phion Product Guide - Info-Point-Security

Web Application Security
≥ phion airlock Product Guide valid for release 4.1
011100 01101 0011010010 10 1 10 10 10010000001101110011001010111010001100110011001010110111001100011011001010010000001110000011010000110100101101111011011100100000011011100110010101110100011001100110010101101110011000110110010100100000011100000110100001101001011011110110111001000000110111001100101011101000110
010 0 0 11 0011010000110100101101 1101101 10010000001101110011001010111010001100110011001010110111001100011011001010010000001110000011010000110100101101111011011100100000011011100110010101110100011001100110010101101110011000110110010100100000011100000110100001101001

Security and
Availability for your
Web Applications and
Web Services
≥ Uncompromising Security: Protection
for business information and online
transactions
≥ High Availability: Maximizes application
availability and accessibility
≥ Cost reduction: Reduced cost in Web
application development, integration and
operation
≥ Application Acceleration: Accelerated
access to Web services and extremely
scalable
≥ Single-Sign-On (SSO): Support for
modular authentication schemes and
flexible integration with Identity Access
Management (IAM) solutions
≥ Monitoring and Audits: Recording of
benchmarking information about user
behaviour and application usage

Table of
contents
The Callenge
Open for business – Open to attack 4
The Solution
phion airlock Web Application Security 5
WAF Module
Web Application Firewall (WAF) 6
Add-ons
Additional Modules 8
Q & A
Questions & Answers 11
Appendix A
Ordering Information 12
Appendix B
System Requirements 13

The
Challenge
Open for business – Open to attack
There is an increasing utilization of the public internet for business transactions, as every new business and
internet commerce model contains new security risks. Web applications and web application servers should be
accessible by anybody from anywhere. Web applications can be hi-jacked or shut down quickly and the number
of vulnerabilities at the application level is growing at an alarmingly fast pace. Since web servers need to
connect to valuable internal resources, they represent a prime target. This certainly is an invitation to hackers
to exploit them as commonly deployed network firewalls, intrusion detection and prevention systems as well
as virus scanners simply cannot protect web servers adequately.
In order to minimize these threats, security aware companies are facing three
challenges to effectively protect their web applications:
Security Challenge: How do
you effectively protect Web
Applications against attacks
and secure their availability?
Web applications continually face
new attacks. Therefore it is crucial for
secure business that all web services
in the Internet and Intranet are secure
around the clock and available with fast
response times – even under the most
difficult conditions, such as traffic peaks,
manipulation attempts or denial-ofservice
attacks.
Cost Challenge: How do
you reduce your costs for
integration and implementation
of Application Security?
Continuously maintaining web applications
and web services at a high security level
and connecting them with surrounding
systems (e.g. user directories, identity
and access management solutions, antivirus
gateways etc.) quickly skyrockets
costs – particularly in operation. New
applications require all security measures
to be incorporated and updated time and
again. This makes implementing a secure
application environment a slow, involved
and expensive process.
Compliance Challenge:
New security standards require
clearly defined measures in
Web Application Security.
To date, security measures do not provide
adequate protection against application
level attacks. New standards such as the
Payment Card Industry Data Security
Standard (PCI DSS) or ISO 27001 define
measures to increase web application
security and sectors such as the major
credit card industry demand compliance.
In order to meet their compliance targets,
companies need to upgrade their security
infrastructure accordingly.

Thanks to phion airlock, companies can successfully make use of
the Internet’s diverse opportunities without limiting the security
and availability of their web applications and web services. Phion
airlock is the only software-based, high security Web Application
Firewall (WAF) on the market covering the entire spectrum of
protection and optimization techniques for web environments
of arbitrary complexity. With its high security architecture and
physical independence from application servers, phion airlock
completely shields web applications in the trusted network from
any unauthorized access and malicious attacks.
phion airlock
Web Application Security
The
Solution
Overview
phion airlock is a software appliance based on a secure
reverse proxy technology with optional Single-Sign-On (SSO)
authentication and access control capabilities. Its main purpose
is to reduce the exposure of web applications while at the same
time maximizing service uptime and responsiveness. By deploying
phion airlock in front of the web server, any company can offer
a transparent, secure and always-on connection to their web
applications, while lowering costs of application integration,
deployment and maintenance.
In order to provide all relevant aspects of web application
protection and guarantee maximum performance, phion airlock is
based on a highly-efficient modular security architecture. The core
component is the comprehensive Web Application Firewall (WAF)
module which forms the foundation of any airlock system, onto
which optional security and reporting modules can be added. As a
natural extension to the WAF functionality, phion airlock optionally
offers strong and uniform user authentication and authorization
features, a SSL VPN remote access module and a convenient
Portal Application module as shown in the building block overview
below:
Feature Overview
Web Application
Protection
Application Acceleration
and Data Compression
Sophisticated content
switching and content
rewriting options
Interface to external
filter services such as
Anti-Malware-Detection
Systems
SOAP/XML Validation of
Web services
Powerful log analysis
and automated reports &
statistics
Single-Sign-On
and Access
Control
WAF
Module
ICAP
Module
SOAP/XML
Module
4 - - -
4 - - -
4 - - -
- 4 - -
- - 4 -
- - - 4
Authentication
Enforcement
Module
Authentication
Service
Module
Application
Portal
Module
4 4 - -
Web Portal - - 4 -
Graphical
Reporting
Module
SSL VPN
Service
Module
Secure TCP Port
Forwarding
- - - 4
Note: For system requirements please check Appendix B
Target Market
Any organization that is looking for an ‘easy to implement’ and
cost saving enterprise class solution to protect its web servers
and web applications and/or has to comply with the Payment Card
Industry Data Security Standard (PCI DSS).

WAF
Module
Web ApplicationFirewall (WAF)
phion airlock’s secure system architecture is based on a strict
zone separation and multi-level filtering. Every web access request
passes the WAF which then verifies and validates it before
transferring it to the next filter layer, and finally to the application
server. Illegal requests are eliminated at every filter level.
White List and Black List Filter
A request only passes to the next layer if at least one rule of the
white list (i.e. path length, variable formatting, HTTP methods,
etc.) fits and no rule of the black list (identification of SQL
injection, XSS, request splitting, etc.) fits. It is not possible for
requests to circumvent the predefined sequence of multiple
validation and screening/verification processes. The intelligent
URL encryption approach adapts itself to the business logic
and provides strong protection without the need to maintain
thousands of signatures and filter rules. phion airlock’s filter
engine therefore provides real dynamic white list functions. After
having completed the white and black list filtering, phion airlock
executes several additional security filter layers to effectively
prevent web attacks:
‰ Protocol Validation and Rebuilding
‰ Character Encoding and Unicode Verification
‰ Smart Form Protection
‰ Response Rewriting
‰ Response Content Filter
‰ Response URL Encryption
Application Acceleration, Load Balancing
and Data Compression
The performance and availability of web applications is increased
as critical security functions and performance-relevant tasks (e.g.
SSL termination, or data compression) are offloaded for efficiency
and scalability to the WAF. Thus web applications and web servers
can focus on their ‘primary business’.
Total Cookie Protection and
Application Data Exchange
Cookies are not sent automatically to the connecting client’s
browser by default, but are held in the WAF’s cookie store. phion
airlock only transfers an encrypted session cookie, which is
valid only while the session is active, to the client. In order to
save persistent information on a client, phion airlock offers the
possibility to save encrypted cookies on the client. These cookies
are resistant against manipulation as they are always validated
against a signature. If cookie information should be changed (e.g.
by JAVA script) passthrough cookies can be defined and sent on to
the client as plain text. Application data can be exchanged safely
between back-end applications by making use of the phion airlock
cookie store. The transferred data does not touch the browser and
therefore cannot be be stolen or hi-jacked.

WAF
Module
Seamless environment integration
and easy administration
The phion WAF module can easily be integrated into the DMZ
without the need to relocate existing systems or change the
network infrastructure. Additionally, a cost-saving consolidation of
the DMZ infrastructure is facilitated.
Purpose
Operating system software requirements
Combined white and black list filters on
different levels
Cryptographic URL encryption 4
HTML form protection 4
Systematic protocol termination and
rebuilding
Positive security model without
complicated rule management
Secure session tracking with session
anomaly detection
Web Application Firewall Module
Effective Web application protection
None. The WAF Module includes
all necessary operating system
components
4
4
4
4
Provides effective Protection against
‰ Cross Site Scripting (XSS)
‰ Cross Site Request Forgery (CSRF)
‰ SQL-Injection
‰ Denial of Service
‰ Forceful Browsing
‰ HTTP Response Splitting
‰ Session Hijacking
‰ Session Riding
‰ Session Fixation
‰ Cookie Poisoning
‰ Buffer Overflowing
‰ Phishing Protection
‰ Identity Theft
‰ Content Type Masquerading
‰ Unicode Hacking
Complete Cookie Protection
Cookies are not transferred to the browser
and are held in phion airlock
Encrypted Session Cookies are send to the
browser
4
4
Licensing:
The WAF module is licensed to protect a given number of
applications. An application is defined as a combination of a
IP address and a TCP port. The minimum number of licensed
applications is two.
Application Delivery Acceleration
SSL termination and offloading 4 1
Application level load balancing 4
Failover clustering 4
Real-time data compression 4
1
Optionally with cryptocard acceleration. phion airlock 4.1 supports nCipher nFast Ultra SSL Offload
and Safenet Luna SA cryptoengines.

Add-Ons
Additional Modules
ICAP Module
External content filtering and proxy services (e.g. anti-virus,
anti-malware, IDS/IPS or Data Leakage Protection software) can
be integrated via the standardized ICAP interface. Thus servers
and clients can be protected simultaneously by monitoring all data
transfers to and from the web servers (uploads and downloads) for
dangerous or illicit content. The co-operation of external filtering
services via the standardized ICAP interface, provides an optimally
combined usage of the participating systems.
Graphical Reporting Module
phion airlock’s Graphical Reporting Module consistently provides
critical information on request structures, security setups,
violations of filter rules and much more. By using diagrams,
interesting time periods can be rapidly and efficiently identified
and selected for evaluation. Automated reports serve a statistical
purpose and regularly provide key figures and important
performance data on load, functionality of the system and your
entire web environment.
ICAP Module
Graphical Reporting Module
Purpose
Integration of external security proxy
services
Purpose
Complete assessment of protected
Web applications and Web servers
Operating system software
requirements
Combined usage of security proxy
services
Standardized integration 4
SOAP/XML Validator Module
WAF Module
With the optional validation module, phion airlock offers a further
layer of protocol validation which provides systematic monitoring,
filtering and validation of SOAP/XML web service data traffic.
This ensures that defined interfaces between the services are
preserved and servers cannot be attacked.
4
Operating system software requirements
Automated reports and statistics 4
Central log analysis with search functions 4
Uniform displaying of log notifications 4
Zoom function for easy selection of relevant
sections
Consolidation of specific events into alert
notifications
Traceability through unique request IDs 4
Seamless connection to external monitoring
systems
WAF Module
4
4
4
SOAP/XML Validator Module
Purpose
Operating system software
requirements
Instant protection against SOAP/XML
attacks
Validation for SOAP/XML Web services
WAF Module
4

Add-Ons
Authentication Enforcement Module
Only authenticated and authorized connections are permitted
to the relevant application servers. Thus the number of possible
attacks is reduced substantially, and the applications are
relieved. All common authentication methods against external
metadirectories (LDAP, MSAD, Radius, RSA ACE, etc.) and SQL
databases are supported by phion airlock, and can be used
simultaneously for different requests. It also provides full
support for client certificates. Phion airlock may even connect to
proprietary authentication servers via a publicly available Control-
API. Additionally, the Authentication Enforcement module allows
for the implementation of a Single-Sign-On (SSO) for multiple
backend web applications. The option to implement role-based
access is also provided by the airlock Authentication Enforcement
module.
Purpose
Operating system software requirements WAF Module *
Directory and Authentication support 4
Single-Sign-On (SSO) 4
Integration with existing directories, IAM
and PKI solutions
Role based access control 4
Flexible connection to any authentication
software via Control-API
Authentication Enforcement Module
Strong User Authentication to ensure
maximum security
4
4
Authentication Service Module
The phion airlock Authentication Service Module allows
for flexible and customizable integration of multiple backend
authentication databases and directories and links the data
with the phion airlock Authentication Enforcement Module
via Control-API. The service module supports the following
authentication methods as building blocks:
‰ User-ID + password
‰ Multifactor authentication (e.g. one-time passwords)
‰ PKI/X.509 client certificates (soft and hard tokens).
Purpose
Operating system software requirements
Highly customizable access control
by integrating multiple user directory
authentication servers
Supports LDAP, Open LDAP, MSAD, Novell
eDirectory, Radius, RSA/ACE, SQL-Server,
MySQL, Oracle
Authentication Service Module
Customizable integration of multiple
authentication databases and
directories
WAF Module
Authentication Enforcement Module
4
4
* The Authentication Enforcement Module requires a WAF module licensed for at least two
applications as the authentication service and the user directory count as one application each.

10
Add-Ons
Application Portal Module
The phion airlock Application Portal Module is a flexible and
easy to maintain portal application. Its purpose is to provide the
user with an overview of the available applications on one page.
By simply clicking on an entry in the list, the user is forwarded to
the selected application. The module may be configured to display
applications depending on the credentials of the logged in user.
SSL VPN Service Module
phion airlock’s SSL VPN Service Module allows secure remote
access from any internet browser and can be integrated into
existing user directories. The applet shows the current status of
the connection at any time. The design may be adapted easily to
an individual company corporate identity.
Portal Application Module
SSL VPN Service Module
Purpose
Application overview and
management
Purpose
Secure remote access from Internet
browsers
Operating system software requirements
WAF Module
Operating system software requirements
WAF Module
Role-based list of application links 4
Quick start with default icon for each
mapping
Custom icon for each application 4
Show/Hide icons depending on role and
permission
Order and group icons 4
Logout / Back Frame 4
Customizable Style (jsp + css) 4
Authentication
Enforcement Module
4
4
Secure TCP Port Forwarding 4
Authentication Enforcement Module

Q & A
Questions and Answers 11
Q: What can phion airlock do for me?
A: phion airlock offers 360° 24-7 protection for your web
applications and web services.
Q: Why is it necessary to protect web applications and web
services
A: Web servers and web applications can be easily hacked
(even undetected). This may lead to severe losses of money and
credibility. Additionally, introducing phion airlock as strategic web
application security solution reduces operational costs and timeto-market
for new web applications and web services.
Q: Why is it not enough to implement a firewall?
A: Having access to an application means inevitably that the
firewall is open. An attacker may attack any component behind it
and they can usually access the backend unhindered. A firewall
allows or blocks packets to and from the network. It directs the
traffic, but does not test its content. Think of phion airlock as a
‘digital bouncer’ who not only checks IDs but also the ‘pocket
contents’ of incoming requests.
Q: What exactly is PCI DSS?
A: PCI DSS (Payment Card Industry Data Security Standard)
has been created to provide a common data security standard
across all payment brands. All merchants, financial institutions
and processors who process, transmit or store credit cardholder
data, have to comply with the standard. Non-compliance will lead
to restrictions, fines and additional fees. Phion airlock significantly
helps companies comply with the strict security standard.
Q: Am I affected by PCI DSS?
A: PCI compliance is required for any business that accepts
payment cards for online payment or stores credit card data, even
if the quantity of transactions is just one.
Q: Why is it not enough to deploy an Intrusion Prevention/
Detection System on top of the firewall?
A: Normally, these systems are signature-based (similar to virus
scanners) and blind to encrypted traffic (HTTPS). An attacker may
pass all checks unnoticed over an encoded connection. The data
stream can not be checked.
Q: How can phion airlock help to protect web applications
and web services?
A: phion airlock combines multilevel filtering with authentication
enforcement when attacks have shifted from the network layer
to the application layer. Usually, the web application is used as a
link to the backend network. It is here where valuable data, which
may be stolen or forged, is saved. Every request has to pass
the WAF and is verified and validated before being transferred
to the application server. Phion airlock also helps to increase
the performance of web servers. Critical security functions and
performance-related tasks are efficiently offloaded on the WAF.
The web servers are relieved accordingly, leading to shorter
response times and higher availability.
Moreover you can make sure that with its strong authentication
service, phion airlock allows only authenticated users to access
the backend network.
More information about PCI DSS and the security requirements
can be found here: http://www.pcisecuritystandards.org

12
Appendix A
Ordering Information
phion airlock is delivered on a single, bootable CD-ROM and
includes all necessary operating system components. Software
modules are activated with phion airlock license keys. phion
airlock licenses are node-locked and apply to a single phion airlock
server. The licenses scale according to the software modules used
and to usage parameters (max. number of applications and max.
number of concurrent users). An application in reference to the
license is the combination of a backend IP address and used port.
Thus, the number of applications is defined as the sum of used
ports per IP address.
The software license fee for all modules of the first phion airlock
servers is called First phion airlock Software License Fee. The
Total Software License Fee includes the license fee for the first
phion airlock plus all High Availability and Test phion airlocks.
The one-time Software License Fee provides the right to use the
phion airlock software and requires a separate annual Software
Subscription and Support Fee.
How to calculate the license dimension
‰
Number of applications
An application in reference to the license is the combination
of a backend IP address and used port. Thus, the number
of applications is defined as the sum of used ports per IP
address. See the following examples and the general formula
below.
‰ Example:
• 1 backend IP address with used ports 80 and 8080 -->
1 IP * 2 ports = 2 license relevant applications
• 2 backend IP addresses, on one IP are used two ports,
80 und 8080, on the other IP is used just the port 80 -->
(1 IP * 2 ports) + (1 IP * 1 port) = 3 license relevant
applications
• 3 backend IP addresses, on one IP are used port 80, 8080
and 8081, on the second are used port 80 and 443 and on
the third are used the ports 9080, 9081, 9082 and 9083 -->
(1 IP * 3 ports) + (1 IP * 2 ports) + (1 IP * 4 ports) = 3+2+4 =
9 license relevant applications
• 2 backend IP addresses, on both IP’s are user 80 and 81 -->
(1 IP * 2 ports) + (1 IP * 2 ports) =
4 license relevant applications

Appendix A
13
Product
phion airlock WAF Module
Max. Number of Applications: 1, 2, 4, 8, 16, 32, unlimited
Order Number
AL-CORE-1...32...UL
Please note that the number of applications is defined as the number of backend applications addressed by phion airlock. A backend application is defined as the
combination of an IP address and the port number.
phion airlock ICAP Module
This module requires the Web Application Firewall Module.
AL-ICAP
phion airlock SOAP/XML Validator Module
The SOAP/XML Validator Module includes the ICAP Module and requires the Web
Application Firewall Module.
AL-SOAP-XML
phion airlock Graphical Reporting Module
This module requires the Web Application Firewall Module.
AL-GR
phion airlock Authentication Enforcement Module
Max. Number of Concurrent Sessions: 10, 100, 500, 1.000, 2.000, 5.000, 10.000
AL-AE-10, AL-AE-100, AL-AE-500, AL-AE-1000, AL-AE-2000, AL-AE-5000, AL-AE-10000
Please note that the number of authenticated concurrent sessions is defined as the number of authenticated sessions managed by phion airlock at any given time. The
authentication enforcement module requires the Web application firewall module licensed for at least two applications as the authentication service/user directory counts as
on application.
phion airlock Authentication Service Module
This module requires the Web Application Firewall Module and the Authentication
Enforcement Modules.
AL-AS
phion airlock Portal Application Module
This module requires the Web Application Firewall and the Authentication
Enforcement Modules.
AL-PA
phion airlock SSL VPN Service Module
This module requires the Web Application Firewall and
Authentication Enforcement Modules
AL-SSL-VPN

14
Appendix B
System Requirements
Virtual Environments:
phion airlock supports various virtual environments such as
VMware –workstation, -server and –ESX. It is recommended to use
a VMware server or ESX-Server. Virtual environments are suitable
for evaluation and demo situations and laboratory operations
tests. For performance tests we recommend using dedicated
hardware.
Hardware
The choice of the correct hardware is dependent on the
applications to be protected and the configuration of phion
airlock. The following factors have direct influence on the system
performance:
‰ Number of simultaneous requests
‰
Number of functions used in phion airlock (content rewriting,
URL encryption, number and type of filter pattern, etc.)
‰ Size and number of documents in an application
‰ Number of links inside the application
These are the recommended hardware profiles for
phion airlock 4.1:
x86 (Intel/AMD)
Profile
Small
(up to 500 concurrent sessions)
Medium
(up to 1.000 concurrent sessions)
Large
(up to 2.000 concurrent sessions)
Sun SPARC
Profile
Large
(up to 2.000 concurrent sessions)
Requirements
1 Single-Core CPU > 2.5 GHz
[Pentium 4, Xeon, Athlon] or >
2 GHz [Opteron, Xeon/Core2]
4 GB RAM
80 GB Hard Disk 10K RPM
DVD-ROM Drive
1 Dual-Core CPU > 2.2 GHz
[Opteron, Xeon/Core2]
6 GB RAM
2 x 80 GB HDD
DVD-ROM Drive
2 Quad-Core CPUs > 2.4 GHz
[Opteron, Xeon/Core2]
12 GB RAM
2 x 160 GB HDD 10K RPM
DVD-ROM Drive
Requirements
Sun Fire T2000
1.2 GHz/8 Cores
12 GB RAM
2 x 146 GB HDD 10K RPM
DVD-ROM Drive
phion does not recommend using SPARC processors older than
UltraSPARC T1 (like UltraSPARC III or IV).

Appendix B
15
Notes
‰ The actual performance and the average CPU usage very much
depend on the web application(s), the protocols (http/https) and
the enabled phion airlock features. For example, enabling URL
encryption or content rewriting normally doubles the CPU load.
‰ The performance numbers contained in the profiles above are
based on a number of constraints. The most important are:
• Average application response time: 200ms
• 15 HTTPS requests per minute and user
• Active phion airlock features:
> HTTPS on Virtual Host, HTML Rewriting,
General Response Rewriting
‰ SSL accelerator cards are only recommended for high volume
traffic sites (> 500 https Requests/s). For low to medium volume
traffic systems, phion recommends to buy a faster CPU (or
multicore CPU) for the same money.
‰ With recent hardware, phion airlock is able to answer up to
7000 https requests/second, which corresponds to a network
traffic of almost 1 GBit/s!
‰ The suitability of the hardware should be tested with a load test
Hardware RAID Controllers
Using the built-in Soft-RAID of phion airlock has the following
advantages:
‰
‰
‰
‰
There is no advantage to use a hardware RAID controller
for phion airlock.
phion recommends to use software RAID instead.
Disk mirroring (RAID 1) for redundant logs
and configuration data
Integrated disk monitoring (automatic logging/alerting in case
of disk failure)
Standard Installation (no additional third party drivers needed)
Performance similar to HW-RAID
System compatibility
phion airlock 4.1 is based on Sun Solaris 10 Update 3 (11/06). It
should therefore run on every system that is compatible with this
particular Solaris release.
Sun Hardware Compatibility List
Sun provides a large list of compatible systems in their Hardware
Compatibility List (http://www.sun.com/bigadmin/hcl/). Please
search the list for your preferred system and check for available
drivers and patches. Please note that some systems are very
similar to others which are not listed on the HCL but still would
work fine.

phion AG
Eduard-Bodem-Gasse 1
6020 Innsbruck
Austria
Phone: +43 (0)508 100
Fax: +43 (0)508 100 20
Email: office@phion.com
www.phion.com
000110100001101001011011110110111001000000110111 011 01010 1010 0110011001100101011011100110001101100101001000000111000001101000011010010110111101101110010000001101110011001010111010001100110011001010110111001100011011001010010000
000110100001101001011011110110111001000000110111001100101011101000110011001100101011011100110001101100101001000000111000001101000011010010110111101101110010000001101110011001010111010001100110011001010110111001100011011001010