Frequently asked questions.

webApp.secure™ Standard Edition

Is the Microsoft® UrlScan utility adequate?

No. UrlScan only filters URLs known to exploit vulnerabilities in unpatched IIS servers.

Administrators can add various "rules" to enhance UrlScan's default settings, but because it uses a signature-recognition model, it can only (by definition) protect against known attacks.

By contrast, webApp.secure prevents both known and unknown attacks from compromising your Web server, making it a truly proactive rather than reactive measure.

What about IIS-specific 3rd-party products?

Because these products use ISAPI (Internet Server Application Programming Interface), they are too tightly coupled to IIS to be fully effective.

The numerous security bulletins and patches from Microsoft for ISAPI itself demonstrate the risky nature of this approach.

webApp.secure is not a "hook" into the Web server. Rather, it is an independent process which provides a level of isolation not possible with any solution implemented as an extension of the Web server.

Is it implemented as an appliance?

It can be.

webApp.secure is typically implemented as a software-based solution, but an appliance option is available. Please contact us for details.

Where does it fit in the overall architecture?

webApp.secure is positioned behind the Internet-facing perimeter defenses (firewalls, intrusion detection systems, etc.) and in front of the Web environment (IIS, Apache, WebSphere®, etc.).

Does it have to run on the Web server?

No. webApp.secure operates as a reverse proxy, so it can run either on the same machine as the Web server or on a separate machine.

What are some deployment options?

webApp.secure can be deployed as software directly onto the Web server, on a dedicated server (vanilla x86 hardware), or as an appliance - either single-purpose or as part of a unified threat management platform (contact us for details).

What are "Intended Use Guidelines"?

Intended Use Guidelines™ refer to the "rules" extracted from content (HTML, JavaScript, Flash) as it leaves the Web environment. Within the context of a positive protection model, Intended Use Guidelines represent a "white list".

Is a "re-training" process required when the website is updated?

No, the Intended Use Guidelines are updated in real-time based on the content of the site. Changes to are automatically recognized.
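
The positive model described in the two answers above, sketched as an added example; this is not webApp.secure code and does not show how the product is implemented. The class names, the constructed sample pages, and the simplification of keying each rule on a site-absolute path plus its query parameter names (values and POST bodies are not checked) are all assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

def param_names(query):
    return {k for k, _ in parse_qsl(query, keep_blank_values=True)}

class RuleExtractor(HTMLParser):
    """Collects same-site link targets and form fields from one outgoing page."""
    def __init__(self):
        super().__init__()
        self.rules = {}      # path -> parameter names the page offered
        self.form = None     # path of the <form> currently open, if any

    def allow(self, url):
        parts = urlsplit(url)
        if parts.netloc:     # off-site target: not a rule for this site
            return None
        self.rules.setdefault(parts.path, set()).update(param_names(parts.query))
        return parts.path

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.allow(a["href"])
        elif tag == "form" and a.get("action"):
            self.form = self.allow(a["action"])
        elif tag in ("input", "select", "textarea") and self.form and a.get("name"):
            self.rules[self.form].add(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self.form = None

class Guard:
    """Allow list that grows as pages leave the site; requests outside it fail."""
    def __init__(self, entry_paths=("/",)):
        self.rules = {p: set() for p in entry_paths}

    def observe_response(self, html):
        extractor = RuleExtractor()
        extractor.feed(html)
        for path, names in extractor.rules.items():
            self.rules.setdefault(path, set()).update(names)

    def check_request(self, url):
        parts = urlsplit(url)
        allowed = self.rules.get(parts.path)
        return allowed is not None and param_names(parts.query) <= allowed

# Constructed sample pages: the site as first served, then after an update.
PAGE_V1 = '<a href="/products?id=7">Item</a><form action="/search"><input name="q"></form>'
PAGE_V2 = '<a href="/reports?year=2024">Reports</a>'
```

A request for `/reports?year=2024` is refused until a page linking to it has been served, after which it passes with no separate training step.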

Does the Standard Edition meet PCI 6 requirements?

No, webApp.secure SE does not include some of the key protection capabilities outlined in the PCI 6.6 guidelines.

For PCI 6 compliance, please see webApp.secure Professional Edition.

Do I need to train or certify my staff?

No, webApp.secure was designed from the ground up to be as easy to use as it is effective. The unique functionality of webApp.secure makes it very intelligent and automatic, which dramatically reduces implementation and ongoing administration costs/efforts.