A Web application firewall provides protection whenever sensitive data is exchanged or displayed using Web applications (HTTP, Web services). Typical examples are Webmail applications (e.g. Outlook Web Access), file management systems (e.g. MS Sharepoint), and more complex applications for transactions such as e-voting. The USP Secure Entry Server™ (SES) Web application firewall protects these applications from Internet-based attacks and the users of Web applications from data manipulation and identity theft.
Web applications that are authenticated by the user’s name and password are extremely vulnerable to trojans and keyloggers. The Web application firewall from United Security Providers enables these applications to be upgraded to a state-of-the-art two-factor authentication system (such as mTAN/SMS, RSA SecurID, Aladdin eToken OTP, VASCO, Kobil, etc.) without affecting the existing environment or functionality. This increases the security level at a single stroke.
A Web application firewall monitors all data traffic (HTTP/S, SOAP) and checks data content (HTML, XML, JavaScript). The data is classified on the basis of built-in heuristics, extensible rules and information from third-party systems, such as virus scanners. As soon as the system identifies suspicious data content, it either blocks the query or takes corrective action. The user is either asked to log on again or to verify that the data is from a trusted source, or the event is forwarded to another system (such as a monitoring system or a fraud detection system) for evaluation. This ensures, for instance, that no one can hack into your system to read your e-mails and that no files infected with viruses can get into your Sharepoint or e-mail attachments.
Our Web application firewall, the USP Secure Entry Server™, supports two different operating modes. The “negative security mode” blocks all access attempts that trigger a rule infringement. The “positive security mode” blocks all access attempts that do not relate to a valid URL or registered application. The two operating modes can be used side by side. The deliverables include a simulation tool which enables the administrator to ensure that the negative security mode rules do not block any valid queries (“false positives”). A learning mode supports the administrator in generating constraining rules for the positive security mode to prevent manipulated queries (“false negatives”) from getting through.
Our Web application firewall, the USP Secure Entry Server™, is an appliance which is simply installed between the Internet connection and your Web servers. Two different network connections can be used for this. The USP Secure Entry Server™ can also be installed as a software package in special cases, e.g. on virtualized servers.
The appliance can protect users and user transactions as well as Web servers. This involves integrating an existing authentication infrastructure using RADIUS or LDAP. Your infrastructure does not need to be homogeneous. The USP Secure Entry Server™ supports an unlimited number of logon procedures within the same installation. This makes it an ideal tool for implementing two-factor authentication for employees, customers or other users and/or for migrating to other technologies.
Our USP Secure Entry Server™ can provide basic protection for your Web servers and standard applications within hours. The applications you want to protect (e.g. Outlook Web Access) and the target system are defined via the Web configuration. The USP Secure Entry Server™ just has to be networked correctly, and then its built-in mechanisms protect the registered applications from all unauthorized access attempts.
The protection of customer-specific Web applications requires an in-depth analysis of the accessible URLs, the data exchanged and the administration data (cookies). The USP Secure Entry Server™ can collect this data in a learning mode. If a high degree of protection is required, access can be restricted to the addresses seen in the learning mode (positive security mode). This procedure is very secure but has the drawback that the USP Secure Entry Server™ blocks any addresses that were not used during the learning phase. We therefore recommend a long learning phase during which the simulation mode is used extensively. This process can involve several days’ integration effort.
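The interplay of the four concepts described above (negative security mode, positive security mode, simulation and learning) is easiest to see in a small model. The following Python example is added here for illustration and is not code from United Security Providers or from the USP Secure Entry Server; the request model, the three rule patterns and the `ToyWaf` class are all constructed for this example. It shows how a learning phase fills the allowlist that positive mode enforces, how a negative-mode rule hit blocks a request, and how simulation mode logs a would-be block instead of enforcing it so that an administrator can check for false positives before switching rules on.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Request:
    """Minimal HTTP request model (constructed for this example)."""
    method: str
    path: str                      # URL path without query string
    query: str = ""                # raw query string
    body: str = ""                 # form data or XML payload
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Verdict:
    action: str                    # "forward" or "block"
    reasons: List[str]             # checks that fired
    simulated: bool = False        # a rule hit was logged but not enforced


# Negative security mode: illustrative rule patterns, constructed here and not
# the product's rule set. Any match counts as a "rule infringement".
NEGATIVE_RULES: List[Tuple[str, re.Pattern]] = [
    ("sqli", re.compile(r"\bunion\s+select\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I)),
    ("xss", re.compile(r"<\s*script\b|javascript\s*:", re.I)),
    ("traversal", re.compile(r"\.\./|%2e%2e%2f", re.I)),
]


class ToyWaf:
    """Hypothetical WAF with negative, positive, simulation and learning modes."""

    def __init__(self, negative: bool = True, positive: bool = False,
                 simulate: bool = False) -> None:
        self.negative = negative    # block on rule infringement
        self.positive = positive    # block anything not registered during learning
        self.simulate = simulate    # log negative-rule hits instead of blocking
        self.learning = False
        self.allowed: Set[Tuple[str, str]] = set()   # (method, path) seen while learning
        self.events: List[str] = []                   # what an administrator reads in the log

    def start_learning(self) -> None:
        self.learning = True

    def stop_learning(self) -> None:
        self.learning = False

    def _negative_hits(self, req: Request) -> List[str]:
        # Inspect path, query, body and header values against every rule.
        surface = " ".join([req.path, req.query, req.body, *req.headers.values()])
        return [name for name, pat in NEGATIVE_RULES if pat.search(surface)]

    def inspect(self, req: Request) -> Verdict:
        if self.learning:
            # Learning mode: record the URL and forward without enforcement.
            self.allowed.add((req.method, req.path))
            return Verdict("forward", [])
        reasons: List[str] = []
        if self.positive and (req.method, req.path) not in self.allowed:
            reasons.append("unregistered-url")
        simulated = False
        if self.negative:
            hits = self._negative_hits(req)
            if hits and self.simulate:
                # Simulation: record the would-be block so false positives show up in the log.
                self.events.append(f"SIMULATED block {req.method} {req.path}: {hits}")
                simulated = True
            else:
                reasons.extend(hits)
        if reasons:
            self.events.append(f"BLOCK {req.method} {req.path}: {reasons}")
            return Verdict("block", reasons, simulated)
        return Verdict("forward", [], simulated)


if __name__ == "__main__":
    waf = ToyWaf(negative=True, positive=True)
    waf.start_learning()
    waf.inspect(Request("GET", "/owa/inbox"))
    waf.stop_learning()
    print(waf.inspect(Request("GET", "/admin/config")))   # blocked: not seen in learning
    print(waf.inspect(Request("GET", "/owa/inbox", query="id=1' or '1'='1")))  # blocked: sqli
```

Note that the positive-mode allowlist is keyed on method and path only; real deployments also constrain parameters and cookies, which is why the text above recommends a long learning phase before enforcing positive mode.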
Support for different authentication procedures and for Web Single Sign-On (SSO) is another functional area of the USP Secure Entry Server™. If you already have an authentication infrastructure or an IAM system, it only takes a few minutes to integrate a RADIUS, RSA ACE or LDAP server. If a Web authentication procedure has to be set up, the amount of effort involved depends largely on the logon procedure. An external device should always be used for secure logon. This means you will have to implement processes to distribute and replace these devices or add processes on top of existing ones (e.g. mTAN). Evaluating and implementing the tokens and processes requires the most effort.
Security is an ongoing process. The defence mechanisms of the USP Secure Entry Server™ are regularly aligned with the latest attack scenarios. These updates are published approximately every two months and should be imported as quickly as possible. We also recommend monitoring your log files regularly to detect unavoidable false positives/false negatives and other events relating to security. United Security Providers offer a subscribable managed security service for customers who prefer to have trained security specialists handle these tasks. This service guarantees high security standards at calculable costs. Modifying applications or installing new ones always entails some adjustments. The training and simulation software included in the deliverables helps you to keep these costs to a minimum.
The SES enables you to access all integrated Web applications with a single logon. If you decide to activate the Web Single Sign-On (SSO) option, each Web application has to be integrated into the SSO mechanism just once. The interfaces and filters for standard applications built into the USP Secure Entry Server™ guarantee that the majority of applications can be switched to Web SSO within minutes without any modifications having to be made to the application or the Web server.
The USP Secure Entry Server™ provides multiple interfaces for the integration of third-party systems. Examples include systems management software (SMS), fraud detection systems, virus scanners, monitoring systems, load balancers, etc. These interfaces are documented in detail and placed at customers’ disposal for them to extend their systems. On request, requirements that are of interest to a wider group of customers are included in the product roadmap and addressed in a later version.
United Security Providers also ship the software under licence. This allows customers to configure the system architecture and the distribution of the system components across servers and network zones in any way they choose. The unrivalled flexibility achieved by this combination of documented interfaces, open architecture and standardized system components gives the USP Secure Entry Server™ a leading edge over other products in this field.
You specify which applications you want to protect and the approximate number of accesses and users for the Web services concerned. These specifications determine the size of the USP Secure Entry Server™ appliance. You decide whether you want the appliance to monitor HTML/SOAP data traffic only, or whether you want to implement Web Single Sign-On (SSO) as well and possibly upgrade your authentication procedures.
The first installation phase involves connecting the USP Secure Entry Server™ to the network and configuring the IP address, machine name and X.509v3 certificates via the browser. You choose the application type and connection data for each standard application that you want to protect. The learning mode can be activated for customer-specific Web applications and appropriate rules can be generated after the end of the learning phase. In the second phase, you change the network layout and routing, so that all accesses to Web applications are routed through the Web application firewall. This protects the Web servers from Internet-based attacks. Two-factor authentication and Web Single Sign-On can be activated in an (optional) third phase. After this phase, users are well protected from identity theft. Even better protection can be achieved by analysing Internet transactions and activating the USP Secure Entry Server™ transaction protection feature. This is the highest security level, and it enables critical transactions to be executed securely, even from infected servers.
A conventional firewall controls access to services. It either permits or blocks all data traffic on a Web server (port 80/443). A Web application firewall blocks Web services much more selectively, depending on the content of the data, and places the whole transaction in context based on the current status of the HTTP and SOAP protocols. Queries are only forwarded to the Web server provided the sequence of protocol steps is correct, the administration data (HTTP header) complies with W3C standards and the data content (HTML/XML) does not match any attack vectors.
Conventional firewalls (deep inspection firewalls) are unable to ward off attacks on Web applications because they don’t place data in the context of the transaction as a whole.
A Web application firewall protects HTTP- and SOAP-based applications and services. The system configuration must permit users to access the Web servers through the Web application firewall only. If you do not have any Web applications or cannot force your users to access them through a Web application firewall, there is no point in implementing one.
The threats are constantly changing and vary according to the target groups under attack. The main attack techniques include:
- Data manipulation (form data tampering, injection flaws, forceful browsing, HTTP request smuggling)
- Executing code in an Internet user’s context (cross-site scripting, drive-by infection)
- Stealing the identity of a legitimate user (session riding, session hijacking)
These attacks are usually aimed at procuring information or preparing further attacks (trojans). Often hackers will just try to block access to services (denial of service).
The purpose of phishing attacks is to trick Internet users into revealing their passwords. A Web application firewall can only provide limited protection from phishing attacks. The problem is that passwords are valid for several months and users often do not even realise that their password has been stolen.
The USP Secure Entry Server™ (SES) can, however, provide indirect protection from phishing attacks by reducing the consequences of password theft: it requires users to enter a transaction authorization number (TAN), which only has a limited validity, in addition to their password. TANs can be sent as text messages or generated by RSA SecurID or similar tokens. This mechanism prevents hackers from logging on with a stolen password, so even if a phishing attack is successful it does not have any consequences.
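The point of the paragraph above is that a second factor with a short lifetime makes a phished password useless on its own. The following Python example is added here to show that property in code; it is not code from United Security Providers or from the SES, and its `UserStore`, `TanStore` and `login` helpers are constructed for this example. It assumes a TAN lifetime of 120 seconds and, beyond what the text states, that a TAN is consumed on first use (the common behaviour for mTAN and token codes); the clock is injectable so the expiry path can be exercised without waiting.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple


def _pw_hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so a leaked user table does not reveal passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class UserStore:
    """Username -> (salt, PBKDF2 hash). Constructed for this example."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}

    def add(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, _pw_hash(password, salt))

    def check_password(self, username: str, password: str) -> bool:
        entry = self._users.get(username)
        if entry is None:
            _pw_hash(password, b"\x00" * 16)   # keep timing similar for unknown users
            return False
        salt, digest = entry
        return hmac.compare_digest(digest, _pw_hash(password, salt))


class TanStore:
    """One pending TAN per user, valid for ttl_seconds and for a single attempt (assumption)."""

    def __init__(self, ttl_seconds: int = 120,
                 now: Callable[[], float] = time.time) -> None:
        self.ttl = ttl_seconds
        self.now = now                      # injectable clock
        self._pending: Dict[str, Tuple[str, float]] = {}

    def issue(self, username: str) -> str:
        # Six-digit TAN; in practice delivered by SMS (mTAN) or shown by a token.
        tan = f"{secrets.randbelow(10**6):06d}"
        digest = hashlib.sha256(tan.encode()).hexdigest()
        self._pending[username] = (digest, self.now() + self.ttl)
        return tan

    def verify(self, username: str, tan: str) -> bool:
        # Consumed on the first attempt, right or wrong, so a TAN cannot be guessed repeatedly.
        entry = self._pending.pop(username, None)
        if entry is None:
            return False
        digest, expires = entry
        if self.now() > expires:
            return False                    # limited validity: expired TAN is rejected
        return hmac.compare_digest(digest, hashlib.sha256(tan.encode()).hexdigest())


def login(users: UserStore, tans: TanStore, username: str,
          password: str, tan: Optional[str]) -> str:
    """Password first, then the TAN; a stolen password alone never gets through."""
    if not users.check_password(username, password):
        return "denied: bad password"
    if tan is None or not tans.verify(username, tan):
        return "denied: missing, expired or wrong TAN"
    return "granted"


if __name__ == "__main__":
    users = UserStore()
    users.add("alice", "correct horse battery staple")
    tans = TanStore()
    print(login(users, tans, "alice", "correct horse battery staple", None))  # denied
    code = tans.issue("alice")
    print(login(users, tans, "alice", "correct horse battery staple", code))  # granted
```

The password check runs before the TAN check so that a wrong password never consumes a pending TAN, while a TAN is consumed whether or not it matched; together these keep the second factor short-lived and single-use, which is exactly what limits the damage a phished password can do.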
Where security is concerned, there can be no compromise. We enhance the USP Secure Entry Server™ on an ongoing basis in the light of the latest Internet-based challenges and our security experts’ insights. Useful technologies are integrated and supported. We continuously improve cooperation and information exchange with third-party systems such as virus scanners, monitoring systems, fraud detection systems, etc. and align them with the latest standards, if applicable.
If so, please e-mail us at solutionsales@united-security-providers.com or call us on +41 31 959 02 02.