Keeping the Web Server Safe With Stratum8's APS-100

by Logan Harbaugh

Stratum8 Networks' APS-100 offers a unique approach to intercepting potential hacks. The server appliance sits in front of a Web server and follows a model that defines correctness and assumes anything outside of that model to be a hack.

APS-100: A security appliance that protects at the application layer as well as by standard firewall methods

The typical firewall is essentially a router that operates at the protocol layer. It determines which kinds of traffic are let through based on the source or destination, or by the type of traffic, such as HTTP, FTP, or SMTP. However, this approach is limited -- it can't keep a hacker out of a site unless the hacker's IP address is already known, or the hacker is using a different and detectable protocol.

Stratum8 Networks' APS-100 (APS stands for Application Protection System), on the other hand, is intended to protect Web sites against hackers by identifying atypical behavior from clients connecting to a Web site and locking them out.

The APS-100 is a 1U rack-mount appliance that runs a hardened Linux kernel and sits in front of the Web server, protecting the Web server and associated applications from potential attacks.

The initial installation of the APS-100 took us less than an hour, and it involved setting the admin IP address and then doing the rest of the configuration through the browser interface. The first decision that must be made is whether to install the APS-100 in bridge or reverse proxy server mode.

Bridge mode requires a bit more initial setup, but it doesn't use an IP address for incoming or outgoing traffic or require separate subnets on either side of the device. It also passes all traffic through without changing IP addresses, which may be a requirement for some types of logging functions on Web servers. The reverse proxy mode works like a regular firewall, with two separate IP addresses for the internal and external nets. It is, however, simpler to configure.

Once the basic information is entered, the device is intended to be set to its "learning" mode for two to three days. This mode examines traffic and determines what constitutes typical traffic. The network manager can then look over the recommended security measures and implement them as required.

What the APS-100 actually does is examine all HTTP and HTML traffic and look for anything that indicates an improper attempt to access a Web site. For example, it can detect an attempt to access a URL outside the site's allowed URLs, an incorrect entry on a form, multiple attempts to enter a password, modified cookies, URLs, or HTTP headers, buffer overflow attempts, and improper HTTP GETs or POSTs (trying to access restricted areas or trying to add data to the site). Because it doesn't rely on a filter list or a virus-type signature file, the device should be able to identify attempts to crack a site on the first occurrence, without requiring regular updates.

The APS-100's performance should be adequate for most sites -- our testing showed it was able to inspect traffic at more than 700 hits per second without adding to latency or causing dropped connections. Since the APS-100 also supports load balancing of multiple APS-100 units, performance can scale to very large sites.

In addition to the standard sorts of attacks the APS-100 looks for, the administrator can also place "stop" or "go" words on pages. The APS-100 will then either block access to pages lacking the "go" word or to those that have the "stop" word. It can also be configured to check fields on forms for correct entries, blocking attempts to fill in forms with incorrect data.
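The learn-then-enforce model described above (a "learning" period that records normal paths, methods and form fields, after which anything outside the model is blocked, including modified cookies and oversized form values) can be sketched in a few dozen lines. This is an added illustration, not Stratum8's code; the training requests, the cookie-sealing key and the slack factor over learned field lengths are assumptions made for the example.

```python
import hmac
import hashlib
from urllib.parse import urlsplit, parse_qs

SECRET = b"demo-appliance-key"  # assumption: key held by the appliance, never sent to clients

def seal(value: str) -> str:
    """Attach an HMAC tag so a client-modified cookie can be recognised."""
    return value + "." + hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()

def cookie_intact(cookie: str) -> bool:
    value, sep, _tag = cookie.rpartition(".")
    return bool(sep) and hmac.compare_digest(seal(value), cookie)

class PositiveModel:
    """Learning mode records paths, methods and parameter sizes; check mode rejects the rest."""
    def __init__(self):
        self.paths = {}  # path -> {"methods": set(), "params": {name: max_len}}

    def learn(self, method, url, body=""):
        u = urlsplit(url)
        entry = self.paths.setdefault(u.path, {"methods": set(), "params": {}})
        entry["methods"].add(method)
        for src in (u.query, body):
            for name, vals in parse_qs(src, keep_blank_values=True).items():
                longest = max(len(v) for v in vals)
                entry["params"][name] = max(entry["params"].get(name, 0), longest)

    def check(self, method, url, body="", cookie=None):
        """Return None when the request fits the model, else the reason to block."""
        u = urlsplit(url)
        entry = self.paths.get(u.path)
        if entry is None:
            return "path not in model"
        if method not in entry["methods"]:
            return "method not seen for path"
        for src in (u.query, body):
            for name, vals in parse_qs(src, keep_blank_values=True).items():
                limit = entry["params"].get(name)
                if limit is None:
                    return f"unknown parameter {name}"
                if any(len(v) > 2 * limit + 8 for v in vals):  # slack over learned max
                    return f"oversized value for {name}"
        if cookie is not None and not cookie_intact(cookie):
            return "cookie modified"
        return None

# Constructed learning-mode traffic: what a normal visit to the site looks like.
MODEL = PositiveModel()
for req in [("GET", "/index.html"), ("GET", "/search?q=routers"),
            ("POST", "/login", "user=alice&password=s3cret")]:
    MODEL.learn(*req)
```

After training, `MODEL.check(...)` returns None for requests that match the learned model and a short reason (unknown path, unseen method, unknown or oversized parameter, modified cookie) for anything outside it.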

The APS-100 supports all Web servers, all major Web browsers, all major load balancers, and all application servers. It handles HTTP 1.0 and HTTP 1.1, and HTML 4.0, including cascading style sheets. The device also supports SSL in both 40-bit and 128-bit security versions, and allows Web servers running on multiple machines (load-balanced clusters) and multiple Web sites on a single server.

While there is no security device that cannot eventually be circumvented, the large number of things the APS-100 looks for should add greatly to the security of any site. Between the standard protection suggested by the learning mode, and the additional capabilities to verify specific content, the APS-100 provides a high level of security without overhead on the server. It should also provide a high level of security even on servers with security holes, since it can block attempts before the server sees them.

Vendor Home Page: Stratum8 Networks
Server Home Page: APS-100 Application Protection System
Server Pricing: Starts at $25,000; each device protects 5-10 Web servers; enterprise pricing also available for larger installations.

Pros: Provides a high level of security for Web sites, regardless of patch levels on the server; transparent bridging makes installation very simple and makes it impossible to reach the device from the outside network; learning mode can report suggested protective measures before implementing them; secures a Web site against all types of hacker attacks by examining traffic content, providing more security than a simple firewall.
Cons: Smaller sites may find the $25,000 price tag somewhat onerous; only supports HTTP and HTML -- can't secure other types of servers such as SMTP, FTP or DNS.

This article was originally published on Thursday Sep 12th 2002