Defiance TMS
Defiance TMS is a multi-component platform, targeted at the distributed enterprise, that provides both intrusion detection and prevention capabilities specifically for Web applications. The platform supports both a "positive" and a "negative" threat identification model. In the positive mode, the platform uses behavioral analysis techniques in an attempt to block all but specifically defined acceptable behaviors, while the negative security model seeks to block known application-layer attacks, including the top ten as published by OWASP (cross-site scripting, buffer overflows, etc.). The vulnerabilities filter (for the "negative" identification model) is updated as new threats are published by CVE, ICAT, and the vendor's own internal research. These updates can be run automatically via a Defiance update service (no server restart required) or can be downloaded as part of the vendor's regular service pack maintenance.
The platform consists of four components: Defiance Monitor, Defiance Gateway, Defiance Management Server, and Defiance Security Console.
The Defiance Monitor, which can also be purchased and implemented as a standalone tool, is a passive, out-of-band intrusion detection tool that is deployed on a Linux server, either as an additional software application or as a dedicated server. The Defiance Monitor is able to analyze application-layer traffic, such as actual HTTP requests, in an unobtrusive fashion and report results to the Security Console.
The Defiance Gateway can also be installed as software or as a "soft appliance" (Linux, Windows, Solaris). Unlike the Monitor, the Gateway is installed inline, either as a dedicated server or on the application server itself, and can therefore initiate intrusion prevention tactics as necessary. (In this respect, the Defiance Gateway resembles the vendor's existing InterDo product, though InterDo is more appropriate for the protection of a single application and/or a single location.) The Gateways also report to, and are controlled by, the Security Console, and additionally support event publishing via ODBC, SNMP traps, syslogs, and text files.
The Management Server acts as the centralized repository of Web application security data and logs, while the administrator interface to the overall platform is provided by the Security Console. The Security Console provides multiple graphical views, including the Admin View (physical Monitor/Gateway configuration, user privileges); the Security Policies View, which allows for the control of security rules, filters, and "Intelligent Escalation" triggers (more below); the Dashboard View (at-a-glance security posture and status reporting); and the Forensics View, with access to historical information.
A key feature of the platform is its support for "Intelligent Escalation" triggers. Gateways and Monitors can be initially implemented in passive modes and, when attacks are identified, can be set up to switch automatically into an active mode. This automated response can be controlled centrally for all Gateways or Monitors in the system; if a single Monitor detects an attack, all Gateways and Monitors in the enterprise can be escalated as a result. The platform ships with default, out-of-the-box security policies for protection from major threats, such as SQL injection, cross-site scripting, application buffer overflow attacks, SOAP and Web services manipulation, etc.
Defiance Monitor is shipping now; the full Defiance TMS platform is currently in beta and is expected to be available later in Q1 2005. Pricing for Defiance TMS starts at $52,980; the Monitor can be purchased separately starting at $11,500. Contact Kavado for further information.
Product submission by EITPlanet Staff