For high-traffic Web sites, Proto Balance Advanced provides connection rate limiting per second and limits the total number of connections. Both are done on a per-client basis. It has a complete Web configuration interface. The IP address of each connecting Web browser is recorded along with its connection stats. It is scalable to millions of clients and handles 10,000 concurrent connections. It performs server backend load balancing with an on-the-fly capability to add and remove servers. Daily and weekly traffic graphs are shown.
Proto Balance SSL negotiates an SSL connection and forwards the plain HTTP connection to your Web server. Certificate management tasks such as request generation, vendor certificate installation, and key generation are all done from an easy-to-use Web interface. It load balances connections over multiple Web servers. It performs 1000 SSL transactions per second. It also provides traffic management and on-the-fly redirection of traffic, on-the-fly adding and removal of servers, traffic accounting and client-connection-rate limits, denial-of-service protection, Layer 7 inspection, and X-Forwarded-For support.
mod_auth_pubtkt is a simple Web single sign-on (SSO) solution for Apache. It validates authentication tickets provided by the client in a cookie using public-key cryptography (DSA or RSA). Thus, only the login server that generates the tickets needs to possess the private key, while Web servers can verify tickets given only the public key. The implementation of the login server is left to the user, but an example and a library in PHP are provided with the distribution.
Shibboleth is a standards-based middleware software package providing Web single-sign-on across or within organizational boundaries. It implements standards such as OASIS' SAML to provide a federated single-sign-on and attribute exchange framework. It also provides extended privacy functionality, allowing the browser user and their home site to control the attributes released to each application.
A 'honeypot' is designed to detect server-side attacks. In contrast, a 'honeyclient' is designed to detect client-side attacks. Specifically, a honeyclient is a dedicated host that drives specially instrumented applications to access remote servers to see if those servers are behaving in a malicious manner (by compromising the client). Honeyclients can proactively detect exploits against client applications without known signatures. This framework uses a client-server model with SOAP messaging as the primary communication method, and uses the free version of VMware Server as a means of virtualizing the client environment.
Firekeeper is an intrusion detection and prevention system for Firefox. It is able to detect, block and warn the user about malicious sites. Firekeeper uses flexible rules, similar to Snort rules, to describe browser-based attack attempts. Rules can also be used to effectively filter different kinds of unwanted content.
Cyan Secure Web Proxy Server is a carrier-grade, high-performance Internet filtering proxy server for Linux. It includes scalable (user/group/host) Web filter and virus scan utilities for blocking malicious applications at the gateway. It has an advanced URL database, authentication support (Active Directory, LDAP, NTLM), SSL interception, easy deployment, and remote administration.
Suhosin is an advanced protection system for PHP installations. It was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core. Suhosin comes in two independent parts that can be used separately or in combination. The first part is a small patch against the PHP core that implements a few low-level protections against buffer overflows or format string vulnerabilities. The second part is a powerful PHP extension that implements all the other protections. Suhosin is binary compatible with plain PHP installations.