Webgate Plus Technical FAQ
1. What does Webgate Plus do?
Webgate Plus is an advanced Application Protection System (APS) designed to secure HTTP and SSL connections. Webgate Plus examines all HTTP and HTTPS commands and permits valid requests while blocking invalid requests and attacks.
2. Why is Webgate Plus Necessary?
Today most networks are protected by firewalls, which are designed to block unauthorized network level access to servers and other internal systems. However, the most damaging attacks are those that exploit weaknesses in the application server itself or vulnerabilities in the applications that run on the server. These attacks pass through the best stateful packet filters and the majority of application proxy firewalls. As a result, 80% of the successful Internet attacks in the year 2003 were application level attacks directed against web servers. Webgate Plus is designed to block these attacks.
3. What does Webgate Plus do that firewalls and Intrusion Detection Systems (IDS) do not?
Firewalls control access to servers based on IP address and port numbers defined in Access Control Lists. They also offer Network Address Translation (NAT), and some offer proxy services. These firewalls pass HTTP requests sent to port 80 without examining the content. Today there are more than 400 application level attacks that can be mounted against web servers and their applications.
Intrusion Detection Systems (IDS) do not examine what is happening with normal port 80 traffic, nor are they operating in real time.
Webgate Plus examines all HTTP and HTTPS commands in real-time and permits valid requests while blocking invalid requests and attacks. As a result, invalid commands are never sent to the web servers.
4. How does Webgate Plus determine which commands are valid and which are not?
Webgate Plus uses an advanced pattern recognition engine that detects and blocks hundreds of attacks that exploit web server and web application weaknesses. For example, Webgate Plus:
- blocks buffer overflow attacks that can result in Denial of Service (DoS) or in the installation and execution of attack programs.
- blocks attacks that exploit published vulnerabilities in web servers and application servers.
- prevents insertion of Trojan horses that cause web applications to issue unintended commands.
- prevents exploitation of mis-configured servers and server applications.
The patterns are stored in a file that is loaded into memory for rapid access. Webgate Plus automatically detects when new patterns are available and downloads them from the FAS site. Since the patterns are coded as regular expressions, a single expression is capable of blocking many existing and even new variants of an attack. As a result, pattern updates do not need to be frequent.
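As an added illustration of the pattern-file approach described above (this is example code written for this FAQ, not Webgate Plus's own engine or pattern set), the following loads a constructed pattern file into memory and applies it to request lines after percent-decoding them, which is what lets one expression cover several encodings of the same malformed request. The method list, URI length limit and pattern names are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed pattern file in the spirit of the FAQ's description: one
# 'name regex' per line, the regex applied to the percent-decoded request URI.
# Lines starting with '#' are comments. These are not Webgate Plus's patterns.
PATTERN_FILE = r"""
# path traversal in any directory component, after decoding
traversal      (?:^|/)\.\.(?:/|$)
# raw control characters or NUL smuggled into the URI
control-chars  [\x00-\x1f\x7f]
"""

ALLOWED_METHODS = {"GET", "HEAD", "POST"}   # assumed site policy
VERSION_RE = re.compile(r"HTTP/1\.[01]")
MAX_URI_LEN = 2048                           # assumed limit


def load_signatures(text):
    """Compile the pattern file into an in-memory list of (name, regex)."""
    sigs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, regex = line.split(None, 1)
        sigs.append((name, re.compile(regex)))
    return sigs


SIGNATURES = load_signatures(PATTERN_FILE)


def check_request(request_line):
    """Return None if the request line may be forwarded to the web server,
    otherwise the name of the check that rejected it."""
    parts = request_line.split(" ")
    if len(parts) != 3:
        return "malformed-line"
    method, uri, version = parts
    if method not in ALLOWED_METHODS:
        return "bad-method"
    if not VERSION_RE.fullmatch(version):
        return "bad-version"
    # Decode twice and unify slashes so that %2e%2e, %252e%252e and backslash
    # variants all reduce to the same text before matching; this is what lets
    # one expression cover many encodings of the same request.
    uri = unquote(unquote(uri)).replace("\\", "/")
    if len(uri) > MAX_URI_LEN:
        return "oversized-uri"
    for name, pattern in SIGNATURES:
        if pattern.search(uri):
            return name
    return None
```

A rejected line would be written to the error log rather than forwarded, as question 14 describes.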
5. How does Webgate Plus handle HTTPS (SSL) traffic?
Webgate Plus supports three methods of handling SSL traffic: SSL Parsing, SSL Offload, and SSL Tunneling.
SSL Parsing: Webgate Plus uses SSL to encrypt/decrypt traffic between the client and the proxy as well as between the proxy and the server. This allows Webgate Plus to examine the HTTP traffic, permitting full logging and the detection and blocking of web based attacks. Since the data stream is re-encrypted toward the server, all data transmission is encrypted.
SSL Offload: Webgate Plus uses SSL to encrypt/decrypt traffic between the client and the proxy. Traffic between Webgate Plus and the server is in clear text. This offloads encryption from busy web servers. A cryptographic coprocessor is available to enhance SSL performance. Systems are available that can support more than 650 Mbps SSL throughput without requiring a cryptographic co-processor.
SSL Tunneling: SSL tunneling passes the encrypted data between the client and the server. Since the data stream is not decrypted, the commands are not examined by Webgate Plus, which prevents inspection and logging of the requests. Basic connection information, including date and time, the client's IP address and the number of bytes processed, is logged.
6. Can Webgate Plus be used to offload SSL processing from the web server?
Yes. The SSL Offload option can be used to reduce the processor workload on busy web servers.
7. Can Webgate Plus handle high volume web sites?
Webgate Plus is the highest performing and most scalable HTTP Application Protection System on the market. Hardware configurations are available to support any throughput requirement. The following table shows Webgate Plus performance for HTTP traffic on two medium sized systems.
Model                 Processors  GHz   Type     Ops/sec  Mbps  SSL
Webgate Plus-ESp630   4           1.45  Power4+  19,300   2292  w/No SSL
Webgate Plus-ESx335   2           3.0   Xeon     14,300   1710  w/No SSL
Higher levels of throughput are possible using faster configurations or by clustering groups of systems to share the workload.
8. How scalable is Webgate Plus?
Webgate Plus runs on a variety of systems that offer both horizontal and vertical scalability. Horizontal growth is achieved by configuring multiple Webgate Plus systems in a load sharing cluster. An unlimited number of systems can be configured in this manner, yet to the web browser the cluster looks like a single web site. Webgate Plus also offers the greatest vertical growth path in the industry. Webgate Plus is available on a variety of systems that provide cost effective solutions for web sites of all sizes. At the high end, one SMP system running Webgate Plus can support up to 60,730 Web Ops/second with a system throughput of 7.2 Gigabits/second. Another 19" 7U rack mounted unit can support 14 Gigabit/second throughput. Its throughput is only limited by its maximum configuration of 28 Gigabit Ethernet adapters.
9. How much SSL traffic can Webgate Plus support?
The following table shows Webgate Plus performance for HTTPS (SSL) traffic on two medium sized systems.
Model                 Processors  GHz   Type     Ops/sec  Mbps  SSL
Webgate Plus-ESp630   4           1.45  Power4+  5,464    657   w/SSL
Webgate Plus-ESx335   2           3.0   Xeon     3,819    458   w/SSL
These systems can be clustered for higher performance and availability. Large systems are also available.
10. What types of logging support does Webgate Plus provide?
Webgate Plus provides a complete log of all web operations. The HTTP access log can be written in three different formats:
- Common Log Format plus extensions adds Agent and Referrer information to the end of the CLF data.
- WebTrends MultiHomed format provides support for the WebTrends report generator.
- Common Log Format for Virtual Hosts places the target host name at the end of the record, making it easier to process data when supporting virtual hosts.
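The following is an added example, not Webgate Plus's own log code, showing how an analysis tool can parse plain CLF records alongside the two CLF variants named above (extensions appended after the byte count, or a trailing virtual host name) and tally bytes per client. The sample lines are constructed; the order of the trailing referrer and agent fields is assumed to follow the usual combined-log convention.

```python
import re

# Constructed sample access-log lines, one in each of the three layouts the
# FAQ describes: plain CLF, CLF plus extensions (trailing referrer and agent,
# in that order by assumption) and CLF for virtual hosts (trailing host name).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2003:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326',
    '203.0.113.5 - alice [10/Oct/2003:13:55:40 -0700] "GET /app/login HTTP/1.1" 302 512 '
    '"http://www.example.com/start" "Mozilla/4.0"',
    '198.51.100.7 - - [10/Oct/2003:13:56:02 -0700] "POST /cgi-bin/form HTTP/1.1" 403 219 '
    'shop.example.com',
]

# The seven CLF fields; whatever follows is captured in 'rest' and decides
# which of the three layouts the record is in.
CLF_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)(?P<rest>.*)$')
EXT_RE = re.compile(r'^ "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$')
VHOST_RE = re.compile(r'^ (?P<vhost>[^\s"]+)$')


def parse_clf(line):
    """Parse one access-log record into a dict and tag it with its layout.
    Raises ValueError for records in none of the three layouts."""
    m = CLF_RE.match(line)
    if not m:
        raise ValueError("not a CLF record: %r" % line)
    rec = m.groupdict()
    rest = rec.pop("rest")
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    if rest == "":
        rec["format"] = "clf"
    elif EXT_RE.match(rest):
        rec.update(EXT_RE.match(rest).groupdict(), format="clf-ext")
    elif VHOST_RE.match(rest):
        rec.update(VHOST_RE.match(rest).groupdict(), format="clf-vhost")
    else:
        raise ValueError("unrecognised trailing fields: %r" % rest)
    return rec


def bytes_by_client(lines):
    """Total bytes sent to each client address, a typical log-analysis tally."""
    totals = {}
    for line in lines:
        rec = parse_clf(line)
        totals[rec["client"]] = totals.get(rec["client"], 0) + rec["bytes"]
    return totals
```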
11. Can Webgate Plus logs be sent to another system?
The HTTP access logs can be written in real-time to another system and used for real-time analysis. With a multi-node Webgate Plus system all the log information can be consolidated onto a single machine for real-time analysis.
To improve efficiency, the Plog daemon buffers log entries before sending them to the log analysis machine. This utility is essential for large scale web sites that produce large quantities of log data. The HTTP Log Analysis program can process log data at a rate of more than 5 MB per second.
12. What types of reports can be generated by Webgate Plus?
Webgate Plus includes a web log analysis tool that produces up to 32 customizable reports, allowing you to analyze how the Internet community is using your web server. The HTTP reports can be generated in HTML, delimited text or plain text. Reports can be generated automatically on an hourly, daily, weekly and monthly basis. Reports can be sent to an internal web server for review, e-mailed to the appropriate persons, or sent to an FTP server.
In addition, use of CLF allows third party web analysis tools such as analog, WebTrends and others to be used.
13. Are Real Time Alerts Available?
Yes. Security alerts can be displayed on a remote administrator's console in real time.
14. How are HTTP attacks and errors logged?
Non-standard traffic, including errors and attacks, is logged in the Webgate Error Log. This log can be monitored in real time from a remote administrator system.
15. Is there a real time performance monitor?
Webgate Plus has a built-in real time monitor that shows the number of concurrent connections, the number of connections/second, operations per second, and the number of KB/second read from and written to the clients. The processor utilization is also shown. Both 60 second and 5 second averages are displayed.
16. Does Webgate Plus support workload balancing among a group of web servers?
Webgate Plus can be configured to balance the workload across multiple web servers, allowing intelligent distribution of incoming requests across the servers. A higher percentage of the workload can be dispatched to the fastest web servers. This feature allows multiple web servers to appear to the outside world as one fast server.
17. How does the workload balancer affect web server availability?
The workload balancer improves the overall reliability and availability of the web server. Should a server get overly busy or completely fail, Webgate Plus will temporarily stop dispatching work to the slow/dead server. When a failed web server is returned to service, Webgate Plus will automatically detect that the server is online and begin dispatching work to it again.
18. Do all the systems in a WG+ High Availability configuration participate in the workload balancing?
Yes. Since all connections are session based, there is no confusion regarding which network interface is used to return packets.
19. Can new web servers be added to the pool without disrupting existing operations?
Yes. Total web server capacity can be increased dynamically by adding new web servers without disruption. New Webgate Plus systems can also be added to the configuration in a non-disruptive manner.
20. Can multiple copies of Webgate Plus be administered from a central location?
Yes. Webgate ships with a remote administration tool that allows you to manage multiple copies of Webgate Plus.
21. Is Webgate Plus available in a High Availability configuration (99.999%)?
Yes. FAS pioneered High Availability (99.999%) Application Protection Systems more than 7 years ago. Webgate Plus was designed from the start to be a fault tolerant system. It can dynamically detect, isolate and recover from both hardware and software errors. As a result, Webgate Plus has proven to be far more reliable than the web servers it is protecting. Systems can be configured with multiple levels of hardware and software redundancy to meet the organization's availability requirements.
22. What Fault Tolerant Features are available with Webgate Plus?
Webgate Plus is available in a variety of configurations. Some of the hardware configurations supported by Webgate Plus have a measured Mean Time Between Failure (MTBF) exceeding 10 years. One model has a measured MTBF of 40 years!
Listed below are some of the features that make this unequaled level of reliability and availability possible.
Robust Error Logging and Reporting: The operating system provides automatic logging of hardware and software errors. In the unlikely event of a hardware or environmental problem (loss of power), the system automatically captures and stores the error signature in Non Volatile RAM. When the system reboots, the error is automatically logged by the operating system. The Error Log Analysis program can be used to display the cause and the physical location of any hardware failure. Sophisticated analysis and reporting tools allow many problems to be fixed before they can disrupt service.
Journaled File System: The Journaled File System maintains data consistency and prevents data loss when the system is abnormally halted by a power failure. The Logical Volume Manager allows file systems to be dynamically added or expanded while the system is running.
Automated disk and log management software prevents disk full conditions that can disrupt operations. Administrators are automatically notified of a pending shortage before it can disrupt service.
Disk drive fault tracking automatically alerts the system administrator of an impending disk failure before it impacts operation. This permits corrective action to be taken to avoid an unscheduled outage.
Dynamic file system extension permits existing file systems to be extended, or new file systems to be created, while the system is running. Additional swap space can be dynamically added if required.
Firewall Monitor: Specialized functions monitor the firewall daemons for proper operation and dynamically recover failing processes. Three layers of software redundancy minimize the impact of hardware and software failures.
High Availability Feature: The integrated High Availability feature allows a pair of redundant systems to act as load sharing hot backups of each other. Should one system fail, the other will automatically diagnose the problem and dynamically take over the functions of the failing unit. Multiple pairs can be configured to form a highly redundant cluster.
Reliability and Availability Features of the hardware:
The Webgate Plus-ESpxxx systems offer advanced features that allow the system to recover from hardware errors without disrupting operations.
Hot-swappable SCSI drives allow concurrent addition or replacement of drives while the system is running.
Environmental Monitoring: Monitoring functions track fan speed and AC power loss and can perform an orderly shutdown if a fan is not operating or the AC power is failing.
Chipkill Memory: Chipkill memory detects and corrects multi-bit errors within a single byte, making it 100 times more reliable than ECC memory. This virtually eliminates system outages due to memory errors.
Cache and Memory Error Recovery: The processors, L1 cache, L2 cache, system busses and memory are all protected by error correcting code (ECC). All single bit errors are corrected on the fly and double bit errors are detected to maintain system integrity. Memory is organized so that the failure of any memory module only affects a single bit within an ECC word. This allows operations to continue in the event of a chip failure. Built-in memory scrubbing performs continuous checking and correction of memory errors.
I/O Recovery: The Remote I/O interface supports dynamic packet retry to allow recovery from transient error conditions. I/O packets will be automatically rerouted on an alternate path should the retries fail. Thus, no single error will cause the system to go down.
Service Processor: The systems have a service processor that provides advanced system environmental monitoring and alerting functions. The service processor monitors AC/DC voltages, fan speed, and temperature and can provide power off warnings, as well as alerts and error log analysis. If potential component failures are detected, the service processor can dial out to a service center and take preventive measures in an effort to prevent a costly outage.
Redundant hot-plug power supplies provide greater availability in the event of a power supply failure. Power supplies can be replaced while the system is running. There are even two power cords.
Redundant hot-plug cooling fans: Four hot-swap cooling fans allow the system to continue running in the event of a cooling fan failure. Fans can be replaced while the system is running.
Hot-plug PCI Adapters: PCI adapters can be added or removed while the system is running.
Dynamic CPU Deallocation: Processors are continuously monitored for errors. When a predetermined threshold is reached, a warning message is written to the system error log and the processor is marked for deconfiguration at the next boot. The OS will attempt to migrate all resources associated with the failing processor to another processor. When there are more than two processors in the system, the failing processor will be dynamically deallocated to prevent additional work from being scheduled on it.
Persistent CPU and Memory Deconfiguration: CPU and memory modules that are marked as "bad" are not configured at boot time. When the processor or memory module is replaced, the new components are automatically configured on reboot.
PCI Bus Error Recovery: Each PCI slot is logically and physically isolated to its own PCI bus. This allows the system to isolate PCI errors to a single adapter. Future releases of the OS will provide for device recovery within the device driver.
23. How secure is remote administration?
FAS designed the remote administration for Webgate Plus to meet the NSA security requirements for mission critical systems of the U.S. DoD. Remote administration requires Strong User Authentication and all data transmissions are encrypted using DES3. A complete audit trail is maintained for all administrative actions. No other Application Security System has been designed to such a stringent security standard.
24. What Web Servers does Webgate Plus Support?
Webgate Plus works at the HTTP protocol level and does not depend on which web server or OS sits behind it. As a result, it supports all types of web servers, including Apache, Netscape, WebSphere, MS IIS and others.
25. How difficult is it to integrate Webgate Plus into an existing network?
Depending on the complexity of the server network, it may take anywhere from an hour to a day to implement Webgate Plus.
26. How much latency does Webgate Plus add to server response time?
Less than one eighth of a millisecond ( < 0.00012 sec) for most transactions.