Neal Weinberg
Contributing writer, Foundry

SecureIIS: URLScan on steroids

Sep 25, 2003 | 2 mins
Enterprise Applications

* The Reviewmeister continues to test Web application firewalls

PUBLISHER’S NOTE: Please note that, as of 9/29/03, all of your valued Network World Fusion newsletters will be delivered to you from If you use filters to manage your newsletters based on domain name, please adjust accordingly.

To combat potential exploits, a Web application firewall will take one of two approaches. A negative-model, or blacklist, product looks for common attack signatures and warns the administrator or blocks the user when it encounters one. A positive-model, or whitelist, firewall determines all the allowable requests and inputs, and disallows everything else. Some products try to blend the two approaches, but, essentially, all the products tested emphasize either a positive or negative model.

If you’re looking for a URLScan device on steroids, check out eEye Digital Security’s SecureIIS. This baby has by far the best user interface of all the products tested. The program uses an interface similar to Microsoft Outlook’s that makes configuring this negative-model application firewall trivial.

Unfortunately, SecureIIS lacks the depth of some other products. For example, while SecureIIS could deal with malformed requests exceeding size limits and basic URL tampering, it couldn’t detect and block any form tampering or careful SQL injection.
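The two models described above, and why a signature-based filter catches oversize requests and URL tampering yet passes a tampered form, shown as an added example that is not from the original article and is not eEye's or Microsoft's code. The signatures, size limit, policy, paths and sample requests are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

MAX_URL_LEN = 2048  # assumed size limit, applied by both models

# Negative model: constructed signatures of known-bad patterns.
SIGNATURES = [re.compile(p, re.I)
              for p in (r"\.\./", r"<script", r"\bunion\s+select\b")]

# Positive model: constructed policy naming every allowed path and, per
# path, every allowed parameter with the pattern its value must match.
POLICY = {
    "/cart/add": {"item": re.compile(r"[0-9]{1,6}"),
                  "qty": re.compile(r"[1-9][0-9]?")},
    "/search": {"q": re.compile(r"[\w ]{1,64}")},
}

def negative_model(url):
    """Allow the request unless it is oversize or matches a signature."""
    if len(url) > MAX_URL_LEN:
        return "block: oversize"
    if any(sig.search(url) for sig in SIGNATURES):
        return "block: signature"
    return "allow"

def positive_model(url):
    """Block the request unless its path, parameters and values are declared."""
    if len(url) > MAX_URL_LEN:
        return "block: oversize"
    parts = urlsplit(url)
    rules = POLICY.get(parts.path)
    if rules is None:
        return "block: unknown path"
    seen = set()
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name not in rules or name in seen:
            return "block: unexpected parameter"
        if not rules[name].fullmatch(value):
            return "block: bad value"
        seen.add(name)
    return "allow"

if __name__ == "__main__":
    samples = ["/cart/add?item=1042&qty=2",             # normal request
               "/cart/add?item=1042&qty=2&price=0.01",  # added form field
               "/cart/add?item=1042&qty=-5",            # out-of-range value
               "/cart/../admin/config"]                 # basic URL tampering
    for url in samples:
        print(f"{url:40} neg={negative_model(url):18} pos={positive_model(url)}")
```

The two tampered cart requests contain nothing a signature list would recognize, so only the positive model rejects them.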

SecureIIS does have some nice features that ease deployment in a multi-server environment by letting policies be replicated easily to other systems. The product also has some basic file-integrity monitoring features that could be useful if an intruder penetrated a machine.

SecureIIS is targeted at users looking for the support and ease of use missing from Microsoft’s URLScan. Interestingly, eEye recently announced a free personal-use version of its software that makes this product an obvious replacement for URLScan and an obvious first step for those IIS administrators new to application firewalls.