Jeff Forristal is a senior security consultant for Neohapsis. Write to him at [email protected]. Updates to this article will be available online at www.neohapsis.com/articles/webappfw/.
Post a comment or question on this story.
Remember when most attacks hit at the network layer? Those were the days. Now, with the proliferation of Web services and introduction of protocols like SOAP, who knows what evil is trying to slither in via HTTP tunnels? Think you're safe? How many different applications run in your Web environment? Have you done a security assessment of all that source code? We didn't think so.
One possible answer is a Web application-level firewall. We installed proxy offerings from Kavado, MultiNet, Sanctum, Teros and WebScurity in our Chicago Neohapsis partner labs and tasked them with protecting two deliberately insecure Web sites. We tampered with cookies and form fields, threw Microsoft FrontPage into the mix, then sat back and watched the destruction. We also evaluated ease of configuration, a huge concern unless you have strong application-security chops on board.
None of the products could stop every attack, but Kavado InterDo and Sanctum AppShield came closest. We were impressed by InterDo's feature set, but it let dynamic form value attacks slip past, giving Sanctum the edge to win our Editor's Choice.
Our plan: Take off-the-shelf Web application platforms, like PHP and JSP, sprinkle in common programming mistakes, and see if the security proxies can defend the applications against our offensive onslaught. You'll find a full list of our attacks on page 56.
We used a range of Web technologies to create challenges for the security proxies. Our first Web server was a full-functioning e-commerce site for ordering books, la Amazon.com. It comprised an Apache Web server hosting PHP and JSP pages via a Caucho Technology Resin Java server. We went with SAP for the back-end e-commerce database. The second test Web server was based on Microsoft Windows 2000 Small Business Server and hosted both a small IIS intranet site and an Exchange 2000 OWA (Outlook Web Access) deployment. The intranet site connected to Microsoft SQL Server behind the scenes and used Microsoft FrontPage to publish HTML content. We used slightly older versions to ensure we had vulnerabilities to exploit.