Imperva and Sentryware pad layer 7 security

Hive and SecureSphere deliver enhanced protection to Web applications

Vulnerabilities in Web-based applications are a big problem, compounded by the fact that most apps are not well behaved and are usually overly complex. Solutions such as IPSes (intrusion protection systems) and application firewalls help lock down your app servers, but they have not been the security panacea many have expected them to be. (See our special report on Web application firewalls.)

Two companies have joined the security fray, offering products that aim to provide an even greater measure of security than what is found in traditional application firewalls. The two solutions — Hive from Sentryware and SecureSphere from Imperva — vary, however, in approach.

The Hive appliance sits transparently in front of application and Web servers and uses encrypted tokens to lock down the applications, preventing unauthorized access.

SecureSphere, available as a software package or as an appliance, is a server-based system that uses SecureSphere Gateways to unobtrusively log network traffic, analyzing the packets in real time and comparing the patterns to previously profiled traffic stored in a SQL database.

Although their methodologies differ, both systems can stop attempts to hack or otherwise disrupt application or database servers.

Sentryware Hive

Hive is a proactive security device, unlike most IPSes, which are reactive. Instead of using set policies or rules to protect your Web applications, Hive embeds AES (Advanced Encryption Standard)-encrypted tokens in the HTML stream on the fly.

These tokens are specific and unique to each HTML page and each object on the page. When a user accesses the home page of an application, Hive actually takes the HTML while it’s in transit and rewrites it to include the token information, a long hex key. Token creation and HTML rewriting take place at near wire speed and are completely transparent to the application.

When a user chooses a Hive-secured object, the associated token is presented to Hive. If the token is valid, Hive sends the request to the Web server. If a request is made for a page that doesn’t have a token associated with it or some part of the URL is modified, Hive rejects the request and, depending on configuration, redirects the user to a different page or displays an error message.

One common attack is to tamper with the URL string. If a user were to modify the URL, Hive would deny the connection attempt, even if it matched that of a valid page, because the user would not have made the page request via the secured objects. Furthermore, because tokens are created for each session, an attacker cannot reuse a token to circumvent Hive’s security.

The approach is indeed effective. I tested Hive in my lab against a live e-commerce Web site, and no matter how I tried to get around the tokens, I was stopped at every turn.

Installation is straightforward and Hive’s Web-based management interface is easy to use. Implementing the solution requires a little planning and understanding of the Web site layout. You will want to define entry pages for the application and to identify forms and objects to ensure that everything is protected. Sentryware says the next major release of Hive will automatically identify these objects. 

Hive is more resilient to changes in the underlying HTML interface than traditional IPSes and application firewalls. It will still secure HTML objects even if, for example, the page layout changes or page names are different.

Hive includes Sanity Checks — optional, built-in, rules-based protection — to make sure no one tries to use an SQL injection attack, cookie poisoning, a shell code exploit, or cross-site scripting against your Web application. Hive will also protect the contents of Web forms and all the fields in the form. Using HTags — proprietary HTML tags you define in Hive and insert in the HTML — you can validate the data entered into a form has a specific format and length.

Using multiple Hives in a load-balanced or fault-tolerant deployment is very easy because there are no state tables to maintain across devices. Although Hive will log to syslog or any SNMP platform, there isn’t a central management built into the system.

Sentryware definitely has come up with a secure and unique method of protecting Web applications and database servers. Overall, however, I’d like for Hive to have built-in centralized management and found configuring Hive to be somewhat time-consuming.

Imperva SecureSphere

Imperva’s Web application protection takes the essence of an IPS and adds to it advanced heuristics and attack correlation. It doesn’t just rely on a preset list of known application vulnerabilities, and it can protect against unknown attacks on Web servers and database servers.

Unlike Hive, SecureSphere is a reactive form of application security. The solution detects anomalies or outright attacks and, based on your policy, can stop the troublemaker dead in his or her tracks or simply log the occurrence for future analysis.

SecureSphere uses two appliances. The SecureSphere G4 Gateway looks at all the traffic on your LAN and logs each Web page request or database lookup to SecureSphere’s other appliance, the MX Management Server. This appliance stores the collected information in a SQL database where it is sorted and collated, providing a centralized management platform. You can deploy the G4 Gateway alongside the LAN so that it sniffs packets only as they move across the wire, or you can deploy it in line with the LAN so that all traffic has to pass through it.

The gateway is also the point where the SecureSphere console implements and enforces its policies. To stop an attacker, SecureSphere issues a TCP reset based on the session ID and kills the attacker’s session. In my tests, I saw how quickly a TCP reset can kill a user session, even at LAN speeds.

The SecureSphere console is where all the collected traffic is analyzed, sorted, and stored in a provided SQL database engine. In it, you can monitor multiple gateways and push your policies out to them at the same time from a single console.

What I found most innovative about SecureSphere is that it learns what normal traffic patterns are for your Web app and database server. Based on what it learns, SecureSphere can detect attempts to manipulate URL strings or to change field contents. For example, if a form is submitted with some fields containing more than 1,000 characters, SecureSphere will know that this could be a buffer overrun attempt and will then implement your policy for this type of anomaly. You can override the learned values to tailor it to suit your requirements.

The real power of SecureSphere comes into play with its CAV (Correlated Attack Validation) engine. The CAV engine takes collected data and compares it to known vulnerabilities and against learned traffic patterns. It then distills all data and looks for patterns. It only alerts you when there is sufficient reason to believe an attack is taking place. SecureSphere can track user activity over time and help determine the true intent of the user.

Installing SecureSphere can take less than a day, but you will want to put it in learning mode for a week or more to allow it to learn what traffic to expect on your LAN. The Irregular Events and Alerts pages in the Activity Console are well laid out and easy to read. My overall impression is that with proper tuning SecureSphere can provide a level of security for your Web and database servers not found in most other layer 7 security products. Unfortunately, the price tag my prove to be too high for all but the largest of companies.

Both Sentryware and Imperva have taken layer 7 protection to new heights. Although I like SecureSphere’s CAV engine and ability to learn application behavior, I believe Hive’s proactive approach to security is going to be the model for future application security devices.

InfoWorld Scorecard
Management (25.0%)
Value (10.0%)
Scalability (15.0%)
Performance (15.0%)
Security (25.0%)
Configuration (10.0%)
Overall Score (100%)
Sentryware Hive Version 2.0 9.0 9.0 10.0 10.0 9.0 7.0 9.1
Imperva SecureSphere Version 2.0 9.0 8.0 10.0 9.0 9.0 9.0 9.1