AppShield Repels Hack Attacks

SAN MATEO (05/15/2000) - You've installed a firewall and intrusion-detection software. So your Web site is safe from hackers, right? Alas, the unhappy answer is no.

Your firewall still allows outsiders to reach your Web site via one port, so that customers and casual browsers can reach your public applications. Yet numerous security exploits exist at this application level, so the attacks pass right through your well-defended firewall on the open port.

In the past, the only way to protect yourself against these attacks was with secure coding practices by Web site developers and constant monitoring of exploits and vulnerabilities for any third-party applications in use, such as Web servers. Coming next month, however, you can take advantage of Perfecto Technologies Inc.'s turnkey solution to protect you from these attacks. The product, AppShield, Version 2.5, is a plug-and-play, cost-effective solution for application security. If the shipping version matches the beta I reviewed, I'll be tempted to give it a top rating.

AppShield is a software-based solution that sits between the firewall and the Web server. AppShield consists of three main components: Security Engine, Management Console, and License Manager. The Security Engine provides the Web site security, the Management Console is used to configure and run AppShield, and the License Manager manages the AppShield licensing process. The Management Console and the License Manager can be installed on a server running AppShield or on a separate machine.

AppShield protects your network at the application level through several methods. First, AppShield ensures that end-users access the site only from legal entry points, which are defined in the Management Console. This protects sites from users who save pages, such as those that contain pricing information, and modify the data. Second, AppShield generates an application-session token and stores it in an encrypted cookie. This cookie is used in all future transactions to uniquely identify the user. Third, AppShield analyzes each HTML page, using its proprietary Policy Recognition Engine as the page is sent to the browser. The Policy Engine examines the page for information such as CGI parameters, hidden-field values, drop-down menu values, and maximum size for text fields. AppShield determines the security policy of the application based on this on-the-fly analysis.

The Policy Recognition Engine is significant because it enables AppShield to automatically determine legal inputs without any user intervention or predefined policy. This automatic security policy is then enforced using a second proprietary technology, Adaptive Reduction Technology (ART), which verifies that all incoming client requests are legal, and thus safe, values.

Incoming requests from the browser are reduced, or translated, into a minimal instruction set of allowable values. These instructions are then expanded back into the appropriate URL. This Expander/Reducer effectively uncouples the application from the Internet, creating a secure environment for the application. The end-user is sent to an error page and not allowed access to the application if a request violates the policy.
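The derive-then-enforce idea described above can be sketched briefly: read the outgoing page to learn which values each field may carry, then check the next request against that record. This is an added illustration, not Perfecto's code or AppShield's actual implementation; the class name, function names and sample form fields are all constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qsl
# Constructed sample: form fields of a served page (hidden price, drop-down, text box).
PAGE = """<input type="hidden" name="price" value="1300.00">
<select name="size"><option value="27in"><option value="32in"></select>
<input type="text" name="zip" maxlength="5">"""

class PolicyRecorder(HTMLParser):
    """Record, per form field, what the served page allows the client to send back."""
    def __init__(self):
        super().__init__()
        self.policy = {}     # name -> ("fixed", set_of_values) or ("maxlen", int_or_None)
        self._select = None  # name of the <select> currently open

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        name = a.get("name")
        if tag == "input" and name:
            if a.get("type", "text").lower() == "hidden":  # must return unchanged
                self.policy[name] = ("fixed", {a.get("value", "")})
            else:
                limit = a.get("maxlength", "")
                self.policy[name] = ("maxlen", int(limit) if limit.isdigit() else None)
        elif tag == "select" and name:
            self._select = name
            self.policy[name] = ("fixed", set())
        elif tag == "option" and self._select:
            self.policy[self._select][1].add(a.get("value", ""))

    def handle_endtag(self, tag):
        self._select = None if tag == "select" else self._select

def derive_policy(html):
    recorder = PolicyRecorder()
    recorder.feed(html)
    return recorder.policy

def violations(policy, body):
    """List the ways a submitted form body departs from the recorded policy."""
    problems = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        kind, rule = policy.get(name, ("unknown", None))
        if kind == "unknown":
            problems.append(f"{name}: not a field on the served page")
        elif kind == "fixed" and value not in rule:
            problems.append(f"{name}: value was not offered by the page")
        elif kind == "maxlen" and rule is not None and len(value) > rule:
            problems.append(f"{name}: longer than {rule} characters")
    return problems
```

A request that returns the hidden price unchanged yields an empty list; one that alters it, adds a parameter the page never offered, or overruns the text-field limit is reported and would be answered with the error page.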

AppShield's Management Console, a Java-based GUI, provides centralized control of all AppShield servers installed at a site. Through the Management Console, you can view the Log Screen, Status Screen, or the Configuration Tool. The log files on the Log Screen are laid out very nicely and color-coded for easy review. Transactions that trigger AppShield error messages are displayed in bold red text for quick identification; data columns can be resized and rearranged according to your preferences. One neat feature of the Log Screen is the JS (JavaScript) Rules tip. AppShield gives you the opportunity to configure allowable JavaScript parameters. JavaScript is problematic to AppShield because it causes changes on the client side, which AppShield considers a security breach. The JS Rules tip suggests a rule for you to incorporate that would allow the rejected transaction through if it should turn out to be legal.

The Status Screen shows pages per second, hits per second, and number of concurrent users in a simple, easy-to-read format that allows you to track the performance of your AppShield servers.

The Configuration Tool provides a central point to control all AppShield parameters and functions. An additional configuration parameter I like, found under the General tab, chooses the mode AppShield can work in: Secure, Learning, or Bypass mode. Secure mode means the site is protected by AppShield; Bypass means it is not. Learning mode gives you the opportunity to see what transactions trigger error messages without losing any site functionality.

Perfecto engineers installed AppShield for me; that's the same service any customer would receive, according to Perfecto. The installation process was very simple and took about 30 minutes. After AppShield was installed, they filled in the necessary IP address and port information in the Network Configuration tab under Configuration Tools. They also installed their test Acme-Hackme Web site, which is filled with application-level holes. I played around with this Web site, modifying hidden fields, tampering with CGI parameters, as well as messing with cookie poisoning, debug options, default Web server settings, and buffer overflows of input fields. I also added a few Web pages of my own creation with some JavaScript and played with the JavaScript Rules.

Based on my look at the beta, I highly recommend this product to any company running a Web application. The current methods of protecting the application layer require more time, effort, and money than most companies are willing to provide. AppShield allows you to focus your efforts on your core competencies, developing a best-of-breed application, without worrying about all the security issues. This decreases your time to market as well as your development costs.

Mandy Andress is director of information security at Privada, a privacy infrastructure provider. Her e-mail address is mandyandress@yahoo.com.

Application-level attacks a threat to your e-business

Application-level attacks are a rapidly growing threat to any e-business. These attacks exploit security weaknesses in the Web application itself, whether internally developed or in third-party applications. I see two main reasons for the growth of these attacks: the laudable increase in network/host security and poor coding practices.

Administrators are becoming more security-savvy when it comes to network and host security. Firewalls and intrusion detection are today must-haves for any company's network; encryption, PKI (public key infrastructure), and other authentication solutions are quickly becoming standard practice. With this increased awareness, attackers are finding it more difficult to compromise systems at the network level. Numerous products have been released that protect companies from and alert them to network attacks, including Clicknet's entercept, ISS' RealSecure, and Network Ice. (For our recent review of entercept 1.5, turn to www.infoworld.com/printlinks.)

Successful e-business is time-critical. Everyone wants to be first to market with a new product, so developers take a few shortcuts. The most common place for these shortcuts to occur is in coding practices. Developers want to create a working application as quickly as possible, which may leave their company open to application-level attacks. Detailed code reviews are the best defense, but most companies do not have the time or resources to do this adequately.

What exactly are application attacks? These attacks are made using a Web browser and knowledge of Web applications, using them in ways that were not intended by the developers. They pass right through the firewall and go undetected by intrusion-detection solutions, which do not monitor this line of communication. In Security Watch, columnists Joel Scambray and Stuart McClure recently wrote about application hacks, discussing some exploits found in Sambar Server and the Finger Server that let an attacker execute remote commands. There is a second side to these attacks: the internally developed application. With a little reverse-engineering, attackers can easily find significant weaknesses in any system that was not developed in a security-conscious environment.

Let's look at a few examples of how this can occur. You have a Web application that allows users to purchase electronics online. The application uses HTML hidden fields to store pricing information. When a user purchases an item, the CGI script in the Web application pulls the price from the hidden field and charges the customer that price for the item purchased. It is trivial to download the HTML, modify the hidden field, and buy a $1,300 television for $1.

This sounds like something that couldn't succeed, yet if the application includes no checks and balances, such as comparing the price in the back-end database to the amount being charged, then the hacker can get away with it.

A second application attack comes in manipulating SQL commands. Some Web applications make SQL queries to the back-end database through the URL. By modifying the URL, attackers can reverse-engineer the database structure and potentially find user names, passwords, or even credit card numbers. Encrypting information stored in the database helps, but that step slows down the process because encrypting and decrypting adds additional transaction-processing time.

Another application attack involves cookies. Some Web applications use cookies, saved on the client's machine, to store user IDs, personal preferences, and so on. Manipulating these cookies could allow an attacker to see the account information of other users. The best defense against cookie poisoning is developing a cryptographically secure cookie.
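One way to build a cookie that cannot be altered unnoticed is to attach a keyed MAC and reject any cookie whose tag does not verify. The following is an added example, not code from the article or from any product it mentions; the key, field layout and function names are assumptions, and the scheme protects integrity only (the user ID stays readable by the client).

```python
import base64
import hashlib
import hmac
import time

# Assumption: a server-side secret. Constructed demo value, never shipped to the client.
SECRET_KEY = b"constructed-demo-key"

def _b64(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def issue_cookie(user_id, ttl=3600, now=None, key=SECRET_KEY):
    """Return 'payload.tag', where tag = HMAC-SHA256(key, payload)."""
    expires = int(now if now is not None else time.time()) + ttl
    payload = _b64(f"{user_id}|{expires}".encode())
    tag = _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{tag}"

def read_cookie(cookie, now=None, key=SECRET_KEY):
    """Return the user ID if the cookie is authentic and unexpired, else None."""
    payload, sep, tag = cookie.partition(".")
    expected = _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    # Constant-time comparison; the payload is not parsed until the tag verifies.
    if not sep or not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    padded = payload + "=" * (-len(payload) % 4)
    user_id, _, expires = base64.urlsafe_b64decode(padded).decode().rpartition("|")
    if int(expires) < int(now if now is not None else time.time()):
        return None
    return user_id
```

Swapping in another user's ID changes the payload, so the old tag no longer matches and the server treats the request as unauthenticated.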

The best overall defense against application hacks is developing applications in a security-conscious environment and testing them thoroughly. This is not the most feasible solution in today's e-business world because of the high costs and numerous resources required. The alternative is to find a product that saves you from yourself, so to speak, such as Perfecto Technologies' AppShield (see review, page 45). AppShield, however, is the first product I have seen that protects e-businesses from application attacks, so this is not yet a common form of defense. If you can gather the resources, you'll serve yourself best with a combination of both application-level protection and properly tested applications.

THE BOTTOM LINE: BETA

AppShield, Version 2.5, beta

Business Case: AppShield protects your Web servers at the application level, decreasing security-related development time and costs.

Technology Case: AppShield's plug-and-play architecture and support for standard HTTP and SSL (Secure Sockets Layer) allow it to be implemented without extensive planning or changes to existing systems.

Pros:

+ Easy to administer

+ Cost-effective

+ Plug-and-play

Cons:

- Slightly cumbersome support for JavaScript and Java applets

Cost: $995 per server

Platform(s): Windows NT; Solaris 2.6 and Solaris 2.7

Shipping: June 2000

Perfecto Technologies Inc., Santa Clara, California; (408) 855-9500; www.perfectotech.com.
