I do a lot of calls with Gartner clients on the various aspects of protecting their corporate Internet-exposed web servers. Web server security is a tough problem – web servers are like the parking lots outside of sports stadiums. You basically have to let everyone in, let them tailgate (party) and have a good time – but then only let ticket-holders in to see the actual game. Plus, you still have to worry about the goings-on in the parking lot getting out of hand.
Gartner has put out a lot of research notes on securing corporate web servers (like here, here and here) – there are a lot of tools in our toolboxes to deal with the “keep the bad guys out” side of web security. However, a lot of the recent talk with clients has been more about the problems of the partying going on in the parking lot. The basic issue is the wide variety of automated browsers out there that are pounding on web sites. I’ve blogged previously about the good, bad and ugly automated spiders out there, but there are a bunch of other things happening, too:
- Andrew Frank of Gartner blogged about the latest data on click fraud. Somewhere between 12% and 23% of clicks on Internet ads are fraudulent, driven by bot clients and other automated browsers used for financially oriented attacks. In a consumer-driven world, lots of web-based services rely on advertising revenue – this is a big deal.
- Bot armies have evolved mechanisms that no longer rely on direct bot-client-to-command-and-control communications. Instead, innocuous-looking content may be posted on your web site and, later, thousands of bot clients start searching for “purple pumpkin” or some other odd phrase to find and download the attack code.
- “Dis-intermediating” services that look to get between you and your customers by tracking every change in pricing, delivery confirmation or product listings on your site.
- Good old DDoS attacks using web methods (HTTP request floods) instead of SYN floods and the like.
Determining whether a “visitor” is a human being or just a piece of software is a tougher problem. This is different from the problem of moving beyond passwords for registered users. We’re still in the parking lot here – we can’t limit access to ticket holders yet. Many have thrown CAPTCHA screens at the problem, but everyone hates those things. Some decent solutions are starting to show up, from scripts on load balancers/application delivery controllers to smarter DDoS detection algorithms to web application firewall filters.
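To make the “human or software?” question concrete, here is an added example (not code from the original post, Gartner, or any of the products mentioned) of the kind of heuristic scoring a load balancer script or WAF rule set applies to access logs. It looks at signals a person’s browser produces almost for free and a simple script usually does not: an ordinary User-Agent, fetching the stylesheets, scripts and images a page references, sending a Referer when navigating, and arriving at human-irregular intervals. The log lines, IP addresses, thresholds and the score cut-off are all constructed for illustration, not tuned on real traffic.

```python
"""Heuristic human-vs-automation scoring over web server access logs.

Added example, not from the original post.  Every threshold and the sample
log below are constructed assumptions for illustration; a real deployment
tunes them against its own traffic and combines them with reputation data.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format:
# ip ident user [timestamp] "METHOD /path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
STATIC_EXT = (".css", ".js", ".png", ".jpg", ".gif", ".ico", ".woff", ".woff2", ".svg")
# User-Agent fragments of common HTTP libraries (assumed list, not exhaustive).
AUTOMATION_UA_HINTS = ("python-requests", "curl/", "wget/", "go-http-client", "scrapy", "java/")

FIREFOX = "Mozilla/5.0 (Windows NT 10.0; rv:118.0) Gecko/20100101 Firefox/118.0"

# Constructed sample traffic: one browser session, one page scraper, one curl probe.
SAMPLE_LOG = "\n".join([
    f'198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /products HTTP/1.1" 200 5120 "https://www.example.com/" "{FIREFOX}"',
    f'198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /static/site.css HTTP/1.1" 200 812 "https://www.example.com/products" "{FIREFOX}"',
    f'198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /static/app.js HTTP/1.1" 200 4411 "https://www.example.com/products" "{FIREFOX}"',
    f'198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /img/logo.png HTTP/1.1" 200 2048 "https://www.example.com/products" "{FIREFOX}"',
    f'198.51.100.7 - - [10/Oct/2023:13:55:59 +0000] "GET /products/42 HTTP/1.1" 200 6100 "https://www.example.com/products" "{FIREFOX}"',
    '203.0.113.5 - - [10/Oct/2023:13:55:00 +0000] "GET /products?page=1 HTTP/1.1" 200 5120 "-" "python-requests/2.31.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:02 +0000] "GET /products?page=2 HTTP/1.1" 200 5133 "-" "python-requests/2.31.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:04 +0000] "GET /products?page=3 HTTP/1.1" 200 5098 "-" "python-requests/2.31.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:06 +0000] "GET /products?page=4 HTTP/1.1" 200 5141 "-" "python-requests/2.31.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:08 +0000] "GET /products?page=5 HTTP/1.1" 200 5107 "-" "python-requests/2.31.0"',
    '192.0.2.44 - - [10/Oct/2023:13:56:10 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "curl/8.1.2"',
])


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def profile_clients(lines):
    """Group parsed requests by client IP, each list sorted by arrival time."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    for reqs in by_ip.values():
        reqs.sort(key=lambda r: r["ts"])
    return by_ip


def score_client(reqs):
    """Return (score, reasons) for one client.  Each rule adds one point."""
    reasons = []
    n = len(reqs)
    uas = {r["ua"] for r in reqs}
    if any(ua == "-" or any(h in ua.lower() for h in AUTOMATION_UA_HINTS) for ua in uas):
        reasons.append("User-Agent is empty or names an HTTP library")
    if any(r["path"] == "/robots.txt" for r in reqs):
        reasons.append("fetched /robots.txt (crawler behaviour)")
    # "Pages" are anything that is not a static asset; browsers fetch both.
    pages = [r for r in reqs if not r["path"].split("?")[0].lower().endswith(STATIC_EXT)]
    if n >= 3 and len(pages) == n:
        reasons.append("requested pages but never a stylesheet, script or image")
    if len(pages) >= 3 and all(r["referer"] == "-" for r in pages[1:]):
        reasons.append("moved between pages without ever sending a Referer")
    if n >= 4:
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        mean = statistics.mean(gaps)
        # Coefficient of variation near zero means a timer, not a person, is clicking.
        if mean > 0 and statistics.pstdev(gaps) / mean < 0.2:
            reasons.append("inter-request timing is metronomic")
    return len(reasons), reasons


def classify(lines, threshold=2):
    """Map each client IP to 'automated' or 'likely human' (threshold is an assumption)."""
    return {ip: ("automated" if score_client(reqs)[0] >= threshold else "likely human")
            for ip, reqs in profile_clients(lines).items()}


if __name__ == "__main__":
    for ip, reqs in profile_clients(SAMPLE_LOG.splitlines()).items():
        score, reasons = score_client(reqs)
        print(f"{ip}: score {score} -> {classify(SAMPLE_LOG.splitlines())[ip]}")
        for reason in reasons:
            print(f"    - {reason}")
```

Run stand-alone, the browser session scores zero, the page scraper trips every rule, and the single curl request is flagged on its User-Agent plus the robots.txt fetch alone. None of these signals is conclusive by itself (a privacy-minded person can strip Referer headers; a careful bot can spoof a browser User-Agent and add jitter), which is why the score combines several and why the post’s point about a wide view of source reputation matters.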
The problem is not that much different from the email spam problem when you get right down to it. So, I think the most effective solutions will show up in “security as a service” offerings. From carriers offering “clean bits” in their pipes to your web sites, to “good guy man in the middle” services like those the Akamais and Dasients of the world have started to offer, the accuracy of determining whether an inbound HTTP connection is human or not can be much higher when there is a broad view of where things are coming from and what else they have been doing.
Bottom line – when you are looking at upgrading your approach to protecting your corporate web servers, include requirements for taming those parking lots, too.

John Pescatore