Any Firewall Appliance to Front End Web and Mail Server?



Will
03-19-08, 10:46 PM
To protect internal users and networks I really like the approach used in
the Fortinet Fortigate firewall appliances, which integrate a lot of
anti-virus, intrusion protection, and other higher level abstractions
directly into the firewall. The Fortigate is just a standard firewall,
however, when it comes to protecting internal servers against hackers.
For example, you can design a set of firewall rules that might limit
incoming connections to the web server to port 80, but there is no protocol
level inspection of incoming HTTP requests, to detect or block specific
kinds of probes or attacks against the web server.

Does any vendor make a firewall appliance that is specifically focused on
protecting internal web servers and blocking against specific kinds of
attacks? Any references to such appliances are appreciated.

--
Will

Arjun
03-20-08, 02:46 AM
On Mar 20, 7:46 am, "Will" <westes-...@noemail.nospam> wrote:
> To protect internal users and networks I really like the approach used in
> the Fortinet Fortigate firewall appliances, which integrate a lot of
> anti-virus, intrusion protection, and other higher level abstractions
> directly into the firewall. The Fortigate is just a standard firewall,
> however, when it comes to protecting internal servers against hackers.
> For example, you can design a set of firewall rules that might limit
> incoming connections to the web server to port 80, but there is no protocol
> level inspection of incoming HTTP requests, to detect or block specific
> kinds of probes or attacks against the web server.
>
> Does any vendor make a firewall appliance that is specifically focused on
> protecting internal web servers and blocking against specific kinds of
> attacks? Any references to such appliances are appreciated.
>
> --
> Will

hi will...

you might want to try Checkpoint firewall with Web Intelligence which
provides specialised protection against web servers...

I don't guarantee on their UTM appliance series...but software on a
hardened platform/Nokia appliance works well...

Will
03-20-08, 02:57 AM
Under $1K total cost including hardware would also be nice....

--
Will


"Arjun" <arjunhegde@gmail.com> wrote in message
news:713f93e2-b20d-4a18-bc1a-0d51695bbd42@a70g2000hsh.googlegroups.com...
On Mar 20, 7:46 am, "Will" <westes-...@noemail.nospam> wrote:
> To protect internal users and networks I really like the approach used in
> the Fortinet Fortigate firewall appliances, which integrate a lot of
> anti-virus, intrusion protection, and other higher level abstractions
> directly into the firewall. The Fortigate is just a standard firewall,
> however, when it comes to protecting internal servers against hackers.
> For example, you can design a set of firewall rules that might limit
> incoming connections to the web server to port 80, but there is no
> protocol
> level inspection of incoming HTTP requests, to detect or block specific
> kinds of probes or attacks against the web server.
>
> Does any vendor make a firewall appliance that is specifically focused on
> protecting internal web servers and blocking against specific kinds of
> attacks? Any references to such appliances are appreciated.
>
> --
> Will

hi will...

you might want to try Checkpoint firewall with Web Intelligence which
provides specialised protection against web servers...

I don't guarantee on their UTM appliance series...but software on a
hardened platform/Nokia appliance works well...

Leythos
03-20-08, 05:10 AM
In article <RqadnXWAKqauQ3zanZ2dnUVZ_rSrnZ2d@giganews.com>, westes-
usc@noemail.nospam says...
> Does any vendor make a firewall appliance that is specifically focused on
> protecting internal web servers and blocking against specific kinds of
> attacks? Any references to such appliances are appreciated.

WatchGuard has an SMTP Proxy that will allow you to control MANY things,
including only allowing approved file types, file sizes, etc...

Same with their HTTP Proxy rules.

For medical sites we always use the SMTP and HTTP Proxy rules to clean
content before it reaches the servers or the users' sessions.


--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Wolfgang Kueter
03-20-08, 07:55 AM
Will wrote:

> To protect internal users and networks I really like the approach used in
> the Fortinet Fortigate firewall appliances, which integrate a lot of
> anti-virus, intrusion protection, and other higher level abstractions
> directly into the firewall. The Fortigate is just a standard firewall,
> however, when it comes to protecting internal servers against hackers.
> For example, you can design a set of firewall rules that might limit
> incoming connections to the web server to port 80, but there is no
> protocol level inspection of incoming HTTP requests, to detect or block
> specific kinds of probes or attacks against the web server.

If the internal servers are on a separate subnet traffic to them can be
inspected by a suitable filtering device just the same way that the device
can inspect traffic to/from external servers.

> Does any vendor make a firewall appliance that is specifically focused on
> protecting internal web servers and blocking against specific kinds of
> attacks?

Any UTM box can do that.

Wolfgang

Van Helsing
03-20-08, 09:31 AM
Will wrote:
> Under $1K total cost including hardware would also be nice....
>
If price is a key issue, this might suit your needs ...

http://www.untangle.com/

VH.

Todd H.
03-20-08, 09:32 AM
"Will" <westes-usc@noemail.nospam> writes:

> To protect internal users and networks I really like the approach used in
> the Fortinet Fortigate firewall appliances, which integrate a lot of
> anti-virus, intrusion protection, and other higher level abstractions
> directly into the firewall. The Fortigate is just a standard firewall,
> however, when it comes to protecting internal servers against hackers.
> For example, you can design a set of firewall rules that might limit
> incoming connections to the web server to port 80, but there is no protocol
> level inspection of incoming HTTP requests, to detect or block specific
> kinds of probes or attacks against the web server.
>
> Does any vendor make a firewall appliance that is specifically focused on
> protecting internal web servers and blocking against specific kinds of
> attacks? Any references to such appliances are appreciated.

Hi Will,

Yes. What's yer budget? What sort of speed do you need?

Unified Threat Management boxes may be one solution.

There was recently a roundup of these devices in SC Magazine.
http://www.scmagazineus.com/UTM-2008/GroupTest/121/

Among those, I have some experience with the ISS (now part of IBM)
Proventia M that runs about $1400 plus support. What I like about
those is that the IPS/IDS in them doesn't block whole IP
addresses--they just swallow the subset of the traffic that represents
the detected threat when in blocking mode. Many other vendors seem to
lock out IPs when threats are triggered, which makes them rather
vulnerable to DoS with spoofed traffic.

--
Todd H.
http://www.toddh.net/

Robby Cauwerts
03-20-08, 03:16 PM
On Mar 20, 4:46 am, "Will" <westes-...@noemail.nospam> wrote:

> Does any vendor make a firewall appliance that is specifically focused on
> protecting internal web servers and blocking against specific kinds of
> attacks? Any references to such appliances are appreciated.
>
> --
> Will

Check Point with a Web Intelligence license will do some "basic"
checks.

If web services are part of your core business:
(in no particular order)
www.denyall.com
F5 Big-IP with ASM
Reactivity
...
Patching your systems, writing secure code and an audit from time to
time might also help.

Will
03-20-08, 06:30 PM
"Wolfgang Kueter" <wolfgang@shconnect.de> wrote in message
news:frtmmp$f8s$1@news.shlink.de...
> Will wrote:
>
>> To protect internal users and networks I really like the approach used in
>> the Fortinet Fortigate firewall appliances, which integrate a lot of
>> anti-virus, intrusion protection, and other higher level abstractions
>> directly into the firewall. The Fortigate is just a standard firewall,
>> however, when it comes to protecting internal servers against hackers.
>> For example, you can design a set of firewall rules that might limit
>> incoming connections to the web server to port 80, but there is no
>> protocol level inspection of incoming HTTP requests, to detect or block
>> specific kinds of probes or attacks against the web server.
>
> If the internal servers are on a separate subnet traffic to them can be
> inspected by a suitable filtering device just the same way that the device
> can inspect traffic to/from external servers.

The attack is usually different. The user inside the network using a
browser goes to a page with a trojan and it is embedded as an Active/X, for
example. So a defense against that would be to inspect the active/x binary
during download for metainformation as well as checksum that might identify
it and then block it.

The attack against the web server you own is more likely to focus on trying
to force buffer overloads on your server, so the defense against that is
more about inspecting for bad URLs, SQL injections, etc.

--
Will

Leythos
03-20-08, 08:15 PM
In article <XsOdnV-pdKE9bn_anZ2dnUVZ_t6onZ2d@giganews.com>, westes-
usc@noemail.nospam says...
> The attack is usually different. The user inside the network using a
> browser goes to a page with a trojan and it is embedded as an Active/X, for
> example. So a defense against that would be to inspect the active/x binary
> during download for metainformation as well as checksum that might identify
> it and then block it.

Actually, blocking ActiveX completely is the best method. There is no
reason to allow ActiveX except from known good sites that require it for
your business.

--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Will
03-21-08, 01:35 AM
"Leythos" <void@nowhere.lan> wrote in message
news:MPG.224cd6445050602c98969b@adfree.usenet.com...
> In article <XsOdnV-pdKE9bn_anZ2dnUVZ_t6onZ2d@giganews.com>, westes-
> usc@noemail.nospam says...
>> The attack is usually different. The user inside the network using a
>> browser goes to a page with a trojan and it is embedded as an Active/X,
>> for
>> example. So a defense against that would be to inspect the active/x
>> binary
>> during download for metainformation as well as checksum that might
>> identify
>> it and then block it.
>
> Actually, blocking ActiveX completely is the best method. There is no
> reason to allow ActiveX except from known good sites that require it for
> your business.

Agreed and that is for the web browsers behind our firewall.

I'm trying to protect a web server, so blocking Active/X at the browser
isn't addressing my need.

What I am looking for is a web application firewall that is commoditized as
an appliance for low-end servers, similar to what Fortinet has done with
their 50B and 60B firewall appliances for small businesses.

--
Will

Wolfgang Kueter
03-21-08, 07:35 AM
Will wrote:


> What I am looking for is a web application firewall that is commoditized
> as an appliance for low-end servers, similar to what Fortinet has done
> with their 50B and 60B firewall appliances for small businesses.

You are looking for IDP/IDS functionality. As I said, UTM boxes offer that
service usually, Fortigate boxes can do it as well. Subscription for
IDP/IDS service will often cost some extra money.

Wolfgang

Leythos
03-21-08, 08:10 AM
In article <DMCdnYZPDIXdyn7anZ2dnUVZ_qiinZ2d@giganews.com>, westes-
usc@noemail.nospam says...
> "Leythos" <void@nowhere.lan> wrote in message
> news:MPG.224cd6445050602c98969b@adfree.usenet.com...
> > In article <XsOdnV-pdKE9bn_anZ2dnUVZ_t6onZ2d@giganews.com>, westes-
> > usc@noemail.nospam says...
> >> The attack is usually different. The user inside the network using a
> >> browser goes to a page with a trojan and it is embedded as an Active/X,
> >> for
> >> example. So a defense against that would be to inspect the active/x
> >> binary
> >> during download for metainformation as well as checksum that might
> >> identify
> >> it and then block it.
> >
> > Actually, blocking ActiveX completely is the best method. There is no
> > reason to allow ActiveX except from known good sites that require it for
> > your business.
>
> Agreed and that is for the web browsers behind our firewall.
>
> I'm trying to protect a web server, so blocking Active/X at the browser
> isn't addressing my need.
>
> What I am looking for is a web application firewall that is commoditized as
> an appliance for low-end servers, similar to what Fortinet has done with
> their 50B and 60B firewall appliances for small businesses.

If a web server is all you want to protect, then a simple NAT router
will do all you need if you properly secure the server and web services.

What OS/Web service are you running?

--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Jens Hoffmann
03-21-08, 09:05 AM
Hi,

Leythos wrote:
> If a web server is all you want to protect, then a simple NAT router
> will do all you need if you properly secure the server and web services.

How does NATting ensure protocol integrity and stop inline attacks?
Answer: It can't. You need some application layer proxy to do that.

Cheers,
Jens

Will
03-21-08, 05:12 PM
"Leythos" <void@nowhere.lan> wrote in message
news:MPG.224d7db149e565c498969c@adfree.usenet.com...
> In article <DMCdnYZPDIXdyn7anZ2dnUVZ_qiinZ2d@giganews.com>, westes-
> usc@noemail.nospam says...
>> "Leythos" <void@nowhere.lan> wrote in message
>> news:MPG.224cd6445050602c98969b@adfree.usenet.com...
>> > In article <XsOdnV-pdKE9bn_anZ2dnUVZ_t6onZ2d@giganews.com>, westes-
>> > usc@noemail.nospam says...
>> >> The attack is usually different. The user inside the network using
>> >> a
>> >> browser goes to a page with a trojan and it is embedded as an
>> >> Active/X,
>> >> for
>> >> example. So a defense against that would be to inspect the active/x
>> >> binary
>> >> during download for metainformation as well as checksum that might
>> >> identify
>> >> it and then block it.
>> >
>> > Actually, blocking ActiveX completely is the best method. There is no
>> > reason to allow ActiveX except from known good sites that require it
>> > for
>> > your business.
>>
>> Agreed and that is for the web browsers behind our firewall.
>>
>> I'm trying to protect a web server, so blocking Active/X at the browser
>> isn't addressing my need.
>>
>> What I am looking for is a web application firewall that is commoditized
>> as
>> an appliance for low-end servers, similar to what Fortinet has done with
>> their 50B and 60B firewall appliances for small businesses.
>
> If a web server is all you want to protect, then a simple NAT router
> will do all you need if you properly secure the server and web services.

How is a NAT box going to inspect a URL request and block SQL injections or
any other known vulnerability of a web server?

Of course you configure the server as well, but that's not mutually
exclusive with a web application firewall, and the two complement each
other.

--
Will
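Jens's point that NAT cannot see inside the request, and Will's note that the defence for a web server is inspecting URLs for SQL injection, is exactly the application-layer work a web application firewall does. As an added illustration (not code from any poster, nor from ModSecurity or any appliance named in the thread), here is a minimal Python inspector over raw HTTP requests; the signature list and the sample requests are constructed assumptions, far smaller than a real rule set.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed, deliberately tiny signature set (an assumption for this
# illustration); a real WAF such as ModSecurity with a rule set does far more.
SQLI_PATTERNS = [
    re.compile(r"(?i)\bunion\b.{0,40}\bselect\b"),
    re.compile(r"(?i)'\s*(or|and)\s+[\w']+\s*=\s*[\w']+"),
    re.compile(r"(?i)\b(sleep|benchmark|waitfor\s+delay)\s*\("),
    re.compile(r"(?i)--\s*$|/\*|;\s*(drop|insert|update|delete)\b"),
]
BAD_PATH = re.compile(r"\.\./|%2e%2e|\x00")  # traversal or NUL byte in the path


def parse_request_line(raw: bytes):
    """Return (method, target) from the first line of a raw HTTP request."""
    first = raw.split(b"\r\n", 1)[0].decode("latin-1")
    parts = first.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line")
    return parts[0], parts[1]


def inspect_request(raw: bytes):
    """Return ("allow" | "deny", reason) for one raw HTTP request.

    Values are percent-decoded before matching so the inspector sees what
    the backend will see; a packet filter or NAT box never gets this far."""
    try:
        method, target = parse_request_line(raw)
    except ValueError as exc:
        return "deny", str(exc)
    url = urlsplit(target)
    if BAD_PATH.search(unquote_plus(url.path)) or BAD_PATH.search(url.path.lower()):
        return "deny", "traversal or NUL byte in path"
    fields = parse_qsl(url.query, keep_blank_values=True)
    if method == "POST" and b"\r\n\r\n" in raw:  # form body is inspected too
        body = raw.split(b"\r\n\r\n", 1)[1].decode("latin-1")
        fields += parse_qsl(body, keep_blank_values=True)
    for name, value in fields:
        value = unquote_plus(value)  # catch double-encoded payloads
        if any(p.search(value) for p in SQLI_PATTERNS):
            return "deny", f"SQL injection pattern in parameter {name!r}"
    return "allow", "ok"


# Constructed sample requests, not captured traffic.
CLEAN = b"GET /products?id=42&sort=name HTTP/1.1\r\nHost: shop.example\r\n\r\n"
SQLI = b"GET /products?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
TRAVERSAL = b"GET /static/..%2f..%2fetc/passwd HTTP/1.1\r\nHost: shop.example\r\n\r\n"
```

inspect_request takes the raw request bytes and returns the verdict with a reason, which is the decision a proxy-style WAF makes before the request is forwarded to the server.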

Will
03-21-08, 05:12 PM
"Jens Hoffmann" <jh@bofh.de> wrote in message
news:fs0fhu$pjk$1@murphy.mediascape.de...
> Leythos wrote:
>> If a web server is all you want to protect, then a simple NAT router will
>> do all you need if you properly secure the server and web services.
>
> How does NATting ensure protocol integrity and stop inline attacks?
> Answer: It can't. You need some application layer proxy to do that.

Yes, thank you.

--
Will

Leythos
03-22-08, 05:25 PM
In article <fs0fhu$pjk$1@murphy.mediascape.de>, jh@bofh.de says...
> Hi,
>
> Leythos wrote:
> > If a web server is all you want to protect, then a simple NAT router
> > will do all you need if you properly secure the server and web services.
>
> How does NATting ensure protocol integrity and stop inline attacks?
> Answer: It can't. You need some application layer proxy to do that.

It doesn't, as you've so nicely put it, but, if your server is properly
secured, since I don't know what OS/Service, there is a good chance
that you're not going to get much more protection that would do you much
good.

--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

John Mason Jr
03-22-08, 05:44 PM
Will wrote:
> Under $1K total cost including hardware would also be nice....
>

<http://www.modsecurity.org/>