Any Firewall Appliance to Front End Web and Mail Server?

To protect internal users and networks I really like the approach used in the Fortinet Fortigate firewall appliances, which integrate a lot of anti-virus, intrusion protection, and other higher level abstractions directly into the firewall. The Fortigate is just a standard firewall, however, when it comes to protecting internal servers against hackers. For example, you can design a set of firewall rules that might limit incoming connections to the web server to port 80, but there is no protocol level inspection of incoming HTTP requests, to detect or block specific kinds of probes or attacks against the web server.

Does any vendor make a firewall appliance that is specifically focused on protecting internal web servers and blocking against specific kinds of attacks? Any references to such appliances are appreciated.

Reply to
Will

hi will...

you might want to try Checkpoint firewall with Web Intelligence which provides specialised protection against web servers...

I don't guarantee on their UTM appliance series... but software on a hardened platform/Nokia appliance works well...

Reply to
Arjun

Under $1K total cost including hardware would also be nice....

Reply to
Will

WatchGuard has an SMTP Proxy that will allow you to control MANY things, including only allowing approved file types, file sizes, etc...

Same with their HTTP Proxy rules.

For medical sites we always use the SMTP and HTTP Proxy rules to clean content before it reaches the servers or the users' sessions.

Reply to
Leythos

If the internal servers are on a separate subnet, traffic to them can be inspected by a suitable filtering device just the same way that the device can inspect traffic to/from external servers.

Any UTM box can do that.

Wolfgang

Reply to
Wolfgang Kueter

If price is a key issue, this might suit your needs ...

VH.

Reply to
Van Helsing

Hi Will,

Yes. What's yer budget? What sort of speed do you need?

Unified Threat Management boxes may be one solution.

There was recently a roundup of these devices in SC Magazine.

Among those, I have some experience with the ISS (now part of IBM) Proventia M that runs about $1400 plus support. What I like about those is that the IPS/IDS in them doesn't block whole IP addresses--they just swallow the subset of the traffic that represents the detected threat when in blocking mode. Many other vendors seem to lock out IPs when threats are triggered, which makes them rather vulnerable to DoS with spoofed traffic.

Reply to
Todd H.

Check Point with a Web Intelligence license will do some "basic" checks.

If web services are part of your core business: (in no particular order)

F5 Big-IP with ASM
Reactivity ...

Patching your systems, writing secure code and an audit from time to time might also help.

Reply to
Robby Cauwerts

The attack is usually different. The user inside the network using a browser goes to a page with a trojan and it is embedded as an ActiveX, for example. So a defense against that would be to inspect the ActiveX binary during download for meta-information as well as a checksum that might identify it, and then block it.

The attack against the web server you own is more likely to focus on trying to force buffer overloads on your server, so the defense against that is more about inspecting for bad URLs, SQL injections, etc.

Reply to
Will

Actually, blocking ActiveX completely is the best method. There is no reason to allow ActiveX except from known good sites that require it for your business.

Reply to
Leythos
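The two proxy-side policies described in this thread (WatchGuard-style SMTP/HTTP proxy rules that admit only approved attachment types and sizes, and blocking ActiveX except from known-good sites) come down to the same kind of content decision at the application layer. The following is an added example written for this thread, not WatchGuard's or any other vendor's code; the approved extensions, size cap, ActiveX content types, allow-listed host and the sample MIME message are all constructed for illustration.

```python
"""Proxy-style content policy: attachment allow-listing for SMTP and an
ActiveX block-unless-approved rule for HTTP responses.  Added example, not a
vendor's implementation; every policy value below is a constructed assumption."""
import email
from email import policy
from typing import Dict, List, Tuple

# Constructed policy values (assumptions, not a real appliance's defaults).
ALLOWED_ATTACHMENT_EXTENSIONS = {".pdf", ".txt", ".docx", ".xlsx", ".png", ".jpg"}
MAX_ATTACHMENT_BYTES = 5 * 1024 * 1024                     # 5 MiB per attachment
ACTIVEX_CONTENT_TYPES = {"application/x-oleobject", "application/olescript"}
ACTIVEX_EXTENSIONS = {".cab", ".ocx"}
ACTIVEX_ALLOWED_HOSTS = {"intranet.example.internal"}      # constructed "known good" host


def _extension(name: str) -> str:
    name = name.lower().split("?")[0]
    return name[name.rfind("."):] if "." in name else ""


def check_smtp_message(raw: bytes) -> Tuple[bool, List[str]]:
    """SMTP proxy rule: every attachment must carry an approved extension and
    stay under the size cap.  Returns (accept, reasons); any reason rejects."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons: List[str] = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = _extension(name)
        payload = part.get_payload(decode=True) or b""
        if ext not in ALLOWED_ATTACHMENT_EXTENSIONS:
            reasons.append(f"attachment {name!r}: type {ext or '(none)'} not approved")
        if len(payload) > MAX_ATTACHMENT_BYTES:
            reasons.append(f"attachment {name!r}: {len(payload)} bytes exceeds cap")
    return (not reasons, reasons)


def check_http_response(host: str, path: str, headers: Dict[str, str]) -> Tuple[bool, str]:
    """HTTP proxy rule: ActiveX-bearing content (by declared type or by file
    extension) is blocked unless it comes from an allow-listed host."""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    ext = _extension(path)
    looks_activex = ctype in ACTIVEX_CONTENT_TYPES or ext in ACTIVEX_EXTENSIONS
    if looks_activex and host.lower() not in ACTIVEX_ALLOWED_HOSTS:
        return (False, f"ActiveX content ({ctype or ext}) from non-approved host {host}")
    return (True, "allowed")


# Constructed sample message: one approved PDF and one executable attachment.
SAMPLE_MESSAGE = (
    b"From: alice@example.test\r\nTo: bob@example.test\r\nSubject: report\r\n"
    b"MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=\"b1\"\r\n\r\n"
    b"--b1\r\nContent-Type: text/plain\r\n\r\nSee attached.\r\n"
    b"--b1\r\nContent-Type: application/pdf; name=\"q3.pdf\"\r\n"
    b"Content-Disposition: attachment; filename=\"q3.pdf\"\r\n"
    b"Content-Transfer-Encoding: base64\r\n\r\nJVBERi0xLjQK\r\n"
    b"--b1\r\nContent-Type: application/octet-stream; name=\"invoice.exe\"\r\n"
    b"Content-Disposition: attachment; filename=\"invoice.exe\"\r\n"
    b"Content-Transfer-Encoding: base64\r\n\r\nTVqQAAMAAAAEAAAA\r\n"
    b"--b1--\r\n"
)

if __name__ == "__main__":
    print(check_smtp_message(SAMPLE_MESSAGE))
    print(check_http_response("www.example.test", "/dl/ctl.cab",
                              {"Content-Type": "application/octet-stream"}))
    print(check_http_response("intranet.example.internal", "/ctl.ocx",
                              {"Content-Type": "application/x-oleobject"}))
```

Both checks look at file extension as well as declared content type, because a proxy that trusts only the `Content-Type` header is trivially disappointed by a server that mislabels the download; a production rule would add signature-based type detection on the payload itself.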

Agreed and that is for the web browsers behind our firewall.

I'm trying to protect a web server, so blocking ActiveX at the browser isn't addressing my need.

What I am looking for is a web application firewall that is commoditized as an appliance for low-end servers, similar to what Fortinet has done with their 50B and 60B firewall appliances for small businesses.

Reply to
Will

You are looking for IDP/IDS functionality. As I said, UTM boxes offer that service usually, Fortigate boxes can do it as well. Subscription for IDP/IDS service will often cost some extra money.

Wolfgang

Reply to
Wolfgang Kueter

If a web server is all you want to protect, then a simple NAT router will do all you need if you properly secure the server and web services.

What OS/Web service are you running?

Reply to
Leythos

Hi,

Leythos wrote:

How does NATting ensure protocol integrity and stop inline attacks? Answer: It can't. You need some application layer proxy to do that.

Cheers, Jens

Reply to
Jens Hoffmann

How is a NAT box going to inspect a URL request and block SQL injections or any other known vulnerability of a web server?

Of course you configure the server as well, but that's not mutually exclusive with a web application firewall, and the two complement each other.

Reply to
Will
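To make concrete the point argued above (a port filter or NAT router sees only a destination port, while a web application firewall inspects the URL, and neither replaces a properly written server), here is an added example that is not part of the thread and not any vendor's product. It runs a few constructed request lines through a port-only rule and through a small layer-7 inspector, and then shows the server-side half of the defence with a parameterised query against an in-memory SQLite table. The rule set and sample requests are constructed and deliberately minimal.

```python
"""Port-only filtering versus layer-7 request inspection, plus the server-side
parameterised query that complements the WAF.  Added example; the patterns,
size limit and sample requests are constructed assumptions, not a product's rules."""
import re
import sqlite3
from typing import List, Tuple
from urllib.parse import parse_qsl, unquote_plus, urlsplit

MAX_URL_LENGTH = 2048                               # constructed limit
SQLI_PATTERNS = [                                   # constructed, intentionally small
    re.compile(r"(?i)\bunion\b\s+(all\s+)?\bselect\b"),
    re.compile(r"(?i)\b(or|and)\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+"),   # OR 1=1, OR 'a'='a'
    re.compile(r"(--|/\*)"),                                              # SQL comment sequences
    re.compile(r"(?i)\b(drop|delete|insert|update)\b\s+\b(table|from|into)\b"),
]
TRAVERSAL = re.compile(r"\.\./|\.\.\\")


def port_filter_allows(dst_port: int) -> bool:
    """All a packet filter / NAT rule knows about a request: its destination port."""
    return dst_port == 80


def inspect_request(request_line: str) -> Tuple[bool, List[str]]:
    """Layer-7 check of 'METHOD /path?query HTTP/1.1'.  Returns (allow, findings)."""
    findings: List[str] = []
    try:
        _method, target, _version = request_line.split(" ", 2)
    except ValueError:
        return (False, ["malformed request line"])
    if len(target) > MAX_URL_LENGTH:
        findings.append(f"URL length {len(target)} exceeds {MAX_URL_LENGTH}")
    parts = urlsplit(target)
    if TRAVERSAL.search(unquote_plus(parts.path)):      # decode before matching
        findings.append("path traversal sequence in path")
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        for pat in SQLI_PATTERNS:
            if pat.search(value):
                findings.append(f"SQL-injection pattern in parameter {key!r}: {pat.pattern}")
                break
    return (not findings, findings)


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the web server's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id TEXT, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", [("42", "phone"), ("7", "case")])
    return conn


def lookup_product(conn: sqlite3.Connection, product_id: str) -> List[str]:
    """Server-side half of the defence: the value is bound as data, never
    spliced into SQL, so whatever slips past the filter in front stays inert."""
    cur = conn.execute("SELECT name FROM products WHERE id = ?", (product_id,))
    return [row[0] for row in cur.fetchall()]


# Constructed request lines, all arriving on TCP port 80 and so all passing a port rule.
SAMPLE_REQUESTS = [
    "GET /products?id=42 HTTP/1.1",
    "GET /products?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1",
    "GET /search?q=phones+UNION+SELECT+password+FROM+users-- HTTP/1.1",
    "GET /static/..%2F..%2Fetc%2Fpasswd HTTP/1.1",
    "GET /report?page=" + "A" * 3000 + " HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        allow, findings = inspect_request(line)
        print(f"port filter: {'pass' if port_filter_allows(80) else 'drop'} | "
              f"WAF: {'pass' if allow else 'BLOCK'} {findings}")
    conn = demo_db()
    print(lookup_product(conn, "42"), lookup_product(conn, "42' OR '1'='1"))
```

The inspector decodes percent-encoding and `+` before matching, which is the step a naive pattern match forgets; even so, a hand-written list like this has both misses and false positives, which is why the parameterised query on the server is not optional.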

Yes, thank you.

Reply to
Will

It doesn't, as you've so nicely put it, but if your server is properly secured (since I don't know what OS/service), there is a good chance that you're not going to get much more protection that would do you much good.

Reply to
Leythos

Reply to
John Mason Jr

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.