Webgate Plus

Webgate Plus is a web Application Protection System (APS) that protects web servers and their applications from known and unknown forms of attack.
Highlights
- Webgate Plus acts as an in-line Network Intrusion Prevention System for web servers.
- Protocol Anomaly Detection provides Zero-Hour defenses that block unknown forms of attack in real-time.
- Stateful Signature Analysis blocks known forms of attack.
- Webgate Plus provides concurrent use of "allow unless blocked" and "block unless allowed" rules.
- Fault tolerant architecture provides High Availability (99.999%) protection for mission critical environments.
- All HTTP and HTTPS commands are examined: valid requests are permitted; invalid requests and attacks are blocked.
- Webgate Plus offloads SSL processing from busy web servers.
- Webgate Plus protects against unauthorized modification or destruction of content.
- Webgate Plus defends against denial of service attacks.
- Administration tools with integrated strong user authentication and encrypted communications allow for secure remote administration.
- Workload balancing provides higher server throughput and availability.
- Multiple access log formats are supported including: Common Log Format with extensions, WebTrends multi-homed format, and Common Log Format with Virtual Host information.
- Unequaled scalability and performance supporting more than 10 Gbps throughput for non-SSL traffic and more than 1,600 Mbps throughput for SSL traffic using a single system.
Introduction
Many organizations deploy web servers on the Internet to engage in e-commerce, to provide clients or staff with the ability to receive information, or to update databases. Devastating attacks against these web servers are escalating. In 2003 the FBI reported that 80% of the successful Internet attacks exploited application level vulnerabilities on web servers. Application level attacks pass undetected through network level firewalls and stateful packet filters.
Network level
security products such as stateful packet filters and IDS systems are
poorly suited to defend against application level attacks. They look
at packets rather than complete requests so they can be fooled by packet
fragmentation schemes that obscure the attack. IDS systems rely on attack
signatures which are adequate to identify known methods of attack but
fail to identify previously unknown attacks.
Most web application developers do not have the time or expertise to develop applications that are resistant to determined attackers. Even the largest software firms have done a poor job in securing their web server software. As a result there seems to be an endless list of new security alerts followed by an equally endless list of patches that must be applied to web server software and applications.
The only way to secure web servers from these types of attack is to use an in-line application level firewall that can be tailored to unique application requirements. Application level firewalls can block both network level attacks and sophisticated application attacks. Application level defenses should block known forms of attack as well as new (previously unknown) forms of attack. The APS should be able to detect malformed requests that violate HTTP standards and requests that use known attack methods, including worms and exploitation of known vulnerabilities. It should be able to block requests for restricted objects and file types. It should be able to concurrently make use of "allow unless blocked" and "block unless allowed" rules to provide tight security without blocking valid requests.
Solution
Webgate Plus is
an advanced Application Protection System (APS) and an in-line Network
Intrusion Prevention System designed to secure HTTP and SSL connections
for web servers. Webgate Plus examines all HTTP and HTTPS commands and
permits valid requests while blocking invalid requests and attacks.
Webgate Plus uses an advanced pattern recognition engine that detects
and blocks hundreds of attacks that exploit web server and web application
weaknesses. Webgate Plus also blocks attacks which are not detected
by network firewalls and intrusion detection systems. For example, Webgate
Plus:
- blocks buffer overflow attacks that can result in Denial of Service (DoS) attacks or the installation and execution of attack programs.
- blocks attacks that exploit published vulnerabilities in web servers and application servers.
- prevents insertion of Trojan horses that cause web applications to issue unintended commands.
- prevents exploitation of mis-configured servers and server applications.
Webgate Plus provides in-depth protection against known and unknown forms of attack. Protocol Anomaly Detection (PAD) blocks previously unknown forms of attack and Stateful Signature Analysis (SSA) blocks known forms of attack.

PAD: Protocol Anomaly Detection blocks malformed and invalid HTTP requests. PAD blocks buffer overruns that can be used to insert Trojan horses or perform denial of service attacks. Webgate normally checks that submitted URLs are properly encoded UTF-8 Unicode. This check can be deactivated if the protected web servers generate URLs in some other format such as ISO-8859-1.

SSA: Stateful Signature Analysis uses a high performance pattern recognition engine to identify attacks. Webgate Plus ships with a policy database containing pre-defined attack patterns. The policy database may be customized by the local administrator to accommodate any local requirements.
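As an added illustration of the PAD URL-encoding check described above (example code, not Webgate Plus code), the function below percent-decodes a request path and accepts it only if the result is well-formed UTF-8, with a switch that models deactivating the check for ISO-8859-1 sites. The function name, its return values and the treatment of a bad percent escape as a malformed request are this example's assumptions.

```python
import re
from urllib.parse import unquote_to_bytes

# Added example, not Webgate Plus code: a re-creation of the URL-encoding check that
# PAD is described as performing. The function name, the (accepted, reason) result and
# the rejection of bad percent escapes as "malformed" are this example's assumptions.

# A '%' must be followed by exactly two hex digits (RFC 3986); anything else is malformed.
_BAD_ESCAPE = re.compile(rb"%(?![0-9A-Fa-f]{2})")


def check_url_encoding(raw_path: bytes, require_utf8: bool = True) -> tuple[bool, str]:
    """Return (accepted, reason) for the request-target bytes as received on the wire.

    require_utf8=False models deactivating the UTF-8 check for servers that emit
    ISO-8859-1 URLs: percent syntax is still validated, but every byte value is accepted
    because every byte is a valid ISO-8859-1 character.
    """
    if _BAD_ESCAPE.search(raw_path):
        return False, "malformed percent escape"
    decoded = unquote_to_bytes(raw_path)      # resolve %XX escapes to raw bytes
    if not require_utf8:
        return True, "accepted (ISO-8859-1 mode)"
    try:
        # Strict UTF-8 decoding rejects overlong forms, truncated sequences,
        # stray continuation bytes and encoded surrogates (RFC 3629).
        decoded.decode("utf-8")
    except UnicodeDecodeError as exc:
        return False, f"invalid UTF-8 at byte {exc.start}"
    return True, "accepted"
```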
Webgate Plus can be configured to "allow unless blocked" or to "block unless allowed" or a combination of both methods. There can be multiple blocking lists and multiple allow lists. All of the rules in all of the allow lists will be checked before the blocking lists are applied. If all or parts of the web site are relatively static it makes sense to code them in one or more allow lists. An allow list can be generated from the output of an "ls -l" command in the web server's html directory.
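The following added example (not Webgate Plus code) shows how an allow list could be derived from "ls -l" output and how the evaluation order described above, every allow list first and then the blocking lists, combines with the two default modes. The rule formats, the treatment of a directory as a path prefix and the substring block patterns are this example's own assumptions.

```python
from dataclasses import dataclass, field

# Added example, not Webgate Plus code. Rule formats, the prefix treatment of
# directories and the substring block patterns are this example's assumptions.


def allow_list_from_ls(listing: str, web_root: str = "/") -> set[str]:
    """Map each `ls -l` entry to a URL path; a directory becomes a prefix ending in '/'."""
    entries = set()
    for line in listing.splitlines():
        fields = line.split(None, 8)          # keeps file names containing spaces intact
        if len(fields) < 9:                   # skips the 'total N' line and blank lines
            continue
        mode, name = fields[0], fields[8]
        entries.add(web_root + name + ("/" if mode.startswith("d") else ""))
    return entries


def in_allow_list(path: str, entries: set[str]) -> bool:
    return path in entries or any(e.endswith("/") and path.startswith(e) for e in entries)


@dataclass
class Policy:
    allow_by_default: bool                                        # True: "allow unless blocked"
    allow_lists: list[set[str]] = field(default_factory=list)
    block_lists: list[list[str]] = field(default_factory=list)    # substring patterns

    def decide(self, path: str) -> tuple[str, str]:
        for allow in self.allow_lists:                            # all allow lists first
            if in_allow_list(path, allow):
                return "ALLOW", "allow list"
        for block in self.block_lists:                            # then the blocking lists
            for pattern in block:
                if pattern in path:
                    return "BLOCK", f"block pattern {pattern!r}"
        if self.allow_by_default:
            return "ALLOW", "default (allow unless blocked)"
        return "BLOCK", "default (block unless allowed)"


# Constructed `ls -l` output standing in for a real html directory listing.
SAMPLE_LS = """total 16
drwxr-xr-x 2 www www 4096 Mar  3 10:02 images
-rw-r--r-- 1 www www 2841 Mar  3 10:02 index.html
-rw-r--r-- 1 www www  912 Mar  3 10:02 about us.html
-rw-r--r-- 1 www www   60 Mar  3 10:02 robots.txt
"""

STATIC_SITE = Policy(allow_by_default=False, allow_lists=[allow_list_from_ls(SAMPLE_LS)])
MIXED_SITE = Policy(allow_by_default=True, allow_lists=[allow_list_from_ls(SAMPLE_LS)],
                    block_lists=[["/cgi-bin/", ".bak"]])
```

STATIC_SITE serves only what the listing contains; MIXED_SITE admits everything else unless a block pattern matches, which is the combination the text describes for a site with both static and dynamic parts.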
Detailed examination of inbound commands and data permits Webgate Plus to detect and block application level attacks which pass through the best of the stateful packet filters and most proxy based firewalls. Webgate Plus also provides better network level defenses than those found in Stateful Packet Filters. Webgate Plus deactivates IP packet forwarding, eliminating direct IP connectivity between the Internet and the web server. The only way to communicate from the Internet to the web server is through Webgate Plus. This prevents low level network attacks from reaching the web server. Webgate Plus defends against multiple types of Denial of Service attacks including but not limited to SYN Flood, Ping-of-Death, Teardrop2, Named Buffer Overflow, MS Exchange and Netscape Mail Server buffer overruns, Back Orifice, Smurf attacks, BlueButton and others. Attacks that exploit low level operating system features do not get past Webgate Plus.
Webgate Plus permits connections to the web server using explicitly defined ports and IP addresses. Access to other ports is denied unless explicitly permitted. The permit rules control which clients are allowed access to which servers.
Webgate Plus provides
secure remote administration of the web server with strong user authentication
and encrypted data streams. This allows administrators to maintain the
web content from a remote location without the risk of an unauthorized
intrusion.
SSL

Webgate Plus supports three methods of handling SSL traffic.

SSL Offload: Webgate Plus uses SSL to encode/decode traffic between the client and the proxy. Traffic between Webgate Plus and the server is in clear text. This offloads encryption from busy web servers. Systems are available that can support more than 1,600 Mbps SSL throughput.

SSL Parsing: Webgate Plus uses SSL to encode/decode traffic between the client and the proxy as well as between the proxy and the server. This allows Webgate Plus to examine the HTTP traffic, permitting full logging and detection and blocking of web based attacks.

SSL Tunneling: SSL tunneling passes the encrypted data between the client and the server. Since the data stream is not decrypted the commands are not examined by Webgate Plus, preventing inspection and logging. Basic connection information including date and time, the client's IP address and the number of bytes processed is logged.
Performance
Webgate Plus provides high speed, load sharing and load balancing in a transparent manner to one or more web servers. Hardware configurations are available to support any throughput requirement. Webgate Plus achieves unparalleled performance by eliminating 90% of the system overhead found in most application proxies and by fully exploiting the performance advantages of multiple processor systems. Its distributed architecture provides linear scalability by load sharing between clusters of SMP machines.
| Product | No. Proc. | GHz | Arch | Ops/Sec | Mbps | SSL |
| --- | --- | --- | --- | --- | --- | --- |
| Webgate Plus-x346 | 2 | 3.6 | Xeon | 20,160 | 2,052 | No |
| Webgate Plus-x346 | 2 | 3.6 | Xeon | 20,160 | 548 | Yes |
| Webgate Plus-p630 | 4 | 1.45 | Power4+ | 19,300 | 2,290 | No |
| Webgate Plus-p630 | 4 | 1.45 | Power4+ | 5,464 | 657 | Yes |
| Webgate Plus-p5-550 | 4 | 1.65 | Power5 | 46,200 | 5,700 | No |
| Webgate Plus-p5-550 | 4 | 1.65 | Power5 | 12,900 | 1,640 | Yes |
| Webgate Plus-p5-570 | 4 | 1.90 | Power5 | 49,896 | 6,160 | No |
| Webgate Plus-p5-570 | 8 | 1.90 | Power5 | 94,835 | 11,708 | No |
Note: Performance
of Power5 systems has been extrapolated from Power4+ measurements, using
the relative performance numbers (rperf) published by IBM. Power5 performance
is more than twice that of Power4+ due to a series of design improvements
including a dual-threaded dual core chip, faster cache, faster memory
and improved I/O.
Workload Balancing

Webgate Plus can be configured to balance the workload across multiple web servers, allowing intelligent distribution of incoming requests across the servers. Since all connections are session based there is no confusion regarding which network interface is used to return packets. A higher percentage of the workload can be dispatched to the fastest web servers. Should a server get overly busy or completely fail, Webgate Plus will temporarily stop dispatching work to the slow/dead server. It will automatically detect when a failed web server comes back on-line and will immediately begin dispatching work to it.
Webgate Plus allows
you to dynamically increase total web server capacity with non-disruptive
addition of new web servers or new Webgate Plus nodes.
High Availability
Webgate Plus
is designed to support mission-critical applications where a disruption
in service will have a measurable impact on the organization. With the
cost of an outage varying from a few hundred dollars per minute to thousands
of dollars per minute it is essential that a web security system be
designed to operate without disruption for extended periods of time.
Mission critical applications require the use of a high availability
product. Webgate Plus is the first application protection system designed
to support mission critical applications and can be configured to deliver
unprecedented 99.999% availability. Unlike other solutions Webgate Plus
has a true high availability architecture.
Webgate Plus is
designed to be more reliable than the web servers it is protecting.
Webgate Plus systems provide fault detection, fault isolation and automatic
recovery. The high degree of fault tolerance assures very high availability,
data integrity and security. Systems can be configured with multiple
levels of hardware and software redundancy to meet the organization's
availability requirements.
Webgate Plus is
designed to detect, report and isolate errors to prevent error propagation
to other functions. There are multiple levels of functional recovery
routines designed to automatically recover from software failures.
Multiple nodes can be configured as load sharing hot backups of each other. The workload can be evenly distributed between multiple nodes, minimizing overall system response times. This can also be used to evenly distribute the workload for a cluster of web servers. Each node monitors its partner and can automatically take over its functions in the event of a failure. Since all the nodes are actively sharing the workload, the unscheduled outage of a node will be picked up by another node that has been in active use. There are no surprises caused by switching a production workload to a system that has been an idle backup.
Webgate Plus-ES
(Embedded System) is designed to support High Availability (99.999%)
for mission critical applications. This requires a fault tolerant architecture
that incorporates both hardware and software error detection, error
reporting, fault isolation and recovery. Advanced memory architecture
virtually eliminates system outages due to memory failures.
Logging
Webgate Plus provides a complete log of all web operations. The HTTP access log can be written in several standard formats including Common Log Format plus extensions, WebTrends Multi-Homed format or CLF with Virtual Host information. The extensions are appended to the CLF and include Agent and Referrer information. Records can also be written using CLF and Virtual Host information, making it easier to process the logs for virtual hosts. Third party web analysis tools such as analog and WebTrends can process the HTTP access log. The analog program is included and can be used to produce up to 32 customizable reports.
The HTTP access
logs can be written in real-time to another system and used for real-time
analysis. With a multi-node Webgate Plus system all the log information
can be consolidated onto a single machine for real-time analysis. To
improve efficiency the Plog daemon buffers log entries before sending
them to the log analysis machine. Logs are written in large file (64-bit)
format to reduce log rotation frequency for busy sites.
Non-standard traffic, including errors and attacks, is logged in the syslog. Alerts are issued when attacks are identified and blocked.
A built-in real
time monitor shows the number of concurrent connections, the transaction
rates and data rates.
Management
Most administrative
tasks can be completely automated minimizing administrative overhead.
Reports can be automatically generated and mailed to the appropriate
administrators and managers.
There are GUI
interfaces for systems administration and for administering the access
control rules. A GUI utility is available for secure remote administration.
Security is maintained through the use of strong user authentication
and an encrypted data stream.
Changes to the access control rules and to configuration information, including NIC IP addresses, can be made in a non-disruptive manner while the system is running.

Use of single level store and buffered writes to contiguous storage minimizes disk fragmentation, eliminating the need to defragment disk space. The Volume Manager allows dynamic extensions to the file system without disrupting on-going operations.
Webgate Plus is
a complete security solution and does not require another firewall to
secure the web servers. However, Webgate Plus is compatible with firewalls
and workload balancers.
Webgate Plus is available on a CD and ships with a policy database containing pre-defined attack patterns. Included with each license is a one year subscription for automatic updates of attack signatures. Webgate Plus is supported on AIX, Solaris and Linux operating systems. Webgate Plus is licensed by the number of concurrent connections you wish to support.
Webgate Plus is
available as a turnkey solution for your business incorporating state
of the art hardware.