Application Security: 5 levels of "from inside to outside"

Source: Internet
Author: User

In the past two years, network attacks have occurred frequently, and most of them are attacks from the application layer. However, most network security technologies and solutions are insufficient in this regard. In this field, users need security protection from the inside out, and devices with higher throughput and a higher level of intelligent security are gradually coming into use.

Once upon a time, when users talked about security, they meant the traditional three things: firewalls, anti-virus, and intrusion detection. However, judging from the analysis of the security incidents that have occurred frequently in the past two years, the information security environment enterprises face has changed significantly. According to figures disclosed by IDC and Gartner at the beginning of this year, the greatest challenge affecting enterprise information security is the increasing number of threats from the application layer. After combining global figures from the past 36 months, the two major analysis institutions reached the same conclusion: 50%~80% of enterprise information security problems occur within the enterprise. Among them, application system vulnerabilities, email system leaks, Web and BBS problems, IM software vulnerabilities, frequent spyware, and increasingly popular phishing incidents have gradually become threats to enterprise information security.

These threats differ in principle and mechanism from the IT infrastructure security of the past. Most of them originate from the intranet and appear in application systems, and they target sensitive data. Therefore, some security experts call them the "application security" crisis from inside the enterprise. It is called a crisis because most network security technologies and solutions respond to it insufficiently. According to market feedback, more and more users are paying attention to their own "application security", and they do need security protection from the inside out. Fortunately, vendors represented by 8e6 Technology, shenzhou.com, Sangfor, TippingPoint, and Xiaonuo Technology have studied the main challenges of application security and achieved considerable technological results. As media, we also thank the vendors for sharing their many years of experience, so that more enterprise users can achieve "application security".

Protection 1: Application System Leakage

When it comes to application security, security vendors agree that, from the perspective of IT infrastructure deployment alone, application security can be divided into two layers: protection of application services, which includes protection of the applications' sensitive data, and protection of application systems, that is, protection of the continuity of the application systems. In either aspect, however, the security architecture cannot avoid the problems caused by vulnerabilities, which include vulnerabilities in various operating systems, database software, middleware, and terminal applications. In fact, the security threats caused by these vulnerabilities are usually seen at the application layer of enterprise users. Li Zhen, a security expert at TippingPoint, said that a large number of different attack codes have emerged for different links and vulnerabilities. In enterprise networks, in addition to the traditional intrusion prevention systems deployed at gateways, more and more enterprises choose to deploy IPS in front of server clusters to meet application security requirements, so that all data streams accessing server applications are monitored. "A sound application security mechanism requires in-depth analysis of each packet in the traffic accessing the server group, so as to perform the corresponding application-layer protocol parsing and handle protocol exceptions." However, Li Zhen believes that this is only half of the task. "In fact, more and more threats occur on application interfaces. These interfaces correspond to many functions and corresponding parameters. To achieve comprehensive application security, the IPS system must be able to scan these function vulnerabilities with high sensitivity."

It is reported that many of these vulnerable functions are also called by normal applications. Therefore, the IPS must determine whether an attack exists based on the parameters the user subsequently supplies, forming a signature match. To achieve application security, the intrusion prevention system must therefore be able to analyze both signature matches and protocol anomalies in the application stream. Take the famous RPC vulnerability: the security system must make a comprehensive judgment, and only after matching multiple precise conditions and identifying the request that was sent can the application system be protected accurately. Li Zhen believes that vulnerability filter technology can better meet application security requirements. This technology parses the protocol in order to identify the functions used in it and to understand what normal function parameters look like; for over-long strings that may carry a threat, the filter makes the judgment. Because this technology requires behavior analysis based on a series of function calls, the traditional matching process cannot ensure the complete implementation of application security.

It should be noted that many protection systems can provide relevant technical support for protocols with published RFC standards. However, most of Microsoft's protocols or services are not open to the public and require the device or system to analyze the protocol itself; how well this works depends on how much the vendor has disclosed. Therefore, fixing vulnerabilities in application security is not a simple process, and for flexible protocols such as HTTP, multiple measures are required to ensure application security.
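To make the difference between plain signature matching and the "vulnerability filter" approach described above concrete, here is an added example that is not code from the article or from any vendor named in it. It defines a constructed line-based RPC-style protocol (`CALL <function> key=value&...`), a hypothetical per-function parameter profile (`FUNCTION_SPEC`), and a filter that parses the request, identifies the function, and judges the call by its parameters (length and character class) rather than by a fixed byte pattern. The `NAIVE_SIGNATURE` and all sample requests are constructed for the demonstration.

```python
"""Toy 'vulnerability filter': protocol parsing plus parameter profiling.

Added example; the protocol, the spec table and the samples are constructed.
"""
from dataclasses import dataclass
import re


@dataclass
class Verdict:
    action: str          # "allow" or "block"
    reason: str
    function: str = ""   # function name recovered by the protocol parser


# Hypothetical profile of what *normal* parameters look like for each function:
# parameter name -> (maximum length, allowed-character pattern).
FUNCTION_SPEC = {
    "OpenFile": {"path": (260, r"^[\w./\\:-]+$"), "mode": (2, r"^[rwa]$")},
    "Lookup":   {"name": (64, r"^[\w.-]+$")},
}

# A naive signature: one literal pattern lifted from a single exploit sample.
NAIVE_SIGNATURE = b"\x90\x90\x90\x90"

_LINE = re.compile(r"^CALL (\w+)(?: (.*))?$")


def naive_signature_match(raw: bytes) -> bool:
    """Traditional matching: flags only requests containing the literal pattern."""
    return NAIVE_SIGNATURE in raw


def parse_request(raw: bytes):
    """Protocol parsing step: return (function, params) or raise ValueError."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError as exc:
        raise ValueError("non-ASCII bytes in request") from exc
    match = _LINE.match(text.rstrip("\r\n"))
    if not match:
        raise ValueError("malformed request line")
    func, body = match.group(1), match.group(2) or ""
    params = {}
    for item in filter(None, body.split("&")):
        if "=" not in item:
            raise ValueError(f"malformed parameter {item!r}")
        key, value = item.split("=", 1)
        params[key] = value
    return func, params


def vulnerability_filter(raw: bytes) -> Verdict:
    """Decide by protocol anomaly and by the parameters of the identified function."""
    try:
        func, params = parse_request(raw)
    except ValueError as exc:
        return Verdict("block", f"protocol anomaly: {exc}")
    spec = FUNCTION_SPEC.get(func)
    if spec is None:
        return Verdict("block", f"unknown function {func}", func)
    for name, value in params.items():
        if name not in spec:
            return Verdict("block", f"unexpected parameter {name}", func)
        max_len, pattern = spec[name]
        if len(value) > max_len:
            return Verdict("block", f"parameter {name} too long ({len(value)} > {max_len})", func)
        if not re.match(pattern, value):
            return Verdict("block", f"parameter {name} has abnormal characters", func)
    return Verdict("allow", "parameters within normal profile", func)


# Constructed sample traffic: a normal call, the same function with an
# over-long path, a request carrying the literal signature, and an unknown function.
SAMPLES = {
    "normal":    b"CALL OpenFile path=reports/q1.txt&mode=r",
    "overlong":  b"CALL OpenFile path=" + b"A" * 400 + b"&mode=r",
    "nop_sled":  b"CALL OpenFile path=" + NAIVE_SIGNATURE + b"&mode=r",
    "unknown":   b"CALL DeleteAll target=*",
}


def evaluate_samples() -> dict:
    """Run both detectors over the samples; returns {label: (filter action, naive hit)}."""
    return {label: (vulnerability_filter(raw).action, naive_signature_match(raw))
            for label, raw in SAMPLES.items()}


if __name__ == "__main__":
    for label, (action, naive_hit) in evaluate_samples().items():
        print(f"{label:9s} filter={action:5s} naive_signature_hit={naive_hit}")
```

The "overlong" sample is the case the text is about: the function itself is legitimate and is called by normal clients, so the naive signature sees nothing, while the parser-based filter blocks it because the `path` parameter exceeds the function's normal profile.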

Protection 2: Prevent email leaks

Another major problem of application security is the mail system widely used by enterprises. In the past, firewalls or IPS were mostly used to protect the email system from external viruses. Now, however, the main challenge is that enterprises need to set up a complete email filtering mechanism to make sure that sent emails do not contain sensitive enterprise information. Interestingly, UTM vendors such as shenzhou.com and shenzhen.com also pay great attention to this. You should know that, under the standard definition of mail security in UTM, its function is mainly anti-spam. Yan Shifeng, security product manager at shenzhou.com, said: "The security control of emails must be implemented in two aspects: underlying access control and content analysis. Therefore, for the protection of sensitive data, enterprises need to consider it comprehensively."

In fact, Yan Shifeng's idea is consistent with that of most security gateway products. First, gateway-type security management devices, such as Digital China's DCSM, are used to control the access of all intranet users at the entrance. This access control can bind multiple elements, such as user name, password, IP address, MAC address, and switch port. In addition, to control intranet personnel's access more precisely, client agents can be automatically distributed to the system of each employee of the enterprise. "The advantage of this is that every employee who wants to send messages via the enterprise mail system is monitored by DCSM in every action; undoubtedly, this ensures the reliability of mail users from the source," said Yan Shifeng.

Song Hanbin, a security expert at 8e6 Technology, also said that gateway devices can adopt bypass mode, so they generally do not interfere with the original network topology; instead they use a monitoring method similar to a sniffer to obtain all the information sent from the intranet, ensuring that mail users' behavior is controllable. Of course, entry control of mail users is only the first step in ensuring mail security; the next step is to monitor the content of the email. Digital China Networks and 8e6 Technology use the DCSM and E-Police technologies to audit email keywords and images and generate mail security reports. Ye Yibin, technical manager at Sangfor Technology, said that analysis of a large number of cases found that most enterprises' email leaks were caused by the mail-sending client, so they specially developed delayed email audit technology to ensure the security of sending. "When the client sends an email, many of an enterprise's online monitoring tools only see that the email has been sent; even if it causes a leak, it cannot be recovered. With delayed audit technology, client emails are first sent to the gateway, where the network administrator decides. If the review is approved, or by default if the review is not completed, the email can be sent; otherwise, it is blocked." Ye Yibin believes that auditing email content can guarantee the technical integrity; what enterprises need to do is to ensure the implementation level.

At the Information Security exhibition held in Beijing in June, the reporter saw that the security review of email has indeed become an important part of enterprise application security. Enterprises use security gateways or security bridges to connect the internal network with the external untrusted network and handle emails in the following steps:

1. Request: the user sends an email, destined for the external untrusted network, to the security gateway or security bridge.

2. Delayed cache: the security gateway or bridge stores the email in a designated location in the internal trusted network that is accessible to the administrator, and notifies the administrator.

3. Review and send: the management personnel review the emails to be sent based on the notification. Emails that pass the review are sent normally; otherwise, they are not sent.

Ye Yibin said that by sending emails to the Internet through the delayed caching of the security gateway or bridge, combined with manual review, enterprises ensure that confidential information is not leaked through external email.
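The three-step delayed-audit flow above, together with the keyword audit mentioned earlier in this section, as an added example that is not code from the article or from Sangfor, Digital China or 8e6. The gateway, its `SENSITIVE_KEYWORDS` list, the `corp.example` domain and the sample messages are all constructed for the demonstration; the `expire` method models the variant quoted from Ye Yibin, where an unreviewed message may be released after the review window, as a configurable policy.

```python
"""Toy delayed-audit outbound mail gateway (added example, constructed data)."""
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    PENDING = "pending"   # step 2: held in the delayed cache, administrator notified
    SENT = "sent"         # step 3: review passed (or internal mail), handed onward
    BLOCKED = "blocked"   # step 3: review failed


@dataclass
class Message:
    sender: str
    recipient: str
    subject: str
    body: str
    state: State = State.PENDING
    findings: list = field(default_factory=list)   # keyword hits from the content audit


# Hypothetical keyword list used by the content audit (assumption, not a vendor list).
SENSITIVE_KEYWORDS = ("confidential", "customer list", "salary")


def content_audit(msg: Message) -> list:
    """Return the sensitive keywords found in subject or body (case-insensitive)."""
    text = f"{msg.subject}\n{msg.body}".lower()
    return [kw for kw in SENSITIVE_KEYWORDS if kw in text]


class DelayedAuditGateway:
    def __init__(self, internal_domain: str, notify):
        self.internal_domain = internal_domain.lower()
        self.notify = notify        # callback that alerts the administrator
        self.queue = {}             # message id -> Message: the delayed cache
        self.delivered = []         # messages released to the external network
        self._next_id = 1

    def is_external(self, address: str) -> bool:
        return not address.lower().endswith("@" + self.internal_domain)

    def submit(self, msg: Message) -> int:
        """Step 1 (request): the client hands the message to the gateway."""
        mid = self._next_id
        self._next_id += 1
        if not self.is_external(msg.recipient):
            # Internal mail never crosses the trust boundary: deliver immediately.
            msg.state = State.SENT
            self.delivered.append(msg)
            return mid
        # Step 2 (delayed cache): hold the message, attach audit findings, notify.
        msg.findings = content_audit(msg)
        self.queue[mid] = msg
        self.notify(mid, msg)
        return mid

    def review(self, mid: int, approved: bool) -> State:
        """Step 3 (review and send): the administrator's decision releases or blocks."""
        msg = self.queue.pop(mid)
        if approved:
            msg.state = State.SENT
            self.delivered.append(msg)
        else:
            msg.state = State.BLOCKED
        return msg.state

    def expire(self, mid: int, release_on_timeout: bool = False) -> State:
        """Review window elapsed without a decision; policy decides the default."""
        return self.review(mid, approved=release_on_timeout)


def run_demo() -> dict:
    """Constructed scenario: one leaking external mail, one internal, one clean external."""
    alerts = []
    gateway = DelayedAuditGateway(
        "corp.example", lambda mid, m: alerts.append((mid, m.recipient, m.findings)))
    leak = Message("alice@corp.example", "partner@outside.example", "Q3 numbers",
                   "Attached is the confidential customer list.")
    internal = Message("alice@corp.example", "bob@corp.example", "lunch", "12:30?")
    clean = Message("carol@corp.example", "vendor@outside.example", "PO 1234",
                    "Please confirm the delivery date.")
    ids = [gateway.submit(m) for m in (leak, internal, clean)]
    gateway.review(ids[0], approved=False)   # administrator blocks the leak
    gateway.review(ids[2], approved=True)    # administrator releases the clean mail
    return {
        "alerts": alerts,
        "states": {ids[0]: leak.state, ids[1]: internal.state, ids[2]: clean.state},
        "delivered": [m.recipient for m in gateway.delivered],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The point the text makes is visible in the state machine: an external message is never in the `delivered` list until a review decision exists, so a leak is stopped before it leaves, rather than merely logged after the fact.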

Protection 3: Defending against potential Web threats

Another noteworthy application security issue comes from the popularity of Web applications. According to Dr. Jia Zhang Jianqing, a security expert at Xiaonuo Technology, many employees surf the Internet, download files, and access BBS and blogs, which often leads to leaks, viruses, or malicious code. In fact, more and more Web sites, Web email, and BBS have become a major application problem that enterprises cannot avoid.

Ye Yibin said that, for Web leaks, enterprises must have well-developed technologies to record users' online behavior. "When an employee opens a webpage, the UTM or gateway device must generate a record identifying the specific user, the user's IP, and which webpage is accessed. Searches, BBS posts, and communications are recorded at the content level to achieve tracing." Currently, vendors such as Sangfor, shenzhou.com, and 8e6 Technology have HTTP protocol-based content analysis technology. Enterprises
