Web security (2003)

Protecting your company's web site from all kinds of defacement is crucial, so products which can help are vital to your security arsenal. By Geoff Marshall

Your web site is your shop window. So, defacement of your web site may detract from your company's credibility, as well as losing business and customers. It could lead to unwelcome high-profile publicity. People will ask: if you can't secure your web site, how can you be trusted with confidential business transactions? Your competency as an internet business comes into question.

So, protecting your web site with a strong and durable solution that stops this type of attack is a necessity, not a luxury. Here we examine a range of products that protect web site integrity and safeguard against even subtle changes that may not be immediately noticed.

Protecting the most vulnerable

Public web servers are particularly difficult to protect. They must reside outside the corporate firewall, or at least in a demilitarized zone (DMZ), because by their very nature they must be accessible to unauthenticated outsiders. This makes them especially vulnerable to attack by hackers, who may seek to deface the home page or indeed install their own web site to host illegal or pornographic material. Products that protect the web site must protect the operating system of the web server as well as the web server applications themselves.

At the operating system level, super user or administrator is the most targeted user account because hackers know that once that account is compromised, they can do anything they want to the entire system. Hackers typically gain super-user privileges via buffer overflows, HTTP attacks, and other operating system weaknesses. They can then even delete audit trails to cover their tracks. Some products therefore take the approach of enabling you to protect the administrator account with two-factor authentication.

Because it is very difficult to compromise a system without altering a system file, many products work by monitoring such files for changes. These files may include critical operating system files, web server applications, scripts that generate dynamic content, and static content, etc. Many products check on a scheduled basis for changes. But this may not be adequate for some busy public web sites, where even one minute of exposure of a defaced web page would be unacceptable. Such web sites need prevention, not detection.

A by-product of this file-monitoring approach is that it also protects against users introducing viruses, worms and Trojans to the server, by preventing this malware from carrying out system-file modifications, the method by which it usually spreads. However, it cannot prevent the introduction of such malware by the authenticated super user, if he can persuade the system to run some Trojan code.

Detecting the intruders

Neither can this approach protect against denial-of-service (DoS) attacks, but it would prevent your server being hijacked to participate in an attack. While some of these products successfully prevent web site defacement and modification of other important files, they might not prevent a hack that aimed to bring down the server by exploiting operating system bugs and bad web application programming.

Many of the products tested have a lot in common with intrusion detection systems (IDS) - some are even sold as IDS, or have their origins in the IDS world. However, the IDS community is now looking hard at the new breed of intrusion prevention systems (IPS), and 'prevention' is becoming a byword to look for in modern security products. 'Detection' products still have a place, but perhaps increasingly they are being used to verify that 'prevention' systems are doing their job. There is no such thing as 'absolute' security, if only because the weakest link can be human, and often more than one product is required for peace of mind and to dispel your paranoia completely.

Deleting defacements

Some products prevent the exposure of defaced content, without necessarily preventing the defacement itself. This is done by checking digital signatures embedded in the web pages, or using checksums. They may simply prevent compromised content from being viewed, or cache 'good' content for use when compromise occurs.

Others take the approach of preventing changes, although this is very hard to guarantee if the operating system itself is compromised. Yet others are capable of automatically restoring content following unauthorized changes. The problem with that approach is that change detection has to be scheduled, and this leaves a window of time during which defaced pages may be exposed to the public.
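To make the checksum-based monitoring and automatic-restoration approaches described above concrete, here is an added example (not code from any product reviewed here) that snapshots a web document root with SHA-256 digests, classifies later drift, and restores known-good copies from a cache kept off the docroot. The directory layout, file names and page contents are constructed for the demonstration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def baseline(root):
    # Relative path -> SHA-256 digest for every file under root: the trusted snapshot
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def diff(expected, root):
    # Classify drift from the snapshot: modified, deleted, and unexpected new files
    current = baseline(root)
    return {
        "modified": sorted(p for p in expected if p in current and current[p] != expected[p]),
        "deleted": sorted(p for p in expected if p not in current),
        "added": sorted(p for p in current if p not in expected),
    }

def restore(expected, root, cache):
    # Put back known-good copies from the cache and remove files the snapshot never had
    changes = diff(expected, root)
    for rel in changes["modified"] + changes["deleted"]:
        (Path(root) / rel).parent.mkdir(parents=True, exist_ok=True)
        shutil.copyfile(Path(cache) / rel, Path(root) / rel)
    for rel in changes["added"]:
        (Path(root) / rel).unlink()
    return changes

def demo():
    # Constructed scenario: snapshot two pages, deface one, add a stray file, then restore
    work = Path(tempfile.mkdtemp())
    docroot, cache = work / "htdocs", work / "cache"
    docroot.mkdir()
    (docroot / "index.html").write_bytes(b"<h1>Welcome</h1>")
    (docroot / "about.html").write_bytes(b"<p>About us</p>")
    shutil.copytree(docroot, cache)                           # known-good copy kept off the docroot
    expected = baseline(docroot)
    (docroot / "index.html").write_bytes(b"<h1>Defaced</h1>")  # simulated unauthorized change
    (docroot / "extra.html").write_bytes(b"<p>stray</p>")      # simulated unauthorized addition
    found = restore(expected, docroot, cache)
    clean = diff(expected, docroot)
    shutil.rmtree(work)
    return found, clean
```

Run from a scheduler, this still leaves the exposure window between checks that the text warns about; the snapshot and cache must also live where a compromised web server account cannot rewrite them, or the check verifies nothing.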

There is no single solution to fit all needs and pockets. The more expensive products are generally more effective at 'prevention,' while the cheaper solutions tend to focus on 'detection.' Only you can decide what your reputation is worth and how far you need to go to protect your company. We hope these reviews will help you decide.
