Sanctums Simple Approach to
Security”>
Sanctum Inc.s AppShield 4.0 uses a simple but effective method to prevent attacks on Web applications: It finds out what the application is supposed to do and what type of user activity is normal—then it stops anything else.
In eWeek Labs tests, AppShield 4.0 proved to be very effective at stopping a variety of attacks and probes on any Web application, stopping everything from worms to attempted code insertions, and AppShield works with almost every Web server and Web application development language.
AppShield 4.0, released last month, is priced starting at $15,000. It runs on Solaris, Windows NT and Windows 2000.
AppShield will be especially attractive to companies that rely on Web applications for core business functions, especially given its ability to sit in front of and protect many Web servers and its ability to stop known attacks and new exploits.
While AppShield is very efficient at protecting dynamic Web applications, it pretty much stops there, relying on good network security and a hardened operating system to protect it against other forms of attacks. In some ways, this makes it less effective than competing products such as Entercept Security Technologies Inc.s Entercept 2.0, which is priced at roughly $1,500 per server and not only secures the Web applications and server but also the operating system. However, AppShield, which can use both agents and a proxy approach, can more easily protect multiple systems.
In Version 4.0, Sanctum has included new features that make it much easier to get up and running with AppShield. Once we installed the system, we were able to choose among three preset templates for security protection: a Basic level, which protects against the most common attacks; an Intermediate level, which adds more protection against application tampering; and a Strict level, which tries to block almost everything. We could also opt to pick our own security settings through the custom option (see screen).
AppShield can run in passive or active mode. In the passive mode, the program logs all activity but doesnt block anything. In active mode, the program blocks nonstandard activity from the protected Web applications.
The passive mode is ideal for teaching AppShield how to protect a Web application. To do so, we assigned a workstation to be a trusted IP source for AppShield. We then surfed the applications and carried out all normal activity while AppShield watched and learned. Once we were finished, we could automatically create a security rule for that site.
Because AppShield watches the click stream, it can protect almost any application. In tests, we protected applications written in Active Server Pages, JavaServer Pages and PHP. It was a simple matter to manually edit the created rules or to automatically create a new rule from the administration interface.
AppShield can protect regular Web traffic and traffic within SSL (Secure Sockets Layer) connections, although to protect SSL traffic, the certificates must be added to AppShield. Some performance hit is possible since AppShield must decrypt and re-encrypt the traffic. However, the product can also work with third-party SSL accelerators.
Companies deploying AppShield can choose from two implementations. The more traditional, host-based mode involves installing AppShield on the same system as the Web server and using one of the built-in Web server plug-ins. AppShield has pre-built plug-ins for most popular Web servers including Apache, Microsoft Corp.s Internet Information Services and Sun Microsystems Inc.s Sun Open Net Environment.
The other deployment option is to install AppShield in a gateway mode, where it sits in front of the Web servers and redirects requests to the appropriate servers.
According to Sanctum officials, performance in Version 4.0 of AppShield is much improved over previous versions. Still, some negative effect is probable because the product resides in front of traffic. AppShield can be set up in large clusters to improve performance. In addition, the product automatically passes through all standard HTML and other nonapplication traffic.
Like most security applications, besides trying to stop unwanted activity, AppShield does extensive logging and analysis of this activity. One welcome new feature in this version is the introduction of privacy controls, which make it possible to preset information that will not be stored in the applications logs. This is welcome for companies that dont want information such as their customers credit card numbers stored in security logs.
Executive Summary
: Appshield 4.0″> Executive Summary: Appshield 4.0
USABILITY |
Good |
CAPABILITY |
Good |
PERFORMANCE |
Good |
INTEROPERABILITY |
Excellent |
MANAGEABILITY |
Fair |
SCALABILITY |
Good |
SECURITY |
Good |
Companies trying to make their Web applications more secure will find that Sanctums AppShield will do the job by knowing their Web applications as well as they do, learning all normal activity, then blocking all other activity.
Cost Analysis
At $15,000, AppShield is considerably more expensive than many competitors, which generally are priced at about $2,000. In addition, while a single AppShield installation can protect many servers, pricing is still on a per-server basis, although volume discounts do apply.
(+) Simple rule creation through passive monitoring of Web application activity; can selectively block sensitive privacy information from security logs.
(-) Needs to be installed in conjunction with good system security to protect against direct attacks on the AppShield system.
Evaluation Short List
- Argus Systems Group Inc.s PitBull
- eEye Digital Security Inc.s SecureIIS
- Entercept Security Technologies Entercept 2.0
- www.sanctuminc.com