Sanctum claims its AppShield, a Web application firewall, can help protect your Web applications from any security bug. Being a paranoid security administrator, I decided to test these assertions in our Neohapsis partner labs in Chicago and deployed a beta of the AppShield 4.0 on my test Web site. I experienced some delays and discovered that AppShield needs a supplementary firewall, but in the end, the product successfully blocked most of the shenanigans I was trying to pull.
AppShield is the oldest and one of the most mature products in this small class. Those already familiar with AppShield will note a handful of new features in this version: improved rule generation and log management, a 100 percent performance boost, support for Microsoft Windows 2000 and Sun Microsystems Solaris 8, compatibility with Check Point Software Technologies' OPSEC (Open Platform for Security) SAM (Suspicious Activity Monitoring), URL mapping, foreign character support, and better network integration.
Shield Position
AppShield acts as an HTTP proxy and sits between the Internet and your Web servers -- though the product is flexible when it comes to network topology. One or more AppShields can protect one or more Web servers while integrating with load-balancers and other high-availability products.
AppShield inspects and filters HTTP traffic according to your security policies, configuration of which can range from simple protocol validation to ultraparanoid character filtering. The inspection handles SSL traffic and can be enhanced by optional SSL acceleration cards from nCipher Corp. and Rainbow Technologies to ensure AppShield doesn't become an SSL traffic bottleneck. The program also can act as an SSL front end for your Web server by handling all SSL negotiations and passing normal (non-SSL) HTTP traffic on to your server. Since SSL processing is performed by AppShield, fewer Web server resources are required.
Locations that require SSL down to the end Web server can have it their way too, but they'll suffer a performance hit: AppShield will have to decrypt and then re-encrypt the data.
AppShield also can pass client SSL certificate and IP information along to the Web servers via HTTP headers to ensure that the Web server will be able to see the information that is absorbed by AppShield. And the software comes with a handful of HTTP server plug-ins -- for Apache, Microsoft and Netscape/iPlanet Web servers -- that can read the client-information headers and make the Web server believe the connection is from the client's IP. This is useful if you use Web statistic programs on your server logs. Whichever way the Web server learns the client address, it should accept those headers only on connections that come from AppShield itself; a client that can reach the server directly could otherwise set them to any address it likes.
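As an added example, not part of the original review and not Sanctum's plug-in code, here is the check a Web server behind AppShield needs before trusting a client-IP header: honour it only when the TCP peer is the proxy, and fall back to the peer address otherwise. The header name and proxy address are assumptions for the example; the review does not say which header names AppShield actually uses.

```python
import ipaddress
from typing import Mapping

# Assumed proxy address for this example; the real AppShield addresses go here.
TRUSTED_PROXIES = frozenset({ipaddress.ip_address("10.0.0.5")})
# Assumed header name; the review does not give AppShield's actual header names.
CLIENT_IP_HEADER = "x-forwarded-for"


def effective_client_ip(peer_ip: str, headers: Mapping[str, str]) -> str:
    """Return the address the Web server should log and authorize against.

    The header is honoured only when the TCP peer is a trusted proxy. A client
    that reaches the server directly could otherwise assert any address it
    likes, poisoning logs and any IP-based access decisions.
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer not in TRUSTED_PROXIES:
        return peer_ip
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get(CLIENT_IP_HEADER)
    if raw is None:
        return peer_ip
    # With a chain of proxies each hop appends the address it saw, so the
    # rightmost entry is the one written by our own proxy. Anything that does
    # not parse as an IP address is ignored rather than logged verbatim.
    candidate = raw.split(",")[-1].strip()
    try:
        ipaddress.ip_address(candidate)
    except ValueError:
        return peer_ip
    return candidate
```

The same rule applies to the client-certificate headers: a server that reads them from any connection has handed authentication to whoever can open a socket to it.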
Since AppShield understands HTTP and HTML, it detected the subtle protocol violations and attacks I launched, which a conventional firewall or intrusion-detection system would normally ignore. My attacks included HTML-form tampering, SQL injection, cross-site scripting and CGI parameter manipulation against my demo PHP-Nuke site. But AppShield's protections do not end there: it rewrites URLs, filters cookies and headers, validates traffic flow, and blocks the over-long requests used in buffer-overflow attacks, whether they come from hackers or from Internet worms.
It features flexible logging and alerting capabilities, and can even communicate with OPSEC-compliant devices, such as Check Point's FireWall-1, to terminate sessions and log events.
Educating AppShield
Traffic-flow validation via cookies is an integral part of AppShield's functionality. AppShield also offers a noncookie tracking alternative, but this has a slight performance disadvantage. AppShield will deny any user who tries to access an internal page without first accessing the correct predecessor page, ensuring that a user progresses through a set of Web pages in a predefined order.
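A toy version of the predecessor-page check, added here as an illustration rather than taken from AppShield: the proxy keeps each session's last served page on its own side, keyed by an opaque cookie value, and refuses any request for a page whose allowed predecessors do not include that last page. The page names and the transition table are invented for a PHP-Nuke-like site.

```python
import secrets
from typing import Dict, Optional, Set, Tuple

# Invented flow for the example: each page maps to the pages a visitor must have
# just come from. An empty set marks an entry page that may be requested cold.
FLOW: Dict[str, Set[str]] = {
    "/index.php": set(),
    "/modules.php": {"/index.php", "/modules.php"},
    "/account.php": {"/modules.php"},
    "/admin.php": {"/account.php"},
}


class FlowValidator:
    """Tracks each session's last page and enforces FLOW on every request."""

    def __init__(self) -> None:
        # tracking token -> last page served. The state lives in the proxy, not
        # in the cookie, so a client cannot forge its position in the flow.
        self.sessions: Dict[str, Optional[str]] = {}

    def request(self, cookie: Optional[str], path: str) -> Tuple[str, Optional[str]]:
        """Return ('allow', token) or ('deny: <reason>', cookie).

        `cookie` is the tracking cookie the client presented (None if absent);
        the returned token is what the proxy should set on the response.
        """
        if path not in FLOW:
            return "deny: unknown page", cookie
        predecessors = FLOW[path]
        if not predecessors:
            # Entry page: continue a valid session or mint a fresh random token.
            token = cookie if cookie in self.sessions else secrets.token_hex(16)
            self.sessions[token] = path
            return "allow", token
        if cookie is None or cookie not in self.sessions:
            return "deny: no session", cookie
        last = self.sessions[cookie]
        if last not in predecessors:
            # Denied requests leave the recorded position unchanged.
            return f"deny: {path} reached from {last}", cookie
        self.sessions[cookie] = path
        return "allow", cookie
```

The token is random and carries no meaning, which is the whole point: with the position stored server-side, an attacker who bookmarks `/admin.php` gets a denial, not a page, until the session has actually passed through `/account.php`.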
For AppShield to be effective, you must show it how the dynamic applications on your site operate. I used the new Automatic Rule Generator to help make AppShield privy to my demo site. AppShield observed a trusted IP interacting with my site and applications, and the Automatic Rule Generator determined allowable actions and expected responses. I needed to run through only one session with my Web application for AppShield to get the basics of how it worked and how it should go about protecting it.
If necessary, I could have tweaked the generated rules by using the built-in regular expression language. AppShield also comes with preconfigured lists of safe characters to use, so you don't have to waste time guessing what to filter.
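The learn-then-enforce cycle described in the two paragraphs above, reduced to a few dozen lines of Python as an added example (my illustration, not Sanctum's implementation): one trusted session teaches the validator which parameters each page takes and the narrowest safe-character class that covers every value observed, and afterwards unknown parameters (form tampering), out-of-class characters (SQL injection, cross-site scripting) and over-long values (overflow attempts) are refused. The page paths, parameters and training values are invented, and the safe-character lists are my own, not AppShield's.

```python
import re
from typing import Dict, Set, Tuple

# Safe-character classes from narrowest to widest; my own lists for this
# example. Quotes, angle brackets and '=' are deliberately in none of them.
CLASSES = [
    ("digits", re.compile(r"[0-9]+")),
    ("word", re.compile(r"[A-Za-z0-9_]+")),
    ("text", re.compile(r"[A-Za-z0-9_ .,!?-]+")),
]
CLASS_INDEX = {name: i for i, (name, _) in enumerate(CLASSES)}
PATTERNS = dict(CLASSES)


def classify(value: str) -> str:
    """Narrowest class covering `value`; ValueError if none does."""
    for name, pattern in CLASSES:
        if pattern.fullmatch(value):  # fullmatch: no '$'-before-newline trick
            return name
    raise ValueError(f"training value {value!r} matches no safe-character class")


class RuleSet:
    """(path, parameter) -> (class name, longest value seen in training)."""

    def __init__(self) -> None:
        self.rules: Dict[Tuple[str, str], Tuple[str, int]] = {}
        self.pages: Set[str] = set()

    def learn(self, path: str, params: Dict[str, str]) -> None:
        """Record one request from the trusted training session."""
        self.pages.add(path)
        for name, value in params.items():
            cls = classify(value)
            key = (path, name)
            if key in self.rules:
                old_cls, old_len = self.rules[key]
                # Widen the class only as far as the observed values force us to.
                if CLASS_INDEX[old_cls] > CLASS_INDEX[cls]:
                    cls = old_cls
                self.rules[key] = (cls, max(old_len, len(value)))
            else:
                self.rules[key] = (cls, len(value))

    def check(self, path: str, params: Dict[str, str]) -> Tuple[bool, str]:
        """Enforce the learned rules on a live request."""
        if path not in self.pages:
            return False, "unknown page"
        for name, value in params.items():
            rule = self.rules.get((path, name))
            if rule is None:
                return False, f"unexpected parameter {name}"  # form tampering
            cls, seen_len = rule
            # One session is a thin sample of lengths; allow some headroom
            # before calling a value suspiciously long.
            if len(value) > max(2 * seen_len, 16):
                return False, f"over-long value for {name}"
            if not PATTERNS[cls].fullmatch(value):
                return False, f"bad characters in {name}"
        return True, "allow"


def trained_rules() -> RuleSet:
    """Rules learned from one invented trusted session against a PHP-Nuke-like site."""
    rs = RuleSet()
    rs.learn("/modules.php", {"name": "News", "file": "article", "sid": "42"})
    rs.learn("/modules.php", {"name": "Search", "file": "index", "query": "security tools"})
    return rs
```

Note the trade-off the generated rules carry: a `sid` seen only as digits will reject a quote, which stops `42 OR 1=1`, but a free-text field that legitimately needs apostrophes would have to be widened by hand, which is exactly the regular-expression tweaking the review mentions.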
AppShield 4.0 starts at $15,000. Available: now.
Sanctum, (408) 855-9500, (877) 888-3970; fax (408) 855-9521.
www.sanctuminc.com
Because there is little risk in letting users access static HTML pages or graphic images, AppShield has two options for automatically serving these types of files without having to define explicit rules. This saves you precious rule-tweaking time -- you then only have to deal with configuring your dynamic Web applications. Also, if you have a large site, you can take the bulk approach by using CyberSpyder Web crawler, a $35 shareware program, to generate a list of pages found on your Web site, which you would then feed to AppShield. It would be better if this crawling functionality were built into AppShield.
When Is a Firewall not a Firewall?
AppShield has some other drawbacks. For one, it doesn't include basic firewalling or host OS lockdown support: You'll need to place a normal firewall in front of the AppShield system and keep the underlying OS patched. Also, the rigorous validation of the HTTP protocol introduces delays and latency, which means the AppShield system could be the choke point of a busy environment. This is easy to counter by deploying multiple AppShield systems and load-balancers to distribute the load, but this increases management and ownership costs.
AppShield is best-suited for sites that feature many dynamic applications, where form tampering could wreak havoc. Sites with few or no dynamic applications will not benefit from the bulk of AppShield's features beyond basic protection against problems in the native Web server software -- but that's not to say these aren't worth having.
Skeptics may wonder why anyone would take the time to analyze the application and configure AppShield to filter malicious parameters when that time could be spent configuring and modifying the actual application to filter the same parameters. But if you don't have the capability to enforce secure coding practices in your site's Web applications, then using AppShield is one of the few options you have to protect against hackers.
Jeff Forristal is the lead security developer for security consultancy Neohapsis, in Chicago. Send your comments on this article to him at jeff@neohapsis.com.