According to the CSI/FBI 2006 study, 97% of the interviewed companies and administrations were using an antivirus, more than 79% had antispam and antimalware solutions, 98% had a network firewall and 69% had intrusion detection systems. However, 65% of these organisations had undergone a virus or spyware attack, 32% had experienced unauthorized access to their internal data and 15% had even suffered network intrusions. These figures do not take into account companies with no tool to detect incidents, nor organisations that prefer not to 'acknowledge' an intrusion!
Network security is not web application security! The perimeter network firewall cannot block all flows and attacks. It usually lets HTTP flows (ports 80 and 443) into the company's network, because they are needed for communication with the outside world. Since these ports are open, more and more applications use this open door, for instance VoIP as well as peer-to-peer. The HTTP port becomes a toll-free motorway into the internal network: more and more applications (including suspicious ones) are encapsulated into HTTP traffic. This is the "everything over HTTP" phenomenon!
Antivirus and other security tools (among them some IDS, IPS and web firewalls) are usually signature based and are mainly effective against known attacks that have already been identified by the vendor. Moreover, an antivirus has to be constantly updated: the race between vendor, user and hacker is endless, and a single virus generates many variants!
Other tools have limits of their own:
- IPS and IDS (other than signature-based) usually fail to understand the business logic and context of an application.
- SSL encryption (and VPN solutions) protects against eavesdropping and spoofing, but not against malicious traffic that is encrypted from the start.
- Vulnerability assessment and patch management are necessary (but time-consuming!) tasks, and they will not protect against zero-day attacks.
- Authentication tools (such as AAA servers) can only be used with known, existing customers.
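To make the signature-based limitation concrete, here is a small added example (not code from the article or from Binarysec) contrasting the two detection models the article mentions: a signature list that only knows patterns already written down, and a positive model that learns what legitimate parameters look like and flags anything outside that envelope. The training requests, the two signatures and the parameter names are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of legitimate requests (parsed query-string parameters)
# used to train the positive model. Assumed for this example, not from the page.
LEGIT_TRAINING = [
    {"id": "42", "sort": "asc"},
    {"id": "1337", "sort": "desc"},
    {"id": "7", "sort": "asc"},
    {"id": "900", "sort": "desc"},
]

# A tiny signature list in the style of a signature-based filter:
# it only recognises the attack patterns somebody has already catalogued.
SIGNATURES = {
    "sqli-union": re.compile(r"union\s+select", re.IGNORECASE),
    "xss-script-tag": re.compile(r"<script", re.IGNORECASE),
}


def signature_hits(request):
    """Return the names of signatures matched by any parameter value."""
    hits = []
    for value in request.values():
        for name, pattern in SIGNATURES.items():
            if pattern.search(value):
                hits.append(name)
    return hits


@dataclass
class ParamProfile:
    """What legitimate traffic looked like for one parameter."""
    max_len: int = 0
    charset: set = field(default_factory=set)


class PositiveModel:
    """Learns legitimate parameters, then reports anything outside that profile."""

    def __init__(self):
        self.profiles = {}

    def learn(self, request):
        # Widen each parameter's profile with the observed length and characters.
        for name, value in request.items():
            profile = self.profiles.setdefault(name, ParamProfile())
            profile.max_len = max(profile.max_len, len(value))
            profile.charset.update(value)

    def violations(self, request):
        """Return the reasons this request deviates from learned traffic (empty = clean)."""
        reasons = []
        for name, value in request.items():
            profile = self.profiles.get(name)
            if profile is None:
                reasons.append(f"{name}: parameter never seen in legitimate traffic")
                continue
            if len(value) > profile.max_len:
                reasons.append(f"{name}: length {len(value)} exceeds learned max {profile.max_len}")
            unseen = sorted(set(value) - profile.charset)
            if unseen:
                reasons.append(f"{name}: characters {unseen!r} never seen in legitimate traffic")
        return reasons


def build_model(training=LEGIT_TRAINING):
    """Train a positive model on the constructed legitimate traffic."""
    model = PositiveModel()
    for request in training:
        model.learn(request)
    return model


def classify(request, model):
    """Run both approaches on one request: (signature hits, positive-model violations)."""
    return signature_hits(request), model.violations(request)


if __name__ == "__main__":
    model = build_model()
    for req in ({"id": "42", "sort": "asc"},
                {"id": "42 or 1=1", "sort": "asc"},
                {"id": "1", "debug": "true"}):
        print(req, "->", classify(req, model))
```

The second request carries the textbook tautology that no entry in the signature list covers, so the signature check returns nothing, while the learned profile reports both the excessive length and the characters never seen in legitimate `id` values; the third request is flagged simply because `debug` was never part of legitimate traffic. The trade-off is the one the article implies for any learning approach: the profile is only as good as the training traffic, and a change in the application (a new parameter, a longer identifier) has to be relearned or it will be reported as a deviation.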
The last article will cover the fifth requirement: the need for a layered approach to web security.
Richard Touret is a manager at Binarysec, http://www.binarysec.com , a security software company publishing an intelligent web application softwall (or software firewall). This Apache module adapts to most web sites, learning legitimate traffic in order to block any malicious request, including SQL injection, cross-site scripting, directory traversal, forceful browsing, command injection, parameter tampering, attack obfuscation, buffer overflow...