Modernizing Authentication — What It Takes to Transform Secure Access
You've got antivirus software and firewalls in place and update them regularly. You use encryption for sensitive transactions and have a strong authentication mechanism. You even have an intrusion-detection system in place to alert you to suspicious activity. You figure all this amounts to reasonable protection against fraudulent transactions and any kind of Web site defacement.
And you would be wrong.
At least, that's what a breed of vendors that purport to protect Web applications and content are arguing. To prove their point, these vendors are downright anxious to demonstrate that it's not difficult to break into a Web site by exploiting known shortcomings in Web-related languages including HTML and Common Gateway Interface (CGI).
Sanctum's AppShield protects Web applications by first learning what the application is intended to do, then disallowing any actions that fall outside those parameters. For example, if a given field in a Web form is only supposed to accept 14 characters, AppShield will not allow insertion of a longer string, which could lead to a buffer overflow and subsequent security breach.
Ubizen, a Belgian security company that made its U.S. launch in March, has a similar product that is part of a broader security suite.
Other companies have different approaches. For example, WatchGuard's ServerLock prevents unauthorized changes to crucial Windows NT and 2000 operating system elements, including Web pages, while Entercept (the former ClickNet) is focused on protecting the Web server from conducting actions that fall outside its normal course of business.
The proxy approach
Sanctum's AppShield and Ubizen's DMZ/Shield essentially try to cover up for vulnerabilities inherent in many Web applications. It is often relatively easy for a hacker to find and change hidden fields that indicate a product price. Similarly, hackers can often change the parameters of a CGI script to search for, say, a password file instead of a product price. If capabilities, such as search, are not implemented correctly, sites can also be subject to buffer-overflow attacks that could lead a hacker to an administrative page - opening the door to all sorts of havoc.
Both products essentially act as Web server proxies, checking requests on behalf of the server.
AppShield will examine a Web application to learn what entries are considered acceptable in each field, and then refuse to accept any entries outside the norm, Bar-Gad says. In that way, it covers up for holes that programmers leave in their applications. If a hacker tries to enter a string of characters that are too long for a given field, for example, AppShield will reject the entry and respond with a user-defined error page.
That's a valuable proposition, says Reggie Ellis, information security officer at Pacific Capital Bancorp, a bank holding company in Santa Barbara. It's common for programmers to build in back doors that let them administer the applications, which is exactly what hackers look for.
"Programmers don't typically program with security in mind," he says. "They want to make sure applications work efficiently and are easy to use."
One Sanctum user, who asked not to be identified, says Sanctum engineers demonstrated they could compromise his company's site by taking advantage of faulty coding and hidden fields. The company eventually bought AppShield and has since seen evidence that it has thwarted attacks. "AppShield did what it was supposed to do," the user says.
Ubizen, while a new player in the U.S. market, has a well-established presence in Europe, mainly among financial institutions. Established in 1995 as NetVision, the company is a spinoff from K.U. Leuven, a university in Leuven, Belgium, known for security expertise. It was there that the Rijndael encryption algorithm, recently adopted for use by the U.S. government, was developed. Ubizen is now an $80 million company with about 550 employees, says CEO Stijn Bijnens.
The DMZ/Shield application security product is only one part of Ubizen's MultiSecure product line, which also includes tools for authentication, authorization, intrusion detection, digital signatures and nonrepudiation of electronic transactions.
Ubizen considers its suite of products and security services a differentiator. It was an important factor in the purchasing decision made by Peter Marchand, IT manager for KBC Securities, an investment bank in Belgium.
KBC uses DMZ/Shield on its Web servers, which are hosted by a third party. But KBC also had Ubizen build it a secure transaction system based on two-factor authentication and uses the company's Online/Guardian service for 24-7 security monitoring.
"I believe in an integrated solution. It's very difficult if you have too many partners," Marchand says. "And if you're in the financial business, you cannot permit yourself to have a security incident."
Shielding the operating system
Outside of Sanctum and Ubizen, it's a matter of opinion as to what companies are in the business of protecting applications. Robin Matlock, senior vice president of marketing for Entercept, says her company considers itself a server security company, so applications are logically included.
Entercept 2.0 intercepts calls to the server operating system and compares them against a database of known malicious signatures. Any call deemed suspicious is referred to a policy database that determines how to handle it.
Entercept Web Server Edition works in the same fashion but also adds functions specific to Web servers. For starters, the product won't let any program other than the Web server and Web authoring tool get at Web pages, says Yona Hollander, vice president of strategy for Entercept. Web server administrators likewise have to be authorized to make any changes on the site. The system also ensures the Web server can't be used as an entry point to any data outside the Web server "virtual tree," which defines the parts of a disk dedicated to a specific server, he says.
Frank Prince, online security analyst with Forrester Research, says the Entercept concept could work for any application that can characterize well enough to know what it should - and should not - be doing.
Like Entercept, WatchGuard's ServerLock addresses the security problem at the operating system level. It hardens Win 2000 and NT servers against attacks on operating system components such as user accounts, executables and content. That makes it impossible for an intruder to change elements, including Web pages, says Jack Danahy, vice president and general manager for server security at WatchGuard.
"I'm not relying on a product like Sanctum to protect me from inadequacies in my own application," Danahy says. "There are certain resources, like the [operating system] itself and its binaries, like the front page of my Web site and database records, that should not be changed. It doesn't matter who tries to change them or what vehicle they use to try and change them - you simply can't."
That is, you can't make changes unless you first authenticate yourself to ServerLock, using its built-in public-key infrastructure system. That's an important point, Danahy says, because it prevents the unauthorized removal of the WatchGuard product. Some other application-layer tools - or security tools of any type - can be removed by intruders who manage to break into a Web server, or even by internal administrators.
Forrester's Prince draws a distinction between products like those from Sanctum and Ubizen, which try to ensure that nobody can disrupt an application, vs. the grander vision of building applications with built-in cross-checks that make it impossible to serve unauthorized content.
"That's a much more difficult proposition," he says. Processes must be developed to handle automated cross-checking, such as ensuring that a price served by a Web application is the same as the one in the back-end database.
Likewise, companies need to protect the database that houses its various rules and policies. "If you have business rules that say you always use the lowest-cost shipper and you don't protect that rules base, then somebody may be able to manipulate it to always direct shipments to his brother-in-law in New Jersey," Prince says.
One way to protect a rules base is with a product such as Tripwire for Servers, which detects unauthorized changes to any file. It works by putting a file through an algorithm that creates a unique digital signature. Any changes to the file will result in a different signature, alerting administrators to unauthorized changes.
Tripwire is now applying much the same process to Web content, with the Tripwire for Web Pages product it announced recently. The product creates digital signatures for any Web page a company wants to protect, says Josh Friedman, Tripwire for Web Pages product marketing manager. As users request those pages, the Tripwire product checks the digital signature for the current stage of the page vs. the one in its database. If they match, the page is served up. If not, a error page is served instead, and a notification is immediately sent to an administrator.
Robert Lonadier, director of security strategies for Hurwitz Group, a consultancy, says the field is open for this entire class of products.
"There is certainly a big opportunity once people are convinced that these solutions can help them prevent graffiti attacks and also help improve their uptime, since many times the only response a company can take to an attack is to bring the server down," he says. "In the hacker's eyes, that accomplishes the same thing as a defacement."