Proxies Add a Protective Shield: Page 8 of 22

webApp.Secure Professional 1.1. WebScurity, (763) 786-2009.

MultiNet iSecureWeb

The Microsoft Windows version of iSecureWeb installs as a plug-in to Microsoft IIS. The IIS server acts as a host for both the proxy and the administrative Web interface.

The configuration GUI is extremely daunting at first. You're left floating through many levels, sublevels and sub-sublevels of branches, each of which can contain any number of restriction rules and tests. The good side of iSecureWeb is that you can define rules and tests based on literally any aspect of an incoming HTTP request. This is powerful: You can customize every filter down to the byte to accommodate extremely complex Web applications. The dark side of this approach is that you must wield this power right away, starting from near-scratch. iSecureWeb provides the highest level of configuration specificity among all the products we tested, at the cost of having to deal with the details. This results in a longer learning curve and a greater chance of incorrect configuration. iSecureWeb does have a policy-creation wizard, which produces rules as it crawls your Web site, but we found that it produced only mediocre rule recommendations that required a lot of manual intervention.

iSecureWeb lacks support for enforcing dynamically generated form values, much like InterDo. We also made an interesting discovery during our ASP buffer overflow attack: Because iSecureWeb is plugged into IIS, the ASP buffer overflow actually caused DoS problems in the security proxy itself. While these products may provide an extra security layer, you need to be conscious of vulnerabilities within the layer you're adding. And given iSecureWeb's dependency on IIS, you won't quite be able to escape the IIS patching rigmarole associated with Windows servers.

iSecureWeb 159.3. MultiNet Security, (866) 682-9286, (310) 273-4554.