SecureIIS was specifically designed to protect Microsoft IIS (Internet Information Services) web servers from known and unknown vulnerabilities. SecureIIS works within the IIS web server, analyzing incoming and outgoing web server data for possible security breaches. SecureIIS relies on heuristic attack detection, acting as a true intrusion prevention system.
Application Layer Protection
Unlike network-layer protection products, an application-layer solution works within the application that it is protecting. SecureIIS inspects requests as they come in from the network level, as they are handed off at the kernel level, and at every level of processing in between. If at any point SecureIIS detects a possible attack, it can take over and prevent unauthorized access and/or damage to the web server.
Integration with the IIS Platform
SecureIIS was developed as an ISAPI filter, which allows it to integrate more tightly with the web server. SecureIIS monitors data as it is processed by IIS, and can block a request at any point if it resembles one of many classes of attack patterns. Because of eEye's extensive knowledge of the many ways in which IIS servers can be attacked, as well as the nature of an application firewall, even undiscovered vulnerabilities specific to IIS are secured.
Blocks Against Entire Classes of Known & Unknown Attacks
Unlike network firewalls and intrusion detection systems, SecureIIS does not rely upon a database of attack signatures that require regular updating. Instead, it uses multiple security filters to inspect web server traffic for such issues as buffer overflows, parser evasions, directory traversal and other attacks. Therefore, SecureIIS is able to block entire classes of attacks, including those attacks that have not yet been discovered.
SecureIIS protects against the following attack types
- Buffer Overflow Attacks: SecureIIS checks the lengths of all client-supplied buffers. If the data is larger than the maximum size allowed, SecureIIS will drop the connection, thereby avoiding a buffer overflow.
- Parser Evasion Attacks: Insecure string parsing can allow attackers to remotely execute commands on the machine running the web server. SecureIIS checks for various characters in a string that would allow an attacker to add on commands to a normal value. If these characters are found, SecureIIS will drop the connection.
- Directory Traversal Attacks: In certain situations, various characters and symbols can be used to break out of the web server's root directory and access files on the rest of the file system. SecureIIS checks for these characters and also blocks access to specific directories.
- General Exploitation: By checking for common attacker "payloads" in the exploiting data, SecureIIS can prevent an attacker from gaining unauthorized access to your web server and its data.
- High-Bit Shellcode Protection: Normal English-language web traffic does not contain high-bit characters. SecureIIS will drop all requests containing high-bit characters, which often signal a potential buffer overflow attack.
- RFC Compliancy: SecureIIS prevents attackers from manipulating the HTTP protocol in attempts to bypass security systems and exploit security holes.
- Other Attacks: SecureIIS has additional checks in place to identify — and drop — requests that contain recognized patterns. Limitations are also placed on the size of uniform resource locators (URL/URI), HTTP variables, request methods, request header size and other HTTP-related content.
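To make the filter classes above concrete, here is an added illustration of the same style of heuristic request inspection. It is not eEye's code and does not reproduce SecureIIS's real defaults; the size limits, method allow-list, metacharacter set, restricted directories and sample requests are all constructed assumptions.

```python
import re
from urllib.parse import unquote, parse_qsl

# Assumed limits and patterns; SecureIIS's real defaults are not given on the page.
MAX_URL_LEN = 1024
MAX_HEADER_LEN = 4096
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
SHELL_METACHARS = set(";|`$<>")              # characters that let a value turn into extra commands
TRAVERSAL = re.compile(r"\.\.[/\\]")         # parent-directory step, checked after URL decoding
RESTRICTED_DIRS = ("/winnt/", "/windows/")   # assumed deny-listed directories

def inspect_request(method, url, headers):
    """Return None if the request passes every check, else the name of the first failed check."""
    if method.upper() not in ALLOWED_METHODS:
        return "rfc-compliance"
    if len(url) > MAX_URL_LEN:
        return "buffer-overflow"
    if any(len(v) > MAX_HEADER_LEN for v in headers.values()):
        return "buffer-overflow"
    # High-bit check over everything the client supplied (URL and header values)
    if any(ord(ch) > 127 for ch in url + "".join(headers.values())):
        return "high-bit-shellcode"
    # Decode twice so a double-encoded %252e%252e is seen as ".." like a single-encoded one
    decoded = unquote(unquote(url))
    path, _, query = decoded.partition("?")
    if TRAVERSAL.search(path) or any(d in path.lower() for d in RESTRICTED_DIRS):
        return "directory-traversal"
    # Parser evasion: inspect the path and each query value, not the & and = separators
    fields = [path] + [v for _, v in parse_qsl(query, keep_blank_values=True)]
    if any(ch in SHELL_METACHARS for f in fields for ch in f):
        return "parser-evasion"
    return None

# Constructed sample requests for the demonstration (not captured traffic)
SAMPLE_REQUESTS = [
    ("GET", "/default.htm?id=42", {"Host": "www.example.com"}),
    ("GET", "/" + "A" * 2000, {"Host": "www.example.com"}),
    ("GET", "/search.asp?q=%7C+dir", {"Host": "www.example.com"}),
    ("GET", "/images/..%2f..%2fwinnt/win.ini", {"Host": "www.example.com"}),
    ("GET", "/index.asp", {"Host": "\xff\xff\xff\xff"}),
    ("TRACE", "/", {"Host": "www.example.com"}),
]

def classify_samples():
    """Run every sample through the filter and return the verdict for each, in order."""
    return [inspect_request(m, u, h) for m, u, h in SAMPLE_REQUESTS]

if __name__ == "__main__":
    for (m, u, h), verdict in zip(SAMPLE_REQUESTS, classify_samples()):
        print(f"{m} {u[:40]:<40} -> {verdict or 'allowed'}")
```

Because checks run in a fixed order, a request that fails several of them is reported under the first one, which is also how such a log entry should be read: the named reason is the earliest check that fired, not necessarily the only one.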
Central Policy Management
SecureIIS gives you the ability to manage settings for any number of machines from a single central machine. Once a policy is configured and exported from the central machine, other machines can be set to automatically import the policy and any future changes made to it.
Logging of All Blocked Requests
SecureIIS maintains a log of all dropped requests that is easily accessible from the main SecureIIS interface. The log provides detailed explanations as to why requests were denied. In addition, regular analysis of these logs can help you identify performance issues with your website such as non-existent pages, links to restricted directories and more.
Real-Time Statistic Charts
SecureIIS also allows you to monitor activity in real time by viewing graphs that represent a count of current log entries. There is a chart for each of the most common classes of attack as well as for the number of successful, non-attack hits on the website.
Protection Against SSL Encrypted Sessions
Unlike traditional network firewalls, SecureIIS has the ability to analyze HTTPS sessions before and after SSL (Secure Sockets Layer) encryption, and can therefore stop attacks on both unencrypted and encrypted sessions.
Flexible Export Capability
The log of dropped requests, accessible from the main SecureIIS interface, can be exported in any number of formats, including tab-delimited, text, Excel, SQL and more.
Global-Settings Adjustment
If SecureIIS's default settings do not represent the optimal configuration for your web servers, you can reconfigure the application globally across all sites on a server, on a per-site basis or on a per-virtual-directory basis through an intuitive point-and-click interface.