Protect Your Web Applications


VARBusiness takes a look at two promising products


These days, the biggest security problem for enterprise networks relates to the Web server: Most firewalls are set to allow Web traffic to freely pass in and out of their domains, but few Web servers are operating perfectly, leaving networks open to various exploits both inside and outside of the corporate perimeter. Port 80, the communications port that is used by nearly all Web servers, has become the great applications dumping ground and a back door to entering many corporate networks.

I'm not exaggerating. The newspapers are filled with stories of hackers and crackers who have easily obtained data from unprotected Web servers. The Web sites of The New York Times, the U.S. Congress and various banks have all been penetrated during the past few years. One man, Adrian Lamo, actually makes a living penetrating proxy servers and then showing companies how to tighten them up.

But where there's smoke, there's opportunity, especially for VARs who can deploy analysis and protective tools to close down some of these Web-related loopholes. I took a look at two promising technologies from start-up vendors SPI Dynamics and Stratum8 Networks. Here's what I found:

Atlanta-based SPI Dynamics sells a Windows-based, software-analysis tool called Web Inspect, which examines a Web server for hundreds of different exploits and potential weaknesses. I installed it on a Windows XP workstation (earlier versions of Windows may need Java and Microsoft's MDAC modules to work) and pointed it at our internal CMP sites as well as my own personal Web site. Each analysis took about an hour. The resulting reports showed several problems, including unrestricted access to one database server that was left open (and has since been locked down). That is Web Inspect's strength: The intersection of database and Web server is a particularly weak area, and most enterprises don't have the skillsets to adequately lock everything down.

Of note, I did find a few false positives, such as identifying a potential problem with a page on my own site. The page contained the text "C:\", which the software confused with an actual command-line prompt from the server. SPI Dynamics says it's working on removing as many of these false positives as possible.

Once you find your security loopholes, Santa Clara, Calif.-based Stratum8's Application Protection System (APS) 100 is a hardware solution that will keep your Web servers locked down. Think of it as an application-layer packet-inspection firewall, with some extra goodies built in to handle particular Web applications. APS 100 is a 1U appliance, running a stripped-down version of Linux that will protect your network from future exploits, doing so in real time with little or no operator intervention.

"We like the fact that implementing Stratum8 does not require man-months, it actually requires man-minutes, of consulting services," says Ted Ritter, director of strategic business development for Intelligent Decisions, a Chantilly, Va.-based VAR.

APS 100 has three network interfaces. One is used for a Web-based administrative utility, while the other two attach to internal and external networks, allowing it to examine traffic coming and going, and to apply its own rule set to what is allowed in. I had some help from the vendor to set up my unit, but I could see that half a day was probably all that was required on even the most complex of networks.

In addition, the APS 100 performs field- and cookie-consistency checks and hyperlink inspections, and lets only specific URLs enter particular Web sites. All of this is useful, and not particularly difficult, for integrators who have some knowledge of the Web and are willing to spend a little time understanding how the product works.

Neither product comes cheap: Web Inspect costs $4,995 per Web server; a free 15-day evaluation license is available at www.spidynamics.com. The APS 100 starts at $25,000, but one can protect multiple Web servers.