VAR Business: Protecting your Web applications (c2003)

(Note: this article was published in 2003, and is included here for historical reasons)

These days, the biggest security problem for enterprise networks relates to the Web server: most firewalls are set to allow Web traffic to pass freely in and out of their domains, and few Web servers are operating perfectly, leaving them open to various exploits both inside and outside of the corporate perimeter. Port 80, the communications port used by almost all Web servers, has become the great applications dumping ground and a backdoor into many corporate networks.

This is no exaggeration: the newspapers are filled with stories of hackers and crackers who have obtained data easily from unprotected Web servers. One man, Adrian Lamo, actually makes a living penetrating proxy servers and showing companies how to tighten them up. The Web sites of the New York Times, the U.S. Congress, and various banks have all been penetrated over the past few years.

Where there is smoke, there is opportunity, especially for the savvy VAR who can deploy analysis and protective tools to close down some of these Web-related loopholes. Let’s look at two promising technologies from startup vendors SPI Dynamics and Stratum8 Networks.

SPI Dynamics Inc. sells a Windows-based software analysis tool called Web Inspect that will examine your Web server and look for hundreds of different exploits and potential weaknesses. I installed it on a Windows XP workstation (earlier versions of Windows may need Java and Microsoft’s MDAC modules to work) and pointed it at our internal CMP sites as well as my own personal Web site. Each site took about an hour to scan. The resulting reports showed several problems, including unrestricted access to one database server that had been left open (and has since been locked down). This is Web Inspect’s strength: the intersection of database and Web server is a particularly weak area, and most enterprises don’t have the skill sets to adequately lock everything down. I did find a few false positives, such as a potential problem flagged on a page of my own site. The page contained the text “C:\”, which the software mistook for an actual command-line prompt leaking from the server. SPI Dynamics is working on removing as many of these false positives as possible.

Once you find your security loopholes, Stratum8’s Application Protection System (APS) 100 is a hardware solution that will keep your Web servers locked down. Think of it as an application-layer packet inspection firewall, with some extra goodies built in to handle particular Web applications. It is a 1U appliance, running a stripped-down version of Linux, that will protect your network from future exploits—and do it in real time with little or no operator intervention. “We like the fact that Stratum8 does not require man-months — it actually requires man-minutes — of consulting services because it allows us to solve an immediate problem immediately,” says Ted Ritter, Director of Strategic Business Development for Intelligent Decisions, a Virginia-based VAR that does government security and applications consulting.

The box has three network interfaces: one is used for a Web-based administrative utility, while the other two attach to your internal and external networks. This lets the APS examine traffic coming and going, and apply its own rule set to what is allowed in and what isn’t. I had some help from the vendor to set up my unit, but I could see that half a day was probably all that was required on even the most complex of networks. The APS can initially be set up to allow all traffic through while you get things configured.

In addition to examining traffic, the APS will also perform field consistency checks (so that users must enter a specific number of characters in a user name field as an example), cookie consistency checks, hyperlink inspection (to prevent directory traversal attacks), and allow only specific URLs to enter particular web sites. All of this is useful, and not particularly difficult, for integrators who have some knowledge of the Web and are willing to spend a little time understanding how the product works. The company recently started a channel program and includes training, a demo unit, and dedicated sales support for its products. “Stratum8 has done a great job of generating leads for us and we appreciate their support. Many people bought firewalls thinking that they protect their applications. The fact that S8 learns the performance patterns of the Web applications, adjusts accordingly, and prevents attacks will be quite helpful to our clients,” says Ritter.
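The checks just listed are easy to picture as request-filtering rules. The following is an added example of my own, not Stratum8’s code or rule format: it applies a constructed policy (field-length rule, HMAC-signed cookie consistency, traversal detection on decoded paths, and a URL allowlist) to sample requests; the policy values, the secret, and the function names are all assumed.

```python
import hmac
import hashlib
from urllib.parse import urlparse, unquote

# Constructed policy for this example (assumed; not the APS 100's rule syntax).
ALLOWED_PATHS = {"/login", "/account", "/static/logo.png"}  # URL allowlist
FIELD_RULES = {"username": (3, 32)}      # (min, max) length per form field
COOKIE_KEY = b"example-secret"           # assumed server-side signing secret


def sign_cookie(payload: str) -> str:
    """Issue a cookie as 'payload.hmac' so later tampering can be detected."""
    sig = hmac.new(COOKIE_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def cookie_is_consistent(value: str) -> bool:
    """Cookie consistency check: the HMAC must match the payload we issued."""
    payload, _, sig = value.rpartition(".")
    expected = hmac.new(COOKIE_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return bool(payload) and hmac.compare_digest(sig, expected)


def has_traversal(path: str) -> bool:
    """Hyperlink inspection: decode twice (catches %252E) and look for '..' segments."""
    decoded = unquote(unquote(path))
    return ".." in decoded.split("/") or "\\" in decoded


def check_request(url: str, fields: dict, cookies: dict) -> tuple:
    """Return (allowed, reason) for one inbound request, most severe check first."""
    path = urlparse(url).path
    if has_traversal(path):
        return False, "directory traversal"
    if path not in ALLOWED_PATHS:
        return False, "url not allowed"
    for name, (lo, hi) in FIELD_RULES.items():
        if name in fields and not lo <= len(fields[name]) <= hi:
            return False, f"field {name} length"
    for name, value in cookies.items():
        if not cookie_is_consistent(value):
            return False, f"cookie {name} tampered"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    good = sign_cookie("uid=42")
    print(check_request("/login", {"username": "alice"}, {"session": good}))
    print(check_request("/static/..%252F..%252Fetc/passwd", {}, {}))
    print(check_request("/account", {}, {"session": "uid=43." + good.split(".")[1]}))
```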

Neither product is inexpensive: Web Inspect costs $4995 per web server, although a free 15-day evaluation license is available from the company’s site. The APS 100 starts at $25,000.

Product info box

Web Inspect v. 2.0

SPI Dynamics Inc.

Atlanta, Geo.

866-774-2700

www.spidynamics.com

APS 100 v 1.6

Stratum8 Networks

Santa Clara, Calif.

408-850-0800

www.stratum8.com
