Well, not quite :) However, if you have a 3GB classic ASP code base (I have seen this) that you just cannot spend the cycles to update to secure code, here is a nice stopgap: a web application firewall. There are a lot of them out there. Most are ISAPI filters. You basically configure them to deny SQL keywords in the URL, among other things.
It is not without cost: web server overhead, admin work, and response time. You could also lock things down too much and take down your site. It is not 100% effective, especially if it is not correctly configured. However, it probably beats the alternatives if you cannot snap your fingers and fix your code.
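The risk of locking things down too much can be measured before a rule goes live. The following is an added example, not code from the original post or from any WAF product: it dry-runs a constructed keyword deny list against constructed known-good URLs and compares naive substring matching with whole-token matching. The keyword list, the URLs and the function names are assumptions for illustration.

```python
# Added example: dry-run a keyword deny list against known-good URLs.
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed deny list; a real WAF ships and documents its own.
DENY_KEYWORDS = ["select", "union", "insert", "drop", "exec", "--"]

def query_values(url):
    """Return URL-decoded, lower-cased query parameter values."""
    query = urlsplit(url).query
    return [v.lower() for _, v in parse_qsl(query, keep_blank_values=True)]

def hits_substring(url, keywords=DENY_KEYWORDS):
    """Keywords found anywhere inside a value (naive substring match)."""
    return sorted({k for v in query_values(url) for k in keywords if k in v})

def hits_token(url, keywords=DENY_KEYWORDS):
    """Keywords found as whole tokens only."""
    found = set()
    for v in query_values(url):
        tokens = set(re.findall(r"[a-z_]+|--", v))
        found.update(k for k in keywords if k in tokens)
    return sorted(found)

def dry_run(urls, matcher):
    """Map each URL that would be denied to the keywords that matched."""
    return {u: h for u in urls if (h := matcher(u))}

# Constructed sample of legitimate requests, as might be pulled from IIS logs.
KNOWN_GOOD = [
    "/catalog.asp?category=selection+boxes",
    "/events.asp?name=class%20reunion",
    "/search.asp?q=drop+shipping",
    "/news.asp?id=42",
    "/jobs.asp?title=executive",
]

if __name__ == "__main__":
    for label, matcher in (("substring", hits_substring), ("token", hits_token)):
        blocked = dry_run(KNOWN_GOOD, matcher)
        print(f"{label}: {len(blocked)}/{len(KNOWN_GOOD)} legitimate URLs denied")
        for url, kws in blocked.items():
            print(f"  {url} -> {kws}")
```

Even whole-token matching still denies the legitimate "drop shipping" search, so a replay like this against real logs is worth doing before switching a rule from logging to blocking.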
My security buddies recommend this open source product: AQTRONIX WebKnight - Application Firewall for Web Servers.
AQTRONIX WebKnight is an application firewall for IIS and other web servers and is released under the GNU General Public License. More particularly it is an ISAPI filter that secures your web server by blocking certain requests. If an alert is triggered WebKnight will take over and protect the web server. It does this by scanning all requests and processing them based on filter rules, set by the administrator. These rules are not based on a database of attack signatures that require regular updates. Instead WebKnight uses security filters as buffer overflow, SQL injection, directory traversal, character encoding and other attacks. This way WebKnight can protect your server against all known and unknown attacks. Because WebKnight is an ISAPI filter it has the advantage of working closely with the web server, this way it can do more than other firewalls and intrusion detection systems, like scanning encrypted traffic.
I suggest you research for yourself though.
All that said, secure application design is the ultimate solution.
posted @ Tuesday, October 14, 2008 11:15 PM by DotNetKicks.com
posted @ Tuesday, October 28, 2008 5:28 PM by ycitchr