SecureIIS Application Firewall
SecureIIS protects Microsoft IIS (Internet Information Services) Web servers from known and unknown attacks. SecureIIS wraps around IIS and works within it, verifying and analyzing incoming and outgoing Web server data for any possible security breaches. It combines the best features of intrusion detection systems and conventional network firewalls in one product. Named as one of the "Three Great Security Tools" by Windows 2000 Magazine, SecureIIS has created quite a stir in the market as it has raised the bar for proactive security tools.
The ability of SecureIIS Web to stop known and unknown attacks comes from its use of CHAM (Common Hacking Attack Methods) technology. An eEye innovation, CHAM gives SecureIIS Web the capability to understand the Web server protocol and the various classes of attacks that Web servers are vulnerable to. SecureIIS Web protects against these classes of attacks, and has the ability to give your Web server up-to-the-minute security that is unmatched by any other product in the market.
SecureIIS protects against the following types of attacks:
Buffer Overflow Attacks
Buffer overflow vulnerabilities stem from problems in string handling. Whenever a computer program copies a string or buffer into a destination buffer that is smaller than the data being copied, an overflow can result. If the destination buffer is overflowed sufficiently, the excess data will overwrite various crucial system data. In most situations an attacker can leverage this to take over a specific program's process, thereby acquiring the privileges that process or program has. SecureIIS limits the size of the "strings" being copied. Doing this greatly reduces the chance of a successful buffer overflow.
Parser Evasion Attacks
Insecure string parsing can allow attackers to remotely execute commands on the machine running the Web server. If the CGI script or Web server feature does not check for various characters in a string, an attacker can append commands to a normal value and have the commands executed on the vulnerable server.
Directory Traversal Attacks
In certain situations, various characters and symbols can be used to break out of the Web server's root directory and access files on the rest of the file system. By checking for these characters and only allowing certain directories to be accessed, directory traversal attacks are prevented. In addition, SecureIIS only allows clients to access certain directories on the server. Even if a new hacking technique arises, breaking out of webroot will still be impossible.
Buffer overflows, format bugs, parser problems, and various other attacks will contain similar data. Exploits that execute a command shell will almost always have the string "cmd.exe" in the exploiting data. By checking for common attacker "payloads" involved with these exploits, we can prevent an attacker from gaining unauthorized access to your Web server and its data.
SecureIIS also has the following features:
SecureIIS resides inside the Web server, thus capturing HTTPS sessions before and after SSL (Secure Socket Layer) encryption. Unlike any Intrusion Detection System or firewall currently on the market, SecureIIS has the ability to stop attacks on both encrypted and unencrypted sessions.
High Bit Shellcode Protection
Shellcode is the code sent to a system to exploit a hole called a "buffer overflow". High Bit Shellcode Protection offers you a high degree of protection against this type of attack because it will drop and log all requests containing characters that have the high bit set. Normal Web traffic, in English, should not contain these types of characters, and almost all "shellcode" requires them to produce an effective exploit.
Third Party Application Protection
The power of SecureIIS is not limited to IIS specific vulnerabilities. SecureIIS can also protect third party applications and custom scripts from attack. If your company has developed customized components for your Web site, components that might be vulnerable to attack, you can use SecureIIS to protect those components from both known and unknown vulnerabilities. Let SecureIIS work as your own web based "Security Quality Assurance" system.
Logging of Failed Requests
SecureIIS writes a file called SecureIIS.log in its installation directory. This file contains a log of all attacks and what triggered the event that caused SecureIIS to drop the connection. This is an effective way to monitor why requests are being stopped, and who is requesting things that they shouldn't. Since SecureIIS enforces a strong security policy for how sites are configured, you can use this log to find places where your Web site may not be acting correctly due to an insecure setting. Also, since Internet Information Server has the unfortunate habit of not logging attacks like buffer overflows that are successful, a twofold security benefit is provided here. Such attacks are not only stopped, but also logged so you can take action accordingly.
Additional checks are in place for attacks that do not follow recognized patterns like the common ones listed above. This approach provides extra security and protects against various attacks that involve data conversion problems. Limitations are also placed on the size of Uniform Resource Locators (URL/URI), HTTP variables, request methods, request header size, and other HTTP-related content.
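The request checks described above (size limits, directory restriction, payload keywords, high-bit characters and data-conversion checks) can be sketched as a single inspection function. This is an added example, not SecureIIS or eEye code; the limits, the allowed directories and all names in it are assumptions chosen for illustration.

```python
from urllib.parse import unquote_to_bytes

# Assumed policy values for illustration; not SecureIIS defaults.
MAX_URL_LEN = 1024
MAX_HEADER_LEN = 2048
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_DIRS = ("/site/", "/images/")   # hypothetical directories under webroot
BLOCKED_KEYWORDS = (b"cmd.exe",)        # the payload string the page names

def inspect_request(method: str, raw_url: bytes, headers: dict) -> tuple:
    """Return (allowed, reason); reason names the first check that failed."""
    if method not in ALLOWED_METHODS:
        return False, "method"
    if len(raw_url) > MAX_URL_LEN:
        return False, "url-length"
    if any(len(k) + len(v) > MAX_HEADER_LEN for k, v in headers.items()):
        return False, "header-length"

    # Inspect the bytes the server will act on, not the escaped wire form.
    decoded = unquote_to_bytes(raw_url)
    if unquote_to_bytes(decoded) != decoded:
        return False, "double-encoding"   # a second decode pass changes the data
    if any(b >= 0x80 for b in decoded):
        return False, "high-bit"
    if any(k in decoded.lower() for k in BLOCKED_KEYWORDS):
        return False, "keyword"

    # Treat backslash as a separator, as Windows path handling does.
    path = decoded.split(b"?", 1)[0].replace(b"\\", b"/").decode("ascii")
    if ".." in path.split("/"):
        return False, "traversal"
    if not path.startswith(ALLOWED_DIRS):
        return False, "directory"
    return True, "ok"

# Constructed sample requests (not taken from any real log).
SAMPLES = [
    ("GET", b"/site/index.html"),
    ("GET", b"/site/%2e%2e/%2e%2e/secret.txt"),
    ("GET", b"/site/%252e%252e/secret.txt"),
    ("GET", b"/site/form?name=%90%90%90%90"),
    ("GET", b"/site/run?arg=CMD.EXE"),
    ("GET", b"/admin/panel"),
    ("TRACE", b"/site/index.html"),
    ("GET", b"/site/" + b"A" * 2000),
]

def run_samples():
    return [inspect_request(m, u, {"Host": "www.example.com"})[1] for m, u in SAMPLES]
```

Because the high-bit check runs on the decoded bytes, it also rejects percent-encoded UTF-8, so a site serving non-English content would need that rule relaxed for the affected parameters.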
All of these additional protection features make SecureIIS the product of today that protects you from the attacks of tomorrow, making it the ultimate proactive security tool.
Windows NT 4.0
Microsoft IIS (Internet Information Services) 4.0
Service Pack 6a or higher
- or -
Microsoft IIS (Internet Information Services) 5.0
Service Pack 1 or higher
eEye Digital Security papers - (recommended reading)
CHAM (Common Hacking Attack Methods)
A Look Into Application Firewalls