Defensive Regimes

By definition, a web site that is successful in attracting traffic offers content that is attractive and thus of some value to the targeted user. If the site is freely accessible to the public at large, there are usually no problems.

However, if site access is restricted, there will always be those who try to gain access to the protected materials without proper authorization. A prime example is paid subscription sites. While value and cost can both be denominated in currency, there are always those who will want the value without the cost. Put plainly, the more successful a membership site is, the greater its attraction to those who want the content without paying. This is the domain of hotlinkers, password hackers and password traders.

Password hackers will use automated systems that try multiple combinations of usernames and passwords in search of a valid pair that will give them access. Password traders simply share accounts amongst a wide group.

To date, efforts have been concentrated primarily on repelling the efforts of password hackers. A common response is to deactivate the account permanently and immediately. Another response is to deny access from entire portions of the global network once it is discovered that unauthorized access attempts have originated from that portion. This often leads to inadvertent denial of service to the legitimate user, who will usually then need to be dealt with by customer service.

Security practitioners have argued that the next step is to consider defense as a process. A defensive regime, if you will. When viewed as a process, the appropriate defensive mechanisms and responses are properly business decisions, as distinct from purely technical decisions. The needs of the business as a whole supersede any single technical parameter.

The business policies of the site determine the appropriate response to both correct and incorrect usage of user accounts, judged by their impact on the business. The policies also extend to such related matters as usability constraints that a particular tool may impose. For example, it may be decided that certain tools are not suitable for a particular site because they are too intrusive. The guiding principle is simply that security policies and mechanisms should be selected to protect and enhance the value of the business, both in the near term and beyond.
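As an added illustration of "defense as a process" (example code, not part of the WanderWare product or this document), the policy engine below replaces the two blunt responses described above, permanent deactivation and denial of whole network ranges, with graduated responses whose thresholds are configurable business parameters: a temporary per-account lockout, per-source throttling, and a review flag for accounts used from many sources (the password-trading pattern). All thresholds and the login events are constructed assumptions.

```python
from collections import defaultdict, deque

class DefensivePolicy:
    """Graduated responses driven by configurable (business) thresholds: a burst
    of failures earns a temporary lockout, not permanent deactivation; a noisy
    source is throttled, not its whole network range denied; an account seen from
    many distinct sources (password trading) is flagged for review, not blocked."""

    def __init__(self, window=300, account_fails=5, source_fails=20,
                 lockout=900, max_sources=4):      # assumed defaults, in seconds/counts
        self.window, self.lockout, self.max_sources = window, lockout, max_sources
        self.account_fails, self.source_fails = account_fails, source_fails
        self.fails_by_account = defaultdict(deque)   # account -> failure times
        self.fails_by_source = defaultdict(deque)    # source  -> failure times
        self.sources_by_account = defaultdict(dict)  # account -> {source: last ok}
        self.locked_until = {}                       # account -> unlock time

    def _trim(self, times, now):                     # drop events outside the window
        while times and now - times[0] > self.window:
            times.popleft()

    def decide(self, now, account, source, ok):
        """Response to one attempt: allow, deny, throttle, lockout or review."""
        if self.locked_until.get(account, 0) > now:
            return "lockout"              # rejected until the temporary lock expires
        if not ok:
            acct, src = self.fails_by_account[account], self.fails_by_source[source]
            for q in (acct, src):
                q.append(now)
                self._trim(q, now)
            if len(acct) >= self.account_fails:
                self.locked_until[account] = now + self.lockout
                acct.clear()
                return "lockout"
            return "throttle" if len(src) >= self.source_fails else "deny"
        seen = self.sources_by_account[account]   # successful logins: track sources
        seen[source] = now
        for stale in [s for s, t in seen.items() if now - t > self.window]:
            del seen[stale]
        return "review" if len(seen) > self.max_sources else "allow"

# Constructed sample attempts (seconds, account, source, ok); not real traffic.
SAMPLE = ([(0, "alice", "10.0.0.1", False)] * 4
          + [(10, "alice", "10.0.0.1", False),   # fifth failure: temporary lockout
             (20, "alice", "10.0.0.9", True),    # owner locked out, but only briefly
             (1000, "alice", "10.0.0.9", True)]  # lock expired: allowed again
          + [(2000, "bob", f"192.0.2.{i}", True) for i in range(6)])  # shared account

def run(events):
    policy = DefensivePolicy()
    return [policy.decide(*e) for e in events]
```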

By embracing the concept of defense as a process, the site opens itself not only to the question of how it is to be defended but also to how the defensive regime can enhance the success of the site.

The feature set of the ISAPI authentication filter-based system described below goes well beyond current offerings. Its design has been guided by the best features of offerings on both private and public networks. A number of its features have not previously been available on web servers, but are well-tested and understood concepts on private corporate networks.

The completeness of the feature set and the scalability of the architecture create an opportunity for site owners to implement defensive regimes that fully support their business goals.


Isapi Authentication Filter
WanderWare Product Summary
copyright(c) 2003
all rights reserved