Many consider firewalls and intrusion-detection systems (IDSs) to be the main line of defense from malicious hackers. These systems are excellent at keeping out harmful packets on your network; however, the methods used by firewalls and IDS have problems when it comes to determining a good packet from a bad packet that’s headed to or coming from a Web server and the database server that resides behind it. These requests, typically coming through port 80, can pass through firewalls and IDS relatively unchecked.
Vulnerabilities of this type have inspired many Web security solution providers to pick up where firewalls and IDS leave off. Teros (formerly Stratum8 Networks) is one such company that has developed a product that acts as a second line of defense to protect your Web and data servers from hackers. Named Teros-100 Application Protection System (APS), this product analyzes the HTTP packets that flow through port 80 by intercepting them and throwing out any malicious request, all without slowing down Web traffic. Let’s take a peek inside this venerable security device.
Vulnerabilities faced by Web and data servers
While many data centers are regularly updated to protect against known threats, the real threats are of the unknown variety. Teros-100 APS has a multilevel configuration in place to deal with these new threats:
- Distributed management framework: This GUI interface allows you to manage security policies across the network. You can create reports and produce logs on events after they occur or as they occur, depending on the severity of the alert.
- Adapters: Provides compatibility with other devices.
- Flexibility: Allows for customization of security policies.
- Dynamic update: New features can be uploaded and installed automatically.
- Adaptive learning engine: Described below, this feature helps to eliminate the potential of false positives during screening.
- Modular architecture: As HTTP changes, Teros-100 APS will incorporate the new extensions of the technology to keep pace.
Teros-100 APS in a nutshell
Teros-100 APS runs on a hardened Linux 1U server with an installed proprietary operating system for added security. The product’s price tag begins at $25,000 and is targeted to the medium-to-large distributed computing environments of today’s Fortune 1000. The product checks all HTTP and HTTPS data to make sure it’s suitable within the framework of the exchange. Teros-100 APS also ”learns” as it spends more time checking regular traffic, which enables it to speed up the time spent verifying data. Without adding latency to the Web traffic (it adds less than 1 ms to most Web transactions, according to technology assurance solution provider KeyLabs), Teros-100 APS checks all traffic coming into or leaving your Web server without aggravating your users or customers with long wait times.
For larger Web server environments, load balancing is supported and multiple Teros-100 APS systems can be implemented should the need arise.
Teros-100 APS verification methods are based on the HTML interaction model (HIM), which provides the standards for what types of sessions can transpire between the browser to the Web server, and what can be returned by the server. The Teros-100 APS application uses HIM to block all traffic that strays from the standard, yet the learning engine of the application allows for individuals focused on Web development (who often need to code outside this standard) to bypass the security controls of the application.
The learning engine is perhaps the most critical piece of the Teros-100 APS system, since it develops a baseline for standard and nonstandard traffic patterns when the system is initially put into service. The learning engine provides the IT manager with a listing of policies the system will abide by; the manager can accept or reject these for future Web transactions. As nonstandard Web traffic is introduced to the network, Teros-100 APS takes its lessons learned from the past to deal with potential vulnerabilities.
Perhaps most important to all IT managers who have to balance security and performance is the issue of latency. With Web content pushing some servers to their capacity limits, it is critical that an extra device put in the path of this traffic does not add latency.
Another KeyLabs study perhaps best explains the Teros-100 APS’s impact on performance. Using an Intel 933 MHz PIII server with 1 GB of RAM, the Teros-100 APS system was found to handle 64.7 million transactions per day at a rate of 32.48 Mb per second per unit of HTTP traffic. The maximum latency experienced by the system was 4.86 ms for a server with only 20 percent processor capacity available.
When to use Teros-100 APS
While there is no price too great for a highly available secure network, many IT managers must make tough choices when it comes to protecting their Web traffic. The question of when Teros-100 APS could be beneficial really depends on the makeup of your Web site traffic content. For static Web sites that receive little packet exchange, the basic firewall protection you already have in place should suffice. For more active sites that are interacting with extranet, intranet, and Internet traffic, a security solution such as Teros-100 APS should be strongly considered, especially if the data sent back and forth is sensitive in nature.