As essential as they are, all the firewalls featured this month operate mostly at the network level.
HTTP requests, which most firewalls pass through unfiltered, can still be used to exploit known server vulnerabilities, tamper with cookie information, manipulate URLs and so on. It's these application-level issues that InterDo, from Israel-based KaVaDo, addresses.
The software that makes up InterDo is installed and run on a Windows NT 4.0 or 2000 server, with the main components running as background services. For optimum protection, the host system should be a dedicated server, although InterDo can reside on the same system as a protected web server, if required.
It can also be bought pre-installed on an Intel-based server appliance (from £14,300 ex. VAT) ready to plug straight into the local area network and begin working.
One of InterDo's key features is its ability to protect almost any HTTP 1.0 or 1.1 based application running on any platform. HTTPS support is also provided.
However, protection isn't automatic and a fair amount of configuration is needed, which can vary from a couple of hours for a single application on one server to several days for more complex distributed applications. Fortunately, the process isn't difficult and help with deployment will normally be included in the price.
Configuration is done via a custom Java-based console. The first step is to define one or more tunnels linking the internet with the web server(s) on the protected network, done by specifying the IP addresses and ports to monitor and connect to.
Next, applications are defined by providing the paths to their web server directories, with any not specified covered by a catch-all default security policy.
The final task is to decide on the types of checks to be made by associating so-called security pipes. Several are provided, starting with the AllowList pipe, which limits the directories that users are allowed to access.
Cookie pipes stop cookie information being used inappropriately, while the database pipe checks to make sure HTTP requests don't contain harmful SQL commands.
Other pre-defined pipes prevent URLs being manipulated and HTTP parameters being misused. Another blocks access to specific web server and application vulnerabilities. Like most, it can be customised to deal with new threats as they arise.
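A conceptual sketch of the application and pipe model described above, added here as an illustration: it is not KaVaDo's code or InterDo's configuration format. The paths, function names and SQL pattern are constructed assumptions, showing only how a request is matched to an application, falls back to a default policy, and is passed through an allow-list check and a database check.

```python
import posixpath
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed, deliberately strict pattern (assumption): it will also reject
# legitimate values such as "O'Brien", so real deployments need tuning.
SQL_PATTERN = re.compile(r"('|--|;|\b(union|select|insert|update|delete|drop)\b)", re.I)

def allow_list_pipe(allowed_dirs):
    """Build a check that passes only paths inside the listed directories."""
    def check(path, params):
        return any(path == d or path.startswith(d + "/") for d in allowed_dirs)
    return check

def database_pipe(path, params):
    """Pass only if no decoded parameter value looks like SQL."""
    return not any(SQL_PATTERN.search(value) for _, value in params)

# Hypothetical applications keyed by web path, each with its own pipes.
APPLICATIONS = {
    "/shop": [allow_list_pipe(["/shop/catalog", "/shop/cart"]), database_pipe],
}
# Catch-all policy for any path not claimed by a defined application.
DEFAULT_POLICY = [allow_list_pipe(["/public"]), database_pipe]

def inspect(url):
    """Return 'forward' or 'block' for a request URL."""
    parts = urlsplit(url)
    # Decode and normalise first so encoded "../" segments cannot
    # slip past the allow-list comparison.
    path = "/" + posixpath.normpath(unquote(parts.path)).lstrip("/")
    params = parse_qsl(parts.query, keep_blank_values=True)
    pipes = DEFAULT_POLICY
    for prefix, app_pipes in APPLICATIONS.items():
        if path == prefix or path.startswith(prefix + "/"):
            pipes = app_pipes
    return "forward" if all(pipe(path, params) for pipe in pipes) else "block"

if __name__ == "__main__":
    # Constructed sample requests.
    for sample in (
        "http://example.test/shop/catalog/item?id=42",
        "http://example.test/shop/catalog/item?id=42%20UNION%20SELECT%20password",
        "http://example.test/shop/catalog/%2e%2e/admin/",
        "http://example.test/private/report",
    ):
        print(inspect(sample), sample)
```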
Some experimentation is required to get the right configuration, but there's no need for any code changes. The impact on performance will depend on the applications and hardware involved, but KaVaDo claims that the software can support 500 to 1,000 concurrent users using a single InterDo server.
Scaling beyond that is possible by deploying multiple servers, managed from a single console.
As with most security products, InterDo isn't a complete solution; a firewall is still essential, along with antivirus and intrusion detection tools. However, it provides a level of application protection not possible using those tools alone.
Price: From £10,700 (ex. VAT) for a single tunnel.
Minimum requirements:
Hardware: 700MHz Pentium III; 128Mb of RAM. (InterDo appliance is a dual-processor Pentium III rackmount server).
Software: Windows NT 4.0/2000 (latest service packs should be applied).
Compatibility: Platform-independent. Works with all major web servers and browsers. Supports HTTP and HTTPS protocols.
Contact: KaVaDo 020 7604 4466
www.kavado.com