Moving Up The Stack
May 1, 2008 12:00 PM, By Sandra Kay Miller
As networks, both public and private, have become more integral to everyday life, the lines between public and private continue to dissolve. Users connect through common computing devices on both types of networks for personal and professional necessities. Consumers and corporations alike are now doing business online through Web-based applications that traverse the traditional corporate firewall.
Operating in a world of HTTP and HTTPS, the majority of information passing over networks today is being ported to Web-based interfaces. Financial transactions and the movement of private data now dominate the Internet.
“As security people work through networks, it's going to become clearer in the future that there are only going to be two ports that exist — SMTP for e-mail and port 80,” speculates Kevin Rowett, CTO at GigaFin Networks (gigafin.com). He points out that already many applications have been redesigned to operate over port 80 (the standard port for Web servers).
Unfortunately, this shift has not gone unnoticed by malware writers and hackers who now punch through firewalls effortlessly posing as legitimate traffic or by exploiting vulnerabilities in Web-based applications. Once past the traditional network firewall, criminals are marching right up the OSI ladder to the heart of where critical information is stored — in applications and databases.
“You used to be able to do security through obscurity, but Google has changed all that, and it has basically made any application on the Internet open for attack if it has not been well-coded,” explains J.D. Sherry, vice president of technology at NIC Inc. (nicusa.com), a provider of online service portals for 21 state governments.
The new wave of digital attacks includes cross-site scripting, buffer overflows, cookie poisoning, SQL injection, forceful browsing, forms tampering, request forgeries and remote code execution. To effectively protect against such attacks, IT administrators are turning to solutions that operate at Layer 7, commonly referred to as Web Application Firewalls (WAFs).
Application security can be challenging since traffic entering through ports 80 and 443 (the two most common ports for HTTP traffic) can appear genuine, yet be attempts at finding weaknesses within the application itself to exploit vulnerabilities in an effort to exfiltrate massive amounts of sensitive data undetected. WAFs perform deep packet inspection by examining each request and response within HTTP, HTTPS, SOAP, XML-RPC and Web Service layers. Both software and hardware-based solutions employ a combination of whitelists, blacklists and behavioral analysis to determine whether the traffic conforms to the security policies.
For example, Sherry points out that miscreants are now taking advantage of the same automated scanning tools used by legitimate security professionals. “These are not just script-kiddies, but knowledgeable professionals grabbing best practice security methods and buying off-the-shelf scanning tools to launch against Web sites so they can figure out where the vulnerabilities are.” Security engineers at NIC see vulnerability scans launched against its networks every day. “When the scans are coming from places such as Russia, we know they're not legitimate,” Sherry says. “Our WAF allows us to identify those signatures and block those attacks right away.”
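To make the WAF mechanics described above concrete (the whitelist, or positive model, of what the application actually exposes; the blacklist of request signatures for the attack classes listed earlier; and the scanner identification NIC's engineers rely on), here is an added Python example. It is not code from the article or from any vendor mentioned in it; the request records, the allowed paths and the signature patterns are all constructed for illustration, and a real WAF would use far larger, maintained rule sets.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Positive model (whitelist): the methods and paths this hypothetical
# application really serves. Anything else is "forceful browsing".
ALLOWED_METHODS = {"GET", "POST"}
ALLOWED_PATHS = {"/", "/login", "/account", "/search"}

# Negative model (blacklist): coarse, illustrative signatures for input that
# should never reach the application. Real rule sets are far more extensive.
SIGNATURES = {
    "sqli": re.compile(r"(?i)(\bunion\b\s+\bselect\b|'\s*or\s+\d+\s*=\s*\d+|--\s*$|;\s*drop\b)"),
    "xss": re.compile(r"(?i)(<\s*script\b|javascript:|on\w+\s*=)"),
    "traversal": re.compile(r"\.\./|%2e%2e%2f", re.I),
}

# Identification of automated scanners by their User-Agent string (constructed list).
SCANNER_UA = re.compile(r"(?i)\b(nikto|sqlmap|nessus|scanner)\b")


def _cookie_pairs(cookie_header):
    """Split 'a=1; b=2' into [('a', '1'), ('b', '2')] so cookie values are inspected too."""
    pairs = []
    for item in cookie_header.split(";"):
        if "=" in item:
            name, value = item.strip().split("=", 1)
            pairs.append((name, value))
    return pairs


def inspect(req):
    """Apply whitelist, blacklist and scanner checks to one request record.

    req is a dict with 'method', 'url', optional 'body' and 'headers'.
    Returns {'action': 'allow' | 'block', 'reasons': [...]} so the caller can log
    exactly which policy fired, which is what an operator needs when tuning rules.
    """
    reasons = []
    parts = urlsplit(req["url"])
    headers = req.get("headers", {})

    # 1. Positive model: method and path must be ones the application exposes.
    if req["method"] not in ALLOWED_METHODS:
        reasons.append("method-not-allowed")
    if parts.path not in ALLOWED_PATHS:
        reasons.append("forceful-browsing")

    # 2. Negative model: every parameter value (query, body, cookie) is matched
    #    against the signatures. Inspecting decoded values defeats simple encoding.
    params = parse_qsl(parts.query, keep_blank_values=True)
    params += parse_qsl(req.get("body", ""), keep_blank_values=True)
    params += _cookie_pairs(headers.get("Cookie", ""))
    for name, value in params:
        for label, pattern in SIGNATURES.items():
            if pattern.search(value):
                reasons.append(f"{label}:{name}")

    # 3. Scanner identification from the User-Agent header.
    if SCANNER_UA.search(headers.get("User-Agent", "")):
        reasons.append("scanner-user-agent")

    return {"action": "block" if reasons else "allow", "reasons": reasons}


# Constructed sample requests: one legitimate, the rest representative of the
# attack classes the article lists (values are illustrative, not real traffic).
SAMPLE_REQUESTS = [
    {"method": "GET", "url": "/search?q=college+savings",
     "headers": {"User-Agent": "Mozilla/5.0", "Cookie": "session=abc123"}},
    {"method": "POST", "url": "/login", "body": "user=alice&pass=x'+OR+1=1--",
     "headers": {"User-Agent": "Mozilla/5.0"}},
    {"method": "GET", "url": "/search?q=%3Cscript%3Ealert(1)%3C/script%3E",
     "headers": {"User-Agent": "Mozilla/5.0"}},
    {"method": "GET", "url": "/admin/backup.zip",
     "headers": {"User-Agent": "Mozilla/5.0"}},
    {"method": "GET", "url": "/",
     "headers": {"User-Agent": "Mozilla/5.0 (compatible; Nikto/2.1.5)"}},
]


def run_samples():
    """Inspect every sample request; returns the list of verdicts in order."""
    return [inspect(r) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, verdict in zip(SAMPLE_REQUESTS, run_samples()):
        print(req["method"], req["url"], "->", verdict["action"], verdict["reasons"])
```

Two design points worth noting: the positive model alone already stops the forceful-browsing request, which no signature could have caught, and the verdict carries the parameter name that tripped a rule, so a false positive on a legitimate form field can be traced and tuned rather than silently blocking users.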
Three years ago, NIC added Breach Security's (breach.com) WebDefend WAF to its security arsenal to protect against the burgeoning problem of criminals stealing private information stored online. “There's a huge market out there for data that can be sold on the black market — credit card information, Social Security Numbers — everything that we're tasked with protecting has become a huge target lately,” Sherry laments.
Similarly, Intuition Systems Inc. (intuitioncorp.com) has also turned to WAF to enhance its digital security posture. The Florida-based company is responsible for the management of several states' pre-paid college funds, payment processing for government, commercial and financial institutions and provides a regulatory oversight database for check-cashing and payday loan businesses to ensure their compliance with predatory lending legislation.
© 2013 Penton Media Inc.