Int. J. of Advanced Networking and Applications, Volume: 01, Issue: 05, Pages: 314-317 (2010)

Performance Analysis of Internal vs. External Security Mechanism in Web Applications

Supriya Gupta
Dept. of Computer Sc. & IT, University of Jammu, Jammu-180 006, India
Email: mangotwin22@gmail.com

Dr. Lalitsen Sharma
Dept. of Computer Sc. & IT, University of Jammu, Jammu-180 006, India
Email: lalitsen@yahoo.com

ABSTRACT

Most applications nowadays are developed web based. Publicly accessible applications are highly exposed to security threats. The increasing number of web based attacks, which result in loss of data and unauthorized access to applications, has drawn the attention of organizations toward web application security. The most commonly employed defense mechanism is to use solutions that rely on security service tools such as firewalls, intrusion detection and prevention systems, etc. Most of the commonly used tools, such as SNORT, are based upon payload inspection, which detects an attack by searching for the occurrence of known signature patterns in the packet. But using these devices for protecting web applications against common input based attacks is an inefficient process: it consumes a significant amount of time, memory and CPU cycles for each packet while scanning through a list of rules. Implementing security features within the application's logic is an effective alternative. In this paper we analyzed the performance of two experimental web applications, one with security implemented within the code and the other checked by the external security system SNORT, using a web application testing tool (WAPT 3.0). Our experiment showed that the application with secure code showed better performance statistics in terms of response time.
The paper also discusses various issues regarding the use of security devices as protection against application layer attacks.

Keywords - web applications, security, intrusion detection and prevention, snort

Date of Submission: Jan 04, 2010
Accepted: March 03, 2010

1. INTRODUCTION

The ubiquity and popularity of the World Wide Web has attracted developers to build their applications web based. In the competition to develop online services for the general public, web applications have often been deployed with minimal attention to security risks; as a result, most applications are surprisingly vulnerable to attacks [1]. According to a recent report (1), SQL injection, cross-site scripting, and buffer overflow were the most prevalent of the application layer attacks encountered in 2008. These attacks are mostly the result of weak input validation and can be checked by using secure coding practices. Secure coding is about implementing security functions such as input validation, sanitization, and exception handling within the application's logic so that the application becomes resilient to malicious attacks. This is herein called Internal Security. However, in most organizations it is difficult to ensure that all application developers are adequately trained in secure coding practices and kept up to date on new vulnerabilities. The solutions used often rely instead on external security products, which include application firewalls [2], intrusion detection and prevention systems, etc., that improve security by blocking application hacking techniques. Securing applications using these devices is herein called External Security.

The most commonly used devices are deep packet inspection systems such as SNORT, which look within the application payload of a packet or traffic stream and make decisions based on the content of that data. Snort (2) is an open source network intrusion detection and prevention system (IDS/IPS) developed by Sourcefire. It captures the data packets traveling on the network media (cables, wireless) and matches them against a database of known attack signatures. Depending upon whether a packet matches a signature, an alert is generated and the packet is logged to a file or database. The signatures of vulnerabilities and malicious activities are represented as a set of rules in a standard industry format used by security professionals worldwide. Besides string-based matching for the identification of malicious signatures, SNORT utilizes the PCRE (Perl Compatible Regular Expression) engine for regular expression based matching in a packet payload [3]. Using PCRE, generic or concise signatures that cover a particular application can be written to detect certain types of SQL injection and cross-site scripting attacks as they occur. It can run on the web server itself or on another computer within the same network, and with the right rule-set very few attacks stay undetected. But these devices take up a considerable amount of time, memory and CPU cycles. The packets are first grabbed off the wire,

Footnotes:
(1) Web Application Security Trends Report, Q3-Q4 2008, Cenzic, Inc., at http://www.cenzic.com/downloads/Cenzic_AppSecTrends_Q3-Q4-2008.pdf
(2) http://www.snort.org
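The two mechanisms contrasted in the introduction, a per-field allow-list validator inside the application (Internal Security) and a rule-list signature scanner over the raw payload in the style the paper attributes to SNORT's string and PCRE matching (External Security), as an added Python illustration that is not the paper's own code. The field rules, the signature list and the sample requests are constructed for this example, and the timing figures are illustrative only, not the WAPT 3.0 measurements the paper reports.

```python
import re
import time

# Internal security: one allow-list rule per form field, inside the application.
# These field rules are constructed for this example, not taken from the paper.
FIELD_RULES = {
    "username": re.compile(r"[A-Za-z0-9_]{3,20}"),
    "age": re.compile(r"[0-9]{1,3}"),
}

def validate_internal(params):
    """Return the names of fields that fail their allow-list pattern.
    The check is per field and needs no knowledge of attack strings."""
    return [name for name, pat in FIELD_RULES.items()
            if not pat.fullmatch(params.get(name, ""))]

# External security: simplified signature rules in the style of SNORT's
# content + pcre options, applied to the whole raw payload. Constructed here.
SIGNATURES = [
    ("sql comment marker", "--", re.compile(r"--")),
    ("sql tautology", "or", re.compile(r"\bor\b\s+\d+\s*=\s*\d+", re.I)),
    ("script tag", "<script", re.compile(r"<script\b", re.I)),
]

def scan_external(payload):
    """Walk every rule for one payload; return (matched rule names, rules evaluated).
    Cost grows with the rule list, and a payload that matches nothing still pays it."""
    lowered = payload.lower()
    hits = [name for name, content, pcre in SIGNATURES
            if content in lowered and pcre.search(payload)]  # string pre-filter, then regex
    return hits, len(SIGNATURES)

def compare(params):
    """Run both checks on one request and report outcomes plus elapsed wall-clock
    microseconds (illustrative only; the paper measured response time with WAPT 3.0)."""
    payload = "&".join(f"{k}={v}" for k, v in params.items())
    t0 = time.perf_counter()
    rejected = validate_internal(params)
    t1 = time.perf_counter()
    hits, evaluated = scan_external(payload)
    t2 = time.perf_counter()
    return {"rejected": rejected, "hits": hits, "rules_evaluated": evaluated,
            "internal_us": (t1 - t0) * 1e6, "external_us": (t2 - t1) * 1e6}

if __name__ == "__main__":
    # Constructed sample requests: one benign, one carrying a textbook SQL tautology.
    for sample in ({"username": "alice", "age": "30"},
                   {"username": "x' or 1=1 --", "age": "30"}):
        print(sample, "->", compare(sample))
```

The validator rejects the second request simply because the field is outside its allow-list, whereas the scanner has to evaluate every rule on every request, which is the per-packet cost the paper attributes to external devices.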