by Eric Knorr

Pundit – Guard the Application Layer

Apr 15, 2004
Enterprise Applications

Back in the day, just before the launch of a dotcom I now regret being associated with, I asked our chief developer about security risks to subscriber data. “We’ve put two network cards in the Web server,” he grinned. “So the database communicates with the Web server on a separate network. Anyone who hacked into our Web server wouldn’t even know the database was there.”

Maybe that was good enough for 1998. But today, hackers and their attack strategies are smarter and much more ambitious. The threat of the day is the application attack, which sneaks through your firewall and into your Web applications. And yes, some of these attacks like to dine on tasty customer data.

If you’ve got a low-profile site, you probably don’t need to worry. But if a lot of people know about you, you’re at risk. It may sound paranoid, but someone could abscond with your customers’ Social Security numbers and you’d never know.

So why don’t ordinary firewalls stop these attacks? Because the attacks have been designed to look like well-formed traffic, with no unusually large packets or suspicious mismatches between address and content to sound the alarm. One of the most frightening examples is SQL injection: an attacker uses one of your own HTML forms to run unauthorized queries against your database. Another threat is command execution: whenever a Web application passes user-supplied input to a shell, a crafted input can cause arbitrary commands to execute on the server.
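The two flaws just described come down to the same mistake: user input is spliced into the text of a query or a shell command, so the input can change what the command means. The following is an added example, not code from the column, showing the vulnerable form of each beside its hardened form. The subscriber table, the usernames and the `nslookup` command are constructed for the illustration.

```python
import re
import sqlite3
import subprocess
import sys


def make_db():
    # Constructed sample data: an in-memory table of subscribers and SSNs.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscribers (username TEXT, ssn TEXT)")
    conn.executemany(
        "INSERT INTO subscribers VALUES (?, ?)",
        [("alice", "000-00-0001"), ("bob", "000-00-0002")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    # Form input is glued into the SQL text, so a quote in the input lets the
    # submitter rewrite the WHERE clause and read every row.
    sql = "SELECT ssn FROM subscribers WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    # Bound parameter: the driver passes the value separately from the SQL
    # text, so quotes or keywords in the input can never alter the query.
    sql = "SELECT ssn FROM subscribers WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Allowlist for the only shape of input the hostname lookup should accept.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def build_lookup_argv(hostname):
    # Hardened command construction: validate against an allowlist, then hand
    # the value to the child as its own argv element (never via shell=True).
    # "nslookup" is a hypothetical target tool for this example.
    if not HOSTNAME_RE.match(hostname):
        raise ValueError("invalid hostname")
    return ["nslookup", hostname]


def echo_via_argv(text):
    # Shows that a string passed as a single argv element reaches the child
    # unchanged: no shell ever sees it, so ';' and '|' are just characters.
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", text],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.rstrip("\n")


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"          # classic illustration of a form-field payload
    print("vulnerable:", lookup_vulnerable(db, probe))      # every SSN leaks
    print("parameterized:", lookup_parameterized(db, probe))  # nothing
    print(build_lookup_argv("www.example.com"))
    print(echo_via_argv("host.example; ls"))
```

The parameterized query and the argv list are the same idea in two settings: the boundary between code and data is enforced by the database driver or the operating system rather than by whatever escaping the programmer remembered to apply.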

Other attacks are simpler. For example, HTML comments often contain sensitive information, including log-ins left by incautious programmers. Ultimately, the lines of attack on the application layer, from altering cookies to changing hidden fields in HTML forms, are limited only by hacker imagination. But the good news is that most of these attacks can be stopped cold.

Two complementary approaches, when combined, provide a solid defense. First, use an application scanner to scour your Web apps for vulnerabilities. Then get yourself a Web application firewall to keep the bad guys from breaking and entering.

Application scanners basically launch a host of simulated attacks on your server and report on the results. KaVaDo ScanDo, Sanctum AppScan Audit and SPI Dynamics all do a pretty thorough job itemizing flaws and recommending fixes. AppScan Audit is particularly interesting, because it’s the after-the-fact member of a suite of products that help programmers catch vulnerabilities as they code. None of these packages, however, can beat a full-scale audit by security pros.

Once you’ve plugged the holes as best you can, it’s time to deploy a Web application firewall. These work in an interesting way: by learning what well-formed traffic to and from an application looks like and identifying the unexpected. To do this, Web app firewalls must inspect packets at a deeper level than do ordinary firewalls. Check Point is the best-known brand in this area, but the other vendors are relatively obscure: KaVaDo, NetContinuum, Sanctum and Teros. Some of these Web app firewalls are available as software, others as appliances, others as either. But don’t mistake this for plug and play, even in the case of the appliances. As with intrusion detection, you need to calibrate Web application firewalls carefully to reduce false positives without letting sneaky attacks through.
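To make the learning approach concrete, here is an added example (not code from the column or from any of the vendors named) of the positive-security model a Web application firewall builds: it observes a training set of requests, records for each parameter the narrowest character class and the longest value seen, and then flags requests that fall outside that profile. The paths, parameters and request values are constructed; the `relax` step stands in for the calibration the column says you cannot skip.

```python
import re
from dataclasses import dataclass, field

# Character classes from most to least restrictive. A parameter's learned
# class is the first one that covers every value seen during training.
CLASSES = [
    ("digits", re.compile(r"^[0-9]+$")),
    ("alnum", re.compile(r"^[A-Za-z0-9_]+$")),
    ("text", re.compile(r"^[A-Za-z0-9 ._-]+$")),
    ("any", re.compile(r"^.*$", re.S)),
]
CLASS_RE = dict(CLASSES)


@dataclass
class Profile:
    paths: set = field(default_factory=set)
    params: dict = field(default_factory=dict)  # (path, name) -> [class, max_len]


def learn(requests):
    # Learning mode: requests are (path, {param: value}) pairs assumed clean.
    seen = {}
    profile = Profile()
    for path, params in requests:
        profile.paths.add(path)
        for name, value in params.items():
            seen.setdefault((path, name), []).append(value)
    for key, values in seen.items():
        cls = next(n for n, rx in CLASSES if all(rx.match(v) for v in values))
        profile.params[key] = [cls, max(len(v) for v in values)]
    return profile


def check(profile, path, params, length_slack=1.5):
    # Enforcement mode: return a list of findings; an empty list means the
    # request matches what was learned. length_slack tolerates modest growth
    # beyond the longest training value before a length finding fires.
    if path not in profile.paths:
        return ["unknown path %s" % path]
    findings = []
    for name, value in params.items():
        key = (path, name)
        if key not in profile.params:
            findings.append("unexpected parameter %s on %s" % (name, path))
            continue
        cls, max_len = profile.params[key]
        if not CLASS_RE[cls].match(value):
            findings.append("%s on %s: outside learned class '%s'" % (name, path, cls))
        if len(value) > max_len * length_slack:
            findings.append("%s on %s: length %d exceeds learned %d" % (name, path, len(value), max_len))
    return findings


def relax(profile, path, name, cls):
    # Calibration: after reviewing a false positive, widen one parameter's
    # class rather than loosening the whole profile.
    if cls not in CLASS_RE:
        raise ValueError("unknown class")
    profile.params[(path, name)][0] = cls


# Constructed training traffic for a small site.
TRAINING = [
    ("/login", {"user": "alice", "pw": "hunter2"}),
    ("/login", {"user": "bob", "pw": "s3cret"}),
    ("/account", {"id": "1042"}),
    ("/account", {"id": "77"}),
    ("/search", {"q": "annual report"}),
    ("/search", {"q": "q1 results 2004"}),
]


if __name__ == "__main__":
    profile = learn(TRAINING)
    print(check(profile, "/account", {"id": "2001"}))           # []
    print(check(profile, "/account", {"id": "2001 OR 1=1"}))    # class + length
    print(check(profile, "/login", {"user": "carol", "pw": "p@ss!"}))  # false positive
    relax(profile, "/login", "pw", "any")
    print(check(profile, "/login", {"user": "carol", "pw": "p@ss!"}))  # []
```

The third call shows why calibration matters: a legitimate password with punctuation trips the profile because every training password happened to be alphanumeric. Widening only that parameter keeps the strict digit rule on the account id, which is the one a query-altering payload would have to get past.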

In the end, I wish such elaborate defense measures were unnecessary. Thanks to spam and ever more sophisticated attacks, it seems inevitable that the public Internet will devolve into overlapping virtual private networks. Meanwhile, we have no choice but to turn to increasingly clever gadgets to stave off the barbarian hordes.