Network Security Library

The Risk of Application Attacks: Securing Web Applications


By: Bee Ware, 01/07/2005



1 Report on the Information Security Front

1.1 Some Disturbing Numbers
According to statistics from CERT (an independent body specializing in information security), the number of successful, that is to say declared, attacks continues to grow: up 60% in 2002, and expected to grow around 80% in 2003. A simple reading of these numbers shows that protection mechanisms deployed by companies are not discouraging attempts by hackers. Far from it.

A study published in 2002 by the Cyber Crime Division at the FBI (CSI/FBI) showed that 99% of companies use antivirus solutions and 98% have firewalls. In addition, 92% have instituted access control measures for their online services and 73% have deployed IDS systems (Intrusion Detection Systems) within their networks.

These statistics call into question the effectiveness of the security systems currently deployed: either these systems do not work or they are not suited to the nature of attacks carried out today. It turns out, in fact, that current solutions are a response to the need for which they were designed: access control, or in other words, network protection. However, since these network security measures were not designed to analyze traffic carried at the higher level (application transactions encapsulated in the TCP/IP network protocol), the numbers confirm that these solutions offer very limited protection or no protection at all when faced with attacks using the application as a vector for transport and concealment.



1.2 Changing Attitudes and Targets
For a long time, many companies, organizations or administrative bodies considered themselves unaffected or scarcely affected by such threats, since they did not possess highly confidential industrial secrets, state secrets or classified defense material.

This kind of thinking is no longer valid today, though it may have been a few years ago. That is because the main target is no longer these types of document. The interests of today’s uninvited visitors, who are more or less well-meaning, have expanded considerably.

The use of the Web has undergone profound changes. Its use has become generalized in several domains. Because of this, Web applications (internet, intranet or extranet) are accumulating more and more information of a very diverse nature: not only industrial data, but also commercial and social information. The Web is, at the same time, the largest encyclopedia ever assembled and the largest marketplace in the world. There is much to learn on the Web, and new and interesting features have developed.

What kinds of information are people looking for today? Financial transactions? Industrial secrets? Yes, but that is only the tip of the iceberg. Internet attacks today are standardized. The prime pieces of information that are sought or manipulated are lists of client accounts, lists of prospective customers, commercial conditions of sale, purchase or delivery policies, stock statements, and similar data.

1.3 A New Attack Strategy
With few exceptions, the purpose of a computer attack is not to take control of a network, but rather to hijack an application and its data.

To put it simply, an online information system can be infiltrated at three attack levels: the network, the system, the application.

The first vector of attack that hackers utilized was the network. Faced with the deployment of firewalls, they then made the most of vulnerabilities in system components such as the operating system or database server. Technologies for intrusion detection, supplemented recently by a new generation of so-called Intrusion Prevention Systems, provided a first level of response by identifying intrusions, or at least some of them, through a variety of mechanisms.

A third vector of attack then appeared: the application. Based on authorized protocols and implemented through application requests very similar to normal requests, these attacks pass unnoticed by all traditional security systems.

Is it possible to respond to these new attacks? How can they be identified? These and other questions concerning the nature of these attacks are of prime importance and merit considerable attention.


2 Towards a New Generation of Attacks

2.1 The Progressive Development of Attack Techniques
Hackers have adapted their strategy in response to the generalized deployment of firewalls controlling access to private networks. Network layers are no longer an axis of infiltration. They are still used at times to identify open ports and potential targets. But even this step tends to be ignored. All companies now have Web sites, and it is the rare site that is not connected in some way to a database. An HTTP-based attack on port 80 will cross the firewall barrier if it knows how to be discreet. And an HTTPS-based attack on port 443 can slip through without any fear of detection!

The attack cited below cannot be detected by current firewalls, even those equipped with extensive traffic inspection functionality.

http://www.victim.com/cgi-bin/phf?Qalias=%0A/bin/cat%20/etc/passwd

Hackers have bypassed network security by taking their attacks to a higher level: the application. With this new approach, not only have they circumvented the security mechanisms already in place, but they have also shifted the theater of operations to a new protocol that involved new technologies: HTTP.

The attacks that are best known and best protected against take advantage of the network and system layers in attempting to infiltrate an information system. Firewalls acting as access control systems are generally responsible for dealing with network attacks. Today, solutions based on IDSs and IPSs protect against system attacks by working on the principle of listening and comparison, followed by action (reporting or termination).

2.1.1 Network Attacks:
A quick glance at some of these attacks allows us to understand the techniques involved. Making use of protocols such as IP, TCP, ICMP, these attacks are based on the use of certain variable fields. The results can be dramatic, but the possibilities are quickly exhausted.

IP ID: Use of the ID field of the IP protocol to identify the server's OS or to carry out a TCP scan.

ISN Prediction: Use of the ISN to identify the server's OS when a TCP connection is made.

SYN Flood Attack configuration: Denial of Service attack using the TCP handshake



Max Ping Size: ICMP Protocol. Buffer overflow using Echo Data field.

Ping of Death: ICMP Protocol. Attempt to crash the system with an incorrect ping

Address Spoofing: Usurpation of IP addresses

Port Scan: Test of open ports to determine running applications.

2.1.2 System Attacks
The example below illustrates a typical system attack: The attack is totally different from a network attack in form and concept. It can logically be inferred that the analytical methodologies and technologies used to counter these attacks are also different. The IDS concept, and later the IPS, arose from the recognition of this fact.

2.2 Application Attacks
By definition, an attack is a normal request or a series of requests modified to become the vehicle of attack. The attacks are based on the principle of parameter or instruction spoofing. Manipulating the expected replies and data in this manner produces unforeseen, and often interesting, program behavior and return messages.

This strategy of attack is not new. However, it takes on a much larger scale with reference to applications, because of the variety of options available to the hacker. It is easy to visualize the proliferation of attack options between protocols or languages such as TCP/IP and HTTP/SQL.

This problem is further compounded by the heterogeneity of scripts and other cookies. Dozens of in-house or downloaded scripts coexist, interact and are subject to constant additions and modifications. As a matter of fact, there are at least as many potential attack requests as authorized requests. This leaves the door open to far too many potential vulnerabilities and to the requirement of massive research in order to one day reference and correct them all.

2.2.1 Goals and Means used by a Hacker

2.2.1.1 Code Execution
In the case of code execution, the request itself contains the malicious program in executable form (as with worms, for example). In other cases, the code can take the place of expected application parameters.

2.2.1.2 Command Execution
The attack will attempt to execute existing system commands.
- Using command execution on a machine running UNIX, the hacker retrieves the contents of a file via the cat command or lists the files via the ls command on the system being attacked. The files retrieved are more often than not files containing sensitive information: passwords (even in encrypted form, there are other ways to crack them later), remote network configuration through the /etc/hosts file, etc.
- On a machine running Windows, the commands executed are often tftp to download files onto the system under attack, or even cmd.exe to execute commands of all types (dir, type, etc.).

2.2.1.3 Access to Unauthorized Information
The information targeted most frequently includes:

2.2.2 Examples of Application Attacks
A quick look at some of these attacks clearly shows how they differ from previous types. Rather than attack names, we will discuss attack strategies, two typical examples of which are discussed below.

2.2.2.1 Parameter Modification
This strategy is used to achieve the following types of attack:

SQL injection: Insertion of SQL commands into a parameter providing access to a database.
Example: http://www.example.com/showproduct.asp?ID=0%20OR%201%3D1
An ID parameter is passed on the assumption that it will be embedded in an SQL request. In order to keep the request valid, the clause “OR 1=1” is added, which makes the condition always true, since 1=1 is always true and OR is an inclusive Boolean operator.

Cross site scripting: Insertion of (HTML/ActiveX/JavaScript/…) code on the site, which will be executed on the HTTP/browser clients of users visiting the site.
Example: http://www.company.com/a.php?var=">
This URL, if posted within a forum using the a.php script, will allow the contents of user cookies to be posted on the host.com site via a script also hosted on this site.
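The SQL injection case above, as an added example that is not part of the original paper: it contrasts a query built by string concatenation with a bound, validated one. The page's example is an ASP script; Python with an in-memory SQLite table is substituted here, and the table, its rows and the function names are assumptions.

```python
import sqlite3
from urllib.parse import urlsplit, parse_qs

# The page's example request, with the space in "OR 1=1" percent-encoded.
ATTACK_URL = "http://www.example.com/showproduct.asp?ID=0%20OR%201%3D1"


def make_catalog():
    """In-memory stand-in for the product database (constructed sample rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany(
        "INSERT INTO products VALUES (?, ?)",
        [(1, "widget"), (2, "gadget"), (3, "unreleased prototype")],
    )
    return db


def id_from_url(url):
    """Percent-decode the query string and return the raw ID parameter."""
    return parse_qs(urlsplit(url).query)["ID"][0]


def show_product_vulnerable(db, raw_id):
    # The parameter is pasted into the statement, so the database parses
    # "0 OR 1=1" as part of the WHERE clause and the condition is always true.
    sql = "SELECT id, name FROM products WHERE id = " + raw_id
    return db.execute(sql).fetchall()


def show_product_bound(db, value):
    # The value is bound as data; it cannot change the statement's structure.
    return db.execute(
        "SELECT id, name FROM products WHERE id = ?", (value,)
    ).fetchall()


def show_product_hardened(db, raw_id):
    # Validate the expected format first, then bind the converted integer.
    if not (raw_id.isascii() and raw_id.isdigit()):
        raise ValueError("ID must be a decimal integer")
    return show_product_bound(db, int(raw_id))


if __name__ == "__main__":
    db = make_catalog()
    attack = id_from_url(ATTACK_URL)
    print("decoded parameter:", repr(attack))
    print("concatenated query returns:", show_product_vulnerable(db, attack))
    print("bound query returns:", show_product_bound(db, attack))
    print("hardened, ID=2:", show_product_hardened(db, "2"))
    try:
        show_product_hardened(db, attack)
    except ValueError as exc:
        print("hardened, attack value rejected:", exc)
```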

2.2.2.2 Buffer Overflow
The Buffer Overflow attack can be applied in different areas: user entries, parameters.
Example: http://www.test.com/insecurecgi?ABCDEF..ABCDEFcode_excutable
Note that the shell code first contains a large number of characters, as well as code in binary and executable form near the end. In this example, the overflow is in the name of the parameter and not in its value, which illustrates how numerous the overflow possibilities are.

2.3 Present-Day Repercussions
The repercussions of an attack can be numerous. To begin with, there is loss of time, productivity, damage to reputation, theft of commercial or industrial information, and financial misappropriation.

However, there are also legal repercussions, not only because the victim company might wish to file a complaint, but also due to the fact that the company itself can be accused of not having sufficiently protected the customer data in its possession. In fact, every company, government agency or organization has the obligation to guarantee the confidentiality of data shared with it by its clients, especially financial information or… even its measurement.

This problem has become universal and examples of companies involved in such situations are becoming numerous. Victoria's Secret has just been convicted of not having sufficiently protected client data collected via its website.



Extract from Article 226-17 of the Penal Code (France)
“Carrying out or causing to be carried out the automated processing of registered data without taking all precautions necessary to maintain data security and specifically to prevent distortion, damage or transmission of data to unauthorized third parties shall be punishable by imprisonment of five years and a fine of 2 million francs.”


3 Evaluating the Defense System

3.1 Network Protection: Firewall and Authentication
In response to the numerous vulnerabilities in ACLs (Access Control Lists) implemented by routers, firewalls provided the first true security solution for access control. Pioneered by Check Point, then adopted by almost all vendors, Stateful Inspection technology enabled the implementation of strict and efficient security policies based on connection-oriented traffic analysis.

Access decisions are made based on criteria such as destination and source, ports representing the application used and contextual criteria. This data processing is effective for network layers and offers performance that is quite acceptable.

Strong multi-factor authentication solutions have supplemented this access security approach by enabling granular levels of user identification checking.

Auto Defense
Experience shows that a large number of attacks or attack strategies are used over and over again by hackers: address spoofing, discovery of open ports, and others. To counter these attacks, located at the network level and easy to identify, vendors of equipment such as routers, firewalls and even proxy servers equipped their products with automatic defense mechanisms. Among the attacks most often recognized at this level are:

This list of recognized attacks continues to grow, but it can only include attacks with characteristic features that are easy to identify and that have already been discovered. It follows, then, that mechanisms for auto-detection and protection do not apply to application security vulnerabilities, due to their wide diversity.

3.2 System Protection
Once unutilized ports have been closed and traffic brought under an initial level of network control, a second category of potential security breach surfaces: vulnerabilities. Every software program has its own vulnerabilities, or bugs. Attackers have used the full potential of these bugs to bring down, hijack, or take control of systems.

The exploitation of a bug or vulnerability usually takes the form of sending an unexpected message to the application, which will generate an error message, halt the system, grant inappropriate rights, etc., as the case may be. Technically speaking, this implies that a vulnerability can be exploited through an authorized protocol and therefore without the knowledge of firewall systems.

Intrusion detection and prevention systems, as well as integrity checking solutions to a certain extent, provide a first level of response to these new vulnerabilities. These solutions are based on various technologies, one of the best known being signature files.

3.2.1 Signature Files
Attack detection by signature comparison is a commonly used technology. Thanks to public and private monitoring organizations, every time a new vulnerability is discovered or a new attack is registered, a signature is developed after a certain period of time, enabling subsequent intrusion detection and sometimes eradication. This approach is also used in antivirus solutions. But the technology is not exhaustive and quickly reaches its limits.

3.2.2 Intrusion Detection Systems (IDSs)
IDS technology provides for intrusion detection at the network or system level. The main task of intrusion detection systems is to identify known attacks, signal them, and sometimes block them. Two methods permit the detection of abnormal events: signature recognition and anomaly detection.

Signature recognition consists of searching for signatures (or imprints) of known attacks in the monitored data traffic. It makes use of a signature library, and can therefore only detect attacks corresponding to the signatures it contains.

At the server level (host system), intrusion detection analyzes system statistics: changes in memory, excessive CPU utilization, etc. This solution model, supplemented by a baseline frame of reference (data during normal system operation) will report any discrepancies noted.

3.2.3 Intrusion Prevention Systems (IPSs)
Intrusion prevention systems, or IPSs, are next-generation IDSs. This is more of a product designation than a technology. They detect and attempt to eradicate or block the attacking request. The request is blocked either by the TCP reset command or by dynamically modifying firewall rules. IPSs are generally based on the same pattern matching principle, with additional functionality for anomaly detection. Other IPSs implement newer technologies such as identification.



3.2.4 Integrity Checking
Integrity checking is another approach to intrusion detection. Integrity checking attempts to monitor system state consistency and conformity by monitoring configuration files, rule files, and policies. This technique is used for the comprehensive monitoring of routers, firewalls, servers, etc.

This is a specific approach in response to an equally specific problem, and is particularly well-suited to fairly complex network architectures. However, it is relatively complex to implement and operate.

3.2.5 Intention Detection
A new preventive approach consists of identifying the attacker in such a way as to make it impossible for it to act. By combining recognition of dangerous data traffic with false response mechanisms, the potential attacker is identified, evaluated and, if necessary, relegated to a black list.

This is also a valid, though still not exhaustive, approach. Some attacks can be launched without the need for prior stages of discovery. There are therefore no tell-tale signs allowing the attacker to be blocked. The same holds for very short attacks because they generate traffic consisting of only a few packets, sometimes only one.

Application attacks rarely make use of these approach stages. At this level, the attacker's behavior fully resembles that of a normal user, because the idea is not to circumvent the application but to exploit it.

3.3 Present-Day Application Protection
Effective protection of applications demands specific solutions. This can be clearly concluded from the following two observations:

On the one hand, existing systems have been designed to work at the network level. This has led to technical architectural options that do not correspond, or do so only poorly, to the characteristics (and therefore vulnerabilities) of application traffic.

It is clearly difficult to provide good protection for something that has been poorly analyzed.

On the other hand, techniques used for network and system protection rely on a principle of detection that is itself based on a known baseline frame of reference, such as a signature file. The characteristics of applications, however, are so numerous that it becomes difficult not to speak in terms of uniqueness.

How, then, in this context is one to guard against as yet unidentified vulnerabilities?

Application security demands different responses, and therefore different technologies, from those used previously. Some of these have come to light in the last few months: namely white list/black list or reverse proxy, based on known concepts; protocol compliance is now usually implemented as well.

3.3.1 Enhanced Inspection
The first countermeasures for information security came with the use of ACLs (Access Control Lists) allowing for the implementation of a security policy based on source, destination and protocols. In response to the numerous limits of this approach, Stateful Inspection technology introduced two major innovations. First, thanks to the caching of connections, rules now take context into account. Second, certain mechanisms for the identification of the transport protocol were incorporated.

Today, application traffic forms the vector of attack. In order to identify malicious requests, one should be able to decode the application and the instructions sent to it. Inspection of headers is no longer sufficient. A much deeper analysis of data traffic is called for.

Several solutions today make good use of this type of functionality. However, this analysis process proves to be long and complex. Firewalls need to carry out this analysis multiple times, from the lower layers to the upper layers, and technical characteristics are quite different at each layer. Verification performed using this approach is necessarily limited. This technology is nothing more than a deep analysis method, and does not help in any way in the decision-making process.

3.3.2 Proxy
Proxy is a well-known technology that has been in use for a long time. Briefly, a proxy server is a system or process placed between the client and the server of an application. In terms of communication, it needs to be able to respond to both. It emulates the application client and application server equally well. An application proxy establishes communications between the application client and the application server by reassembling network packets up to the highest layer in order to reconstitute the application traffic. A proxy is, in a way, an amalgamation of limited versions of an application’s client and server. Proxy technology is used in a variety of domains, serving as a medium for the implementation of acceleration solutions or content filtering (cache, SSL Accelerator, anti-virus, URL filtering, etc.). Commercial opportunities for application security have placed proxy servers once again at the forefront of interest, because of their ability to easily decipher traffic in application requests.

3.3.2.1 Proxy Firewalls
Proxy firewalls appeared on the scene with the first firewalls. They were progressively replaced by Stateful Inspection technology due to the proven better performance and greater ease of management of the latter technology. Today, benefiting from changing attack strategies, proxy firewalls are enjoying a new lease on life. Although they have the capacity to decode the application, they cannot provide true application security beyond simple functions such as checking or restricting the use of commands. Today, some proxy firewalls also include white list and black list mechanisms.

3.3.2.2 Reverse Proxy
The use of a proxy server as a front-end to a server is called reverse proxy technology, as opposed to simple relay proxy.

By interpreting (and often restricting) requests and allowing only valid requests to pass through, a reverse proxy server performs some security functions. An HTTP reverse proxy server, in that sense, allows conformity checking and restriction of HTTP data flow. However, Web application security is quite another matter. HTTP is only the transfer protocol and the following also need to be secured: PHP, CGI, PERL, JavaScript, SQL, XML, etc.

Reverse proxy only handles HTTP. It should theoretically be possible to attach an SQL proxy server (a simplified server) to it, but this would be done at the risk of even further performance degradation. As for creating a proxy for languages or scripts… this may not even be possible.

Due consideration must be given to the fact that reverse proxy does not really bring any application security to the Web environment. Furthermore, the proxy lends itself to the presence of vulnerabilities in the different layers of its own implementation, whether based on open source or proprietary technology. The security from reverse proxy solutions is provided, in fact, by the white list/black list type mechanisms which are bundled with it.

These two similar approaches are based on the universe of authorized entities or the universe of prohibited entities. Though enjoying the advantage of simplicity, this principle is effective only if the white or black list is exhaustive. Every omission makes possible either a legitimate but prohibited request (incomplete white list) or an undetected attack (incomplete black list).

Creating and Maintaining a White List
It is true that, on paper, the creation of a very precise white list provides for the implementation of a strong security policy. However, constraints associated with implementation and maintenance very quickly make this a merely theoretical option. Initialization phases are long, the more so when the applications to be protected are numerous and complex. A single entry forgotten in the white list translates into a potential client that will be turned away. What’s worse, every application modification requires an immediate update to the proxy white list.

Some developers try to provide a solution based on semi-automatic generation and subsequent maintenance of the white list. The creation of a white list begins with a thorough exploration of the application to be protected. This is called parsing. This stage is followed by an attempt to discover the structure and sensitive areas of the application, including invisible links. This technique is called forceful browsing. There is nothing new in this approach, which is already provided by a number of commercial or public tools.

However, these techniques have significant limitations. Because of the application infrastructures encountered and especially the languages used, any site is more or less highly visible externally. Examination must therefore necessarily be carried out manually if possible, and then the white list for this part of the site must be manually configured as well.
Valid requests must be modeled. Automatically recognized requests must be generalized and parameterized in order to secure similar requests as well.

Experience has shown that this approach does not stand up to real-world conditions, and that security levels go down again after a few months, namely after a few modifications are made to the application. It may be that mandatory supplementary parameterization is no longer being carried out and that open application windows are too permissive. Or it may be the case that the complete white list is no longer active and only the black list is functioning, providing only simple intrusion detection.
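The trade-off between the two list types described in this section, as an added example that is not part of the original paper: a black list and a white list are applied to the paper's two example attack requests and to two legitimate requests. The signatures, the white list schema, the legitimate URLs and the function names are constructed for illustration; the black list deliberately knows only the phf attack, and search.asp stands for a page added after the white list was built.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Black list: signatures of attacks already known (constructed).
BLACK_LIST = [
    re.compile(r"/cgi-bin/phf\b", re.I),
    re.compile(r"/etc/passwd", re.I),
]

# White list: authorized paths and the value format of each parameter (constructed).
WHITE_LIST = {
    "/showproduct.asp": {"ID": re.compile(r"[0-9]{1,9}")},
}

# (url, is_attack). The two attacks are the paper's examples; the two
# legitimate requests are constructed.
REQUESTS = [
    ("http://www.example.com/showproduct.asp?ID=42", False),
    ("http://www.victim.com/cgi-bin/phf?Qalias=%0A/bin/cat%20/etc/passwd", True),
    ("http://www.example.com/showproduct.asp?ID=0%20OR%201%3D1", True),
    ("http://www.example.com/search.asp?q=blue+widgets", False),
]


def decode(url):
    """Split a URL into its path and percent-decoded (name, value) pairs."""
    parts = urlsplit(url)
    return parts.path, parse_qsl(parts.query, keep_blank_values=True)


def black_list_allows(url):
    """Allow everything except requests matching a known signature."""
    path, params = decode(url)
    text = path + "\n" + "\n".join(f"{k}={v}" for k, v in params)
    return not any(sig.search(text) for sig in BLACK_LIST)


def white_list_allows(url):
    """Allow only listed paths whose parameters match the declared format."""
    path, params = decode(url)
    schema = WHITE_LIST.get(path)
    if schema is None:
        return False
    if sorted(k for k, _ in params) != sorted(schema):
        return False
    return all(schema[k].fullmatch(v) for k, v in params)


def errors(allows):
    """Return (undetected attacks, legitimate requests turned away)."""
    missed = [u for u, attack in REQUESTS if attack and allows(u)]
    refused = [u for u, attack in REQUESTS if not attack and not allows(u)]
    return missed, refused


if __name__ == "__main__":
    for name, allows in (("black list", black_list_allows),
                         ("white list", white_list_allows)):
        missed, refused = errors(allows)
        print(name)
        print("  undetected attacks:      ", missed)
        print("  legitimate but refused:  ", refused)
```

The black list lets the injection request through because no signature covers it, while the white list stops both attacks but turns away the request for the page it was never told about.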


4 Securing the Application

4.1 Security at Higher Layers
While network security today is an area that is both well-defined and well protected, security at higher layers still has one area that is quite ill-defined and can lead to confusion. A more precise classification into distinct subsets is necessary if one wishes to master application security. This confusion can lead one into a false belief that a system is protected, only to be rudely awakened by the unexpected consequences of an attack.

One possible confusion arises from the interpretation of the word “application”. The OSI model defines the topmost layer of communication protocols as the application layer. The word “application” here refers to a set of communication services called by high-level software. Consider the architecture of a Web server, where high-level applications include several levels: the operating system, the Web server, the client application, application servers, and associated databases.



Content security is a separate domain. Today this terminology encompasses numerous technologies: Anti-virus, URL filtering, anti-spam and others which work at different levels.

It is quite logical for access control systems, such as firewalls located at access points, to interface with a content filtering system. It is therefore equally logical for some manufacturers to introduce products incorporating two or more of these technologies. Regardless of such initiatives, a firewall with an integrated antivirus solution is not an application security solution.



4.2 New Application Security Technologies
4.2.1 Protocol Compliance
Spoofing an authorized request to convert it into an attack request is a method used often in application attacks. Sometimes, request spoofing is in fact protocol spoofing. Such spoofing can be blocked at two levels:

Protocol non-compliance very often provides a tangible proof of attack. But that is only one of several options, and hackers prefer to target the application itself rather than its protocol. This is both easier and more discreet.

In practice, the use of protocol non-compliance has not proved to be quite so simple. The difficulty arises from the difference in HTTP implementation between different browsers and even between versions of the same browser. An application complying too strictly with the protocol would risk preventing access to entire groups of clients.

4.2.2 Correlation of Events
This idea is new neither in concept nor in its application to security. The issue becomes even more significant when dealing with security management or its integration into a more comprehensive monitoring platform.

Event correlation is sometimes applied to the processing of log files produced by security solutions, which are known to be voluminous and difficult to figure out. This is a type of deferred processing, but is nonetheless quite complicated and very rarely implemented.

At the intrusion level, this technique allows one to weigh the anomalies detected, arrive at a more comprehensive decision and put it into perspective. This approach, however, is optimal only when used in conjunction with a baseline frame of reference. It must be possible to compare and balance data traffic and determine whether it is normal or abnormal.

4.2.3 Behavioral Analysis
This approach comprises two distinct areas:
5 Intelliwall by Bee Ware

The increasing power and sophistication of application attacks, and their consequences, could be a real threat to Web services deployment. However, the Web, as a proven place to communicate and do business, is crucial for companies, administrative bodies, associations or any other organization.

It is imperative to have efficient security solutions designed for the Web that are both easy to implement and to monitor. Only then will application developers and communication infrastructure designers be able to fully exploit the formidable communication, collaboration and exchange tools that Web applications represent.

5.1 Characteristics of a Web Security Solution
Web application security presents specific challenges. It has technical repercussions, but also raises questions of a human and organizational nature. Only a comprehensive response to these combined questions can provide a security solution which is simultaneously strong, practical and understandable.

5.2 Presenting Intelliwall
5.2.1 The Concept
The technologies usually used in computer security cannot be relevant in all areas, as the application security issue demonstrates. Current technologies are generally based on an algorithmic approach, which requires the problem to be known and its solution to be written out before it can be solved. When the problem is complex, this stage can be expensive or impossible.

As is the case whenever the algorithmic approach reaches its limits, Artificial Intelligence (A.I.) becomes an alternative to be considered.

The main assumption that motivated research on artificial neural networks is that intelligent behavior results from the structure of our nervous system and of its basic component, the neuron. The organization of the decision-making mechanism is the foundation for the development of an intelligent behavior.

Technical characteristics of neural networks:

5.2.2 Intelliwall: An Expert at Your Service
Intelliwall’s working principle is simple: it functions just like an expert, a security expert armed with in-depth knowledge of attack techniques and Web languages who scrutinizes data traffic and analyzes it in order to detect and block suspicious requests.

Intelliwall’s approach resembles human reasoning: intelligence, knowledge, gathering of clues and decision-making. In addition, it is equipped with learning skills.

5.2.2.1 Intelligence
Intelliwall is a next-generation product. A great deal of development and several years of research have gone into the implementation of this security solution. It takes advantage of the latest advances in software engineering. Rather than a simple analysis engine, it can be compared to a brain.
Intelliwall is artificial intelligence software.

5.2.2.2 Knowledge
The characteristic feature of an information security expert lies not in memorizing thousands of signatures in order to recognize an attack, but in knowing the possible forms of attack and the strategies and techniques used.

Intelliwall’s exclusive intelligent kernel was trained to mimic the processes of human security experts. For months it was trained to integrate the culture and logic of the best security experts until it incorporated the best of their combined skill sets.

5.2.2.3 Gathering of Clues
Gathering clues is a fundamental part of the process. As in every inquiry or analysis procedure, the relevance of the decision made will depend on the quality of clues gathered. It is therefore necessary not only to have the maximum number of useful clues available, but also the ability to consider them in context, to measure them, and to weight them.

Intelliwall uses its experience and intelligence to collect, classify, categorize and measure all clues available to it.



5.2.2.4 Decision Making
Aside from those few simple cases where the hacker uses a known and signed attack and leaves no doubt as to the nature of the request, the decision-making step is both key and complex: an improper decision leads to a false positive (false alarm) and the blocking of a valid request, while a decision that is too permissive translates into an attack that is not stopped.

Intelliwall makes its decision based on clues gathered and their contextual significance. In contrast to other solutions, Intelliwall bases its decision not on an individual clue or a series of clues, but rather models a behavior on the basis of these clues just as a human security expert would. And it is this behavior that is monitored, checked and measured until the decision is made.

5.2.2.5 Training
Intelliwall’s knowledge and intelligence are not closed-ended. The administrator, in fact, has the option of continuing to educate Intelliwall. Intelliwall will mark as a potential attack any request exhibiting a sufficiently suspect anomaly. But if the request is legitimate on the customer’s Web site, the administrator then has the option of declaring this request valid by simply pressing the Brain Train button. Intelliwall does not limit itself to registering the request as authorized, but also incorporates this request into its general knowledge base, and will integrate not only the request but also its form and structure as a valid behavior. In this way, subsequent requests designed on the same model will be validated, not just identical requests.

5.3 Site Protection Using Intelliwall
Intelliwall secures any Web site, whether on the internet, an intranet or extranet. will have certain common characteristics. These are both technical and organizational in nature.

Plug’n Safe: Not a list, and not a set of signature files. Installation is quick and security immediate.

Application-Independent: Intelliwall adapts to applications and application changes automatically or by learning.

Accurate: Very low rates of false positives at implementation, and none subsequently.

High Performance: A base configuration supports up to 25,000 transactions per second.

Architectural Flexibility: Intelliwall works in Log Only or Log & Reset mode. Installation is serial or parallel.

5.4 About Bee Ware
Bee Ware SAS is a software publishing company in France with a capitalization of 37,000 Euros. Founded by Nicolas Dirand and Christophe Guyard, Bee Ware’s technical and commercial teams offer information security solutions for the protection of Web sites (internet, intranet and extranet) from application attacks.



Based in France at Aix-en-Provence and Paris, and in Belgium at Bruxelles, Bee Ware serves the European market with the support of a partner channel.

Contact:

Bee Ware SAS
Company headquarters: 14 Impasse Carnot, F-92240 MALAKOFF, France
Tel: +33 (0)1 49 65 68 40 Fax: +33 (0)1 49 65 41 52
R&D: 19 Parc du Golf, F-13793 AIX LES MILLES CEDEX, France
E-mail: contact@bee-ware.net
Website: www.bee-ware.net

Version of October 2004
Version 1.2


Copyright Bee Ware SAS, 2003 – 2004. All rights reserved.
Copyright and ownership of this white paper belong to Bee Ware SAS. Copying, duplication, sale or use of this document without prior permission from Bee Ware SAS is strictly prohibited.

This product is based on a software solution developed by Bee Ware SAS.

All trademarks cited in this document are the property of their publishers.












