There are now three significant players in the Web application firewall space, a field that I think offers the best approach to protecting Web applications from attack.
Teros (formerly Stratum8 Networks) sets its Teros-100 Application Protection System apart from Sanctum's AppShield and KaVaDo's InterDo by shipping it as a 1U rack appliance, which eases installation, lets the vendor harden the platform and improves overall reliability, all of which matter for an in-line network device.
Teros-100 APS also provides SSL acceleration in hardware, something the less expensive software-only options, AppShield and InterDo, don't have.
All three products share the same core approach: they turn HTTP from a stateless protocol into a stateful one, tracking each connected client's session to determine whether the URL and parameters being submitted are a legitimate next request given the pages that client has already been served. This approach stops worms cold because they fire canned attack HTTP requests at URLs that are not in the small set of allowable session entry points.
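The session model described above, as an added example (not code from Teros, Sanctum or KaVaDo): a client's session starts with a handful of entry-point URLs, every page served to that client is parsed for links and forms, and the extracted paths and parameter names become the only requests the client may make next. The sample page, the entry-point list and the `ClientSession` interface are assumptions for illustration.

```python
"""Session-aware positive security model for HTTP (added example)."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit


def _split_url(url):
    """Return (path, set of query parameter names) for a relative URL."""
    parts = urlsplit(url)
    params = set(parse_qs(parts.query, keep_blank_values=True))
    return parts.path or "/", params


class LinkAndFormExtractor(HTMLParser):
    """Collect every href, form action and form field name on a served page."""

    def __init__(self):
        super().__init__()
        self.allowed = {}   # path -> set of permitted parameter names
        self._form = None   # (action path, field-name set) while inside <form>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            path, params = _split_url(a["href"])
            self.allowed.setdefault(path, set()).update(params)
        elif tag == "form":
            path, params = _split_url(a.get("action", ""))
            self._form = (path, params)
        elif tag in ("input", "select", "textarea") and self._form and a.get("name"):
            self._form[1].add(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._form:
            path, fields = self._form
            self.allowed.setdefault(path, set()).update(fields)
            self._form = None


class ClientSession:
    """Per-client state: the URLs and parameters this client may request next."""

    def __init__(self, entry_points=("/",)):
        # Assumed entry points; a real deployment configures these per application.
        self.allowed = {p: set() for p in entry_points}

    def learn_response(self, html):
        """Called on every page served to the client; widens the allowed set."""
        ex = LinkAndFormExtractor()
        ex.feed(html)
        for path, params in ex.allowed.items():
            self.allowed.setdefault(path, set()).update(params)

    def check_request(self, path, params):
        """Return (allowed, reason) for a request the client is about to send."""
        if path not in self.allowed:
            return False, "URL not reachable from any page served in this session"
        unexpected = set(params) - self.allowed[path]
        if unexpected:
            return False, "unexpected parameters: " + ", ".join(sorted(unexpected))
        return True, "ok"


# Constructed sample page; a real deployment learns this from live responses.
HOME_PAGE = """
<html><body>
<a href="/catalog?cat=books">Books</a>
<form action="/login" method="post">
  <input name="user"><input name="pass" type="password">
</form>
</body></html>
"""


def demo():
    """Walk one client through a session and return each request's verdict."""
    s = ClientSession()
    s.learn_response(HOME_PAGE)
    return {
        "follow link": s.check_request("/catalog", {"cat": "books"})[0],
        "tampered params": s.check_request("/catalog", {"cat": "books", "debug": "1"})[0],
        "submit form": s.check_request("/login", {"user": "a", "pass": "b"})[0],
        # Canned worm request: never linked from any served page, so never allowed.
        "worm probe": s.check_request("/scripts/root.exe", {})[0],
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16s} {'ALLOW' if verdict else 'BLOCK'}")
```

Two caveats a practitioner hits immediately: this toy only learns parameter names, whereas a production device also constrains values (hidden fields, select options, lengths), and URLs built by client-side JavaScript are never seen in served HTML and must be whitelisted by hand or they become false positives.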
I spoke with Teros CTO and co-founder Abhishek Chauhan and VP of Marketing Tom Bennett about the Feb. 18 launch of the company's 2.0 appliance.
The most interesting thing they mentioned was a new set of business policy modules that go much deeper into HTML pages to look for specific types of data.
For example, the Teros-100 APS 2.0 box uses a pattern-recognition algorithm to look for credit-card-number-like strings; it can then block pages that contain more than one credit card number, or pass only the last four digits of each number through.
Another option looks for password pages and checks user passwords against complexity requirements as they are submitted. This happens in real time and without any change to the source application: the box dynamically redirects the user to a custom error page when it needs to break into the data stream.
It also offers defacement prevention: certain pages can be digitally signed to ensure their content doesn't change, and pages can be blocked because they contain stopwords (e.g. "hax0r") or because they lack approved words (such as a copyright banner). This kind of positive page filtering is also a good way to stop application server or database error messages from accidentally reaching clients.
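The two content-policy modules described above, credit-card pattern recognition and defacement prevention, as added examples rather than the Teros implementation. The card detector pairs a digit-run regex with the Luhn check so order numbers and phone numbers are not flagged, then applies the article's policy (mask to the last four digits, or block a page carrying more than one number). The defacement checks compare signed pages against an approved digest, reject stopwords and require an approved string. An HMAC-SHA256 over the page body stands in for the article's "digital signature", which is an assumption about the mechanism; the key, the word lists and the sample pages are constructed for the example.

```python
"""Outbound content policy: card-number masking and defacement checks (added example)."""
import hashlib
import hmac
import re

# ---- credit-card pattern recognition --------------------------------------

# 13 to 19 digits with optional single space or dash separators.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn mod-10 check that payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _digits(s):
    return re.sub(r"[ -]", "", s)


def find_card_numbers(text):
    """Return the raw matches that look like cards and pass Luhn."""
    return [m.group(0) for m in CARD_RE.finditer(text) if luhn_ok(_digits(m.group(0)))]


def _mask_match(m):
    """Keep separators and the last four digits; star out everything else."""
    if not luhn_ok(_digits(m.group(0))):
        return m.group(0)          # not a card: leave order numbers etc. alone
    out, seen = [], 0
    for ch in reversed(m.group(0)):
        if ch.isdigit():
            out.append(ch if seen < 4 else "*")
            seen += 1
        else:
            out.append(ch)
    return "".join(reversed(out))


def filter_cards(body, max_cards=1):
    """Block a page leaking more than max_cards numbers, else mask them.
    Returns (allowed, body_to_send)."""
    if len(find_card_numbers(body)) > max_cards:
        return False, "<html><body>Page blocked by content policy.</body></html>"
    return True, CARD_RE.sub(_mask_match, body)


# ---- defacement prevention / positive page filtering ----------------------

SIGNING_KEY = b"example-key-held-by-the-appliance"   # assumed; not for production
STOPWORDS = ("hax0r", "owned by", "defaced")
REQUIRED = ("Copyright",)
# Common server/database error fragments, made explicit for the leak case.
ERROR_LEAKS = (re.compile(r"ORA-\d{5}"), re.compile(r"Unclosed quotation mark"),
               re.compile(r"Stack Trace"))


def sign_page(body, key=SIGNING_KEY):
    """Digest recorded when an administrator approves the page's content."""
    return hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()


def inspect_page(path, body, signatures, key=SIGNING_KEY):
    """Return (allowed, reason). signatures maps path -> approved digest."""
    expected = signatures.get(path)
    if expected is not None and not hmac.compare_digest(sign_page(body, key), expected):
        return False, "signed page content changed"
    low = body.lower()
    for w in STOPWORDS:
        if w in low:
            return False, f"stopword {w!r} present"
    for pat in ERROR_LEAKS:
        if pat.search(body):
            return False, "server or database error text present"
    for w in REQUIRED:
        if w not in body:
            return False, f"required text {w!r} missing"
    return True, "ok"


# Constructed sample pages (test card numbers, not real accounts).
RECEIPT = "Order 1234567890123 paid with card 4111 1111 1111 1111. Thank you."
LEAK = "4111 1111 1111 1111\n5500 0000 0000 0004\n"
HOME = "<html><body><h1>Acme</h1><p>Copyright 2003 Acme</p></body></html>"
DEFACED = "<html><body><h1>hax0r was here</h1><p>Copyright 2003 Acme</p></body></html>"
ORA_ERROR = "<html><body>ORA-01756: quoted string not properly terminated</body></html>"
SIGNATURES = {"/index.html": sign_page(HOME)}

if __name__ == "__main__":
    print(filter_cards(RECEIPT))
    print(filter_cards(LEAK))
    for p, b in (("/index.html", HOME), ("/index.html", DEFACED), ("/search.do", ORA_ERROR)):
        print(p, inspect_page(p, b, SIGNATURES))
```

The regex deliberately does not cross newlines, so two numbers on separate lines count as two; the Luhn filter is what keeps a 13-digit order number in the receipt untouched while the card beside it is masked. Signing only makes sense for pages whose bytes are fixed, which is why dynamic pages fall back to the stopword and required-word checks.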
In other areas, Teros-100 APS 2.0 has a new ability to set different security rules and delegate administrator functions on an application-by-application basis—a major increase in flexibility, but also something that InterDo already provides.
Generated security rules are also now generalized into classes to make them easier to manage, and the box offers automatic hot failover to a backup Teros-100 APS when used in a redundant pair.
Deep page-scanning techniques, combined with pattern-recognition algorithms, allow whole new classes of protection rules to come into force, and it's an approach that will pay off.
How do you protect your Web applications? Let me know at firstname.lastname@example.org.