Contributed by jolan on from the openbsd-under-the-hood dept.
Just wanted to let you guys know that Armorlogic is using OpenBSD as the core of its new web application firewall product called Profense. When choosing an operating system to base Profense on, we didn't even have to think about others. OpenBSD gives us complete freedom to re-use the code as we like, unparalleled stability, security, robustness, and a clean code base.
If you are interested, check out our website at www.armorlogic.com for more information about Profense. You can also download a free evaluation version.
By Anonymous Coward (82.236.141.3) on
They are doing a good job of promoting OpenBSD:
"Profense is based on a stripped and hardened OpenBSD platform. OpenBSD is regarded as the most secure OS generally available. The web proxy, filtering and administration components run in a non-privileged and closed run-time environment. Technologies like ProPolice, W^X protection, non-executable stack, etc. are used to further harden the system against attacks. With Profense you get a seriously hardened and secured frontend to your web applications - without compromising functionality."
And their system uses CARP for high availability, too :)
By Srebrenko Sehic (195.24.1.195) on
Profense is based on "positive security", pretty much like any well configured firewall. You start with a "deny all" and explicitly allow traffic into your network based on what you want to grant access to.
Profense can do the same for web applications (HTTP and HTTPS based). You basically define an access policy for your web application. E.g. you define which pages (URLs) are valid, if they take any parameters, which values those parameters can have, which HTTP method you can access those via (GET, POST, etc.). When a user (or a potential attacker) requests something on your website, it's checked against the defined access policy. If the request doesn't match the ACL, it's denied and logged.
Profense will automatically generate an ACL based on the outgoing traffic from the website it's protecting. Unless you have a bunch of fancy javascript, you'll have to do minimal manual ACL adjustments.
Profense is not a "security gizmo". It's a positive HTTP/HTTPS filtering reverse proxy, with some extra features like caching, TCP connection offloading, compression and SSL acceleration.
Regarding questions about "zero-day" attacks. Let's imagine a new PHPBB worm that exploits an unknown SQL injection vulrenability in some PHP script. If you played your cards right (e.g. defined an ACL that only allows characters a-Z and numbers 0-9 for a vulrenable parameter), the attacks will be stopped before it even reaches your vulrenable PHPBB application. And yes, Profense will provide "sane defaults" for all your parameters, pages, so unless you specifically shoot yourself in the foot, you'll be safe.
Or, say you have a default IIS installation and you forgot to remove the vulernable default scripts. Unless you explicitly add those to the ACL, an attacker will simply receive a "403 access forbidden" trying to request them.
Or, if your web developers forgot to remove "debug.asp" or "index.php.bak" from the website before putting it into the production.
I could provide a bunch of other examples, but you get the idea.
And I agree that fixing your vulrneable web applications is the *correct* approach, but remember that people don't always know how, don't care, don't have the resources or have access to the source. They are left in the blind.
Finally, Profense will protect your custom web applications as well, so forget about your favourite IDS/IPS system. It knows nothing whether "yourscript.php?login=admin&passwd=test' OR '1=1" is valid or not.
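To make the positive-security model described in this comment concrete, here is an added example of a deny-by-default HTTP request ACL check. It is illustration code written for this page, not Profense's or Armorlogic's implementation; the ACL entries (`/index.php`, `/yourscript.php`, the `login`/`passwd` parameters and their character classes) and the sample requests are constructed for the example, and the `test' OR '1=1` value comes from the comment above.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Positive-security ACL (hypothetical, constructed for this example):
# every valid page is listed with the methods it accepts and, per
# parameter, a pattern describing the values it may take. Anything
# not listed here is denied, as the comment describes.
ACL = {
    "/index.php": {
        "methods": {"GET"},
        "params": {},  # takes no parameters at all
    },
    "/yourscript.php": {
        "methods": {"GET", "POST"},
        "params": {
            # "only characters a-Z and numbers 0-9", with a length cap
            "login": re.compile(r"[A-Za-z0-9]{1,32}"),
            "passwd": re.compile(r"[A-Za-z0-9]{1,64}"),
        },
    },
}


def check_request(method, target, acl=ACL):
    """Check one request line against the ACL.

    Returns (allowed, reason). The default outcome is deny: the request
    is allowed only if the path is listed, the method is permitted for
    that path, and every query parameter is known and its value matches
    the configured pattern. Unknown parameters are rejected even on a
    known page.
    """
    parts = urlsplit(target)
    rule = acl.get(parts.path)
    if rule is None:
        return False, "path not in ACL: %s" % parts.path
    if method not in rule["methods"]:
        return False, "method %s not allowed for %s" % (method, parts.path)
    # parse_qsl percent-decodes values, so an encoded payload
    # (passwd=test%27+OR+%271%3D1) is checked the same way as the
    # literal one quoted in the comment.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        pattern = rule["params"].get(name)
        if pattern is None:
            return False, "unexpected parameter: %s" % name
        if not pattern.fullmatch(value):
            return False, "parameter %s has a value outside the allowed set" % name
    return True, "matches ACL"


def audit(requests, acl=ACL):
    """Return one log line per request, in the style of a reverse proxy:
    denied requests get a 403, as the comment describes for unlisted
    default scripts; allowed ones are passed to the backend."""
    lines = []
    for method, target in requests:
        allowed, reason = check_request(method, target, acl)
        verdict = "PASS" if allowed else "DENY 403"
        lines.append("%s %s %s (%s)" % (verdict, method, target, reason))
    return lines


# Constructed sample traffic covering each case from the discussion.
SAMPLE_REQUESTS = [
    ("GET", "/index.php"),
    ("GET", "/index.php?debug=1"),                               # unknown parameter
    ("GET", "/debug.asp"),                                       # leftover file, not in ACL
    ("GET", "/index.php.bak"),                                   # backup copy, not in ACL
    ("POST", "/yourscript.php?login=admin&passwd=test' OR '1=1"),  # value outside a-Z0-9
    ("POST", "/yourscript.php?login=admin&passwd=test%27+OR+%271%3D1"),  # same, encoded
    ("GET", "/yourscript.php?login=admin&passwd=secret123"),
    ("DELETE", "/yourscript.php?login=admin"),                   # method not listed
]

if __name__ == "__main__":
    for line in audit(SAMPLE_REQUESTS):
        print(line)
```

The decision logic never tries to recognise an attack; it only asks whether the request is something the policy explicitly permits, which is why the comment's point about custom applications and "zero-day" payloads holds: the `' OR '1=1` value is rejected not because it looks like SQL but because it is not in `[A-Za-z0-9]`. The same shape also covers the "forgot to remove debug.asp" case, since an unlisted path is denied before the backend ever sees it.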
By Anonymous Coward (217.162.139.33) on
so an easy low-cost solution it is not, but make a nice brochure and I'm sure you'll sell some ...
good luck anyway.
By Anonymous Coward (82.236.141.3) on
The solution they offer is a workaround. I do agree, and they do recognize this fact too. So what? Packet filters are workarounds, a non-executable stack is a workaround, ProPolice is a workaround, privilege separation is a workaround and so on.
Unfortunately, we do not live in a world where programs are bug-free and are to be totally trusted, even when written by experts who sometimes are tired/lazy/etc. and do make errors. So we have to use workarounds to mitigate the consequences of bugs.
By Anonymous Coward (217.162.139.33) on
Checking user input is not something to be done on a proxy that can get taken out of the loop when something goes wrong: "Oh, yeah btw, we unplugged the firewall 'cos there was some problem..."
Granted, that is not always possible, but that is a project management/human resources issue, not information security.
By Anonymous Coward (147.249.60.21) on
Those are the most interesting spellings of "vulnerable" that I've ever seen in one post.