Hackers have clawed their way into the application layer. These four products keep them from looting or trashing your Web apps.

See correction at end of review.

Web-based applications have become vital pieces of business infrastructure. Along the way, they have also become major security risks for the organizations that rely on them.

Large volumes of sensitive information exchanged through Web applications, and stored in databases behind those applications, hold an irresistible attraction for cyber thieves and vandals who know how to exploit structural and programmatic weaknesses. Low-profile, low-traffic sites, especially those that don't host transactions, seldom elicit enough hacker interest to cause worry. High-visibility or high-traffic sites, on the other hand, invite innovative attacks. The job of a dedicated Web application firewall is to guard against such sophisticated exploits.

For this review, we tested four products dedicated to this task: KaVaDo InterDo 3.0, NetContinuum NC-1000 Web Security Gateway V3.5, Sanctum AppShield 4.0, and Teros Secure Application Gateway 100. For higher traffic volumes, these security systems make perfect sense, because they can apply special rules to Web-specific traffic while maintaining adequate network performance.

Intruder Alert

Web application firewalls stand sentry on a new frontier of creative destruction, where malicious payloads come wrapped in the structure of legitimate traffic. The most dangerous exploits target application vulnerabilities without running afoul of ordinary firewalls: no malformed network traffic, no unusually large packets, no mismatches between address and content. Instead, these attacks employ unexpected command strings, altered cookies, or changes to hidden form fields. In mounting a defense, Web app firewalls inspect the contents of each request and compare the payload against rules gleaned from ordinary transactions between user and application.
These security products look at both sides of the transaction, recognize well-formed exploits, and block unexpected behavior. The higher the volume and the value of Web traffic, the higher the security risk, and the more it makes sense to add the dedicated power of a Web application security system.

There are broad similarities in what all four products do but substantial differences in how they go about doing it. Two products, from Teros and NetContinuum, are available only as appliances; KaVaDo and Sanctum make their solutions available as either appliances or software suites. The latter two also come with scan software designed to suss out vulnerabilities in Web applications. Teros offers an add-on scanner, and NetContinuum does not rely on a scanner at all.

The biggest and most welcome similarity among these products is that they stop, even in their default configurations, many of the most common exploits used by thieves and vandals. In addition, all include GUI management applications, and all assume (quite correctly) that extensive training or customization will be necessary before the product can be relied on for real-world application security.

We tested the software versions of these products on dual Pentium III 800MHz processors with 512MB RAM running Gentoo Linux, VMware, and Windows 2000 Server. Security products, the test application, and scanners were placed on a secure, isolated network subject to no additional traffic. The Web application used as the test bed was WebGoat, a security education tool from the Open Web Application Security Project written to be vulnerable to major application exploits.

KaVaDo InterDo 3.0

KaVaDo takes a two-part view of protecting Web applications. First, you scan an application for vulnerabilities using ScanDo 2.0 (see "Scanning Apps for Vulnerabilities," page 40). Once those vulnerabilities have been reported and addressed, you ask InterDo 3.0 to stand sentry.
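The mechanism the introduction describes, rules gleaned from ordinary transactions and then enforced on everything that follows, is what the vendors variously call learning mode and a positive security model, and the "both sides of the transaction" point covers outbound data as well. The following is an added example, not code from the review or from any of the four vendors: a miniature Web application firewall that learns a whitelist from constructed legitimate traffic for a fictional shop, blocks requests that fall outside it (an altered hidden field, an unexpected parameter, a path never seen), keeps a deliberately tiny signature list as a second line against SQL injection and cross-site scripting, and scans response bodies for Luhn-valid card numbers. The paths, parameters, sample traffic and signatures are all invented for the illustration.

```python
"""Added example, not code from the review or any of the four vendors.

A miniature Web application firewall in the "positive security model"
style: LEARN from constructed legitimate transactions which paths,
parameters and hidden-field values a fictional shop uses, ENFORCE that
profile on later requests, and scan responses on the way out for card
numbers.  Paths, parameters and traffic are all invented.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Negative signatures for two attack classes the review names.  Kept tiny
# on purpose: in a positive model the learned whitelist does most of the
# work; a list this short would not be a defence on its own.
SIGNATURES = {
    "sqli": re.compile(r"(?i)('\s*or\s+|union\s+select|--\s*$|;\s*drop\s)"),
    "xss": re.compile(r"(?i)(<script|javascript:|on(?:error|load|click)\s*=)"),
}


def _split(url, body):
    """Return (path, [(name, value), ...]) from query string plus form body."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    params += parse_qsl(body, keep_blank_values=True)
    return parts.path, params


class MiniWAF:
    def __init__(self):
        # (method, path) -> {param: set of values seen}.  After learning a
        # set means "pinned to these values", None means free-form text.
        self.profile = {}

    def learn(self, method, url, body=""):
        path, params = _split(url, body)
        prof = self.profile.setdefault((method, path), {})
        for name, value in params:
            prof.setdefault(name, set()).add(value)

    def finish_learning(self):
        # A parameter only ever seen with one value (a hidden field such as
        # a currency code) is pinned; anything else is free-form but still
        # signature-checked.  Too little training pins too much, which is
        # the change/save/restart cycle the review complains about.
        for prof in self.profile.values():
            for name, values in prof.items():
                prof[name] = values if len(values) == 1 else None

    def check_request(self, method, url, body=""):
        """Return ('allow', '') or ('block', reason)."""
        path, params = _split(url, body)
        prof = self.profile.get((method, path))
        if prof is None:
            return "block", "no learned profile for %s %s" % (method, path)
        for name, value in params:
            if name not in prof:
                return "block", "unexpected parameter %r" % name
            pinned = prof[name]
            if pinned is not None and value not in pinned:
                return "block", "fixed field %r altered to %r" % (name, value)
            for label, sig in SIGNATURES.items():
                if sig.search(value):
                    return "block", "%s pattern in %r" % (label, name)
        return "allow", ""


# Outbound side: 13-16 digit runs with optional separators that pass Luhn.
# (An SSN pattern would be a second regex in the same scan loop.)
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits):
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_response(body):
    """Luhn-valid card numbers in an outbound body; a WAF would block or mask."""
    hits = []
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


# Constructed "ordinary transactions" for a fictional shop, the kind of
# traffic a learning mode records from real users before enforcement.
SAMPLE_TRAFFIC = [
    ("GET", "/shop/search?q=laptop", ""),
    ("GET", "/shop/search?q=router", ""),
    ("POST", "/shop/buy", "item=42&qty=1&currency=USD"),
    ("POST", "/shop/buy", "item=7&qty=3&currency=USD"),
]


def build_waf(traffic=SAMPLE_TRAFFIC):
    waf = MiniWAF()
    for method, url, body in traffic:
        waf.learn(method, url, body)
    waf.finish_learning()
    return waf


if __name__ == "__main__":
    waf = build_waf()
    print(waf.check_request("GET", "/shop/search?q=%27+or+1%3D1--"))
    print(waf.check_request("POST", "/shop/buy", "item=9&qty=2&currency=XXX"))
    print(scan_response("card 4111 1111 1111 1111 charged; order 1234567890123456"))
```

The practical hazard is the one the review keeps returning to: four sample transactions are enough to pin `currency` correctly, but a parameter that legitimately varies and was only seen once during learning will be pinned too, and the first real user to send a different value is blocked. That is why every product here expects rounds of review and retuning before enforcement is switched on.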
Overall, we found InterDo to be a capable application security system that stands out mainly because of the wizards that configure the software for initial use. We tested the InterDo software rather than the appliance version. After installation, we looked at the default status first, then examined ways to customize protection. In its default state, InterDo stops many standard attacks, including SQL injection, cross-site scripting, and attacks on weakly authenticated cookies. It also establishes a common set of policies that enforces HTTP and HTTPS RFC compliance, a set of rules that may be more restrictive than your application can bear. Even so, any security product's real value is derived from its capacity to be tailored to specific applications. InterDo offers powerful help in this regard, mainly through its cleverly designed wizards.

In InterDo, a unified set of rules establishes accepted behavior for all traffic to and from a Web application, traffic that can include both HTTP and HTTPS. Setting up these rules involves defining the connection between InterDo and the application; specifying behavior that is restricted (as well as, in some cases, behavior that is permitted); and indicating the type of action and notification required of InterDo.

This process of defining activities and responses can be based on learning, where InterDo logs transactions along with proposed responses. Administrators can then go through the logs and accept, reject, or modify InterDo's decisions. This approach is easier than building rules from scratch, but it still requires frequent rounds of change/save/restart activity to bring the system to full functionality. InterDo breaks away from the field, though, when you use the wizards to begin operations. InterDo's wizards lead you through decisions about which sorts of traffic and transactions your application needs to see and which activities are threats.
The dialogues in the wizard are easy to understand, and the resulting actions can bring security to a functional, if not perfect, state very quickly. InterDo's wizards cut dramatically into the time and effort required to get started, although most users will want to learn enough to tweak settings to their particular needs.

Once InterDo is running, you control it through a proprietary management console, though it's also possible to edit the XML policy files manually or through another application. Alerts and messages are available in a wide variety of forms, including syslog, SNMP, and SMTP.

In addition to protecting application code, InterDo protects sensitive information by recognizing and blocking transmission of Social Security and credit card numbers from the application back to the user in response to a query. InterDo will also terminate SSL itself, serving the application's certificate, but applications and enterprises that make heavy use of SSL should opt for a separate SSL device for performance reasons.

InterDo benefits from the strongest UI in this group; it features a setup process that even a non-expert can follow. The availability of ScanDo makes InterDo a strong candidate for organizations willing and able to modify their applications and reinforce the modified app with a rock-solid application firewall.

NetContinuum NC-1000 Web Security Gateway V3.5

NetContinuum's Web Security Gateway is an appliance-only product that, unlike the other appliances, builds its security on a custom hardware platform, with algorithms implemented in silicon rather than software running on a standard processor. The hardware gives NetContinuum a clear advantage in performance, passing packets through the device to and from the server, without compromising security. Unfortunately, NetContinuum has wrapped this speed and power in a somewhat confusing user interface. The Web Security Gateway will protect any major Web or application server, and can be configured to allow virtually any type of transaction.
And the basic GUI, which is well designed, has the advantage of being written in cross-platform Java. But when you must dig beneath the basic GUI, or try to configure the Gateway via the serial port, things get confusing.

NetContinuum stores its management information as an XML file. When changes are required, the interface presents you with a directory tree structure. At the end of some branch is the information you need to alter, but good luck discovering precisely where that branch lies. Changes necessary for most implementations, such as altering the routing information or changing the IP address of the console, are difficult to find and not well documented. Once found, the changes aren't easy to make, so the entire process becomes a bigger chore than it should be.

The Web Security Gateway protects, in its default configuration, against the same exploits covered by the other products we tested and has similar facilities for learning behavior and altering rules. Those changes that can be made within the GUI can be effected quickly and easily, with many changes available through several methods (file menu, drop-down menu, or pop-up box). The options don't have quite the same smooth feel as those in the Teros UI, but the capabilities are all there and usually lie where you'd think they should be found.

Management for the Web Security Gateway is straightforward, although NetContinuum lacks the depth of incident reporting offered by the other systems. The internal logs don't provide easy drill-down into incident details, nor simple access to overall transaction monitoring. Logs are available in the standard formats, and it's possible that an outboard application could provide the overall view lacking in the basic management GUI.

NetContinuum is in the process of addressing the software's shortcomings.
In December, the company announced Version 4.0 of its software, an upgrade to the NC-1000 that adds traditional network firewall capabilities, including stateful packet inspection. The new software will be generally available in March.

In network performance and capability, the NetContinuum Web Security Gateway is a very strong product. Its custom silicon and networking features, including VLAN support and load balancing, give it the ability to keep up with traffic streams that might require multiple instances of other solutions. In an all-Linux management environment, the Java GUI console will fit right in. With a better serial console and stronger GUI presentation, NetContinuum could be the strongest player in the Web security market.

Sanctum AppShield 4.0

Sanctum's AppShield, like KaVaDo's InterDo, is part of a larger application protection suite. Sanctum takes an even more inclusive approach than KaVaDo, though, with multiple levels of scanning that accompany the entire application development cycle. The idea is to build security into the application, and then provide additional protection through AppShield. We found that AppShield does, indeed, provide solid protection, but you'll have to work for your application's safety.

Where KaVaDo relies on wizards, Sanctum provides detailed help files to explain the 16 steps to a basic service. Errors were reported as we set up the service, but the messages were not always as helpful as we would have liked. Once running, however, AppShield proved the equal of the other products we reviewed in preventing attacks from reaching the application server.

Part of the complexity in setting up Sanctum results from its reliance on what the company calls a "positive security model," a white list of allowed transactions. Any traffic not specifically allowed by the established rules of the system is blocked.
A white-list approach is a good way to become acquainted with the broad range of transactions required by most Web-based applications.

AppShield can provide protection in conjunction with load balancing, but Sanctum recommends that an AppShield be deployed in front of each load balancer. (One reason for this: AppShield insists upon session-level stickiness, usually implemented through cookies.) Multiple AppShields also come into play as bandwidth increases; Sanctum estimates that a full T1 feed would require two or three AppShields for full protection. Sanctum recommends an 800MHz PIII with 1GB of RAM as the host machine for AppShield. In our testing we discovered that the memory recommendation should be followed carefully or performance will suffer considerably.

The reporting and management capabilities of AppShield are comprehensive, and the UI is certainly unobtrusive (at one point, we weren't even aware AppShield was running until after the test had begun). Unfortunately, the overall UI simply isn't as polished as those of the other products. The result is a lot of needless mousing around for simple tasks and a setup process that seems much more complicated than it actually is. The UI is the only real downside to an otherwise very capable security system. Given the family of scan products that can be deployed alongside AppShield, the Sanctum solution seems best suited for those seeking to incorporate security into their Web apps throughout the development and deployment cycles.

Teros Secure Application Gateway 100

Teros is one of the two systems we looked at that comes only as an appliance (the other is NetContinuum). The Gateway 100 is built on a Linux platform and provides robust performance and protections with a user interface that makes setup (with one significant exception) a straightforward process. The difficulty in setup comes when trying to build a Java script during the "learning" process.
Although this process is similar to that employed by other systems, creating and modifying the Java script within the Teros user interface is so complicated that it should probably be left to a professional services organization. Otherwise, the learning process handles cookie signing, forms, and field modification with separate functions and rules allowed for each application under protection.

Alerts generated by the Gateway 100 can be provided through SMTP, SNMP, syslog, the internal Teros log, or CLF or ECLF (common and extended common log formats). In addition, the Gateway 100 can provide alerts that interface with Check Point or NetScreen firewalls as part of dynamic policies enforced by the IDS (intrusion detection system). The alerts fall into two areas, system notices and security, and the device can be multi-homed. On the human side of things, Teros has provided an easy-to-use, easy-to-understand GUI that appears in a Web browser, the only browser-based UI in the group. (It runs on IE only.)

Teros takes a "shut it down" approach to security, giving the Gateway 100 default settings that will cause all but the simplest (and most correctly written) Web applications to fail. This is a superb approach from a pure security standpoint, requiring the installer to specifically allow each type of traffic or transaction that can come through the device. In a system with a poorly designed interface, the process of adding allowed transactions can be brutal, but the Gateway 100's clean, straightforward GUI takes most of the pain out of the procedure.

The Gateway 100 lacks a companion scanning tool, but Teros has provided integration capabilities with the SPI Dynamics application scanner. Scanning aside, the Gateway 100 is a solid choice for those who have an existing application they have no intention of changing. The Teros system provides solid protection for all common Web servers and application types in one easy-to-handle package.
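Cookie signing, which the Teros learning process handles and which is the direct answer to the altered-cookie attacks described in the introduction, works by having the device tag every cookie the application sets and verify the tag on its way back. The following is an added example, not Teros's code or any vendor's: a transparent cookie signer that appends an HMAC tag on the outbound Set-Cookie header, then on the inbound Cookie header verifies and strips the tag so the application only ever sees values it set itself. The key, cookie names and values are invented for the illustration.

```python
"""Added example, not Teros's or any vendor's code: transparent cookie
signing as a WAF does it.  Outbound, every cookie the application sets
gets an HMAC tag appended; inbound, the tag is verified and stripped
before the application sees the cookie, so a value the user edited in
the browser ("role=user" changed to "role=admin") never reaches the app.
Key, cookie names and values are invented for the illustration.
"""
import hashlib
import hmac
from base64 import urlsafe_b64encode

SEP = "."  # separates value from tag; the tag is base64url, so never contains "."


class CookieSigner:
    def __init__(self, key):
        self.key = key  # per-device secret; persist and rotate it in practice

    def _tag(self, name, value):
        # The tag covers the cookie NAME as well as the value, so a tag
        # minted for "theme=dark" cannot be moved onto "role=dark".
        msg = name.encode() + b"\0" + value.encode()
        mac = hmac.new(self.key, msg, hashlib.sha256).digest()
        return urlsafe_b64encode(mac).decode().rstrip("=")

    def sign_outbound(self, set_cookie):
        """'role=user; Path=/; HttpOnly' -> same header with a tagged value."""
        pair, _, attrs = set_cookie.partition(";")
        name, _, value = pair.strip().partition("=")
        tagged = "%s=%s%s%s" % (name, value, SEP, self._tag(name, value))
        return tagged + (";" + attrs if attrs else "")

    def verify_inbound(self, cookie_header):
        """Return (cleaned Cookie header for the app, list of rejected names)."""
        good, bad = [], []
        for part in cookie_header.split(";"):
            if not part.strip():
                continue
            name, _, tagged = part.strip().partition("=")
            value, _, tag = tagged.rpartition(SEP)
            # compare_digest runs in constant time, so the tag cannot be
            # guessed one byte at a time from response timing.
            if tag and hmac.compare_digest(tag, self._tag(name, value)):
                good.append("%s=%s" % (name, value))
            else:
                bad.append(name)  # altered, forged, or never signed by us
        return "; ".join(good), bad


def demo(key=b"constructed-demo-key-do-not-reuse"):
    """Sign a cookie, replay it honestly, then replay it with the value edited."""
    signer = CookieSigner(key)
    header = signer.sign_outbound("role=user; Path=/; HttpOnly")
    tagged = header.split(";")[0]  # the name=value pair the browser sends back
    honest = signer.verify_inbound(tagged)
    edited = signer.verify_inbound(tagged.replace("role=user", "role=admin"))
    return honest, edited


if __name__ == "__main__":
    print(demo())
```

A cookie the application never set, for instance one from a third-party script, carries no tag and is rejected as written here; a production device keeps a list of which cookies it signs and passes the rest through untouched, which is one of the per-application rules the Teros learning process builds. Note that signing proves the value is unaltered, not that it is secret: anything the browser can read is still readable, so confidential values need encryption or should stay server-side.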
Choose Your Defense

All the systems we tested do a fine job of protecting Web-based applications. In fact, we wouldn't hesitate to deploy any of these systems as part of our application infrastructure. But the key difference proved to be ease of setup, and in that category, KaVaDo InterDo 3.0 pulled ahead.

A final word of caution: Web application firewalls, even those packaged as appliances, are not plug and play. Most applications worth protecting rely on complex business logic and critical data transmission as they execute transactions. Expect a learning curve for you and for the Web app firewall itself as it determines allowable traffic. Putting any of these systems in production without rigorous testing would be a painful way to learn how complicated a Web application is, not to mention how loudly users can scream when the app no longer works.

Correction

In the bottom line box for KaVaDo InterDo 3.0, the verbal score has been corrected.

InfoWorld Scorecard

Product                                                  Value   Management   Configuration   Security   Scalability   Performance   Overall
(weight)                                                 (10%)   (25%)        (10%)           (25%)      (15%)         (15%)         (100%)
KaVaDo InterDo 3.0                                       9.0     10.0         10.0            9.0        7.0           7.0           8.8
NetContinuum NC-1000 Web Security Gateway v3.5           8.0     7.0          7.0             9.0        10.0          10.0          8.5
Sanctum AppShield 4.0                                    8.0     9.0          7.0             9.0        7.0           7.0           8.1
Teros Secure Application Gateway (Teros 100 Appliance)   7.0     9.0          7.0             9.0        7.0           9.0           8.3