Whale Competitive Differentiation - Built-in Application Firewall
This thumbnail value story highlights a key capability Whale Communications believes significantly differentiates its SSL VPN gateway from other vendors' products.
Whale's integrated Application Firewall provides extensive protection for both popular and custom web applications that are accessed via its SSL VPN gateway. In contrast, most other SSL VPN gateways provide perimeter security that only protects the appliance itself.
When SSL VPNs enable users to access internal Web applications, particularly from untrusted and unmanaged endpoints, these back-end Web application servers should be protected from application-level attacks, ranging from automated threats such as worms and viruses to targeted attempts to gain access to confidential corporate data. Unfortunately, security administrators often assume a user's browser is only sending legitimate HTTP queries to a Web server, but this is not always true. For example, a public browser or other non-corporate machine might be contaminated with a worm "sitting and waiting" for someone to authenticate in order to launch an attack. A legitimate user's credentials could be hijacked by a hacker looking to gain unauthorized access to corporate data. A rogue user might assume control over the SSL VPN gateway before or after authentication, creating essentially an open door to the internal network. Finally, even a legitimate user might attempt to gain unauthorized levels of access. The impact of application-layer attacks can range from a small disturbance in network availability to information theft and unauthorized control of back-end application servers. The Application Firewall's role is to protect the Web application servers and the SSL VPN gateway from these HTTP vulnerabilities and malicious attacks while allowing legitimate requests to pass through to the server, enabling the business benefits of browser-based application access.
The Application Firewall sits between the browser and the application server. It intercepts each request, inspects it before it reaches its destination, and determines whether it is a legitimate request or a hacker trying to penetrate internal systems and retrieve information. The Application Firewall is complementary to application gateways (the category that includes SSL VPNs) in the same sense as the network firewall complements network gateways such as routers, providing a security overlay for data transfers. From the perspective of enterprise security policy, integrating the Application Firewall with the application gateway brings distinct advantages, such as improvements in operating overhead. These advantages mirror those delivered by a unified network firewall and gateway.
Whale's Intelligent Application Gateway (IAG) integrates an Application Firewall in order to ensure that external access to applications and network resources does not come at a heavy cost to critical business assets such as the network and corporate data. Whale is the only vendor in the SSL VPN category that has also been profiled in Gartner's Application Firewall Magic Quadrant Report as a visionary. The functionality of Whale's Application Firewall extends beyond the capabilities of other SSL VPNs, which are restricted to simply protecting their own appliance from attacks. Instead, it also shields the application servers behind the gateway appliance from attacks.
The Whale Intelligent Application Gateway subjects incoming requests to stringent security checks before relaying any data to application servers on the internal network. Application-level control includes thoroughly inspecting URLs, methods, parameters, and any other incoming data. The inspection rules can be based on the positive logic of the application, indicating a controlled set of legitimate URL, method, and parameter combinations to which the requests are expected to conform. This prevents application-level attacks based on malformed URLs. Whale's Intelligent Application Gateway also supports "negative logic" rules that utilize signature identification to block known attacks from reaching internal servers.
Whale offers pre-defined positive-logic application filtering rule-sets for various business applications, including Microsoft Exchange Outlook Web Access, IBM Domino Web Access, SharePoint and Citrix nFuse, amongst others. It also provides a tools framework and development templates that automate the process of generating positive-logic rule sets for any web-based application, further leveraging the platform's customization capabilities.
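The following sketch shows how positive-logic and negative-logic rules of the kind described above can be combined in a request filter. It is an added example, not Whale's code or rule format; the rule structure, the /mail/ paths, the parameter names and the signatures are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Positive-logic rules (constructed): each names a legitimate method and URL
# path, plus the only parameters that request may carry and their formats.
POSITIVE_RULES = [
    {"method": "GET", "path": re.compile(r"/mail/inbox"),
     "params": {"page": re.compile(r"\d{1,4}")}},
    {"method": "GET", "path": re.compile(r"/mail/message/\d{1,10}"),
     "params": {}},
    {"method": "POST", "path": re.compile(r"/mail/send"),
     "params": {"to": re.compile(r"[\w.+-]{1,64}@[\w.-]{1,255}"),
                "subject": re.compile(r"[^\r\n]{0,200}")}},
]

# Negative-logic signatures (constructed): patterns of known-bad input.
NEGATIVE_SIGNATURES = [
    ("path traversal", re.compile(r"\.\./|\.\.\\")),
    ("script injection", re.compile(r"<\s*script", re.I)),
]

MAX_URL_LEN = 2048

def inspect(method, url, body_params=None):
    """Return (allowed, reason) for one request before it is relayed."""
    if len(url) > MAX_URL_LEN:
        return False, "URL too long"
    parts = urlsplit(url)
    # Query values are percent-decoded by parse_qsl; body params are appended.
    params = parse_qsl(parts.query, keep_blank_values=True)
    params += list((body_params or {}).items())
    # Negative logic: block anything that matches a known signature.
    for name, sig in NEGATIVE_SIGNATURES:
        if sig.search(parts.path) or any(sig.search(v) for _, v in params):
            return False, f"signature: {name}"
    # Positive logic: the request must conform to exactly one known shape.
    for rule in POSITIVE_RULES:
        if rule["method"] != method or not rule["path"].fullmatch(parts.path):
            continue
        seen = set()
        for key, value in params:
            pattern = rule["params"].get(key)
            if pattern is None or key in seen or not pattern.fullmatch(value):
                return False, f"parameter rejected: {key}"
            seen.add(key)
        return True, "matched positive rule"
    return False, "no positive rule matches"
```

A percent-encoded path such as `/mail/%2e%2e/admin` slips past the literal traversal signature but is still refused because no positive rule describes it, which is the practical reason to treat the positive rules as the primary control and the signatures as a supplement.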
Another significant business benefit of the application-filtering capabilities is a reduction in the cost of diverting resources to immediate internal server patching when a new vulnerability is announced. Without an Intelligent Application Gateway in place, failure to patch vulnerabilities on internal servers in a timely fashion could lead to disaster. However, with the Whale gateway in place, patching becomes less urgent, since all user activity is filtered and the gateway prevents any unrecognized requests from reaching internal machines. Internal systems are already protected against malformed requests reaching them, and hackers would not be able to exploit buffer overflow vulnerabilities or similar application-layer vulnerabilities.
To learn more about the Whale Intelligent Application Gateway appliance and how its built-in Application Firewall capabilities can work in your IT environment, contact Whale at info@whale-com.com

