Products and Technology: e-Gap Application Firewall

Enabling an application-centric approach

Product Benefits
Product FAQs
More Info & Related Docs

PHARMACEUTICALS: Teva Pharmaceuticals Case Study

WHITE PAPER: e-Gap® Application Firewall Appliance

How the e-Gap System Stopped Code Red (java viewlet)

How Data Flows Through the e-Gap System (java viewlet)
The e-Gap® Application Firewall enables organizations to rapidly deploy secure web-based access to sensitive core applications. The System may be used to protect e-business applications for customers or partners (such as eCRM, supply chain integration or e-billing). It protects against known and unknown threats by isolating application servers – via Air Gap technology – and tightly controlling application layer access to them. It also significantly reduces the urgency to patch production web servers. It unites all of the application-protection components into a single application-centric appliance, and features automatic learning of the application to generate and enforce application-level rule sets. Encryption, authorization, authentication, PKI, HTTP payload screening, automatic rule-set generation and a physical air gap all reside within an integrated software/hardware platform.

Modern e-business applications pose new application-level security issues that do not respond to the traditional method of securing each application server individually. The multiple security technologies typically needed to provide web access to essential business applications forces application developers to deal with security throughout the development cycle, increasing the complexity of deploying new applications, which can significantly slow implementation and roll-out. This method is proving to be unrealistic, unscalable, and results in almost daily application hack stories in the news like Code Red and Nimda.

The e-Gap Application Firewall offloads security considerations from the applications, freeing the applications to deal with application functionality, rather than with security. The application security elements that the e-Gap System offloads from application servers include:

Application Filtering
Authentication
SSL Encryption/Decryption
Network Isolation
Application Filtering
e-Gap Application Firewall protects against known and unknown threats to web and application servers by allowing only valid and legitimate session queries to pass through to the back end. All application-layer data is inspected, including URLs and parameters, matching them to defined lengths and types. The e-Gap System reduces the urgency for applying vendor patches since its logic is based on allowing only legitimate URLs to access the application server, rather than trying to screen out every possible type of illegitimate URL. Any traffic that does not conform to the pre-determined allowed traffic is automatically rejected and logged as a security violation. e-Gap protects against IIS vulnerabilities (like Code Red, Nimda) and even unknown future exploits. The administrator can now patch systems in an orderly, controlled manner, in a regularly scheduled update, rather than in a panic on the day the patch is released, potentially harming production systems.

Authentication
The e-Gap Application Firewall can overlay authentication onto an existing application, without touching the application or application server. There is no need to re-develop the application to work with authentication, or to install any plug-ins on the production server. Authentication is carried out at the perimeter (as opposed to on the application server), so unauthenticated users’ traffic never reaches the internal network or the application server. Also, the application can be personalized based on the user’s identity credential. Supported authentication methods include: RSA SecurID, Vasco Digipass, RADIUS, TACACS+, LDAP, Active Directory, Client Certificates (PKI).

SSL Decryption/Encryption/Acceleration
The de facto standard for securing data transmission on the Web is SSL encryption – a hefty burden when it must be applied to application servers. In large environments with multiple application servers, there are costly and difficult-to-manage implications of scale when the necessary SSL hardware, as well as certificate management, are considered. In addition, legacy applications must be redeveloped to handle SSL. The e-Gap Appliance centralizes SSL decryption and encryption, overlaying SSL encryption on regular web applications with zero re-development. It eliminates clear-text data transfer from DMZ to back office. Certificate and key management are offloaded from the application to the e-Gap System eliminating this CPU-intensive activity from the application server. Load and complexity issues for application servers are reduced, with the added benefit of centralizing certificate and key management, as well as encryption policy enforcement. The e-Gap System can be implemented with an optional SSL Hardware Accelerator to increase performance.

Network Isolation
Once an organization has taken the step to centralize its application security into a single Appliance, the question remains: how to protect the Appliance itself? The Appliance is handling all the security essentials to protect the back end networks. If hackers were able to compromise or bypass these safeguards, they could gain free passage to the corporate crown jewels. The protection comes in the form of network isolation, provided by patent-pending Air Gap technology.

The e-Gap Appliance is comprised of three elements, two Single Board Computers (SBCs) and an air gap switch. The air gap switch is designed simply to protect the e-Gap Appliance, so that it can do the important application security work that it was intended to do. All of the e-Gap’s authentication, SSL encryption/decryption/acceleration, and application filtering occur on the internal SBC, protected from hackers by the physical, hardware-based air gap. As opposed to software-only solutions, this combined software/hardware e-Gap Application Firewall System ensures that intruders cannot bypass the security mechanisms that are in place.

The patent-pending air gap switch keeps sensitive systems and data physically disconnected from untrusted networks and users, and transfers application-level data in real time. It is a high-speed, solid-state analog switch that connects a 512K memory bank to one SBC at a time via a SCSI interface. The air gap switch contains no Operating System, no TCP/IP address, no programmable units, all of which protects the appliance from being compromised. It hides internal addresses, preventing hackers’ mapping of internal network and any tunneling threat. It protects confidential information such as private keys and configuration data by placing them behind the “air gap.”

Click here to see how data flows through the e-Gap System

Hardware Platforms
Integrated 4U Appliance: Air Gap Switch and 2 Single Board Computers (with e-Gap SW license) in one 4U Appliance
Separate Units: Air Gap Switch (2U/1U form factor) together with the e-Gap SW license (customer provides 2 servers)
High Availability: available in both configurations
System Specifications
Hardware Throughput: 100 Mbps (linearly scalable for high availability)
Power Source: 110V/220V
Bus: Ultra-wide SCSI-3
Environment: 0-50C/32-122F; Relative humidity 10-90%
Platforms: WinNT;Win2000
Supported Authentication: RADIUS; RSA SecurID; LDAP; TACACS+; Client Certificates (PKI, X.509); Active Directory; user defined
© 2005 Whale Communications Ltd. All rights reserved | Terms of Use | Privacy Policy