Review: AppShield 4.0

eWEEK content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

Sanctums AppShield is the most well-established product in the Web application firewall space, having first delivered on the core concepts of stateful HTML traffic inspection and filtering in 1999, when the product first shipped.

Now at a 4.0 release, AppShield has a proven track record and the broadest integration support for third-party firewall and application server products. (All three firewalls we tested are compliant with Check Point Software Technologies Ltd.s Operational Security.)

Like InterDo, AppShield is a host-based product and runs on Windows and Solaris. Its priced at $15,000 per protected Web server or application server, for up to three protected servers; after that, the price per server starts to drop.

Unlike InterDo (but like Teros-100 APS), AppShield is a stateful HTTP firewall and automatically identifies each Web client and then inspects outgoing traffic to that client to automatically build rules about what valid traffic that client can next submit. Out of the box, AppShield will protect against form fields being added or removed, hidden form fields having their values changed by the client or client-side cookie modification.

However, this dynamic approach can cause site incompatibility problems. This is particularly the case with links and page content generated dynamically on the client using JavaScript. AppShield (and Teros-100 APS) cannot parse outgoing JavaScript code and so will flag the URLs generated by client-side JavaScript as potential attacks. We needed to create security rule exceptions in each product to allow one part of our test application that did this to work.

AppShield and Teros-100 APS can also prevent Web applications from behaving the way users expect by blocking deep linking and the ability to bookmark inner pages unless appropriate security exceptions are created. (AppShield allows special support for bookmarks to be turned on, although the manual warns that this feature adds considerable system load.)

InterDo works in a different way, using a static list of allowed or banned URLs, as it doesnt track traffic on a client-by-client basis. As a result, it does not have these same issues with URLs or bookmarking—but also doesnt have the flexibility that AppShield and Teros-100 APS do to dynamically determine when invalid URLs are requested.

AppShield had the most cumbersome security-exception-rule-generation process of the three products we tested.

Teros-100 APS generates its rules based on what a large number of actual site sessions agree is valid, and InterDo generates rules from an automatic site scan (using ScanDo, its companion site scanning tool). Both of these approaches are efficient, although we like the Teros-100 APS approach best for big sites.

To generate exception rules for AppShield, meanwhile, we had to define a trusted IP and then manually exercise every part of a Web application. For a site of any significant size, this is a real burden and introduces potential for human error. The alternative is to create security rules one by one using AppShields Rule Manager or to generate rules by approving exceptions out of AppShields log (which can be done singly or in groups).

Note that for both AppShield and Teros-100 APS, security exceptions need only be created where applications do unusual things that look like security attacks.

AppShield does provide a set of easily enabled settings that can be used to quickly provide general HTTP protection. In addition, new with AppShield 4.0 is a set of three predefined security levels—basic, intermediate and strict—that quickly provide broad site protection, though not with the specificity or control that the rule-based approaches provide.

Also in This Feature:

• Review: InterDo 3.0
• Review: Teros-100 APS 2.1.1