Intrusion Prevention and Active Response: Deploying Network and Host IPS

So far, we have focused on preventing attacks, exploits, and intrusions against a host by considering what an Intrusion Prevention System (IPS) can do when operating at different layers of the protocol stack. In this chapter, we return to Layer 5, the Application layer. We look at the benefits of understanding the application-level protocol, and of having the IPS reside close to the application it is meant to protect. After all, the reason the network exists is so that disconnected hosts can interact, but that same reachability makes the applications acting as servers the primary targets of a blackhat. Can we use knowledge of the specific protocol an application speaks to prevent network-based attacks more effectively?
Of particular interest in this chapter are Web servers. The Web is now ubiquitous, and every individual or organization that deploys a Web server opens ports on the hosting computer to traffic from a user community. For customer-facing sites, that community could be the Internet as a whole. Furthermore, the days of static Hypertext Markup Language (HTML) are largely gone. Large Web sites are typically built using Web application software such as JSP/J2EE, ASP.NET, or PHP, and are hosted on Web application servers. There is a range of vulnerabilities that a Web application programmer can introduce that will allow an attacker to retrieve sensitive information, run programs on the server, or attack other users of the Web application. In addition, if the Web server or the Web application server contains bugs, worms may have the opportunity to infect...