| WebGuard | AU-KBC Research Centre |
WebGuard
Internet security products come in various forms: there are products to prevent hacking, detect hacking, encrypt channels of communication, ensure message integrity, etc. A bank, for example, practices all security measures but still insures itself in case of any mishap. WebGuard is such a product. When all the security protections fail, WebGuard sees to it that the damage is not visible to the outside world and recovers from the damage (if possible), thus saving face and reputation.
How It Works
WebGuard is typically positioned between the Web Server and the Router/Firewall of the Web Site. It has one Network Interface Card connected to the Web Server and another Network Interface Card connected to the Router. The WebGuard NICs can be configured with dedicated network subnet IDs so that even pesky internal users can't reach the WebGuard machine.
WebGuard Architecture
Authorized publishers of your Web site’s content create WebGuard Headers for all new or revised Web objects—such as HTML pages, GIF files, or JPEG files—and store these on the Web Server. WebGuard intercepts all content travelling to and from the Web server, verifying its authenticity with WebGuard Header information. Only approved content is allowed to be published.
Administrators are instantly alerted to any discrepancy via email or SMS. As a result, they can take immediate action or address the problem at a later time, given that WebGuard is providing continuous 24x7 protection. WebGuard can also run in an embedded, tamper-proof Linux box, which has only read-only memory and can't be reached from the outside network. So hackers cannot detect or attack the system on the network. Instead, they're left frustrated, unable to determine why your site is impenetrable. Users receive original data, oblivious to any breach and with no significant delay. In addition, WebGuard's log files enable you to track down issues and pinpoint the exact files that were changed, at what time, and, in most cases, by whom.
Technology used by WebGuard – Hash Functions & Digital Signatures
Digital Signatures and Hash functions are used in various cryptographic applications and legal e-documents. Similar technology is used in WebGuard too. You can configure WebGuard in two modes to ensure data integrity.
Digital Signature Method: Legitimate webmasters, or whoever is responsible for posting the web contents, are supplied with a private key, and the corresponding public certificate is stored in the WebGuard store by the Administrator. The content digest and the private key together are used to create a Digital Signature. The Digital Signature and some further information about the signer comprise the WebGuard Header. When content is delivered, the corresponding certificates are fetched from the store and used for WebGuard Header verification.
HMAC Method: This takes advantage of hash functions keyed with a passphrase. The keyed digest value for the content is stored in the WebGuard Header. Legitimate authors' profile information is loaded into WebGuard as an offline process, and the configured passphrase is used to do the integrity check at the time of content delivery. This method of integrity check is less time-consuming than Digital Signature verification, but it comes at the cost of slightly lower security.
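A minimal sketch of the HMAC method described above, added here as an illustration and not WebGuard's own code. The JSON header layout, the `PROFILES` store, the function names and the choice of HMAC-SHA256 are assumptions, since the page does not specify the header format or hash function; the sketch also goes one step beyond the text by binding the object path into the keyed digest.

```python
import hashlib
import hmac
import json

# Constructed author profile, loaded offline into the gateway (author -> passphrase).
PROFILES = {"webmaster": b"constructed-demo-passphrase"}

def keyed_digest(path: str, content: bytes, passphrase: bytes) -> str:
    # Assumption: the object path is MACed with the content, length-prefixed,
    # so a valid header cannot be moved onto a different object.
    p = path.encode()
    msg = len(p).to_bytes(4, "big") + p + content
    return hmac.new(passphrase, msg, hashlib.sha256).hexdigest()

def make_header(path: str, content: bytes, author: str, passphrase: bytes) -> str:
    """Publisher side: build the header stored next to the web object."""
    return json.dumps({"author": author, "alg": "HMAC-SHA256",
                       "mac": keyed_digest(path, content, passphrase)})

def verify(path: str, content: bytes, header_json, profiles=PROFILES) -> bool:
    """Gateway side: recompute the keyed digest and compare in constant time."""
    try:
        header = json.loads(header_json)
        passphrase = profiles[header["author"]]
        if header["alg"] != "HMAC-SHA256":
            return False
        claimed = header["mac"].encode()
    except (ValueError, KeyError, TypeError, AttributeError):
        return False  # missing, malformed or unknown-author header fails closed
    expected = keyed_digest(path, content, passphrase).encode()
    return hmac.compare_digest(expected, claimed)

def deliver(path: str, served: bytes, header_json, known_good: dict):
    """Return (body, alert). body is None when the object must be blocked."""
    if verify(path, served, header_json):
        return served, None
    return known_good.get(path), f"integrity check failed for {path}"
```

Anyone who holds the passphrase can both create and verify headers, so the gateway's profile store needs the same protection as a signing key; in the signature method the gateway holds only public certificates.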
Technical FAQ
The firewall was designed as a gateway to allow or deny access to network resources. The firewall makes its decisions based on what the user wants to connect to, not what their intent is. When you have a web server, the firewall must grant access to the web site so that Internet visitors can reach the web site content. Therefore, when a hacker requests access to the web server, the firewall has essentially been designed to grant access to the hacker.
A firewall does not have the capability to determine whether the content on your web server is good content or bad content; it only sees it as content, regardless of whether you posted it or a hacker posted it. Firewalls only look at connections, not at the intent of the users attempting to connect or at the content the users may bring into a network environment. As long as firewalls contain openings for users to access resources, a hacker will continually have a method of gaining access and altering web servers, including web site content.
A firewall is not assigned the task of checking the integrity of web content that is served to the world. When a site is defaced, there is nothing a firewall can do to prevent the damage being visible to the outside world.
An Intrusion Detection System detects harm caused to the site, but cannot do anything to prevent the damage being visible to the outside world. IDS works along with firewalls to notify the administrator of any aberrant events or changes caused to the site. IDS does not prevent any defaced page from being displayed to the user.
WebGuard complements firewall security by adding a last line of defence against hacker sabotage of the corporate Web site, even if all other security systems fail. The WebGuard specializes in foiling Web site defacements, thus saving its users expensive downtime, public embarrassment, and legal complications. It automatically replaces defacements with copies of the proper data. Instead of checking whether the people accessing a Web server are the right people, the WebGuard checks whether the data exiting the Web server is the right data — the right text, numbers, pictures, etc.
WebGuard does not stop anyone from coming into your site. It doesn't stop people from making changes to files resident on your site. It doesn't stop particular protocol packets from entering or leaving the site. It doesn't verify the authenticity of the user who accesses the web site. It does not encrypt the channel of communication between the server and user.
No. As WebGuard remains transparent to the Web Server, you don't need to make any changes to your existing system (site or web server). In order to build integrity for your existing system, we will provide you with an integrity tool, which webmasters and other legitimate sources can use to securely publish web components.
No. WebGuard only protects the static web contents on the Web Server. However, it is also possible to protect the entire web server's files by running Tripwire-style integrity checker software. But this demands periodic audits of the logs and baseline database information.
In an N-tier architecture, the server contacts a variety of sources (application server, database server, etc.) to get the job done and finally presents HTML-formatted output to the client machine. Because of this diverse behavior, it is difficult to protect.
WebGuard can be implemented in approximately one week. Very little of this time, though, actually requires time from an administrator on site. WebGuard is put onto the network, and requests are redirected to go through WebGuard using an iptables rule at the Firewall. Once it is in place, webmasters and publishers can be assigned their legitimate roles and start associating WebGuard Headers with each of their web components. This process likewise takes 2 or 3 days, and post-installation tests will be carried out for 1 or 2 days. Finally, WebGuard will be fully activated in blocking mode to protect the site.
The WebGuard prototype setup consists of a 400 MHz Intel Celeron uniprocessor machine with 128 MB RAM, running RedHat GNU/Linux 7.3. This prototype easily scales up to load intensities of 100 page requests per minute.
WebGuard, by itself, doesn't impose any constraints on the total number of concurrent connections established with the web server. However, for web sites that generate high-volume traffic, WebGuard can be run in cluster mode with load balancing among different WebGuard instances.
Again with the help of our prototype setup, we found that it typically adds less than 10ms to the HTTP conversation in the blocking mode.