NetSec Letter #25, 7 March 2003
Exit Control

Fred Avolio, Avolio Consulting, Inc., http://www.avolio.com/

Next to e-mail servers -- and by inference, e-mail client systems -- the most vulnerable computers on our networks are our web servers. Because of their function, they are Internet-facing and accessible. Firewalls, IDS, and host "hardening" are all part of defensive steps, as I discussed in September (http://www.avolio.com/columns/20-NeedforWebSecurity.html). Recently, I looked at a company with a different slant on the problem, something Gilian Technologies (http://www.gilian.com/) calls "exit control." [Disclaimer: Gilian is not, nor ever was, a client of Avolio Consulting. I analyzed their company and product on behalf of a client.] This month I will briefly explain why I found Gilian's approach to be innovative and interesting.

Attacks

There is a large, unknown number of potentially successful attacks, based on system vulnerabilities, that an attacker can launch against a web server. Of that large number, the attacks that any attacker will ever actually launch are a smaller number.

We can break down web server attack vectors two ways:

Firewalls protect the web server by blocking unfriendly activity. IDS "notice" such activity. The unfriendly activity is well-defined. As opposed to the indefinitely large number of potential attacks, there are really only three results of a successful attack: content changes, the server crashes, or a web application performs an unintended action. Gilian's G-Server primarily deals with the results, while keeping the web server running, and continuing to deliver *uncorrupted* web page content. In fact, they guarantee it. Through the G-Server appliance, Gilian guarantees, "that altered, corrupt, or unauthorized information will never appear on your Web site in public view." How they do it is interesting. It has to do with something they call ExitControl(TM).

Exit Control

I assume everyone reading this knows why a defaced web page is a bad thing. If you imagine it was your web site, you might agree the first thing you would do is take down the offending site (probably by taking it off line) as a prelude to examination and repair.

Web content providers -- the people updating web pages in an organization -- "check in" pages through the G-Server first, which digitally signs the pages. (For a discussion of digital signatures and an explanation of why this is important, please see http://www.avolio.com/columns/Crypto101.html.) Then, after a request comes in from the Internet, as the server "serves up" the page requested, the G-Server checks that the content is unaltered. If all is well, it sends the page to the requester. However, if the page has been modified, an alarm goes out to the administrators (this is policy-driven, of course), and a cached, known-to-be-good copy of the page is sent. Hence, "exit control." If we're talking "dynamic data," such as is built from a form, the G-Server returns a "Having technical difficulties" page. G-Server further protects software on the web server through an "agent" that sits on the server, and responds in similar fashion in the event someone has modified scripts on the server (though you will still want to harden the web server). G-Server also performs web-specific screening on the incoming requests to make sure they are valid.
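The check-in, verify-on-exit, and fall-back flow described above can be sketched in a few lines. This is an added example, not Gilian's code or anything from the product: the class and method names are hypothetical, HMAC-SHA256 with a gateway-held key stands in for the digital signature, and returning the "technical difficulties" page for a path that was never checked in is this sketch's own choice.

```python
import hashlib
import hmac

# Page the column names for dynamic data; used here when no trusted copy exists.
FALLBACK = b"Having technical difficulties"


class ExitControlGate:
    """Hypothetical gateway: register content at check-in, verify it on the way out."""

    def __init__(self, key: bytes):
        self._key = key        # assumption: key lives on the gateway, not the web server
        self._known_good = {}  # path -> (tag, trusted copy)
        self.alarms = []       # paths whose outbound content failed verification

    def _tag(self, path: str, content: bytes) -> bytes:
        # Bind the tag to the path so one valid page cannot stand in for another.
        msg = path.encode() + b"\0" + content
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def check_in(self, path: str, content: bytes) -> None:
        self._known_good[path] = (self._tag(path, content), content)

    def serve(self, path: str, from_server: bytes) -> bytes:
        """Return the bytes allowed to leave the site for `path`."""
        entry = self._known_good.get(path)
        if entry is None:
            self.alarms.append(path)  # never checked in: nothing trusted to send
            return FALLBACK
        tag, trusted = entry
        if hmac.compare_digest(tag, self._tag(path, from_server)):
            return from_server        # unaltered since check-in
        self.alarms.append(path)      # altered on the server: raise the alarm
        return trusted                # and send the cached known-good copy


def demo():
    """Constructed sample pages; returns the three responses and the alarm list."""
    gate = ExitControlGate(key=b"constructed-demo-key")
    gate.check_in("/index.html", b"<h1>Welcome</h1>")
    gate.check_in("/about.html", b"<h1>About</h1>")
    responses = [
        gate.serve("/index.html", b"<h1>Welcome</h1>"),  # intact
        gate.serve("/index.html", b"<h1>Defaced</h1>"),  # altered page
        gate.serve("/about.html", b"<h1>Welcome</h1>"),  # valid page, wrong path
    ]
    return responses, gate.alarms


if __name__ == "__main__":
    print(demo())
```

The visitor receives known-good content in all three cases, while the alarm list records that two of the requests found altered or misplaced content on the server.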

What I found interesting about their approach is that no matter what the cause of the web defacement, G-Server will catch the change and intercept it. I looked at competitors (see list below), though not in as much detail. None that I saw will guarantee that corrupted pages will never leave your site. And I think that's worth a look.

#

Competitors:

Sanctum AppShield, http://www.sanctuminc.com/

KaVaDo InterDo, http://www.kavado.com/

Stratum8 APS100, http://www.stratum8.com/

Lockstep WebAgain, http://www.lockstep.com/

MultiNet iBroker Secure Web, http://elitesecureweb.com/

Promotions, Self and Otherwise

My 2003 calendar is finally up on my web page. Please see http://www.avolio.com/calendar.html.

"Investigative Response" is new and I believe is one of my best classes. See if it might not fit into your corporate security training. It is a workshop to walk you through developing an incident response plan and first responder team. If your company needs such a team (all medium and large companies do) and does not have one (many do not), consider kicking it off with this class. See http://www.avolio.com/courses/InvestigativeResponse.html.

Next week, I will be in Orlando at the MIS Training Institute’s InfoSec 2003 (http://www.misti.com/). March 12, I teach for 90 minutes on "Evaluating Firewalls." That afternoon is a half-day class called "Advanced Firewalls." (I teach a full day on the topic in Las Vegas in April at Interop.) March 13 is a full day on VPNs.

My March *Information Security Magazine* "Just the Basics" column is entitled "Practical Patching," six steps to help decide when you must patch, and when it's okay to wait. You can find it at http://www.infosecuritymag.com/2003/mar/justthebasics.shtml.