We tested the security appliances using three primary sites hosted on stock installations of Windows 2000 and Windows 2003 - a base site with simple static content and minimal interactivity for protocol testing; a corporate site with some dynamic database features and a content management system, written in Active Server Pages, that was susceptible to application attacks; and a complex intranet/extranet application written in ASP.NET. Limited testing also was performed with a vendor-provided PHP application.
We carefully monitored the HTTP interactions using browser proxy tools such as Achilles and Fiddler and other network utilities such as SamSpade. Reconnaissance and exploit-detection tools such as NMAP, HTTPrint, and N-Stealth Security Scanner were used to probe the appliance and, where possible, the back-end servers via HTTP. Load testing was performed using freely available load-generation offerings, including Microsoft's Web Application Stress Tool. Multiple browsers, such as Internet Explorer, Firebird and Safari, were used during testing.
We encountered occasional problems with Safari, particularly when running an exploit. Because these results could not be attributed solely to the tested devices and might have been related to the browser's handling of chunked HTTP responses or HTTP encoded responses, we did not factor this into the findings. We encourage any readers looking to evaluate HTTP-terminating devices, such as application firewalls, acceleration appliances and reverse-proxy caches, to carefully evaluate them against their browser population.
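One way to support that kind of evaluation is to check whether a terminating device relays chunked bodies with valid framing and unchanged content. The following is an added example, not part of the original article: a strict chunked transfer-coding decoder that compares a body captured directly from the server with the same body captured behind the device. The function names and the sample captures are constructed for illustration.

```python
# Strict validator for chunked HTTP/1.1 bodies (sample captures are constructed).

class ChunkedError(ValueError):
    """Raised when a body violates chunked transfer-coding framing."""

def _read_line(buf, pos):
    end = buf.find(b"\r\n", pos)
    if end == -1:
        raise ChunkedError("line not terminated by CRLF at offset %d" % pos)
    return buf[pos:end], end + 2

def decode_chunked(buf):
    """Return (payload, trailer_lines); raise ChunkedError on bad framing."""
    pos, payload = 0, bytearray()
    while True:
        line, pos = _read_line(buf, pos)
        size_field = line.split(b";", 1)[0]    # ignore chunk extensions
        # Strict: hex digits only, no whitespace, sign or "0x" prefix.
        if not size_field or any(c not in b"0123456789abcdefABCDEF" for c in size_field):
            raise ChunkedError("bad chunk size %r" % line)
        size = int(size_field, 16)
        if size == 0:
            break
        if pos + size > len(buf):
            raise ChunkedError("chunk of %d bytes is truncated" % size)
        payload += buf[pos:pos + size]
        pos += size
        if buf[pos:pos + 2] != b"\r\n":
            raise ChunkedError("chunk data not followed by CRLF")
        pos += 2
    trailers = []
    while True:                                 # optional trailer section
        line, pos = _read_line(buf, pos)
        if not line:
            break
        trailers.append(line)
    if pos != len(buf):
        raise ChunkedError("%d unexpected bytes after final chunk" % (len(buf) - pos))
    return bytes(payload), trailers

def same_payload(direct_body, proxied_body):
    """True when both captures decode cleanly to identical payloads."""
    return decode_chunked(direct_body)[0] == decode_chunked(proxied_body)[0]

# Constructed captures: the same page chunked two different ways.
DIRECT = b"5\r\nHello\r\n7\r\n, world\r\n0\r\n\r\n"
PROXIED = b"c;note=x\r\nHello, world\r\n0\r\n\r\n"
TRUNCATED = b"5\r\nHello\r\n7\r\n, wo"
```

A body that a lenient browser renders but this decoder rejects is worth investigating before attributing a failure to either the device or the client.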
Back to review: Application Firewall Appliances