There are several products that do exactly what you describe - and in
some cases more.
There are application-level firewalls (Gauntlet has the finest
granularity of control) which can enforce access rules at the level of
specific HTTP operations (allow GET but not PUT, etc.), or to block or
allow specific URLs. There are some MAJOR caveats in implementing an
HTTP proxy in the inbound role, however. It CAN be done safely, but a
naive implementation can leave you wide open.
At higher levels of granularity there are tools such as the e-Gap from
Whale which allow you to set rules which permit or deny specific
URL/HTTP operation/parameter/POST-field-name-and-value
combinations... so you could specify e.g. that a specific URL to a form
on your site is permitted only for POST, and only if the value supplied
by the user for the NAME field is alphanumeric and 40 characters or
less.
We've implemented both these types of solutions for major telecom and
banking clients, and they work quite well. The performance impact is
quite acceptable in most scenarios.
--
.
. Richard Reiner, Ph.D.
. FSC Internet Corp. / SecureXpert Labs
. 229 Yonge Street
. Toronto, Ontario
. Canada M5B 1N9
. Tel: +1 416 921 4280, Fax: +1 416 966 2451
. [EMAIL PROTECTED], http://www.fscinternet.com
.
> > I run a medium sized web site and am looking for a
> > firewall/application gateway solution to secure the
> > site. I am looking for something more than the typical
> > Checkpoint style packet filtering firewall though (we
> > already run a Checkpoint firewall). I'd prefer
> > something that can protect against malicious
> > manipulation of web applications, for example,
> > repeated attempts to log into the site with
> > random passwords, or malicious data in a posted form,
> > or cookie reverse eng. These attacks pass right
> > through the open http port on the packet filter or
> > application gateway firewall.
> >
> > Basically, I need something that secures applications
> > by enforcing security policy at the application layer
> > through _semantic_ rules. For example, a browser will
> > not be allowed to GET a url that was never sent to it
> > in some html response earlier. Or POST a form with
> > hidden fields changed, or send back a cookie that was
> > not issued to it by the server etc.
> >
> > Performance is fairly important -- we get a few
> > hundred requests per second at peak load and the
> > firewall must be able to handle that.
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
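The reply's e-Gap-style rule (a form URL permitted only for POST, with the NAME field alphanumeric and at most 40 characters) as an added, default-deny rule checker. This is illustrative code written for this page, not code from e-Gap, Gauntlet or the original poster; the rule table, paths and sample requests are constructed.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qs

# Constructed rule table (hypothetical, not any product's format): each rule
# keys on (path, method) and lists the only parameters that rule accepts.
@dataclass
class FieldRule:
    pattern: str   # regex the whole decoded value must match
    max_len: int   # maximum accepted length of the decoded value

@dataclass
class Rule:
    path: str
    method: str
    fields: dict = field(default_factory=dict)  # param name -> FieldRule

RULES = [
    # The reply's example: POST-only form, NAME alphanumeric and <= 40 chars.
    Rule("/signup", "POST", {"NAME": FieldRule(r"[A-Za-z0-9]+", 40)}),
    Rule("/index.html", "GET"),
]

def check_request(method, url, body=""):
    """Return (allowed, reason). Default-deny: a request with no matching
    (path, method) rule is rejected, as is any parameter the rule omits."""
    parts = urlsplit(url)
    rule = next((r for r in RULES
                 if r.path == parts.path and r.method == method), None)
    if rule is None:
        return False, f"no rule permits {method} {parts.path}"
    # Query-string and POST-body parameters are checked the same way.
    params = parse_qs(parts.query, keep_blank_values=True)
    for name, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(name, []).extend(values)
    for name, values in params.items():
        frule = rule.fields.get(name)
        if frule is None:
            return False, f"parameter {name!r} not permitted on {parts.path}"
        for value in values:   # every repeated occurrence must pass
            if len(value) > frule.max_len:
                return False, f"{name!r} longer than {frule.max_len} chars"
            if not re.fullmatch(frule.pattern, value):
                return False, f"{name!r} fails pattern {frule.pattern!r}"
    return True, "ok"

if __name__ == "__main__":
    for req in [("POST", "/signup", "NAME=alice42"), ("GET", "/signup"),
                ("POST", "/signup", "NAME=%3Cscript%3E"), ("PUT", "/index.html")]:
        print(req, check_request(*req))
```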