App firewall searches for needles in the haystack

Teros' Secure Application Gateway is the sort of insurance policy needed by any IT manager who isn't absolutely certain that all risk of a company-damaging, law-breaking, image-tarnishing, lawsuit-causing compromise of sensitive data has been eliminated.
Written by David Berlind
In response to my column about how the HTTP protocol is turning most perimeter firewalls into Swiss cheese, dozens of security vendors contacted me to confirm that the problem does indeed exist, and that they had the answer. Against the backdrop of more databases becoming accessible via the Web, and the government legislating what data can be exposed, one vendor in particular strikes me as worthy of your consideration.

Teros' Secure Application Gateway (SAG) offers the sort of insurance policy needed by any IT manager who isn't absolutely certain that all risk of a company-damaging, law-breaking, image-tarnishing, lawsuit-causing, job-termination-causing compromise of sensitive data has been eliminated. I suspect that most compromises occur well after the point that some IT manager determined that all potential holes had been plugged.

Certainly the folks at Valve Software felt that way until the complete source code for Half-Life 2, the forthcoming version of a game with a cult-like following, was stolen from that software publisher's systems and distributed on the Internet. Not only was Valve's original source exposed but, apparently, so too was code that Valve had licensed from other developers. The resulting risk to Valve --- that a product launch may get delayed, that its intellectual property was exposed to competitors, that online game players may still be vulnerable to an attack, or that its licensors may seek monetary damages --- is the sort of risk that can bring a company down.

So, if you're not willing to take any chances with your security and you've got an extra $25,000 to earmark against risks not worth taking, perhaps Teros Secure Application Gateway (SAG) is for you. Like many of the more advanced application firewalls, SAG, an appliance that sits just upstream from your Web servers, works on the basis of deep packet inspection. As SAG drills deep into the payload of the outbound HTTP stream, it reconstructs the information that's about to exit the company onto the Internet, and looks for information that shouldn't be allowed into the wild.

Using a filter-like algorithm, SAG not only watches traffic for strings of characters that match a specific mask, but can also alter the string before it heads out onto the Internet.

"For example," says Teros product marketing director Greg Smith, "we can prevent the leakage of credit card numbers because we can identify them within a Web server's response. What happens next is up to you. You can choose to entirely block it. You can choose to X-out a configurable number of leading digits. So, as the stream is on the way out, we can block it, modify it, or let it through."

One reason Smith chose the credit card example is that, currently, SAG is pre-configured to prevent the leakage of Social Security numbers and credit card numbers. The reason for this, according to Smith, is that the company wanted to focus on one of the biggest areas of risk and liability on the Internet: identity theft.

But those string types are not hard-coded into SAG's algorithms. Instead, SAG has coded them as different types of data objects. This object-orientation gives SAG some flexibility it might otherwise not have. Teros can offer new standard objects; better yet, Teros customers can define their own. Says Smith, "Moving forward, we'll give users a way of defining their own business objects, thereby giving them a way of customizing the sorts of data that [SAG] will look for and act on."
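To make the mechanism described in the last few paragraphs concrete, here is an added Python sketch (my illustration, not Teros code) of an outbound-response inspector built around pluggable "data objects": each bundles a pattern, a validator and a block/mask/allow action, with the two pre-configured objects (credit card, SSN) and an X-out of a configurable number of leading digits. The regex shapes, the Luhn and SSN validators and the object names are my assumptions, not details from the article.

```python
import re
from dataclasses import dataclass
from typing import Callable
# Constructed illustration of the SAG-style inspection described above; not Teros code.

def luhn_ok(digits: str) -> bool:
    """Luhn checksum keeps order numbers and timestamps from tripping the card rule."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def ssn_plausible(d: str) -> bool:  # area 000/666/9xx, group 00, serial 0000 never issued
    return d[:3] not in ("000", "666") and d[0] != "9" and d[3:5] != "00" and d[5:] != "0000"

@dataclass
class DataObject:
    name: str
    pattern: re.Pattern
    validate: Callable[[str], bool]
    action: str            # "block", "mask" or "allow"
    mask_leading: int = 0  # digits to X-out from the left when action == "mask"

# Pre-configured objects, mirroring the two the article says ship by default (assumed shapes).
CARD = DataObject("credit_card", re.compile(r"\b(?:\d[ -]?){12,15}\d\b"), luhn_ok, "mask", 12)
SSN = DataObject("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), ssn_plausible, "block")

def mask_leading_digits(text: str, n: int) -> str:
    out = []
    for ch in text:
        hide = ch.isdigit() and n > 0
        n -= hide
        out.append("X" if hide else ch)
    return "".join(out)

def inspect_response(body: str, objects: list) -> tuple:
    """Return (decision, body to send, findings); decision is block, modified or allow."""
    findings, out = [], body
    for obj in objects:
        for m in obj.pattern.finditer(body):
            if not obj.validate(re.sub(r"\D", "", m.group())):
                continue  # right shape but failed the validator: not this object
            findings.append((obj.name, m.group()))
            if obj.action == "block":
                return "block", "", findings
            if obj.action == "mask":
                out = out.replace(m.group(), mask_leading_digits(m.group(), obj.mask_leading))
    return ("modified" if out != body else "allow"), out, findings
```

A customer-defined object is just another `DataObject` appended to the list passed to `inspect_response`, which is the "business object" flexibility Smith describes.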

Smith acknowledges that using an appliance external to the Web server isn't the only way to secure outbound traffic. (It watches inbound traffic as well.) IT managers could choose to internalize those functions into Web or application servers which, to some degree, provide the sort of flexibility that those looking to customize inspection routines might want. However, the more you ask your Web server to do, the more you're going to negatively impact the performance of that Web server.

SAG has a few other tricks up its sleeve. In addition to off-loading the inspection routines for performance reasons, SAG can help improve the performance of Web applications by taking on the responsibility for other performance-intensive operations such as encryption (for outbound traffic) and decryption (for inbound traffic). In addition, Smith says, SAG optimizes I/O to the Web server, can replace dedicated proxy servers such as those from Microsoft and Netscape, and performs SSL acceleration and key management. All these activities are either directly or tangentially connected to making sure that the right information is getting into the right hands and without compromising performance.

Lastly, SAG provides one other security measure that is increasingly becoming an issue for large Web sites. Using digital watermarking, SAG's Web site defacement protection feature will prevent the transmission of any Web page that has been altered since it was last authored by someone with the authority to make changes. Smith admits that this feature doesn't work as well for dynamically driven Web pages as it does for static ones. "But you can trap for key words," says Smith. "So, if certain words should either always be present, or never be present, regardless of how much the other content on the page changes, then you can take action based on either of those conditions."
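As an added illustration of the defacement-protection idea above (mine, not Teros code), the sketch below treats the "watermark" as a keyed hash recorded when an authorised publisher deploys a static page and re-checked on every response, and falls back to Smith's keyword traps for dynamic pages. The HMAC construction, the registry layout, the key and the sample pages are all my assumptions.

```python
import hmac
import hashlib

# Constructed illustration of SAG-style defacement protection; not Teros code.
# The gateway alone holds KEY, so a defacer who rewrites a page on the Web server
# cannot recompute a valid watermark. Placeholder key, not a real secret.
KEY = b"placeholder-gateway-key"

def watermark(page: bytes) -> str:
    """Keyed hash over the authored bytes of a page."""
    return hmac.new(KEY, page, hashlib.sha256).hexdigest()

# Filled when an authorised author publishes a static page: path -> watermark.
PUBLISHED = {"/index.html": watermark(b"<html><body>Welcome</body></html>")}

# Keyword traps for dynamic pages whose bytes legitimately differ per request.
MUST_CONTAIN = {"/account": ["Copyright Example Corp"]}
MUST_NOT_CONTAIN = {"/account": ["hacked by", "owned"]}

def check_static(path: str, page: bytes) -> str:
    expected = PUBLISHED.get(path)
    if expected is None:
        return "unknown"
    # Constant-time compare so the check itself leaks nothing about the watermark.
    return "ok" if hmac.compare_digest(expected, watermark(page)) else "defaced"

def check_dynamic(path: str, page_text: str) -> tuple:
    """Return (verdict, missing required words, forbidden words found)."""
    lowered = page_text.lower()
    missing = [w for w in MUST_CONTAIN.get(path, []) if w.lower() not in lowered]
    forbidden = [w for w in MUST_NOT_CONTAIN.get(path, []) if w.lower() in lowered]
    return ("defaced" if missing or forbidden else "ok"), missing, forbidden

def gateway_decision(path: str, page: bytes) -> str:
    """Static pages get the watermark check; everything else gets the keyword traps."""
    if path in PUBLISHED:
        return check_static(path, page)
    return check_dynamic(path, page.decode("utf-8", "replace"))[0]
```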

SAG has a number of other interesting countermeasures to thwart the various attacks hackers use. For example, Smith says, it can minimize the impact of Denial of Service (DoS) attacks as well as stop attempts to compromise data through cross-site scripting. But, at the end of the day, SAG's most critical function is to keep predictably formatted confidential data from making it past the periphery of your company. Getting that sort of insurance without negatively impacting a Web application's performance might not only save your job; it might just save your company.

Use TalkBack to let your fellow ZDNet readers know what you think. Or write to me at david.berlind@cnet.com. If you're looking for my commentaries on other IT topics, check the archives.