SkypeShield has launched a new application firewall solution for securing guest and anonymous requests when entering corporate networks.

The need for the new solution arose because, as part of the Skype for Business (Lync) topology, requests are sent anonymously to the front server in the corporate network without being authenticated or inspected. Once allowed, these requests, which might contain malicious code, can pass through DMZ firewalls with no control.

Application Firewall

The application firewall has the following security layers:

  • Request rewrite – session termination in the DMZ and rewrite of the request that is sent to the domain
  • Protocol level sanitization – inspecting the traffic to validate the structure of the traffic as expected by the protocol
  • Application level inspection – validating that the data content matches what is expected by the server
  • Device pre-authentication – performing device validation before allowing any request to enter the domain

“Common attacks take advantage of network protocol vulnerabilities to execute operations that are not approved by design. Some of these techniques generate or modify valid requests with data that look valid, but maliciously alter the server’s behavior. An example of a common concern handled by the firewall is blocking non-valid meeting ID in the DMZ,” said Guy Eldan, CEO of AGAT Software, which developed SkypeShield.

“SkypeShield’s new Application Firewall offers the best available solution for such security vulnerabilities by intercepting all anonymous Skype for Business traffic in the DMZ and validating them before allowing them to enter the domain network,” added Eldan.

In order to ensure that no malicious code is injected into a request, the solution passes each request through multiple security inspections and validation channels, including session termination and rewrite, protocol sanitation, data validating and device pre-authentication. By doing so, the risk of most protocol and application level attacks is eliminated, as the original request is not allowed to enter the domain.

The application firewall performs session termination of the request and creates a new request with the same parameters built as expected by the server schema. This concept blocks, by design, any extra code injected into the original request.

SkypeShield’s application firewall protects the internal servers by performing a wide set of sanitized filtering operations detecting malicious requests and blocking them from passing to the DMZ.