Imperva adds deployment modes for its Web apps firewall

Imperva says it has designed its Web application firewall to fit into networks in four different modes to let customers pick the one that best fits their needs.

The SecureSphere Web Application Firewall devices can be installed inline as a bridge, off a span port in monitoring mode, as a reverse proxy to terminate traffic before passing it along, and as a router performing network address translation. The routing option is a new feature.

Earlier versions of Web application firewalls typically had just one or two deployment modes, says Andrew Jacquith, a senior security analyst with the Yankee Group.

SecureSphere sits inline to protect the Web reservation system that books half the rooms for Accor North America, which owns more than 1,200 hotels, including Motel 6 and Red Roof Inn, says Harvey Ewing, senior director of IT security for the firm.

But when he first installed it last year, he did so in monitoring mode while the device and his staff learned what normal traffic looked like. After a week, the company placed it inline and had it block attacks, particularly cross-site scripting and SQL injection attacks. “It will notice if a SQL-injection attack occurs – it’s not a quick attack; it takes several steps – and it stops it,” says Ewing.

The device will flag new URLs that users call on so administrators can check whether they are legitimate new ones or part of an attack. SecureSphere also detects new, legitimate application code that is not written according to policy and may be accessing backend databases improperly, Ewing says. In such cases, the applications can be referred to development teams for rewriting.

Because the device can intercept and decrypt SSL sessions independently, it gives Ewing more visibility into what is in SSL traffic hitting servers. “Before it was difficult to detect what was in an SSL session,” he says.

Most customers deploy the devices in monitoring mode first to determine what its capabilities are and to get a handle on what their traffic patterns are like, says, Shlomo Kramer Imperva’s founder, president and CEO. He says more than 90% of customers install the devices in bridge mode, which adds no new IP address to the network. “It’s just a bump in the wire,” he says, performing inspection without affecting performance.

Imperva is also announcing a new, high-end model of SecureSphere, called the G16 that supports up to 2Gbps throughput. Pricing for the new box starts at $30,000. In addition, the existing smaller G8 and G4 models are now available in fault-tolerant models that have extra fans and power supplies. The devices can now be installed in redundant pairs as well so if one device fails, its pair can take over.

In addition, the company is announcing that Imperva SecureSphere software is available for Crossbeam multi-server platforms.