It is only when the packets arrive at the web server that the trouble starts. Web exploits can range from simply defacing the website to installing and running unauthorized software on the server.
Some exploits are only possible because of poor application programming techniques, while others are the result of the open nature of the internet.
Not all web exploits can be dealt with properly at the application level, even if they are detected. An application's validation checks on data from an input form may cause a string containing exploit characters to be rejected. The application will probably return an error message to the user, but it almost certainly will not log the error, so there will be no indication that an attack has been mounted.
Another common type of attack uses the fact that HTTP requests can be altered before they are sent to the web server. Exploits that take advantage of this include altering form data so that goods are invoiced at lower prices, and triggering buffer overflow errors. Some attacks use embedded SQL statements to cause havoc, while others simply replace the website's image files with other, less welcome pictures.
InterDo sets out to address these and other issues by examining the server traffic itself and validating its content before it reaches the application. It also takes an active approach to security by providing ways to define protection for individual server applications. These checks can be as simple as defining the maximum length allowed for each type of HTTP request, or as detailed as defining the sizes and ranges allowed for each field in individual forms.
It is possible to restrict access to directories within websites so that incorrectly assigned permissions on the server do not compromise security. Security can be defined so that an HTTP GET request to a directory that contains images will be allowed, but an HTTP PUT request will not.
Embedded scripts and SQL commands can also be detected and prevented from executing. It is also possible to place restrictions on input sources and file uploads and to detect exploits that attempt to make use of SOAP and WSDL. All these kinds of attacks will be detected and reported without passing them to the server, while an appropriate error page will be returned to the user.
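As an added illustration of the kinds of checks described above (this is example code, not InterDo's own code or configuration), the following Python sketch screens a request before the application sees it: a size limit per HTTP method, a per-directory method rule that lets GET through to an image directory but not PUT, per-form field length and range rules, and a crude signature test for embedded script and SQL fragments. Every rejection is logged, which addresses the silent-rejection problem described earlier. All paths, field names, limits and signatures are constructed for the example.

```python
# Added example, not InterDo code: a hypothetical request-screening layer
# implementing the kinds of checks described in the text.
import logging
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

logging.basicConfig(level=logging.WARNING, format="%(levelname)s %(message)s")
log = logging.getLogger("screen")

# Constructed policy: maximum raw request size per HTTP method.
MAX_REQUEST_LEN = {"GET": 2048, "HEAD": 2048, "POST": 8192, "PUT": 8192}

# Constructed policy: methods each directory prefix may receive
# (the image directory accepts GET/HEAD but not PUT).
METHOD_RULES = {
    "/images/": {"GET", "HEAD"},
    "/order": {"GET", "POST"},
}

@dataclass
class FieldRule:
    max_len: int                                     # maximum field length
    numeric_range: Optional[Tuple[int, int]] = None  # (low, high) if numeric

# Constructed per-form rules: the order form accepts only these fields.
# Paths with no entry accept no form fields at all (default deny).
FORM_RULES: Dict[str, Dict[str, FieldRule]] = {
    "/order": {
        "item_id": FieldRule(max_len=8, numeric_range=(1, 99999)),
        "quantity": FieldRule(max_len=3, numeric_range=(1, 100)),
        "note": FieldRule(max_len=200),
    },
}

# Crude, constructed signatures for embedded script and SQL fragments.
SUSPICIOUS = re.compile(
    r"(<\s*script\b|\bunion\s+select\b|'\s*or\s+'?\d|--|;\s*drop\b)",
    re.IGNORECASE,
)

@dataclass
class Request:
    method: str
    path: str
    source_ip: str = "0.0.0.0"
    raw_len: int = 0
    form: Dict[str, str] = field(default_factory=dict)

def _reject(req: Request, reason: str) -> Tuple[bool, str]:
    # Log every rejection so an attempt leaves a trace even though the
    # application never sees the request.
    log.warning("rejected %s %s from %s: %s",
                req.method, req.path, req.source_ip, reason)
    return False, reason

def screen(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason) for a request before it reaches the application."""
    limit = MAX_REQUEST_LEN.get(req.method)
    if limit is None:
        return _reject(req, "method not permitted")
    if req.raw_len > limit:
        return _reject(req, f"request exceeds {limit} bytes")
    for prefix, methods in METHOD_RULES.items():
        if req.path.startswith(prefix) and req.method not in methods:
            return _reject(req, f"{req.method} not allowed under {prefix}")
    rules = FORM_RULES.get(req.path, {})
    for name, value in req.form.items():
        rule = rules.get(name)
        if rule is None:
            # Unknown fields (e.g. a client-supplied price) are not accepted.
            return _reject(req, f"unexpected field {name!r}")
        if len(value) > rule.max_len:
            return _reject(req, f"field {name!r} longer than {rule.max_len}")
        if SUSPICIOUS.search(value):
            return _reject(req, f"suspicious content in field {name!r}")
        if rule.numeric_range is not None:
            lo, hi = rule.numeric_range
            if not value.isdigit() or not lo <= int(value) <= hi:
                return _reject(req, f"field {name!r} outside {lo}-{hi}")
    return True, "ok"

if __name__ == "__main__":
    print(screen(Request("PUT", "/images/logo.gif", "10.0.0.7", 120)))
    print(screen(Request("POST", "/order", "10.0.0.7", 300,
                         {"item_id": "42", "quantity": "3", "price": "0.01"})))
```

The order form deliberately has no `price` field: the price is something the server computes, so a tampered request that carries one is rejected as an unexpected field rather than being passed on for the application to trust. The signature list is intentionally crude; in practice it would be tuned per application, which is what the per-application pipes described below are for.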
The InterDo firewall software can run on Linux, Solaris and Windows platforms. We tested it on a machine with an 800 MHz Intel Pentium III processor and 128 MB RAM running Windows 2000 Server.
Installation was simple and posed no problems for us. The management console interface was logical and well-designed, with a two-pane layout similar to Windows Explorer.
The help system was easy to use, but there was no context-sensitive help. Setting protection for a website was a straightforward process using the wizard provided, and this created the connection between clients and the application.
These connections, or "tunnels," describe the addresses, ports and protocols used. Tunnels can support SSL encryption and the system provides facilities to manage the required certificates.
Individual security components, referred to as "pipes," can then be applied to individual web applications as required to provide specific security configurations. These can be refined still further by using the Regular Expression facility provided.
Security pipes can also be set to operate in "learning" mode, which logs suspicious behavior and suggests possible remedies, but in this mode the pipe does not protect the web application, so it would not normally be used in a live environment.
In operational terms, the monitoring and reporting facilities enable the administrator to track attempted security breaches and to determine which application is being targeted, while detailed log analysis can reveal the source of the attempted attack. The source address could then be placed on a blacklist maintained by the firewall.
Real-time graphs are available displaying the number of active users and network sessions, and alerts can be raised using network messages, email and SNMP. Specified external programs can also be run when specific alert conditions occur.
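The monitoring workflow described above (find out which application is being targeted, trace the source, and put it on a blacklist) as an added Python example that is not part of the product: it parses a handful of constructed rejection-log lines in a hypothetical format, counts rejections per application path, and flags any source address that produces a given number of rejections within a short window as a blacklist candidate. The log format, addresses, timestamps and thresholds are all assumptions.

```python
# Added example, not InterDo code: summarising a hypothetical firewall
# rejection log to find the targeted application and repeat offenders.
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed log lines in an assumed format:
# timestamp  source-ip  method  path  rejection-reason
SAMPLE_LOG = """\
2003-05-12T10:01:03 10.0.0.7 POST /order suspicious content in field 'note'
2003-05-12T10:01:05 10.0.0.7 POST /order suspicious content in field 'note'
2003-05-12T10:01:09 10.0.0.7 POST /order field 'quantity' outside 1-100
2003-05-12T10:02:41 192.168.5.20 PUT /images/logo.gif PUT not allowed under /images/
2003-05-12T10:15:30 10.0.0.7 POST /login suspicious content in field 'user'
2003-05-12T11:40:02 172.16.9.3 GET /order request exceeds 2048 bytes
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.*)$")

Event = Tuple[datetime, str, str, str, str]

def parse(log_text: str) -> List[Event]:
    """Turn log text into (timestamp, ip, method, path, reason) tuples."""
    events: List[Event] = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the analysis
        ts, ip, method, path, reason = m.groups()
        events.append((datetime.fromisoformat(ts), ip, method, path, reason))
    return events

def targeted_applications(events: List[Event]) -> Counter:
    """Rejections per path: shows which application is drawing the attempts."""
    return Counter(path for _, _, _, path, _ in events)

def blacklist_candidates(events: List[Event], threshold: int = 3,
                         window: timedelta = timedelta(minutes=5)) -> List[str]:
    """Sources with at least `threshold` rejections inside any `window`."""
    by_ip: Dict[str, List[datetime]] = defaultdict(list)
    for ts, ip, *_ in events:
        by_ip[ip].append(ts)
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return sorted(flagged)

if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("targeted:", targeted_applications(events).most_common())
    print("blacklist candidates:", blacklist_candidates(events))
```

A single rejection is usually noise (a typo, a mis-sized upload), which is why the blacklist step counts repeats within a window rather than reacting to one event; the same threshold logic is the natural trigger for the alert mechanisms (network message, email, SNMP, external program) mentioned above.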
There are a number of advantages to having web security checks in one place. Because all web traffic must pass through the application firewall, the site is assured that these security checks have been performed.
Retrofitting these checks to individual applications could be a costly and time-consuming business, although good defensive programming practice dictates that applications should still perform proper checks rather than relying on the InterDo firewall to catch everything.
It is far easier to counter new exploits by implementing new security checks at the firewall than it would be to apply them to the individual applications it protects.
It also allows a site to implement security for web applications and components where there is no access to source code and therefore no easy way to find and fix any vulnerability that might exist.