With all the IIS & ASP security problems we've been seeing of late,
you'd naturally expect some software vendors to release products to
try and help fight them. Flicks Software, whose previous offerings include
AuthentiX, WebQuota, and VideoQuota, has released an extremely well timed
product, named Titan, which is aimed at helping you add another level of
security to your web server.
Here's the basic description taken right from Flicks Software's site:
Titan, the application firewall from Flicks Software protects your
IIS server against procedures executed by entire classes of hack attacks, rather
than looking for individual characteristics of known worms and viruses. By
protecting your IIS server procedurally, Titan is able to
protect against both worms and viruses before they are discovered! Unlike other
antivirus applications, such as intrusion detection systems and network
firewalls, Titan is not limited to just previously analyzed viruses!
Heck... while I'm at it... here are some of their banners:
Install
The download and install were pretty standard and uneventful. I did have one
issue. As the instructions said, I disabled my internet services before running
the setup routine. Towards the end of setup, the program asked me if I wanted it
to restart my services and I said OK, yet when everything was done they were
still stopped. It might have just been a fluke or my wacky computer, but
a call to IISReset brought them back up without a hitch and I was off and running.
Configuration
Titan is implemented as an ISAPI Filter and, by default, is installed at the
computer level so its settings apply to all the web sites on the server.
Configuration is straightforward and is done via a simple Windows-style configuration screen:
The program gives you enough options to configure it to do most anything you'd
want it to and even lets you add custom query strings which it will then block.
What the program does when a request is denied is configurable as well. You can
type in a message, pull it from a file, include an explanation, or even redirect
to another URL.
Something I found of particular interest was the number of logging and
reporting options Titan contains. You can log denied requests to a log file or the
system log, or even have them sent via email. On top of that, you can add custom
filters indicating which types of requests you want to log or ignore, making
the reporting quite flexible.
Does It Work
Since I didn't have a lot of time to devote to testing, or a particularly
scientific or systematic way to test it, the tests I ran consisted mainly
of throwing different things at it and seeing whether it let them through.
The things I threw at it were derived mainly from the log files on my test
machine. This machine had been hit by Code Red as well as a number of
variations of requests, including a lot of attempts to get at cmd.exe, using ..
to go up the directory tree, and \ (the physical directory delimiter).
Nothing very exotic in this day and age, but it was the best source I could
come up with.
The default settings apparently worked pretty well and stopped most of the
requests I threw at it. It didn't catch a couple of requests for root.exe, which
were obviously bad based on a little log analysis, but after adding it to the
configuration list it stopped them as you'd expect it to. Actually, for our
needs, I added .exe to the list since we don't have any executables in use
that should be requested via the web.
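As an added example (not Titan's code or anything from Flicks Software), here is the kind of log replay described above, in Python: a few constructed IIS W3C log lines are run through deny rules modelled on the ones mentioned here (cmd.exe, root.exe, any .exe, .. and \ in the path). The rule names and sample lines are assumptions; Titan's real rule set is whatever you configure in the product. The last sample line is a FrontPage Server Extensions request, which the blanket .exe rule also denies, the kind of side effect the conclusion warns about.

```python
"""Added example, not Flicks Software's code. Replays constructed IIS W3C
log lines through deny rules modelled on what the review describes
(cmd.exe, root.exe, any .exe, '..' and '\\' in the path). Titan's real
rule set is whatever you configure in the product; this one is an assumption."""
from __future__ import annotations
import re
from urllib.parse import unquote

# Constructed sample lines in IIS W3C extended format:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2001-08-10 03:12:44 192.0.2.10 GET /default.htm - 200
2001-08-10 03:12:51 192.0.2.20 GET /scripts/..%5c../winnt/system32/cmd.exe - 404
2001-08-10 03:13:02 192.0.2.20 GET /scripts/root.exe - 404
2001-08-10 03:13:15 192.0.2.30 GET /images/logo.gif - 200
2001-08-10 03:13:20 192.0.2.40 GET /_vti_bin/shtml.exe /_vti_rpc 200
"""

# Deny rules in the order the review mentions them (the names are ours).
RULES = [
    ("cmd.exe",   re.compile(r"cmd\.exe", re.I)),
    ("root.exe",  re.compile(r"root\.exe", re.I)),
    ("any .exe",  re.compile(r"\.exe\b", re.I)),
    ("dot-dot",   re.compile(r"\.\.")),
    ("backslash", re.compile(r"\\")),
]

def matched_rules(uri_stem: str) -> list[str]:
    """Names of every rule the path trips, after one round of URL decoding
    so that %5c and %2e%2e are seen as the '\\' and '..' they stand for."""
    decoded = unquote(uri_stem)
    return [name for name, rx in RULES if rx.search(decoded)]

def classify_log(text: str) -> list[tuple[str, list[str]]]:
    """(uri-stem, matched rule names) for each request the rules would deny."""
    denied = []
    for line in text.splitlines():
        if not line or line.startswith("#"):  # skip W3C header lines
            continue
        uri_stem = line.split()[4]
        hits = matched_rules(uri_stem)
        if hits:
            denied.append((uri_stem, hits))
    return denied

if __name__ == "__main__":
    for stem, hits in classify_log(SAMPLE_LOG):
        print(f"DENY {stem}  ({', '.join(hits)})")
```

Decoding before matching matters: a filter that compares the raw path would miss %5c where it means \, so check how the product handles encoded requests before trusting a rule.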
A Nice Surprise
Not really expecting much more than that, I took a look at the directory
where I installed the program. There I found a pleasant surprise in the
ttnAdmin subdirectory. Flicks provides a complete web management
interface that, once installed, lets you configure everything from a web browser.
Just make sure you secure access to it before you publish it for use
on your site. It's nothing earth shattering, but it's a really nice touch!
Conclusion
As far as I could tell, Titan did everything it promised to and
even surprised me with a pre-built and ready-to-use online admin area
that I wasn't expecting. What that really means is I didn't read
their web site very well since when I went back to it, the remote
admin facility is highlighted there plain as day... with screen shots!
The web site, setup routine, and the files installed
all seem to indicate that the product has roots very close to Flicks'
AuthentiX, but quite frankly I see this as a benefit.
AuthentiX has been around for what seems like forever and at a
very basic level provides a similar type of functionality: allowing
or disallowing users access to your site. In some way I guess
this gives me a little more faith in the product than I might
otherwise have had with version 1.0 of any security product.
This faith is based on our experience with AuthentiX and the
assumption that if they are built on a similar code base, that
most of the fundamental bugs were probably found and eliminated
in prior versions of AuthentiX, before anyone had even thought
of releasing this type of product.
While the setup program didn't seem as polished as many
commercial programs on the market, it's on par with most ASP component
install routines and, once installed, Titan seemed to work like a charm.
If you're experiencing a lot of this type of attack or are
worried about future ones, I don't see any reason why Titan
wouldn't be an extremely worthwhile investment.
My only words of caution are to make sure you don't lock things down
too much! I had some trouble using FrontPage Server Extensions with
the default settings and if you don't have some other type of access
(Terminal Server, pcAnywhere, etc.), I could easily see someone locking
themselves out of their own web server by accident!
They even provide this warning at the top of the remote admin page:
Be careful not to make changes which make the site inaccessible.
If this happens you will not be able to make changes remotely. You will need to
fix the changes from the console Windows GUI.
But I guess if you can't even get in to your own server,
that would mean that it's pretty secure!