Impervas SecureSphere 3.3 Dynamic Profiling Firewall, available since February, is a robust and flexible defensive solution for Web applications and databases alike.
Click here to read the full review of SecureSphere 3.3.
2
Impervas SecureSphere 3.3 Dynamic Profiling Firewall, available since February, is a robust and flexible defensive solution for Web applications and databases alike.
SecureSpheres evolving application profiles enforce correct application scope and behavior. Meanwhile, a mix of HTTP protocol enforcement and both Snort-based and Impervas own signature-based defenses combines to protect against known attacks as well as unknown, zero-day threats. Finally, SecureSpheres Correlated Attack Validation engine analyzes results from multiple sources to identify multiple lesser attacks that, when aggregated, could signify a larger threat.
SecureSpheres method of separating protection and management functions into distinct appliances makes the system easily manageable for larger deployments consisting of multiple applications distributed across different locations.
SecureSphere comprises the G4 Gateway, which provides Web application protection, deep-inspection firewall and worm defenses, as well as the MX Management Server, which aggregates and correlates alerts and user activity from multiple G4 Gateways and provides a central point for configuring and maintaining policies via its Web-based console.
SecureSphere starts at $35,000. This price includes one G4 Gateway appliance and one MX Management Server appliance and provides Web application defenses and deep-inspection firewall protection for an unlimited number of servers.
eWEEK Labs tested SecureSphere 3.3, which also directly protects database implementations based on Microsoft Corp.s SQL Server, Sybase Inc.s Adaptive Server Enterprise and IBMs DB2 Universal Database. Database protection costs $10,000 per protected server, plus $30,000 for additional G4 Gateway hardware.
We found it surprisingly easy to get SecureSphere up and running. Unlike Kavados offering, which maintains separate software applications for out-of-band monitoring and in-line gateway protection, the G4 Gateway can be used in either scenario. With a few simple changes from the command line, we could configure the G4 Gateway out of band via a mirrored switch port, or we could deploy the device in-line—without requiring any DNS (Domain Name System), routing or other network reconfigurations.
When used out of band, the G4 Gateway is primarily a monitoring device, but it can also terminate potentially illicit connections via TCP resets to upstream switches. However, the G4 Gateway is most powerful in-line with the traffic stream. As a fully featured deep-inspection firewall, the G4 Gateway drops network and applications attacks and can temporarily block suspicious sessions or IP addresses.
During tests, the G4 Gateway also proved it would not be a single point of failure, as administrators can choose to set the device to either fail open or closed. With the device set to “fail open,” we pulled the plug on the G4 and verified that our clients could still access Web applications while we worked to restore power and protection.
Whether it was deployed in-line or out of band, we found SecureSphere had no immediately discernible impact on application performance.
By default, SecureSphere is configured in Learn mode, which generates a profile of each application its configured to protect. The profile creates a snapshot of each applications normal and expected behavior, identifying valid Web pages, HTTP POST commands and values, and expected value lengths.
After sufficient time to profile (which will depend greatly on the amount of traffic the application gets), a simple toggle command initiates the Protect mode. The Protect mode actively monitors and provides alerts for each defended application. We also added rules to drop malicious traffic and temporarily block transmissions from the originating IP address.
Applications are constantly evolving, and so we liked that SecureSphere continues learning while in Protect mode, automatically adjusting profiles when administrator-defined thresholds are reached and leaving potential changes that have not yet matched thresholds in a pending queue.
SecureSphere quickly identified our initial probes with Nessus and logged our scans to the MX Management Server, identifying a collection of protocol and profile violations that triggered a short block of our IP address per our rules. Likewise, our manual attempts to access forbidden URLs, perform buffer overflows and malformed HTTP requests, and directly contact the back-end database were stopped at the gateway.
We would like to see Imperva expand the use of access permissions within the management console. Unlike Kavados extensible administrative permissions, SecureSphere offers no control over which administrators manage and configure different applications and server groups within the SecureSphere console.
Next page: Evaluation Shortlist: Related Products.
Page Three
Evaluation Shortlist
F5 Networks TrafficShield Application Firewall F5 is set to integrate TrafficShield technology into its Big-IP line of application accelerators by years end (www.f5.com)
NetContinuums NC-1000 Application Security Gateway An ASIC (application-specific integrated circuit)-accelerated and ICSA (International Customer Service Association)-certified firewall that adds data compression features to accelerate applications (www.netcontinuum.com)
Teros Teros 200 Teros is the only vendor in this space to offer a range of appliances for different-size companies and has made great strides in security-policy creation (www.teros.com)
Technical Analyst Andrew Garcia can be reached at andrew_garcia@ziffdavis.com.
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.