
 

Some deeper insights into the Cyberwall technology

Web applications contain a fundamental security problem whose root cause has not been solved to date

Web applications are vulnerable in many ways. They require complex security measures at multiple levels during development and operation. This is because web applications contain a fundamental security problem whose root cause has not been solved to date: almost all of them are based on unencrypted HTML5 code and use AJAX elements, which are executed in the client browser and communicate from there with numerous REST endpoints.
 
That implies: (1) Major parts of the source code of a web application are sent to the client browser in an unprotected state. (2) A quick analysis of the application using tools built into every modern browser makes it possible to identify the application servers, which can then be tested for vulnerabilities directly and with automated tools. HTML5 and JavaScript therefore open up a very large number of ways to attack modern web applications.

Major risk factors for Web Applications

Targeted, professional attacks

Professional attackers with broad know-how and massive resources pose a major risk today. Such attackers are often financed by foreign governments, organized data brokers or competitors. Their possibilities are thus far-reaching. They buy and collect specific information about the systems and users of their targets. Based on that, tailor-made tools and approaches are designed for the respective attack. Common Web Application Firewalls, isolation through sandboxing or malware detection are not an insurmountable hurdle for them. Tailor-made attacks often use vulnerabilities unknown to the respective security architecture and therefore remain undetected.

Outdated, legacy web applications

Especially in larger organisations, large numbers of web applications are in service. Customers, employees, suppliers and other third parties are given access to web portals via the browser and thus to critical data. Third-party software as well as in-house applications often contain significant vulnerabilities originating from the front end. In particular, older and less frequented applications are often targeted because in many cases they can be compromised by simple, automated means. This is a common first step for attackers, enabling them to subsequently infiltrate further parts of the application or the organizational network.

Faulty server configuration

HTML5 and AJAX provide a much greater scope for attackers than before. In modern web applications, numerous resources are often addressed dynamically by the user interface with JavaScript. The addressed resources are visible to every end-user and can be identified and attacked directly without much effort. If individual servers are not configured correctly (e.g. insufficient authentication or missing patches), attackers will find and exploit these vulnerabilities with automated tools. Illegal access to individual servers in turn opens new ways to move further.

Websites can't be protected easily, because there is a virtually infinite number of ways to attack them


Modern web applications consist of a variety of different HTML5 elements. JavaScript, dynamic data loading (AJAX) and complex web architectures with external parties involved open many different potential attack vectors against web applications, involved servers and databases. Generally, there are 3 main problems in modern web application architecture:

PROBLEM 1

Modern Web Applications consist of many attackable resources

PROBLEM 2

There are very many ways to attack each resource or server

PROBLEM 3

Attackers can easily analyze website code and other page resources

Cyberwall solves the fundamental problem of website security: users interact with a virtual stream of an application


The Cyberwall approach represents a completely new class of web security

With Cyberwall, websites can't be attacked directly - end-users can only interact with an HTML5 stream.
The Cyberwall between web application and end-user renders the entire website in a dedicated browsing engine. JavaScript code, REST endpoints, back-end and application servers remain completely invisible to the end-user in this setup.

 

Cyberwall, the innovative solution for application virtualization, consists of two main elements: (1) a browsing engine and (2) a virtual HTML5 client implemented in JavaScript. The protection provided by Cyberwall stems from the fact that the actual code of the web application is not executed in the end-user browser. Instead of a complete website, only Cyberwall's virtual HTML5 client is executed. The virtual client processes an HTML5 stream, which the end-user browser receives, and displays the web application securely to the end-user - including all dynamic elements and functionalities. Due to this architecture, the user browser can no longer interact directly with the web application.

 

In contrast to a potentially malicious user browser, the virtual Cyberwall client's communication capabilities are highly restricted. It can process mouse movements and keyboard entries only and doesn't allow inspection of HTML5 code or direct communication with the application. The browsing engine executes these user actions on behalf of the user and is the sole element that is allowed to communicate with the application server.
 
Consequently, the web application becomes «untouchable» for virtually all web-based attacks. The Cyberwall approach represents a completely new class of web security. Unlike other approaches, Cyberwall doesn't depend on whitelisting or blacklisting or on the identification of known attack patterns. Cyberwall simply prevents potential hackers from analysing and interacting with critical web applications.
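
The restriction described above (the client may send only mouse movements and keyboard entries) amounts to a strict allow-list on the upstream channel. The following is an added illustration, not Cyberwall's code or protocol: a server-side validator for a hypothetical JSON event format, where the message fields, limits and the function name `validateInputEvent` are all assumptions.

```javascript
// Hypothetical upstream message format (an assumption, not Cyberwall's protocol):
//   {"t":"mouse","x":120,"y":48,"b":0}   pointer event, b = button bitmask
//   {"t":"key","k":"Enter","d":true}     key event, d = true when pressed
const MAX_LEN = 256;
const SHAPES = { mouse: ["t", "x", "y", "b"], key: ["t", "k", "d"] };
const NAMED_KEYS = new Set(["Enter", "Tab", "Backspace", "Escape", "Delete",
  "ArrowUp", "ArrowDown", "ArrowLeft", "ArrowRight", "Shift", "Control", "Alt"]);

function validateInputEvent(raw, viewport) {
  if (typeof raw !== "string" || raw.length > MAX_LEN) {
    return { ok: false, reason: "size" };
  }
  let msg;
  try { msg = JSON.parse(raw); } catch { return { ok: false, reason: "json" }; }
  if (msg === null || typeof msg !== "object" || Array.isArray(msg)) {
    return { ok: false, reason: "shape" };
  }
  // Only the two known event types exist; everything else is dropped.
  const known = typeof msg.t === "string" &&
    Object.prototype.hasOwnProperty.call(SHAPES, msg.t);
  if (!known) return { ok: false, reason: "type" };
  // Exact field set: nothing missing, nothing extra (no URLs, headers, markup).
  const allowed = SHAPES[msg.t];
  const keys = Object.keys(msg);
  if (keys.length !== allowed.length || !keys.every((k) => allowed.includes(k))) {
    return { ok: false, reason: "fields" };
  }
  if (msg.t === "mouse") {
    const inRange = (v, max) => Number.isInteger(v) && v >= 0 && v < max;
    if (!inRange(msg.x, viewport.width) || !inRange(msg.y, viewport.height)) {
      return { ok: false, reason: "coords" };
    }
    if (!inRange(msg.b, 8)) return { ok: false, reason: "buttons" };
    return { ok: true, event: { t: "mouse", x: msg.x, y: msg.y, b: msg.b } };
  }
  // Key events: one printable character or a named key from the allow-list.
  const printable = typeof msg.k === "string" &&
    [...msg.k].length === 1 && msg.k >= " ";
  if (!printable && !NAMED_KEYS.has(msg.k)) return { ok: false, reason: "key" };
  if (typeof msg.d !== "boolean") return { ok: false, reason: "state" };
  // Return a freshly built object so no attacker-supplied structure is forwarded.
  return { ok: true, event: { t: "key", k: msg.k, d: msg.d } };
}
```

A channel filtered this way limits what a client can express, but the rendering side still replays those clicks and keystrokes against the real application, so input entered into forms reaches the application server as before.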

New protection for web applications through Application Streaming

Cyberwall separates user and web application through application streaming

Users and potential attackers alike can only interact with a stream of the website (right-hand side). The result is highly secure protection for web applications (left) against known and unknown attack vectors.

Logical separation of execution and display

The Cyberwall architecture separates the execution of HTML5 code from the display of the protected web application. The complete web application is executed in a secure environment - the Cyberwall browsing engine - including all dynamic elements (JavaScript). For display, the pre-rendered code is then streamed in real time to the Cyberwall HTML5 client, which is executed in the user's browser. The virtual Cyberwall client is the only HTML5 code that is sent to the user's browser and executed.

High-performance Application Streaming

The major security advantages of a completely remote execution architecture are significant (isolation by design). However, until now such solutions were not possible without declines in performance and usability. Thanks to a new, proprietary streaming protocol, for the first time, client-side code can be executed remotely, i.e. logically isolated from the user browser, without any noticeable reduction of performance and usability. Our innovative protocol is not based on image or video streaming. It allows for simple and fast application streaming. Pre-rendered code, which is only relevant for displaying, is streamed to the end-user to be displayed securely within the Cyberwall client. All content is delivered by a secured appliance, the Cyberwall server. The user can't see the actual web application and its source code. Thus, there is no way for attackers to analyse the source code or the servers addressed by the web application for vulnerabilities.


Cyberwall selected security features

IT operations minimally impacted

Cyberwall produces no false positives, so no analysis of them is required. Cyberwall also supports even complex applications without adjustments to the application itself, so the protected applications can be changed over time without any need to adjust Cyberwall. Cyberwall works fully transparently for users and mostly silently for system administrators.

Immediate protection without patching

Want to secure applications as soon as possible? Lacking the resources to fix critical vulnerabilities in production applications? Or does the provider of legacy software simply not support your needs fast enough? Cyberwall can help. It simply puts most vulnerabilities out of the reach of potential attackers - and silently supports even complex or older applications.

Fast deployment for faster time to value

Cyberwall can be deployed fast, whether on premise, via our SaaS offering or as a hybrid model. You choose the speed. The roll-out can be undertaken step by step, ramping up the traffic secured via the Cyberwall gateway over time. Additional web applications used throughout your network can be added to the Cyberwall protection seamlessly over time. Depending on the requirements, we are supported by local partners to deliver larger deployments.

 

Full SSL encryption integrated

Encrypts all communication between users and all applications behind Cyberwall without any changes to the protected applications. Even if an application integrates numerous third-party data sources, not all of which support SSL, Cyberwall will SSL-encrypt the communication between user browsers and all integrated third parties and endpoints.

VPN tunneling can be replaced

If certain user groups need to connect to web applications securely, Cyberwall can replace VPN tunneling. Whether users have to connect from home offices, other external locations, or from internal to isolated networks - Cyberwall can be the intermediary ensuring a secured connection without the need to install, configure and maintain software on the connecting client devices.

Full end-to-end traffic encryption

Cyberwall supports local encryption of data before it is stored in online services such as SaaS offerings, e.g. a web-based sales tool. Form-field inputs, e.g. credentials or names and contact details of customers, can be encrypted before they leave the users' devices. Within the databases of the online service provider, they are not decrypted. When the user retrieves data, it is decrypted on the user's device. Cyberwall can support this feature with limited adjustments for a wide variety of SaaS services.

Data Leakage Prevention (DLP)

Cyberwall identifies sensitive data right before passing it on to end-user devices for display, i.e. Cyberwall can block the display of sensitive data. Forbidden exports of data (e.g. xls, csv, pdf) are also controlled by Cyberwall. Role-based adjustments are possible.

Support of all common browsers, mobile & desktop

The technology supports all common, modern web browsers (e.g. Chrome 24+, Firefox 28+, IE 10+, Safari 6+) on desktops as well as mobile user devices. Cyberwall supports even complex, dynamic web applications and will be fully transparent to users - unless they are trying to analyse the application's source code.

No adjustment of WAF rules required

Cyberwall provides protection that doesn't depend on rules. The adjustment of complex security rules, as needed by widely used security solutions, is therefore not necessary. Even if you are operating WAF-like services, Cyberwall can complement them, making constant updating of security rules less critical. Cyberwall greatly reduces the complexity of security contexts.

Significant cost benefits and minimal upfront investment

In comparison to complex detection engines that are loaded with rules and require constant maintenance to be reasonably secure, Cyberwall is a lightweight solution. It takes the complexity out of threat landscapes, saving security teams valuable time and resources.

  1. Implementing Cyberwall can be done fast and without much effort in most cases and setups.
  2. Handling during operations requires hardly any human attention over extended periods.
  3. There are no specific appliances and related upfront investments required.

Seamless transition from test to production environments

Cyberwall can easily be implemented and activated for lab testing and demo environments of a specific application. It is not necessary to set up complex rules, systems or adjustments to the application. Development and security teams, as well as business management, can test Cyberwall and convince themselves of the correct, perfectly normal functionality of the respective application behind Cyberwall - before the transition to production. The step from test environments to production is simple as well: only DNS configuration changes are necessary to route live traffic via Cyberwall.

Reduced consumed bandwidth & traffic compression

Depending on the web application and its content, Cyberwall reduces the consumed bandwidth by about 40%. Also, Cyberwall delivers web applications to the end-user from a single source. This can result in an acceleration of the web app.

Backdoor-free, made in Switzerland/Germany

Protected by the mighty peaks of the Swiss Alps as well as the traditionally rather strong privacy regulations of Switzerland, we developed Cyberwall with love and passion for high security, personal freedom and privacy. We keep our software strictly backdoor-free and strive to select only backdoor-free third party products and services throughout all operations of our firm.

Data handling and hosting in compliance with EU regulations

All data is handled at your own datacenters or in high-quality datacenters of our Swiss/German hosting partners (as required). All data is handled in accordance with European laws regulating data storage and handling.