Protection Beyond the Firewall With KaVaDo
KaVaDo ScanDo, InterDo, and AutoPolicy: A suite comprised of an application-layer firewall, security scanner, and configuration tool Logan Harbaugh reviews a suite of products from KaVaDo designed to guard against application-level attacks from which an ordinary firewall will not offer protection. The suite consists of three components: InterDo, an application-level firewall; ScanDo, a scanner that inspects the network for vulnerabilities; and AutoPolicy, which uses the results of ScanDo testing to configure the InterDo application.
A standard firewall may protect the network against TCP/IP attacks, but any server exposed to the Internet is vulnerable to application-level attacks that a firewall will not stop. Examples of such attacks include SQL commands embedded in an HTML reply, HTML GET requests for data that may be on the server, and odd characters used to fill in a field in a Web form that can cause a buffer overflow or other error.
KaVaDo offers a suite of products to guard against these kinds of attacks. The three components are InterDo, an application-level firewall; ScanDo, a scanner that inspects the network for vulnerabilities; and AutoPolicy, which uses the results of ScanDo's testing to configure the InterDo application.
We installed all the three products on a Windows 2000 server, in less than an hour, including installing the Java runtime environment and Adobe Acrobat reader for the documentation. InterDo uses a separate login and password that cannot be simple text. This ensures a high level of security. The applications support SSL, assuming it is in use on the Web server or application server.
InterDo can be configured as a router, using two NICs, or as a proxy server, using a single NIC. It inspects HTTP, SOAP, WebDAV, or WSDL traffic, and looks for requests to the server that are outside appropriate bounds. It does this using "tunnels" and "pipes" as a metaphor -- the tunnels are TCP/IP connections between two networks, and the pipes are filters that look for specific types of exploits or security violations.
If you're not a security specialist, figuring out which pipes are needed in your environment may be quite confusing. This is where ScanDo shows its mettle -- it scans the network for security issues, and returns a report you can use to set up InterDo. If you have AutoPolicy, it will automatically make the appropriate settings in InterDo.
Once InterDo is up and running, ScanDo inspects Web servers, database connections, application servers, XML documents and so forth, using a database that is regularly updated by KaVaDo. It documents necessary patches, known exploits of SQL, HTTP, HTTPS, SOAP, and other protocols, as well as application vulnerabilities. It can fill in forms through a browser, test fields in the form, and parse Perle, JScript, or Visual Basic scripts, as well as check for potential problems. It can also simulate attacks on the Web site, which can then be used to ensure that InterDo is properly configured.
When first started, ScanDo prompts for a license key. The usual key is specific to a particular domain, which prevents ScanDo from being used to find vulnerabilities or attack other domains. When started, ScanDo first scans the Web site, identifies the complete structure of the Web site, including all links, objects (e.g., Flash objects), database access, and XML documents. It then assesses the entire site for security problems, and finally, creates a report listing all the vulnerabilities found.
In our testing, ScanDo found about a dozen potential vulnerabilities on our Web site, including SQL vulnerabilities and files that could be copied or deleted by improper HTTP commands. AutoPolicy was able to set up InterDo to protect against these exploits, and using the attack mode of ScanDo, we verified that InterDo did protect against the attacks.
Some of the potential problems ScanDo can find and InterDo protects against are: unauthorized SQL commands; invalid application parameters; invalid or altered cookies; exploits of known vulnerabilities in Web servers, database products, or operating systems; altered SOAP or Web services (XML) messages; invalid characters in messages; HTTP exploits; unauthorized file uploads; modified application or network protocols; buffer overflow attacks; and requests that use unauthorized data encoding.
Depending on a network's topology, it is possible to use InterDo like a single TCP/IP firewall or in a load-balanced environment protecting a Web farm. The Business Edition of InterDo protects a single server, and the Enterprise Edition can protect an unlimited number of servers.
InterDo provides much-needed protection for Web and application servers. When used in conjunction with ScanDo and AutoPolicy, it makes implementing strong protection relatively simple, without the need for an experienced security specialist.
Vendor Home Page: KaVaDo
Product Home Pages: InterDo Web Application Protection
IScanDo - Web Application Scanner
Price: $25,000 for the bundle of InterDo, ScanDo, and AutoPolicy. As stand-alone offerings, InterDo is $9,000 for the Business version and $15,000 for the Enterprise version; ScanDo starts at $15,000.
Pros: High performance;
Protects against application layer attacks;
ScanDo, InterDo, and AutoPolicy work seamlessly for complete
Cons: Standard ScanDo license scans only one domain