Industry statistics show that 80% of malicious attacks target Port 80, the Web traffic pass-through. Why, then, does the onus for Web application protection still fall largely on network-layer devices? Web applications clearly need special security.
Firewalls specifically designed to protect Web applications would recognize a hacker's attempt to create a buffer overflow, to inject false SQL or system commands in program variables, or to otherwise manipulate the datastream for ill purposes. Web application firewalls see the breaches that a network-layer firewall (or intrusion-detection system) is not capable of detecting.
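To make the paragraph above concrete, here is a small application-layer request inspector written as an added example for this article; it is not code from the article or from any vendor product it mentions. It parses the query string and form body of an HTTP request, applies three illustrative checks (an oversized parameter that could feed a buffer overflow, SQL injection signatures in a parameter value, and shell metacharacters that indicate an attempted system command), and returns a list of findings that a policy layer turns into an allow/block decision. The length limit, the signature patterns and the sample requests are all constructed for illustration; a real Web application firewall ships a far richer rule set and usually adds a positive model of what each parameter is allowed to contain.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Illustrative limit and signatures, constructed for this example (not a
# production rule set). A real WAF combines signatures like these with a
# positive model of expected parameter types and lengths.
MAX_PARAM_LEN = 256

RULES = [
    # Oversized input is the classic precursor to a buffer overflow in
    # native code sitting behind the Web tier.
    ("oversized-parameter", lambda v: len(v) > MAX_PARAM_LEN),
    # SQL injection: a quoted tautology ('x' OR '1'='1), UNION-based
    # statement extension, or a comment sequence that truncates the rest
    # of the intended query. Note that "--" also appears in harmless text,
    # so this rule is a known source of false positives.
    ("sql-injection", re.compile(
        r"(?i)('\s*or\s+'?\w+'?\s*=\s*'?\w+)|(\bunion\b[\s\S]*\bselect\b)|(--|/\*)"
    ).search),
    # OS command injection: shell metacharacters that chain or substitute
    # commands if the value ever reaches a shell.
    ("command-injection", re.compile(r"[;|`]|\$\(").search),
]


def inspect_request(request_line: str, body: str = "") -> list:
    """Return a list of (parameter, rule) findings for one HTTP request.

    `request_line` is the first line of the request, e.g.
    'GET /login?user=bob HTTP/1.1'; `body` is the URL-encoded form body of
    a POST, if any. An empty list means the request passed inspection.
    """
    method, target, *_ = request_line.split(" ")
    parts = urlsplit(target)
    # parse_qsl URL-decodes each value, so signatures see the same bytes
    # the application would (e.g. %27 becomes a quote, '+' becomes space).
    params = parse_qsl(parts.query, keep_blank_values=True)
    if method == "POST" and body:
        params += parse_qsl(body, keep_blank_values=True)

    findings = []
    for name, value in params:
        for rule_name, matcher in RULES:
            if matcher(value):
                findings.append((name, rule_name))
    return findings


def decide(request_line: str, body: str = "") -> str:
    """Policy decision: 'block' on any finding, otherwise 'allow'."""
    return "block" if inspect_request(request_line, body) else "allow"


# Constructed sample traffic: one benign search, one SQL tautology in a
# login form, one oversized profile field, one shell metacharacter in a
# POST body.
SAMPLE_REQUESTS = [
    ("GET /search?q=network+firewall HTTP/1.1", ""),
    ("GET /login?user=admin%27+OR+%271%27%3D%271&pw=x HTTP/1.1", ""),
    ("GET /profile?name=" + "A" * 4096 + " HTTP/1.1", ""),
    ("POST /tools/ping HTTP/1.1", "host=203.0.113.5%3Bid"),
]

if __name__ == "__main__":
    for line, body in SAMPLE_REQUESTS:
        print(decide(line, body), inspect_request(line, body), line[:40])
```

The inspector only sees decoded parameter values, which is the point the article makes: a network-layer firewall passes all of these requests because every one of them is well-formed TCP on port 80, while the application-layer view distinguishes the benign search from the three that should be logged and blocked.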
Security experts have begun to call the Web application firewall a must-have.
"I would never deploy a Web application today if I haven't deployed a Web application firewall," says Ravi Ganesan, vice chairman of NSD Security, which helps user organizations build secure Web infrastructures.
Training Web developers to build secure applications and conducting initial and periodic vulnerability tests are musts, but they don't suffice. Ganesan equates doing those things without also deploying a Web application firewall to declaring Windows or another operating system secure and throwing out the perimeter firewall. "You'd be crazy," he says.
Ed McNachtan, program manager with the Family and Children First (FCF) office serving Montgomery County, Ohio, can testify to the benefits of Web application firewalls. He discovered them early, four years ago, when FCF used Health Insurance Portability and Accountability Act (HIPAA) draft documents to perform a gap analysis of the security architecture it planned to use for interagency communications via the Web. "We found our security plan failed around Web applications, and we needed to make reasonable efforts to block that hole," McNachtan says.

He is using AppShield, a software-based Web application firewall from start-up Sanctum, to protect two particularly complex and politically touchy applications that have taken years to develop. The first, in pilot tests now, is a family violence cross-jurisdictional database application. The second is a collaborative case-management application that will go into pilot tests by year-end. "We have privileged and confidential information that we have to protect, plus HIPAA rules and guidelines to follow," McNachtan says. "I'm married to AppShield. It does a great job."