investment of time and patience.

As for the security capabilities of the default rules, the default policies handle the common buffer overflow, illicit character sequence and directory traversal attacks well. However, neither SQL injection nor form-field manipulations are dealt with adequately.

The predominant approach is clearly negative-model, which limits the reach of the default rule set and makes post-installation configuration a must for a secure setup. At that point, considerable power is available to the administrator — especially one willing to wade through the intricacies of the user interface and, in the case of certain rules, deal with the complexities of regular expression syntax. There is probably no Web-based attack that one cannot stop with an iSecureWeb rule, if you've got the patience and knowledge to create and apply it properly.

Error pages are easily located and edited, a good anti-fingerprinting measure. However, it is all for naught because our installation of iSecureWeb doubled the HTTP headers in every response and certain HTTP response codes lacked the usual response message following the numeric code. Not only does such behavior make a host easy to fingerprint, it raises serious doubts about the soundness of MultiNet's proxy implementation in general. Before running iSecureWeb in a production environment, we would want more assurance that it can be set up in a way that makes it fully HTTP-compliant.

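A small audit of the response telltales this review calls out across several products: the 406 SecureIIS sent on rejection, AppShield's 302-then-200 detour to its error page, iSecureWeb's doubled headers and reason-less status lines, and an unmasked Server header. This is an added example over constructed responses; none of it is taken from the products themselves, and the set of codes treated as acceptable for a blocked request and the list of headers allowed to repeat are assumptions made for this illustration.

```python
"""Audit of the HTTP responses a filter sends back for a rejected request,
looking for the telltales the review calls out: a 406 where 403/404 belongs,
a 302-then-200 detour to an error page, a status line with no reason phrase,
duplicated headers and an unmasked Server header.  Added example over
constructed responses; not taken from any of the reviewed products."""
from collections import Counter
from http import HTTPStatus

EXPECTED_REJECTION = {400, 403, 404}            # assumed: what a blocked request should get
LEGIT_REPEATS = {"set-cookie", "via", "warning", "cache-control", "vary", "link"}


def parse_response(raw):
    """Split a raw response into (status code, reason phrase, [(name, value)])."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    code = int(parts[1])
    reason = parts[2].strip() if len(parts) > 2 else ""
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return code, reason, headers


def audit_rejection(chain):
    """`chain` is the sequence of raw responses one rejected request produced
    (more than one when the first is a redirect).  Returns a list of findings."""
    findings = []
    responses = [parse_response(r) for r in chain]
    first_code = responses[0][0]
    final_code = responses[-1][0]
    if 300 <= first_code < 400 and len(responses) > 1 and final_code == 200:
        findings.append("redirect-to-error-page:%d->200" % first_code)
    elif final_code not in EXPECTED_REJECTION:
        findings.append("unexpected-rejection-code:%d" % final_code)
    for code, reason, headers in responses:
        if not reason:
            findings.append("missing-reason-phrase:%d" % code)
        else:
            try:
                canonical = HTTPStatus(code).phrase
            except ValueError:
                canonical = None
            if canonical and reason.lower() != canonical.lower():
                findings.append("nonstandard-reason-phrase:%d:%s" % (code, reason))
        for name, count in Counter(n for n, _ in headers).items():
            if count > 1 and name not in LEGIT_REPEATS:
                findings.append("duplicate-header:" + name)
        for name, value in headers:
            if name == "server":
                findings.append("server-header-exposed:" + value)
    return findings


# Constructed response chains, one per behaviour described in the review.
SAMPLE_CHAINS = {
    "406-on-reject": [
        "HTTP/1.1 406 Not Acceptable\r\nServer: Microsoft-IIS/5.0\r\n"
        "Content-Type: text/html\r\nContent-Length: 0\r\n\r\n"],
    "302-then-200": [
        "HTTP/1.1 302 Found\r\nLocation: /error.html\r\nContent-Length: 0\r\n\r\n",
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 22\r\n\r\n"
        "<h1>Access denied</h1>"],
    "doubled-headers": [
        "HTTP/1.1 403\r\nContent-Type: text/html\r\nContent-Type: text/html\r\n"
        "Content-Length: 0\r\n\r\n"],
    "clean-403": [
        "HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\nContent-Length: 0\r\n\r\n"],
}


def audit_samples():
    """Run the audit over every constructed chain; returns label -> findings."""
    return {label: audit_rejection(chain) for label, chain in SAMPLE_CHAINS.items()}


if __name__ == "__main__":
    for label, findings in audit_samples().items():
        print(f"{label:16s} {findings or 'no telltales'}")
```

Run against a real deployment, the same checks would be fed with the responses captured on the wire for a deliberately rejected test request, which is also the quickest way to confirm that an error page the administrator customized is being served with the status code the administrator expects rather than through a redirect.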
Conclusion

The products we tested fall into two distinct classes. The low-end products — SecureIIS, webApp.secure, iSecureWeb and eServer Secure — are useful but have configuration or occasional operational problems. SecureIIS — while potentially the least capable — is probably the best bet for someone looking for some simple protection for the most basic attacks. However, for those administrators who want to get serious about application-level protection, it is really only a choice between InterDo and AppShield, with AppShield having a slight advantage in our assessment. However, both have significant learning curves and might require consulting services for correct usage.

In the final analysis there is a lingering question of whether some of the "exploits" these products protect against shouldn't be dealt with during the Web application development process. Obviously filtering out bad requests is a wise addition to a Web server, but shouldn't a Web application keep track of field sizes and allowed data directly? It would be less expensive and more effective to design security into a Web application in the first place. Given Sanctum's recently released developer-focused product AppScan DE, it would seem that even Web application firewall vendors understand the need to have security designed into the application from the start. However, the cost of reworking an existing Web application might be significant enough to make even expensive Web application firewalls cost-effective additions to the Web administrator's security arsenal.

Powell is the CEO of PINT, a Web development and consulting firm in San Diego. He is also the author of numerous Web development books. He can be reached at powell@pint.com.
