Application Firewall Overview
For the latest information, please see http://www.IVOappliance.com/iag/index.htm
Contents
IAG Application Firewall: An Overview........................................................................................1
Features and Benefits .................................................................................................................2
Technical Outline ........................................................................................................................4
Application Request Filtering ..................................................................................................4
Broad Application Attack Prevention Capabilities ..........................................5
IAG Application Firewall: An Overview
The Intelligent Application Gateway (IAG) 2007 application firewall component is a next-generation positive logic firewall designed to secure applications from network-layer and application-layer attacks through an easy-to-manage and integrated approach. Recognized by industry
analysts as a leading secure application firewall in its own right, the application firewall is a
critical element in delivering a complete application access and security solution for the most
demanding enterprise customers.
The gateway’s ability to ensure that only valid resource requests are forwarded to the internal
server protects the application infrastructure, and its support for event-driven rules allows
dynamic, session-specific variables to be included in the policy so that external access retains
full functionality.
The IAG application firewall combines Web-based connectivity, flexible authentication and
authorization, endpoint compliance and sophisticated application filtering in a single appliance
with a unified policy framework.
The IAG application firewall can support a hybrid approach to ensure complete protection
against all application-layer threats while allowing authenticated users the ability to access
critical business applications from any unmanaged endpoint in conjunction with IAG endpoint
compliance enforcement.
In a normal, risk-free environment, administrators could assume that, in the context of Web-based connectivity, the user’s browser sends only legitimate HTTP requests to the Web
server. However, a number of scenarios mandate the implementation of application
filtering.
A public browser or other non-corporate machine might be contaminated with a worm "sitting
and waiting" for someone to authenticate in order to launch an attack. In addition, legitimate
user credentials can be hijacked by a hacker looking to gain unauthorized access to corporate
data.
Another risk is that a rogue user potentially exploiting a semi-trusted connection as a partner
or even a non-trusted connection as a customer can assume control over the application
access gateway before or after authentication, essentially creating an open door to the internal
network.
Application-layer attacks can range in impact from a minor disturbance of network
availability to information theft and unauthorized control of back-end application servers. The
application firewall’s role is to protect the Web application servers and the application access
gateway from these exploits and malicious attacks while allowing legitimate requests to pass
through to the server, enabling the business benefits of browser-based application access.
The functionality of the IAG application firewall extends beyond the capabilities provided
by other SSL VPNs, which are restricted to protecting their own appliance from attacks.
The ability to shield the application servers behind the appliance from attacks enables IAG
customers to expand the number of unmanaged endpoints that can connect to internal
resources while ensuring that infrastructure is not put at risk.
IAG Application Firewall
1
Features and Benefits
Implementing the IAG application firewall as part of an overall application access deployment
provides the following benefits:
Comprehensive security for sensitive applications and data
Streamlined security processes through an integrated application access policy framework
Policy-driven security enforcement
Simplified architecture and minimized need for additional third-party elements
Ability to adhere to corporate policies forbidding the opening of firewall ports
Lower total cost of ownership than custom in-house solutions
The application firewall can be configured to pass through only legitimate server requests
based on a dynamic, event-driven white list of acceptable application transactions, and can be
customized through a toolkit that includes a rule set editor, a recorder and a rule set
optimization tool to allow for easy policy definition.
In order to reduce the complexity and minimize the overhead associated with protecting
application infrastructure potentially exposed by broader access, IAG 2007 provides
application-specific rule sets as an integral element of Intelligent Application Optimizers™ that
will protect servers with out-of-the-box policy configurations.
The application firewall’s positive logic filtering technology, with support for event-driven
variables, shields systems from current and future threats by enforcing acceptable
application actions.
The IAG component has been proven in large-scale deployments with stringent security
requirements, and incorporates rule sets for widely used enterprise applications including
Microsoft®, IBM Lotus and SAP environments.
Integration of the application firewall at the product and policy levels empowers administrators
to implement application access in a simple – yet secure – manner without the need for
additional expensive and complicated infrastructures in order to avoid security breaches.
Application-level control includes thoroughly inspecting URLs, methods, parameters, and
any other incoming data. The inspection rules can be based on the positive logic of the
application, indicating a controlled set of legitimate URL, method, and parameter
combinations to which the requests are expected to conform. This prevents application-level
attacks based on malformed URLs or HTTP requests.
IAG 2007 also supports negative logic rules that utilize signature identification to block known
attacks from reaching internal servers.
In addition to its powerful technical features, the IAG application firewall centralizes and
simplifies the process of managing and enforcing security, thereby reducing the likelihood of
security breaches due to human error. Thanks to an integrated approach focused on the
session lifecycle, organizations utilizing the IAG application firewall need not worry about
conflicts between the various moving parts of their security architecture.
Because IAG 2007 can provide native endpoint checking or integrate with third-party software
to ensure that only healthy clients connect to the network, assign user rights and enforce
acceptable session parameters through a single policy framework, administrators can
upgrade or patch a single component without further changes to the rest of the security
infrastructure.
Of course, the application firewall itself must be internally impervious to attacks so as to
ensure that internal servers are completely protected. Incorporation of Microsoft Internet
Security and Acceleration (ISA) Server 2006 protects the IAG appliance itself from Internet-based
attacks. In addition to the application firewall features, IAG 2007 handles additional
security functions such as authentication. When a request has passed the security
checks, IAG 2007 uses its pre-defined configuration to determine which application server
the request must be sent to, builds a TCP/IP connection to that server, and relays
the request across the internal network. Inappropriate requests are terminated by the
appliance when it inspects inbound traffic.
Responses work in a similar fashion, with the IAG 2007 translating and encrypting traffic from
the various application servers prior to transmission to the user. The IAG 2007 can be
configured to modify application source data on the fly, changing content and adding features
as desired or needed.
The IAG 2007’s Host Address Translation feature supplements this capability by publishing
encrypted URLs to external browsers. The Host Address Translation’s dynamic URL rewrite
enables secure publishing to the Internet through resource cloaking while preserving integrity
of server requests.
A screenshot of the firewall rule policy definition tool.
Technical Outline
The IAG application firewall offers the most robust filtering available today. It utilizes a
combination of negative logic, positive logic, and event-driven dynamic rules.
Application Request Filtering
There are several different types of filtering architectures available today.
1. Negative logic based filtering: Negative logic filtering relies on signatures of known
attacks and allows security systems to prevent any requests that appear to match the attacks’
signatures from reaching protected servers.
Filters relying on negative logic are quite accurate at preventing known attacks, but are
powerless when it comes to shielding against unknown exploits. They also require regular
updates to their signature sets.
2. Positive logic based filtering: Positive logic filtering allows valid requests based on a
rule set detailing what types of communications the protected servers know how to handle; it
prevents any requests not known to be valid from reaching secured servers.
To minimize the performance overhead of a filtering engine utilizing positive logic, the set of
valid requests is normally defined in some optimized format such as through the use of regular
expressions. Valid Method-URL-Parameter combinations can be defined, as can appropriate
parameter value ranges (e.g. month should have a value between 1 and 12).
Defining the set of valid requests requires some upfront investment, but positive logic engines
typically require less ongoing maintenance than negative logic engines, because maintenance
depends on changes to the application itself rather than on the emergence of new security
threats. Since the set of valid requests rarely changes, maintenance is appreciably lower. Rule
set automation and optimization tools can simplify the task as well.
3. Dynamic rules based filtering: Some security vendors have proposed dynamically
scanning each outgoing web page at the filter, and establishing rules accordingly: rules that
would allow only the URLs that were part of the outgoing HTML page to be submitted as
requests by the user. This “dynamic rules” concept has several limitations in real-world
implementations:
Technical issues – Many Web-based enterprise applications utilize Java applets, JavaScript,
ActiveX®, Flash, and other non-HTML elements, all of which prevent the filter
from properly analyzing the outgoing data stream and establishing correct rules.
Security – Attempts to generate “on the fly” rules defining the lexicon of an application create
the requirement for absolute accuracy. Any error made by the filter such as recognizing an
invalid link as valid will immediately be implemented in a production environment since
there is no testing or inspection stage. Automatically enabling all links on a web page is an
insecure practice. An internal user may upload a file that when downloaded through the
appliance will contain links that lead directly to the application server. Such inappropriate
links could become hackers’ path to the internal network given that the appliance will do
nothing to block the attack since it is a "legitimate link" which appeared in the page.
Inconvenience – Because only links present in the most recently served page are allowed, such
filtering frequently breaks bookmarks that would otherwise offer quick access to a web page.
Performance – The overhead of analyzing web pages during production usage severely
impacts the performance of systems utilizing dynamic rules.
4. Positive logic based filtering with event-driven dynamic rules – This type of filtering
offers the strength of positive logic based filtering together with many of the benefits of
dynamic filtering (and without most of the drawbacks). Essentially, event-driven dynamic
filtering utilizes positive logic based rules but allows the inclusion of variables in the rule set.
The values of the variables are set dynamically during user sessions. For example, a variable
called USERNAME may be set to the user’s username once he logs into an application. The
capability to utilize variables in positive logic rule sets allows for the creation of extremely strict
rules (and tight security): for example, a user’s name can be included in a URL path, and
even after authentication, every request reaching the application firewall is checked to
ensure that the username in the URL matches the authenticated user. Only the one
authenticated user is capable of accessing the information in the current session, and the user
cannot access anyone else’s data.
Before relaying any data to application servers on the internal network, IAG 2007 subjects
the incoming application-level data to stringent security checks. Application-level control
includes thoroughly inspecting URLs, methods, parameters, and any other incoming data.
The inspection rules can be based on the positive logic of internal applications, utilizing a
controlled set of legitimate URL, method, and parameter combinations to which the requests
are expected to conform. The rules may contain variables that are set upon the occurrence of
specific events. The application firewall’s application-request filtering prevents application-level
attacks based on malformed URLs, a common method of exploiting buffer overflows in
Web servers. In addition, the application firewall also supports negative logic rules to specifically
block known attacks from reaching internal servers. IAG 2007 further supplements
application-layer negative logic rules with the ability to generate an IP address block list, which
prevents users from a particular IP address (or set of IP addresses) from accessing the
application, helping to avoid Denial of Service conditions at the application layer.
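The positive logic rule set with event-driven variables described in item 4 and in the paragraph above, as an added illustrative example. This is not IAG code: the rule names, the /app/login and /app/mail paths, the parameter names and the month range check are hypothetical. A login rule fires an event that binds USERNAME to the session; after that, the inbox rule only matches a URL carrying that user's own name, and every parameter is checked by name, length, pattern and a semantic range (the month-between-1-and-12 case from the text).

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Illustrative positive-logic filter with event-driven session variables.
# Added example, not IAG code; every rule, path and parameter name is hypothetical.


@dataclass
class ParamRule:
    pattern: str                                   # regex the whole value must match
    max_len: int = 64                              # length cap (long values => overflow attempts)
    check: Optional[Callable[[str], bool]] = None  # semantic check, e.g. month in 1..12


@dataclass
class Request:
    method: str
    path: str
    params: Dict[str, str]


@dataclass
class Session:
    vars: Dict[str, str] = field(default_factory=dict)  # event-driven variables


@dataclass
class Rule:
    name: str
    method: str
    path: str                                    # regex; {VARNAME} expands to a session value
    params: Dict[str, ParamRule] = field(default_factory=dict)
    required: Tuple[str, ...] = ()
    on_match: Optional[Callable[[Request, Session], None]] = None  # event hook


def expand(template: str, session: Session) -> Optional[str]:
    """Substitute {VAR} with the escaped session value; None if a variable is unset."""
    try:
        return re.sub(r"\{([A-Z_]+)\}",
                      lambda m: re.escape(session.vars[m.group(1)]), template)
    except KeyError:
        return None


def evaluate(rule: Rule, req: Request, session: Session) -> bool:
    """True only if method, path and every parameter conform to the rule."""
    if req.method != rule.method:
        return False
    pattern = expand(rule.path, session)
    if pattern is None or not re.fullmatch(pattern, req.path):
        return False
    if any(name not in req.params for name in rule.required):
        return False
    for name, value in req.params.items():
        prule = rule.params.get(name)
        if prule is None:                         # unexpected parameter (e.g. debug=1)
            return False
        if len(value) > prule.max_len or not re.fullmatch(prule.pattern, value):
            return False
        if prule.check is not None and not prule.check(value):
            return False
    return True


def filter_request(rules, req: Request, session: Session) -> Tuple[bool, str]:
    """First matching rule wins and fires its event hook; otherwise the request is dropped."""
    for rule in rules:
        if evaluate(rule, req, session):
            if rule.on_match is not None:
                rule.on_match(req, session)
            return True, rule.name
    return False, "no positive-logic rule matched"


def set_username(req: Request, session: Session) -> None:
    """Login event: bind USERNAME to the authenticated user for this session."""
    session.vars["USERNAME"] = req.params["user"]


RULES = [
    Rule("login", "POST", r"/app/login",
         params={"user": ParamRule(r"[a-z][a-z0-9]{2,15}", 16),
                 "password": ParamRule(r"[^\r\n]{8,64}", 64)},
         required=("user", "password"), on_match=set_username),
    Rule("inbox", "GET", r"/app/mail/{USERNAME}/inbox",
         params={"month": ParamRule(r"\d{1,2}", 2, lambda v: 1 <= int(v) <= 12)}),
]


def demo():
    """Replay constructed requests through one session; returns the allow/deny verdicts."""
    s = Session()
    probes = [
        Request("GET", "/app/mail/alice/inbox", {}),                    # before login: USERNAME unset
        Request("POST", "/app/login", {"user": "alice", "password": "correct horse"}),
        Request("GET", "/app/mail/alice/inbox", {"month": "7"}),        # own mailbox, valid month
        Request("GET", "/app/mail/bob/inbox", {}),                      # someone else's mailbox
        Request("GET", "/app/mail/alice/inbox", {"month": "13"}),       # out-of-range value
        Request("GET", "/app/mail/alice/inbox", {"debug": "1"}),        # unexpected parameter
        Request("POST", "/app/mail/alice/inbox", {}),                   # wrong method for URL
        Request("GET", "/app/mail/alice/inbox", {"month": "9" * 300}),  # overlong value
    ]
    return [filter_request(RULES, p, s)[0] for p in probes]
```

Two points worth noticing when running demo(): the first inbox request is refused even though its path is well-formed, because the USERNAME variable has no value until the login event fires, and a later login as a different user rebinds the variable rather than accumulating names, so a single session can never match two users' mailboxes at once.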
Broad Application Attack Prevention Capabilities
Some of the types of attack techniques that the IAG application firewall’s application filtering
engine can mitigate include:
Parameter tampering – The filtering engine inspects all parameters before transmitting
requests to back-end Web servers. Only parameters that are expected and whose names,
sizes, and values conform to the stringent rules defined in the filter configuration are
accepted. If a user has tampered with a parameter in an effort to attack an internal
system, the filtering engine will not allow the parameter to reach the intended target.
Debug options – The filtering engine can block requests that contain parameters with Debug
options.
Buffer overflows – Buffer overflow attacks typically utilize long URLs or long parameter
values, which will not conform to the rules in the filter configuration, and will, therefore, be
blocked by the engine.
Encoded attacks – The filtering engine is Unicode and escape-sequence aware, and will
block Unicode and escape-sequence encoded attacks, including double encoding and
overlong UTF-8 representation.
Code injection – Code injection involves the submission to the Web application of code
where simple data is expected. For example, a user might add a short script instead of his
address – in the hopes that the system might execute the script. Alternatively, the script
may be added as a parameter value added to the URL. Since the application firewall
inspects requests, parameters and values, such attacks will be blocked by the filtering
engine.
Cross-site scripting – Cross-site scripting is a special form of code injection in which the
hacker submits code in a field that the Web application will later display to other
users, in an attempt to have that code execute on those users’ machines. For
example, a hacker may submit code to an online bulletin board with the hope that when
users view the hacker’s message their browsers will execute the code instead of displaying
it as text. Since the application firewall inspects requests, parameters and values, such
attacks will be blocked by the filtering engine.
SQL Injection – Similar to code injection, this type of attack involves embedding SQL calls to
a database within a data field. As with the general case of code injection, the filtering
engine will block attempts to tunnel SQL.
Tunneling OS shell commands – Similar to code injection, this type of attack involves
embedding operating system commands within a data field, and will be blocked by the
application firewall in a similar manner to tunneled SQL commands and other injected
code.
Tunneling proprietary protocols – Similar to code injection, this type of attack involves
embedding commands to some application on the internal network within a data field. Like
the other aforementioned examples of injected code, it will be blocked by the application
firewall.
Inappropriate HTTP Methods – Utilizing inappropriate methods – POSTing when a GET is
expected, using WebDAV methods, etc. The filtering engine checks that the METHOD for
every URL is appropriate as defined in the rule set in the filter configuration.
Unexpected file uploading – When files are not expected, the filter will not allow the
uploading of files (e.g., through POSTs).
Other application-level attacks – Positive logic based application-request filtering (with
event-driven dynamic capabilities) is a powerful tool against known attacks, and even
against vulnerabilities not yet discovered or patched. It reduces the likelihood of a Denial
of Service attack against internal systems, as invalid requests will not be transmitted to
internal servers, and source addresses issuing large volumes of so-called “valid requests” can be
blacklisted as well.
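The canonicalization step that the “Encoded attacks” item above relies on, as an added illustrative example (not IAG code): escapes are decoded exactly once into bytes, the bytes are validated with a strict UTF-8 decoder so overlong forms such as %c0%af are rejected, any escape that survives the first decode is treated as double encoding, and only the canonical form is then matched against a positive-logic path rule. The IIS-style %uXXXX escape handling, the allowed path pattern and the sample request paths are assumptions constructed for this example.

```python
import re
from typing import Dict, Tuple

# Added illustrative canonicalizer for encoded requests; not IAG code.
# The allowed path pattern and the sample requests are constructed for this example.

_PCT = re.compile(r"%([0-9A-Fa-f]{2})")
_UNI = re.compile(r"%u([0-9A-Fa-f]{4})")   # IIS-style %uXXXX escape (assumed accepted upstream)
_ALLOWED_PATH = re.compile(r"/app/mail/[a-z][a-z0-9]{2,15}/inbox")  # hypothetical positive-logic rule


class EncodedAttack(ValueError):
    """Raised when a request cannot be reduced to a single, unambiguous form."""


def canonicalize(raw: str) -> str:
    """Decode escapes exactly once into bytes, then validate the result as strict UTF-8."""
    out = bytearray()
    i = 0
    while i < len(raw):
        if raw[i] != "%":
            out += raw[i].encode("utf-8")
            i += 1
            continue
        m = _UNI.match(raw, i)
        if m:                                      # %u002e -> U+002E -> b"."
            cp = int(m.group(1), 16)
            if 0xD800 <= cp <= 0xDFFF:
                raise EncodedAttack("surrogate code point in %u escape")
            out += chr(cp).encode("utf-8")
            i = m.end()
            continue
        m = _PCT.match(raw, i)
        if m:                                      # %2e -> b"."
            out.append(int(m.group(1), 16))
            i = m.end()
            continue
        raise EncodedAttack("malformed percent escape")
    try:
        text = out.decode("utf-8")                 # strict: %c0%af and %e0%80%af fail here
    except UnicodeDecodeError as e:
        raise EncodedAttack(f"invalid or overlong UTF-8: {e.reason}") from None
    if _PCT.search(text) or _UNI.search(text):     # an escape survived one decode
        raise EncodedAttack("double encoding")
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in text):
        raise EncodedAttack("control character in request")
    return text


def check_path(raw: str) -> Tuple[bool, str]:
    """Canonicalize, then apply traversal and positive-logic checks to the canonical form only."""
    try:
        path = canonicalize(raw)
    except EncodedAttack as e:
        return False, str(e)
    if any(seg in (".", "..") for seg in path.split("/")):
        return False, "path traversal"
    if not _ALLOWED_PATH.fullmatch(path):
        return False, "path not in positive-logic rule set"
    return True, path


SAMPLES = [  # constructed request paths
    "/app/mail/alice/inbox",                  # plain
    "/app/mail/%61lice/inbox",                # harmless single encoding of 'a'
    "/app/mail/alice/%2e%2e/%2e%2e/admin",    # encoded traversal
    "/app/mail/alice/%252e%252e/admin",       # double encoding
    "/app/mail/%c0%afalice/inbox",            # 2-byte overlong UTF-8 for '/'
    "/app/mail/alice/%e0%80%afinbox",         # 3-byte overlong UTF-8 for '/'
    "/app/mail/alice/%u002e%u002e/admin",     # %u-encoded traversal
    "/app/mail/alice/inbox%00.txt",           # NUL injection
    "/app/mail/alice/inbox%zz",               # malformed escape
]


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run every constructed sample through check_path and return the verdicts."""
    return {raw: check_path(raw) for raw in SAMPLES}
```

The order matters: matching the positive-logic rule against the raw string instead of the canonical one would let "%2e%2e" or an overlong "/" slip past a pattern that only knows plain characters, which is exactly the gap that encoded attacks exploit.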
The information contained in this document represents the current view of Whale Communications on the issues discussed as of the
date of publication. Because Whale Communications must respond to changing market conditions, it should not be interpreted to be a
commitment on the part of Whale Communications, and Whale Communications cannot guarantee the accuracy of any information
presented after the date of publication.
This White Paper is for informational purposes only. WHALE COMMUNICATIONS MAKES NO WARRANTIES, EXPRESS, IMPLIED
OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this
document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic,
mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Whale
Communications.
Whale Communications may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering
subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this
document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events
depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address,
logo, person, place, or event is intended or should be inferred.
© 2007 Whale Communications. All rights reserved. Whale Communications is a wholly owned subsidiary of Microsoft Corporation.
Whale Communications®, e-Gap®, Attachment Wiper™ and the Whale logos, Microsoft and ActiveX are either registered trademarks or
trademarks of Whale Communications in the United States and/or other countries.
IAG Application Firewall-WP-200702.doc