By Andrew Garcia  |  Posted 2005-05-16 Print this article Print

Impervas SecureSphere 3.3 Dynamic Profiling Firewall, available since February, is a robust and flexible defensive solution for Web applications and databases alike.

SecureSpheres evolving application profiles enforce correct application scope and behavior. Meanwhile, a mix of HTTP protocol enforcement and both Snort-based and Impervas own signature-based defenses combines to protect against known attacks as well as unknown, zero-day threats. Finally, SecureSpheres Correlated Attack Validation engine analyzes results from multiple sources to identify multiple lesser attacks that, when aggregated, could signify a larger threat.

SecureSpheres method of separating protection and management functions into distinct appliances makes the system easily manageable for larger deployments consisting of multiple applications distributed across different locations.

SecureSphere comprises the G4 Gateway, which provides Web application protection, deep-inspection firewall and worm defenses, as well as the MX Management Server, which aggregates and correlates alerts and user activity from multiple G4 Gateways and provides a central point for configuring and maintaining policies via its Web-based console.

SecureSphere starts at $35,000. This price includes one G4 Gateway appliance and one MX Management Server appliance and provides Web application defenses and deep-inspection firewall protection for an unlimited number of servers.

eWEEK Labs tested SecureSphere 3.3, which also directly protects database implementations based on Microsoft Corp.s SQL Server, Sybase Inc.s Adaptive Server Enterprise and IBMs DB2 Universal Database. Database protection costs $10,000 per protected server, plus $30,000 for additional G4 Gateway hardware.

We found it surprisingly easy to get SecureSphere up and running. Unlike Kavados offering, which maintains separate software applications for out-of-band monitoring and in-line gateway protection, the G4 Gateway can be used in either scenario. With a few simple changes from the command line, we could configure the G4 Gateway out of band via a mirrored switch port, or we could deploy the device in-line—without requiring any DNS (Domain Name System), routing or other network reconfigurations.

Click here to read the review of Kavados Defiance TMS 3.1. When used out of band, the G4 Gateway is primarily a monitoring device, but it can also terminate potentially illicit connections via TCP resets to upstream switches. However, the G4 Gateway is most powerful in-line with the traffic stream. As a fully featured deep-inspection firewall, the G4 Gateway drops network and applications attacks and can temporarily block suspicious sessions or IP addresses.

During tests, the G4 Gateway also proved it would not be a single point of failure, as administrators can choose to set the device to either fail open or closed. With the device set to "fail open," we pulled the plug on the G4 and verified that our clients could still access Web applications while we worked to restore power and protection.

Whether it was deployed in-line or out of band, we found SecureSphere had no immediately discernible impact on application performance.

By default, SecureSphere is configured in Learn mode, which generates a profile of each application its configured to protect. The profile creates a snapshot of each applications normal and expected behavior, identifying valid Web pages, HTTP POST commands and values, and expected value lengths.

After sufficient time to profile (which will depend greatly on the amount of traffic the application gets), a simple toggle command initiates the Protect mode. The Protect mode actively monitors and provides alerts for each defended application. We also added rules to drop malicious traffic and temporarily block transmissions from the originating IP address.

Click here for tips on testing Web app firewalls. Applications are constantly evolving, and so we liked that SecureSphere continues learning while in Protect mode, automatically adjusting profiles when administrator-defined thresholds are reached and leaving potential changes that have not yet matched thresholds in a pending queue.

SecureSphere quickly identified our initial probes with Nessus and logged our scans to the MX Management Server, identifying a collection of protocol and profile violations that triggered a short block of our IP address per our rules. Likewise, our manual attempts to access forbidden URLs, perform buffer overflows and malformed HTTP requests, and directly contact the back-end database were stopped at the gateway.

We would like to see Imperva expand the use of access permissions within the management console. Unlike Kavados extensible administrative permissions, SecureSphere offers no control over which administrators manage and configure different applications and server groups within the SecureSphere console.

Next page: Evaluation Shortlist: Related Products.

Andrew cut his teeth as a systems administrator at the University of California, learning the ins and outs of server migration, Windows desktop management, Unix and Novell administration. After a tour of duty as a team leader for PC Magazine's Labs, Andrew turned to system integration - providing network, server, and desktop consulting services for small businesses throughout the Bay Area. With eWEEK Labs since 2003, Andrew concentrates on wireless networking technologies while moonlighting with Microsoft Windows, mobile devices and management, and unified communications. He produces product reviews, technology analysis and opinion pieces for eWEEK.com, eWEEK magazine, and the Labs' Release Notes blog. Follow Andrew on Twitter at andrewrgarcia, or reach him by email at agarcia@eweek.com.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel