Neal Weinberg
Contributing writer, Foundry

Turillion’s eServer Secure

Oct 02, 2003
Network Security, Networking, Security

* The Reviewmeister continues looking at the newest Web app firewall products

Continuing our analysis of Port 80 firewalls, here’s a look at Turillion’s eServer Secure.

This product is designed specifically for the IIS Web server environment. Built on Internet Server Application Programming Interface (ISAPI) technology, eServer Secure runs as a host-based filter inside the Web server process and adds the flexibility of a Web-based management interface.

This is a strictly negative-model firewall, with a respectable blacklist of attack signatures that are blocked by default – long URLs, disallowed methods and directory traversals, for example – and the ability to revise these policies for tighter security.

In our testing, these attacks were blocked as expected. SQL injection can be combated, but only through keyword filtering, so you likely will want to strengthen the default policies to make them more robust. The product does not appear to enforce limits on form-field sizes. An update subscription service is offered to keep the attack signatures current. Error pages are fully configurable.
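To make the negative-model checks above concrete, here is an added example of the kind of blacklist inspection an ISAPI-style request filter performs: disallowed methods, long URLs, directory traversal (after percent-decoding, including double encoding), oversized form fields, and SQL injection by keyword filtering alongside a tightened rule that also looks for quote and comment syntax. This is illustrative code written for this article, not Turillion's product; every threshold, pattern and sample request is an assumption constructed for the demo.

```python
"""Negative-model (blacklist) HTTP request filter in the spirit of the checks
the review lists. Added example; all limits, patterns and sample requests are
constructed assumptions and not eServer Secure's actual policy."""
import re
from urllib.parse import unquote, parse_qs

ALLOWED_METHODS = {"GET", "POST", "HEAD"}   # anything else is a "disallowed method"
MAX_URL_LENGTH = 2048                       # "long URL" threshold (assumed)
MAX_FIELD_LENGTH = 256                      # form-field size limit (assumed)

# Default-style SQL injection rule: bare keyword filtering.
SQL_KEYWORDS = re.compile(r"\b(union|select|insert|update|delete|drop|exec)\b",
                          re.IGNORECASE)
# Hardened rule: also flag the quote/comment syntax that splits or avoids keywords.
SQL_SYNTAX = re.compile(r"('|--|/\*|;)")

# Traversal after normalisation: a ".." path segment anywhere in the path.
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")


def normalize(value: str) -> str:
    """Percent-decode until stable (catches %252e double encoding) and fold
    backslashes to forward slashes so Windows-style traversal is seen too."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def inspect_request(method: str, url: str, body: str = "", strict: bool = False):
    """Return the list of blacklist rules the request trips; empty means pass.
    strict=True enables the tightened SQL syntax rule as well as keywords."""
    hits = []
    if method.upper() not in ALLOWED_METHODS:
        hits.append("disallowed method")
    if len(url) > MAX_URL_LENGTH:
        hits.append("long URL")

    path, _, query = url.partition("?")
    if TRAVERSAL.search(normalize(path)):
        hits.append("directory traversal")

    # Inspect every query-string and form-body field after decoding.
    fields = {}
    for raw in (query, body):
        for name, values in parse_qs(raw, keep_blank_values=True).items():
            fields.setdefault(name, []).extend(values)
    for name, values in fields.items():
        for value in values:
            value = normalize(value)
            if len(value) > MAX_FIELD_LENGTH:
                hits.append(f"oversized field {name}")
            if SQL_KEYWORDS.search(value) or (strict and SQL_SYNTAX.search(value)):
                hits.append(f"sql injection in {name}")
    return hits


if __name__ == "__main__":
    # Constructed sample requests showing what each rule catches and misses.
    samples = [
        ("GET", "/index.html", ""),
        ("TRACE", "/index.html", ""),
        ("GET", "/images/..%2f..%2fboot.ini", ""),
        ("GET", "/images/%252e%252e/boot.ini", ""),
        ("POST", "/login", "user=a'+UNION+SELECT+1--"),
        ("POST", "/login", "user=admin&pass=x'%20OR%201%3D1%20--"),      # no keyword
        ("POST", "/login", "user=a%27%20UN/**/ION%20SEL/**/ECT%201"),     # split keyword
        ("POST", "/profile", "action=update&name=Bob"),                   # false positive
    ]
    for method, url, body in samples:
        print(f"{method} {url} {body!r}")
        print("   default:", inspect_request(method, url, body) or "pass")
        print("   strict: ", inspect_request(method, url, body, strict=True) or "pass")
```

The last three samples make the review's point about keyword filtering: `' OR 1=1 --` and a comment-split `UN/**/ION SEL/**/ECT` pass the default keyword rule and are only caught by the tightened syntax rule, while a harmless `action=update` form field is blocked as a false positive. A real deployment needs both the stronger rule and a way to exempt legitimate fields.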

The HTTP management interface is a convenient way to handle remote administrative duties, but it is also a liability. Security for remote management is provided via basic IP filtering. This is a nice feature, but IP filtering alone leaves the management traffic, credentials included, in the clear, so the wise user most likely will want to employ SSL as well to further secure communication with the firewall.

The Web interface suffers from the statelessness and latency one would expect from HTTP, and some quirks exist – probably a function of the tricky interprocess communication between the ISAPI extension that supports the user interface and the ISAPI filter that is responsible for actually carrying out the security policies.

Changes to the administration interface do not always seem to take effect immediately or consistently, and some of the integrated reporting and statistical features display disconcerting inaccuracies. For example, a single request generated approximately 60 “requests processed,” and a number of common attacks were miscategorized.

In general, eServer Secure struck us as a good example of an entry-level product. In that sense, its most direct competitors in this review are iSecureWeb and SecureIIS.

For the full report go to