Save Zhao Ming-WEB Website Security Solution

Source: Internet
Author: User

Status quo analysis:

Zhao Ming: website O&M manager

Two requirements are raised in the video:

1. Use a security protection solution to prevent attacks.

2. When an attack occurs, the system must promptly raise an alarm, block the attack, and record the characteristics of the attacker's behaviour.

The current website topology is as follows:

The video shows that Zhao Ming's website was attacked by hackers and defaced.

In the current topology there is only a single load balancer, and the firewall function is apparently provided only by that load balancer.

The website architecture is two-tier: a front-end WEB server and a back-end DB server.

Solution:

1. Install security devices

Deploy an IPS device, a WAF, and a dedicated log server at the front end of the network. The topology is as follows:

Note:

① IPS is an intrusion prevention system. It fully implements firewall functions and has all the features of an IDS. Because it is connected in-line rather than in bypass mode like an IDS, it can effectively block intrusion connections.

IPS Functions

For different network environments and security requirements, different rules and response methods are defined in terms of objects such as security zone, IP address group (segment), rule group (set), time, and action.

It actively defends against known and unknown attacks and blocks hacker attacks in real time, such as buffer overflow, SQL injection, brute-force guessing, denial of service, scanning and probing, unauthorized access, worms, Trojan backdoors, and spyware. It also provides active defense against botnets; broad and precise application protection helps users avoid security losses.

It supports security zones and routing, transparent, and hybrid deployment, with five security zone modes: transparent (Layer 2), routing (Layer 3), monitoring, direct, and management (Mgt), so it can be deployed quickly in a variety of network environments. A fail-open mechanism and dual-device hot standby (HA) are also supported to avoid a single point of failure.

It offers rich response methods: active responses (dropping packets and dropping connection sessions), passive responses and firewall linkage, TCP Killer, mail notification, console display, log database records, printer output, running user-defined commands, writing XML files, and SNMP traps. Users can customize these to meet various needs.

IPS configuration recommendations:

Disable all ports that are not required;

Only allow access initiated from the Internet to the WEB server;

Prohibit access initiated from the WEB server to the Internet, opening only the connections that are needed, such as patch and anti-virus updates. This mainly prevents viruses and trojans on the WEB server from making reverse connections.

Configure blocking rules.

Enable logging.

Run a test.
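The three network rules above can be checked mechanically against connection records, which is also how the IPS logs would be reviewed after an incident. The following script is an added example, not code from the original article or from any IPS product: it encodes the article's policy (inbound from the Internet only to the WEB server on the open ports, outbound from the WEB server only to the patch and anti-virus update servers, everything else blocked and logged) and runs it over a few constructed records. The addresses, the update-server hosts and the record format are assumptions.

```python
"""Audit constructed connection records against the IPS policy recommended
above: inbound from the Internet only to the WEB server on open ports,
outbound from the WEB server only to patch / anti-virus update servers,
everything else blocked and logged.

Added example, not code from the original article or from any IPS product.
Addresses, update-server hosts and the record format are assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Assumed addressing for the article's two-tier topology.
WEB_SERVER = ipaddress.ip_address("10.0.1.10")
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
OPEN_INBOUND_PORTS = {80, 443}
# Assumed patch and anti-virus update servers the WEB server may connect to.
ALLOWED_OUTBOUND = {("198.51.100.20", 443), ("198.51.100.21", 80)}


@dataclass(frozen=True)
class Conn:
    src: str
    sport: int
    dst: str
    dport: int


def parse_record(line: str) -> Conn:
    """Parse a constructed record: '<timestamp> <src>:<sport> -> <dst>:<dport>'."""
    _, src, _, dst = line.split()
    s_ip, s_port = src.rsplit(":", 1)
    d_ip, d_port = dst.rsplit(":", 1)
    return Conn(s_ip, int(s_port), d_ip, int(d_port))


def decide(c: Conn):
    """Return (action, reason) for one new connection attempt."""
    src, dst = ipaddress.ip_address(c.src), ipaddress.ip_address(c.dst)
    if src in INTERNAL_NET and dst in INTERNAL_NET:
        return "n/a", "internal traffic does not cross the front-end IPS"
    if dst == WEB_SERVER and src not in INTERNAL_NET:
        # Only the open WEB ports may be reached from the Internet.
        if c.dport in OPEN_INBOUND_PORTS:
            return "allow", "inbound to WEB on open port"
        return "block", "inbound to non-open port"
    if src == WEB_SERVER and dst not in INTERNAL_NET:
        # The WEB server may only call out to the update servers; anything
        # else is the reverse-connection pattern the article warns about.
        if (c.dst, c.dport) in ALLOWED_OUTBOUND:
            return "allow", "outbound to update server"
        return "block", "WEB server initiated outbound to non-update host (possible reverse connection)"
    return "block", "not explicitly permitted"


def audit(lines):
    """Return one (record, action, reason) triple per record, in order."""
    results = []
    for line in lines:
        action, reason = decide(parse_record(line))
        results.append((line, action, reason))
    return results


# Constructed sample records (not real traffic).
SAMPLE_RECORDS = [
    "2024-05-01T10:00:01 203.0.113.5:51234 -> 10.0.1.10:443",
    "2024-05-01T10:00:02 203.0.113.5:51235 -> 10.0.1.10:22",
    "2024-05-01T10:00:03 10.0.1.10:40000 -> 198.51.100.20:443",
    "2024-05-01T10:00:04 10.0.1.10:40001 -> 203.0.113.77:4444",
    "2024-05-01T10:00:05 203.0.113.9:51236 -> 10.0.2.20:3306",
    "2024-05-01T10:00:06 10.0.1.10:40002 -> 10.0.2.20:3306",
]

if __name__ == "__main__":
    for line, action, reason in audit(SAMPLE_RECORDS):
        # "block" entries are the ones the IPS should log and alarm on.
        print(f"{action:5} {line}  ({reason})")
```

The fourth record is the case the article's third rule exists for: the WEB server opening a connection to an arbitrary Internet host, which is what a trojan's reverse connection looks like from the network. Internal WEB-to-DB traffic is marked "n/a" because, in the article's topology, it never passes through the front-end IPS.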

② WAF is the WEB application firewall, used mainly for WEB application-layer protection.

WAF features

WAF provides a security O&M control method based on two-way analysis of HTTP/HTTPS traffic, giving real-time protection to WEB applications. Compared with traditional firewall/IPS devices, the most significant technical differences of WAF are as follows:

1. A deep understanding of HTTP: it can completely parse HTTP, including the header, parameters, and payload. It supports various HTTP encodings (such as chunked encoding), strict HTTP protocol verification, HTML restrictions, various character-set encodings, and response filtering.

2. Application-layer rules: WEB applications are usually custom-built, so traditional rules for known vulnerabilities are often insufficient. WAF provides dedicated application-layer rules and can detect obfuscated (deformed) attacks, such as mixed attacks in SSL-encrypted traffic.

3. A positive security model (white list model): only valid input is allowed, providing an external input-validation mechanism for WEB applications that makes them more secure and reliable.

4. A session protection mechanism: the biggest drawback of HTTP is the lack of a reliable session-management mechanism. WAF supplements this to prevent session-based attacks such as cookie tampering and session hijacking.
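Points 1, 3 and 4 above are easier to appreciate in code. The script below is an added example, not code from the original article or from any WAF product: it decodes a chunked request body before inspection (so a payload split across chunk boundaries is still seen whole), applies a positive model in which each endpoint declares the only parameters and value formats it accepts, and verifies an HMAC on the session cookie so that tampering is detected before the application sees the request. The endpoint names, parameter formats and signing key are assumptions; the sample requests are constructed.

```python
"""Three WAF capabilities from the list above, as an added example (not code
from the original article or from any WAF product):

1. full HTTP parsing: chunked bodies are decoded before inspection,
2. a positive (white list) model: each endpoint declares the only
   parameters and value formats it accepts; everything else is rejected,
3. session protection: the session cookie carries an HMAC, so a tampered
   cookie is rejected before the application sees it.

Endpoint names, parameter formats and the signing key are assumptions.
"""
import hashlib
import hmac
import re
from urllib.parse import parse_qs

SESSION_KEY = b"replace-with-a-random-secret"  # assumed; generate per deployment

# Positive model: endpoint -> {parameter: regex of permitted values}
ALLOWED_PARAMS = {
    "/login": {"user": r"[A-Za-z0-9_]{3,32}", "password": r".{8,128}"},
    "/search": {"q": r"[\w .-]{1,64}", "page": r"\d{1,3}"},
}


def decode_chunked(raw: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked transfer-encoded body (trailers ignored)."""
    out, pos = bytearray(), 0
    while True:
        end = raw.index(b"\r\n", pos)
        size = int(raw[pos:end].split(b";")[0], 16)  # drop chunk extensions
        pos = end + 2
        if size == 0:
            return bytes(out)
        out += raw[pos:pos + size]
        pos += size + 2  # skip the chunk data and its trailing CRLF


def validate(path: str, body: bytes):
    """Return None when the request fits the positive model, else a reason."""
    schema = ALLOWED_PARAMS.get(path)
    if schema is None:
        return "unknown endpoint"
    params = parse_qs(body.decode("utf-8", "replace"), keep_blank_values=True)
    for name, values in params.items():
        if name not in schema:
            return f"unexpected parameter {name!r}"
        for value in values:
            if not re.fullmatch(schema[name], value):
                return f"parameter {name!r} fails format"
    return None


def issue_session(user: str) -> str:
    """Cookie value '<user>.<hmac>'; the MAC binds the user name."""
    mac = hmac.new(SESSION_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{mac}"


def verify_session(cookie: str):
    """Return the user name if the cookie's MAC is valid, else None."""
    user, _, mac = cookie.rpartition(".")
    expected = hmac.new(SESSION_KEY, user.encode(), hashlib.sha256).hexdigest()
    return user if mac and hmac.compare_digest(mac, expected) else None


def inspect_request(path: str, body: bytes, chunked: bool = False, cookie=None):
    """WAF decision for one request: 'allow' or 'block: <reason>'."""
    if chunked:
        body = decode_chunked(body)  # inspect the reassembled body, not the wire form
    reason = validate(path, body)
    if reason:
        return "block: " + reason
    if cookie is not None and verify_session(cookie) is None:
        return "block: session cookie tampered or forged"
    return "allow"


# Constructed sample requests.
LOGIN_CHUNKED = b"a\r\nuser=alice\r\n16\r\n&password=correcthorse\r\n0\r\n\r\n"
# The injection string is split across chunks; only the decoded body shows it.
SEARCH_CHUNKED = b"3\r\nq=a\r\n9\r\n' OR 1=1-\r\n1\r\n-\r\n0\r\n\r\n"

if __name__ == "__main__":
    print(inspect_request("/login", LOGIN_CHUNKED, chunked=True))
    print(inspect_request("/search", SEARCH_CHUNKED, chunked=True))
    good = issue_session("alice")
    forged = "admin." + good.split(".")[1]  # user name changed, MAC kept
    print(inspect_request("/search", b"q=shoes", cookie=forged))
```

Note the order of checks: the body is fully decoded first, because a rule engine that matched on the raw chunked bytes would see `' OR 1=1-` and `-` as separate fragments. The white list rejects both unknown parameters and known parameters with out-of-format values, which is what makes the model positive rather than signature-based.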

WAF configuration recommendations:

Grant the minimum permissions needed;

Configure blocking rules.

Enable logging.

Run a test.

To improve WAF performance, we recommend that you disable other ancillary functions.

③ Log server. Connect the IPS and WAF directly to it so that both devices' logs are kept for post-event analysis. The dotted line to the switch is for ease of management, but it carries security risk; if it is not necessary, connecting it is not recommended.

④ The IPS and WAF are connected in a single serial chain, so a single point of failure exists. A dual-device (HA) mode can be considered to improve availability.

2. WEB server software security

① Operating system patches, application patches, middleware patches, database patches, and anti-virus updates.

② WEB server and source code security evaluation.

Today's WEB security focuses on the application layer, that is, code security. Although we have installed the IPS and WAF, these devices only defend against what they recognise as an attack; traffic that is normal, or that they consider normal, is allowed through. If the application code itself has a flaw, it will still cause a major problem.

Suggestion 1: completely separate the front-end and back-end WEB code.

Suggestion 2: if conditions permit, engage a professional security vendor to evaluate the code security.

③ DB server security settings, sensitive operations, logs, etc.
