by Glenn Gabriel Ben-Yosef

Fortifying Web applications

Feb 24, 2003

So, what else can you do to enhance your network while watching the Sun vision unfold, apart from adding an additional route processor to your Cisco routers and upgrading IOS? For starters, secure your existing Web-based services and confidently extend your network to customers and partners through Secure Sockets Layer.

As browsers have begun to be favored for remote application access for nomadic users — even for traditional client/server applications such as PeopleSoft, SAP and Oracle — SSL VPNs are gaining momentum over IP Security (IPSec)-based alternatives. The latter is difficult to set up for use with roving users.

But what’s securing the SSL connection? Don’t count on the firewall. While firewalls are good at blocking ports and looking at the TCP header level, as more applications are placed on Web servers, more traffic is being let through Port 80. Adding SSL further compromises the firewall, intrusion-detection devices and server load balancers because if they can’t terminate and decipher SSL, they can’t perform deep packet inspection. They have no visibility into the traffic and therefore can’t make intelligent routing decisions, effectively rendering them powerless. And once an attacker is tunneled into a Web server through SSL, what’s to stop a SQL injection attack from running on that server and then spreading inside the firewall-protected data center?

Security vendors such as new entrant NetContinuum and Rainbow Technologies are looking to address the problem. NetContinuum makes an appliance that sits between the firewall and the Web server. The NC-1000 Web Security Gateway provides TCP termination, SSL encryption and guards against “forced browsing” with URL inspection. It also analyzes requested URLs and HTTP headers, serving only those pages that the requestor is authorized to see. “Trying to secure Web applications with traditional security products is like going into a tank battle with a slingshot,” says Wes Wasson, vice president of marketing for NetContinuum. “Dealing with the Port 80 problem will be the single most important security issue of 2003.”
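To make the URL-inspection and "forced browsing" checks described above concrete, here is an added toy gateway (not NetContinuum's code; the roles, path prefixes and method list are assumed sample policy). It canonicalizes the requested path before the authorization check, requires a Host header, and flags SQL metacharacters in decoded query parameters, the kind of inspection a plain port-based firewall cannot do on traffic it only sees encrypted.

```python
"""Toy inspection gateway that sits in front of a Web server and applies
URL/header checks like those the column attributes to the NC-1000.
Constructed illustration, not vendor code; policy values are invented."""
import posixpath
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumed sample policy: which authenticated role may reach which path prefix.
AUTHORIZED_PREFIXES = {
    "guest": ("/public/",),
    "staff": ("/public/", "/intranet/"),
    "admin": ("/public/", "/intranet/", "/admin/"),
}
ALLOWED_METHODS = {"GET", "POST", "HEAD"}
# Crude SQL-injection indicators looked for in decoded parameter values.
SQLI_PATTERN = re.compile(r"('|--|;|/\*|\b(union|select|drop|or)\b)", re.I)


def canonical_path(raw_target: str) -> str:
    """Percent-decode and collapse dot segments so '/public/%2e%2e/admin/'
    is judged as '/admin/' (the classic forced-browsing bypass)."""
    path = unquote(urlsplit(raw_target).path)
    norm = posixpath.normpath(path)
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"  # normpath drops the trailing slash; keep prefix matching exact
    return norm


def inspect_request(raw: str, role: str) -> tuple[str, str]:
    """Return ('allow'|'deny', reason) for one raw HTTP/1.1 request.
    `role` is assumed to come from the session the SSL terminator authenticated,
    never from a client-supplied header."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] not in ALLOWED_METHODS:
        return "deny", "malformed request line or unsupported method"
    _method, target, _version = parts
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "host" not in headers:
        return "deny", "missing Host header"
    path = canonical_path(target)
    if not any(path.startswith(p) for p in AUTHORIZED_PREFIXES.get(role, ())):
        return "deny", f"{role} not authorized for {path}"
    # parse_qsl decodes once; decode again so double-encoded payloads are seen.
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if SQLI_PATTERN.search(unquote(value)):
            return "deny", f"SQL metacharacters in parameter {key!r}"
    return "allow", path
```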

Rainbow also offers an appliance that securely extends corporate intranets through SSL over the Internet. The Rainbow NetSwift iGate augments the usual username/password authentication with an optional physical token — the iKey — about the size of your little finger. With more than 50% market share for USB hardware tokens, Rainbow is well-positioned to provide a valuable added layer of security to those companies desiring SSL VPNs.

SSL VPN vendors often tout the return on investment for their products over IPSec VPNs, and ROI was the main reason a leading Canadian financial services firm chose Rainbow. “The cost was what drove the business decision to use this appliance,” the user says. “And also you have some granular access. You can configure the appliance so you can give certain users access to certain parts of the application or portal or intranet that you’re trying to access.”

While iKey beefs up SSL security for those who choose to deploy it, it has its management downsides. “When you use [the iGates] in high-availability mode as a redundant pair, if you make a change to one, you have to make the change to the other,” one user mentions.

Nevertheless, vendors such as NetContinuum and Rainbow offer network executives an overarching advantage: Web security can be improved without touching the applications. Installing a Web application security appliance increases the safety of existing applications while keeping a check on costs.