ASP 101 - Active Server Pages 101 - Web06
A Review of Flicks Software's Titan - Application Firewall for IIS

by John Peterson

Introduction

With all the IIS & ASP security problems we've been seeing of late, you'd naturally expect some software vendors to release products to try and help fight them. Flicks Software, whose previous offerings include AuthentiX, WebQuota, and VideoQuota, has released an extremely well timed product, named Titan, which is aimed at helping you add another level of security to your web server.

Here's the basic description taken right from Flicks Software's site:

Titan, the application firewall from Flicks Software protects your IIS server against procedures executed by entire classes of hack attacks, rather than looking for individual characteristics of known worms and viruses. By protecting your IIS server procedurally, Titan is able to protect against both worms and viruses before they are discovered! Unlike other antivirus applications, such as intrusion detection systems and network firewalls, Titan is not limited to just previously analyzed viruses!

Heck... while I'm at it... here are some of their banners:



Install

The download and install were pretty standard and uneventful. I did have one issue. As the instructions said, I disabled my internet services before running the setup routine. Towards the end of setup, the program asked me if I wanted it to restart my services and I said OK, yet when everything was done they were still stopped. It might have just been a fluke or my wacky computer, but a call to IISReset brought them back up without a hitch and I was off and running.

Configuration

Titan is implemented as an ISAPI Filter and, by default, is installed at the computer level so its settings apply to all the web sites on the server. Configuration is straightforward and is done via a simple Windows-style configuration screen:

The program gives you enough options to configure it to do most anything you'd want it to, and it even lets you add custom query strings which it will then block. What the program does when a request is denied is configurable as well: you can type in a message, pull it from a file, include an explanation, or even redirect to another URL.

Something I found of particular interest was the number of logging and reporting options Titan contains. You can write denied requests to a log file or the system log, or even send them via email. On top of that, you can add custom filters indicating which types of requests you want to log or ignore, making the reporting quite flexible.

Does It Work?

Not having a lot of time to devote to testing, or any way to come up with an overly scientific or systematic test plan, the tests I ran consisted mainly of throwing different requests at it and seeing whether it let them through. The requests I threw at it were derived mainly from the log files on my test machine. This machine had been hit by Code Red as well as a number of variations of requests, including many attempts to get at cmd.exe, the use of .. to walk up the directory tree, and the backslash (\), the physical directory delimiter. Nothing very exotic in this day and age, but it was the best source I could come up with.

The default settings apparently worked pretty well and stopped most of the requests I threw at it. It didn't catch a couple of requests for root.exe, which a little log analysis showed were obviously bad, but after adding root.exe to the configuration list it stopped them as you'd expect. Actually, for our needs, I added .exe to the list, since we don't have any executables in use that should be requested via the web.
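To make the checks described above concrete, here is an added Python example (not code from the article or from Flicks Software) that replays the same rules over constructed IIS W3C log lines: cmd.exe, root.exe, .. traversal, the backslash delimiter, and the blanket .exe rule the author added for his own site. The log lines are made up for the example, and the double percent-decoding in `normalize` is an assumption about how encoded delimiters should be unfolded before matching.

```python
import re
from urllib.parse import unquote

# Constructed sample IIS log lines (W3C extended format), not taken from the article.
# Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2001-09-20 10:01:02 192.0.2.10 GET /default.asp - 200
2001-09-20 10:01:05 192.0.2.44 GET /scripts/root.exe /c+dir 404
2001-09-20 10:01:07 192.0.2.44 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404
2001-09-20 10:01:09 192.0.2.44 GET /_vti_bin/..%255c../winnt/system32/cmd.exe /c+dir 404
2001-09-20 10:01:11 192.0.2.10 GET /products/list.asp cat=books 200
2001-09-20 10:01:13 192.0.2.51 GET /download/setup.exe - 200
"""

# Rules mirroring the request patterns the review says were blocked by default
# or after the author added entries: cmd.exe, root.exe, '..' traversal,
# the backslash as a path delimiter, and (site policy) any .exe request.
RULES = {
    "cmd.exe": re.compile(r"cmd\.exe", re.I),
    "root.exe": re.compile(r"root\.exe", re.I),
    "dot-dot traversal": re.compile(r"\.\."),
    "backslash delimiter": re.compile(r"\\"),
    "any .exe": re.compile(r"\.exe(\?|$)", re.I),
}

def normalize(path: str) -> str:
    """Decode percent-encoding twice so %5c and %255c both become a backslash.
    Double decoding is an assumption made for this example, not a Titan feature."""
    return unquote(unquote(path))

def classify(line: str):
    """Parse one W3C log line and return the rule names that match it."""
    parts = line.split()
    if len(parts) < 7:
        return None
    uri = normalize(parts[4])
    query = "" if parts[5] == "-" else normalize(parts[5])
    target = uri + ("?" + query if query else "")
    hits = [name for name, rx in RULES.items() if rx.search(target)]
    return {"ip": parts[2], "uri": parts[4], "hits": hits}

def scan(log_text: str):
    """Return only the requests that at least one rule would have denied."""
    results = []
    for line in log_text.splitlines():
        rec = classify(line)
        if rec and rec["hits"]:
            results.append(rec)
    return results
```

Run `scan(SAMPLE_LOG)` to see which of the constructed requests the rule set flags; the double-encoded `%255c` line is caught only because of the second decoding pass.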

A Nice Surprise

Not really expecting much more than that, I took a look at the directory where I installed the program. There I found a pleasant surprise in the ttnAdmin subdirectory. Flicks provides a complete web management interface that, once installed, lets you configure everything from a web browser. Just make sure you secure access to it before you publish it for use on your site. It's nothing earth-shattering, but it's a really nice touch!

Conclusion

As far as I could tell, Titan did everything it promised to and even surprised me with a pre-built and ready-to-use online admin area that I wasn't expecting. What that really means is I didn't read their web site very well since when I went back to it, the remote admin facility is highlighted there plain as day... with screen shots!

The web site, setup routine, and the files installed all seem to indicate that the product has roots very close to Flicks' AuthentiX, but quite frankly I see this as a benefit. AuthentiX has been around for what seems like forever and, at a very basic level, provides a similar type of functionality: allowing or disallowing users access to your site. In some way I guess this gives me a little more faith in the product than I might otherwise have had in version 1.0 of any security product. This faith is based on our experience with AuthentiX and the assumption that, if the two are built on a similar code base, most of the fundamental bugs were probably found and eliminated in prior versions of AuthentiX, before anyone had even thought of releasing this type of product.

While the setup program didn't seem as polished as many commercial programs on the market, it's on par with most ASP component install routines and, once installed, Titan seemed to work like a charm. If you're experiencing a lot of this type of attack or are worried about future ones, I don't see any reason why Titan wouldn't be an extremely worthwhile investment.

My only words of caution are to make sure you don't lock things down too much! I had some trouble using FrontPage Server Extensions with the default settings and if you don't have some other type of access (Terminal Server, pcAnywhere, etc.), I could easily see someone locking themselves out of their own web server by accident! They even provide this warning at the top of the remote admin page:

Be careful not to make changes which make the site inaccessible. If this happens you will not be able to make changes remotely. You will need to fix the changes from the console Windows GUI.

But I guess if you can't even get in to your own server, that would mean that it's pretty secure!
