Any web pro worth his or her salt should be able to secure a basic site running under Apache and Microsoft ISA or IIS – especially because by default, features that might lead to hacking are typically turned off. Yet these measures do little to guard web applications against sophisticated techniques such as SQL injection, cross-site scripting, worms, and other assaults. Applicure dotDefender 3.0, an easily managed server plug-in, protects against these types of attacks.

Think of dotDefender as a web application firewall. Installation required just a few minutes on Windows Server 2003 running IIS 6 (the software also supports Apache on a variety of Unix and Linux platforms). I found in my testing that the out-of-box configuration then immediately starts checking incoming requests for signs of trouble – without any noticeable performance drain on the server.

More specifically, dotDefender works by evaluating HTTP requests using a combination of three technologies: pattern recognition, session protection, and a signature knowledgebase. For example, pattern recognition looks for attacks such as cookie tampering. Similarly, the software watches sessions for header tampering, probes, remote command execution, and path traversal. Finally, there's a set of signatures that scan for known spammers, worms, and compromised servers.

Using a simple server interface, I managed each technology, such as updating a whitelist with known good servers. Next, I quickly added custom rules for other pattern or signature areas. Applicure provides automatic updates to dotDefender's security rules and signatures, so there should be little ongoing maintenance. What's more, these settings can be customised for each website or application you run.

When I intentionally sent attacks against my server, dotDefender responded according to how rules were designed: logging an incident, sending a default (or customised) error page, or redirecting the request. I monitored the server by looking at detailed attack attempt reports, and then adjusted dotDefender rules as needed. Further, you can send alerts to existing monitoring and management systems.
The application also held up well in a simulated application-level DoS (denial of service) attack, the kind of attack that can slip past network security products.
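To make the three inspection layers and the three rule responses concrete, here is an added example of a toy request evaluator in the same shape: pattern rules over the attacker-controlled parts of a request, a session-integrity check on a server-signed cookie plus a Host-header check, and a signature list of known-bad sources, with each hit carrying a log / error / redirect action. This is illustrative code written for this review, not dotDefender's own implementation; the signing key, the rule set, the allowed host list and the sample addresses are all constructed assumptions.

```python
"""Toy web application firewall evaluator (added example, not dotDefender's code).

Layers modelled on the review's description:
  1. pattern recognition  - regexes over path, body and header values
  2. session protection   - HMAC-signed session cookie, Host header allow-list
  3. signature knowledge  - known-bad source addresses
Each finding carries the action a rule would take: "log", "error" or "redirect".
"""
from __future__ import annotations
import hashlib
import hmac
import re
from dataclasses import dataclass, field

SECRET = b"constructed-demo-key"          # assumption: server-side cookie-signing key
ALLOWED_HOSTS = {"shop.example"}          # assumption: the site this instance protects
BAD_SOURCES = {"198.51.100.7"}            # constructed signature list (TEST-NET-2 address)


@dataclass
class Request:
    src_ip: str
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    body: str = ""


@dataclass
class Finding:
    layer: str
    rule: str
    action: str


# (name, regex, action) - a small, constructed rule set in the spirit of the review
PATTERN_RULES = [
    ("path_traversal", re.compile(r"(\.\./|%2e%2e%2f)", re.I), "error"),
    ("sql_injection_probe",
     re.compile(r"('|%27)\s*(or|and)\s+\d+\s*=\s*\d+|union\s+select", re.I), "error"),
    ("remote_command", re.compile(r"(;|\|\||&&)\s*(cat|wget|curl|sh)\b", re.I), "error"),
]


def sign_session(session_id: str) -> str:
    """Issue a tamper-evident cookie value: <id>.<truncated HMAC-SHA256 tag>."""
    tag = hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{session_id}.{tag}"


def session_intact(cookie_value: str) -> bool:
    """Recompute the tag for the id part and compare in constant time."""
    sid, _, tag = cookie_value.rpartition(".")
    if not sid:
        return False
    expected = hmac.new(SECRET, sid.encode(), hashlib.sha256).hexdigest()[:16]
    return hmac.compare_digest(expected, tag)


def evaluate(req: Request) -> list[Finding]:
    """Run all three layers and return every rule that fired (possibly none)."""
    findings: list[Finding] = []

    # layer 3: signature knowledgebase - requests from known-bad sources
    if req.src_ip in BAD_SOURCES:
        findings.append(Finding("signature", "known_bad_source", "redirect"))

    # layer 1: pattern recognition over the attacker-controlled request surface
    surface = "\n".join([req.path, req.body, *req.headers.values()])
    for name, rx, action in PATTERN_RULES:
        if rx.search(surface):
            findings.append(Finding("pattern", name, action))

    # layer 2: session protection - cookie integrity and Host header tampering
    sess = req.cookies.get("session")
    if sess is not None and not session_intact(sess):
        findings.append(Finding("session", "cookie_tampering", "error"))
    host = req.headers.get("Host", "")
    if host and host not in ALLOWED_HOSTS:
        findings.append(Finding("session", "header_tampering", "log"))

    return findings


def decide(findings: list[Finding]) -> str:
    """Pick the single response: the most severe action among the findings."""
    rank = {"log": 1, "redirect": 2, "error": 3}
    if not findings:
        return "allow"
    return max((f.action for f in findings), key=rank.__getitem__)


if __name__ == "__main__":
    good = Request("203.0.113.5", "GET", "/index.html", {"Host": "shop.example"},
                   {"session": sign_session("abc")})
    print(decide(evaluate(good)))                                   # allow
    print(decide(evaluate(Request("203.0.113.5", "GET",
                                  "/files?name=../../etc/passwd",
                                  {"Host": "shop.example"}))))      # error
```

In a real deployment the action would be carried out by the server plug-in (write the incident to the attack report, serve the error page, or issue the redirect); here `decide` only returns the chosen action so the logic can be exercised directly.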

dotDefender, of course, is only one of many options for enterprises to safeguard web applications. Developers should start by checking for coding vulnerabilities using products like Watchfire's AppScan. And IT managers might consider turnkey solutions, including eEye's REM Security Management Appliance.

Still, these alternatives can be complex and costly. As such, dotDefender's reasonable price and simple management make it a good complement to network firewalls. One limitation for e-commerce sites is that dotDefender doesn't currently provide HTTPS security. That said, dotDefender does find malicious code transferred in secured SSL sessions and then prevents its execution. Moreover, SSL is often provided by standard e-commerce packages.

OUR VERDICT

This rapidly deployed web server plug-in provides HTTP security against application attacks, session attacks, and requests originating from known rogue servers. The predefined security rules are very thorough and provide best practices for website protection, yet can be easily edited. Additionally, enterprises receive automatic security updates against new threats.