Eight practical techniques for firewall application security

Source: Internet
Author: User

What is application security? Application security is the security of network applications, which handle credit card numbers, confidential information, user files and other information. So what makes it difficult to protect these applications from malicious attacks? In our view, the weakest link is attacks arriving on port 80 (primarily HTTP) and port 443 (for SSL) through the network firewall. So how does a firewall detect and block these attacks? The following is a summary of eight application security technologies:

Deep packet processing

Deep packet processing, sometimes called deep packet inspection or semantic inspection, associates multiple packets into a data stream and looks for anomalous attack behavior while maintaining the state of the entire stream. It requires very high-speed analysis, inspection and reassembly of application traffic to avoid adding delay to the application. Each of the following techniques represents a different level of deep packet processing.

TCP/IP termination

Application-layer attacks involve multiple packets and often involve multiple requests, that is, different data streams. To be effective, a traffic analysis system must be able to inspect packets and requests across the entire session in which the user interacts with the application in order to find attack behavior. At the very least, this requires the ability to terminate the transport-layer protocol and look for malicious patterns throughout the data stream rather than just in a single packet.

SSL termination

Today, almost all secure applications use HTTPS to ensure the confidentiality of communications. However, SSL data streams use end-to-end encryption, which makes them opaque to passive probes such as intrusion detection system (IDS) products. To block malicious traffic, the application firewall must terminate SSL and decrypt the data stream so that it can inspect the traffic in clear text. This is the minimum requirement for protecting application traffic. If your security policy does not allow sensitive information to be transmitted over the network unencrypted, you will need a solution that re-encrypts the traffic before it is sent to the web server.

URL filtering

Once the application traffic is in clear text, the URL portion of the HTTP request must be inspected for signs of malicious attack, such as suspicious Unicode encoding. A signature-based approach to URL filtering, which matches against regularly updated signatures and filters out URLs related to known attacks such as Code Red and Nimda, is far from enough. What is needed is a scheme that checks not only the URL but also the rest of the request. In fact, if the application response is also taken into account, the accuracy of attack detection can be greatly improved. Although URL filtering is an important operation that stops the usual script-kiddie type of attack, it is powerless against most application-layer vulnerabilities.
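The check for suspicious Unicode encoding described above, as an added example that is not part of the original article. It assumes that "suspicious" means overlong UTF-8, non-standard %u escapes, invalid UTF-8 and double percent-encoding; the function names and sample URLs are hypothetical and constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

PCT_U = re.compile(r"%u[0-9a-fA-F]{4}")    # non-standard %uXXXX escape
PCT_HEX = re.compile(rb"%[0-9a-fA-F]{2}")  # an escape that survived one decode

def has_overlong_utf8(raw: bytes) -> bool:
    """Detect UTF-8 sequences that encode a code point in more bytes than needed."""
    for lead, nxt in zip(raw, raw[1:] + b"\x00"):
        if lead in (0xC0, 0xC1):                  # 2-byte form of an ASCII character
            return True
        if lead == 0xE0 and 0x80 <= nxt <= 0x9F:  # 3-byte form of a code point < U+0800
            return True
        if lead == 0xF0 and 0x80 <= nxt <= 0x8F:  # 4-byte form of a code point < U+10000
            return True
    return False

def inspect_url(url: str) -> list[str]:
    """Return the encoding anomalies found in the URL part of a request line."""
    findings = []
    if PCT_U.search(url):
        findings.append("non-standard %u escape")
    decoded = unquote_to_bytes(url)               # exactly one round of percent-decoding
    if has_overlong_utf8(decoded):
        findings.append("overlong UTF-8")
    else:
        try:
            decoded.decode("utf-8")
        except UnicodeDecodeError:
            findings.append("invalid UTF-8")
    if PCT_HEX.search(decoded):                   # heuristic: also flags a literal "%25xx"
        findings.append("double percent-encoding")
    return findings

# Constructed sample URLs, not taken from real traffic.
SAMPLES = [
    "/index.html?q=caf%C3%A9",
    "/docs/..%c0%af../x",
    "/a/%u002e%u002e/b",
    "/a/%252e%252e/b",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", inspect_url(sample) or "clean")
```

A filter like this flags the request for blocking or closer inspection before the URL reaches the web server's own decoder; as the paragraph above notes, it does not replace checking the rest of the request.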


