I. Three technologies
1. Plug-in polling technology
Plug-in polling technology uses a web page detection program that reads the monitored web pages in polling mode, compares each one with its genuine copy to judge the integrity of the page content, raises an alarm, and restores any tampered page.
2. Core Embedded Technology
Core embedded technology embeds the tamper detection module in the web server software. It performs an integrity check every time a web page leaves the server, blocks access to a tampered page in real time, raises an alarm, and restores the page.
3. Event triggering technology
Event triggering technology uses the operating system's file system interface to check the validity of web page files at the moment they are modified, raises an alarm, and reverts the illegal operation.
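The three strategies side by side, as an added example written for this page and not code from iGuard or any other product: an in-memory stand-in for the web root, a trusted backup holding baseline watermarks, and one function per strategy. The "watermark" is assumed to be an HMAC-SHA256 over the file bytes (the page does not describe the real format), and the hook list on the web root stands in for the operating system's file system interface.

```python
import hashlib
import hmac

# Constructed secret; in practice it lives with the web server, not in the web root.
SECRET = b"constructed-demo-key"


def watermark(data: bytes) -> str:
    """Keyed digest of a file's bytes. A keyed digest is assumed here so that an
    attacker who can write files cannot also forge the stored baseline."""
    return hmac.new(SECRET, data, hashlib.sha256).hexdigest()


class WebRoot:
    """Stand-in for the server's file system: holds files and notifies write hooks,
    as the OS file system interface would for event-triggered checking."""

    def __init__(self, files):
        self.files = dict(files)
        self.write_hooks = []

    def write(self, path, data):
        self.files[path] = data
        for hook in self.write_hooks:
            hook(path)

    def read(self, path):
        return self.files[path]


class Backup:
    """Trusted copy of the site with its baseline watermarks (assumed to be kept
    on a separate backup server, as the page describes)."""

    def __init__(self, files):
        self.files = dict(files)
        self.marks = {path: watermark(data) for path, data in files.items()}


def poll_and_restore(root, backup):
    """1. Plug-in polling: scan every file, restore any that differ, report them."""
    tampered = []
    for path, data in list(root.files.items()):
        if watermark(data) != backup.marks.get(path):
            tampered.append(path)
            root.files[path] = backup.files[path]  # direct restore, no write event
    return tampered


def serve(root, backup, path):
    """2. Core embedded: check at output time; a page that does not match its
    baseline (or has none) is never sent to the client."""
    data = root.read(path)
    if watermark(data) != backup.marks.get(path):
        return 503, b""
    return 200, data


def install_event_check(root, backup, alarms):
    """3. Event triggering: verify a file whenever the file system interface
    reports a write; alarm on mismatch and revert the change."""

    def on_write(path):
        if watermark(root.files[path]) != backup.marks.get(path):
            alarms.append(path)
            root.files[path] = backup.files[path]

    root.write_hooks.append(on_write)


# Constructed two-page site used by run_demo().
SITE = {"/index.html": b"<h1>Welcome</h1>", "/about.html": b"<p>About us</p>"}


def run_demo():
    """Exercise all three strategies on the constructed site."""
    root, backup, alarms = WebRoot(SITE), Backup(SITE), []
    install_event_check(root, backup, alarms)

    # A modification through the hooked interface is caught and reverted at once.
    root.write("/index.html", b"<h1>Defaced</h1>")
    event_reverted = root.files["/index.html"] == SITE["/index.html"]

    # A modification that never passes the hooked interface (the page's point about
    # writes the event mechanism does not see) is missed by the event check ...
    root.files["/about.html"] = b"<p>Defaced</p>"
    event_missed = "/about.html" not in alarms
    # ... but the output-time check still blocks it, and the next poll restores it.
    status, _ = serve(root, backup, "/about.html")
    restored = poll_and_restore(root, backup)
    return {
        "event_reverted": event_reverted,
        "event_missed": event_missed,
        "blocked_status": status,
        "poll_restored": restored,
        "served_after_poll": serve(root, backup, "/about.html")[0],
    }


if __name__ == "__main__":
    print(run_demo())
```

The demo deliberately shows the weak spot of each approach: the event check sees only writes that pass its interface, the poll restores only at scan time, and the output gate never lets a mismatching page out but cannot by itself repair it.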
II. Figurative Description
If we regard the Web server as a building with strong security requirements, each directory as a room in the building, and every file as an item in a room, the three anti-tampering technologies above can be described as follows:
1. Plug-in polling technology
The building is equipped with a security guard who keeps patrolling every room and reports any suspicious item. The obvious weakness of this method is that when the building has many rooms and items he is kept far too busy; after all, one patrol of the whole building takes a long time, which gives suspicious items ample opportunity to exist and to flow out.
2. Core Embedded Technology
The building is equipped with a security engineer at the exit. He checks every outgoing item and stops any suspicious item from leaving. The obvious weakness of this method is that the check procedure may delay items on their way out; the advantage is that, since every item is checked as it leaves, suspicious items get no opportunity at all.
3. Event triggering technology
The building is equipped with a security engineer at the entrance. He checks every incoming item and raises an alarm if a suspicious item is found. The obvious advantage of this method is that the cost of prevention is very low. The disadvantage is that the structure of a building is usually very complicated: besides the main entrance there are many illegal channels through which items can enter, and new ones may be discovered at any time. In addition, once illegal items have been mixed into the building, there is no further chance to carry out a security check.
III. Technical Evaluation
1. Comparison of iGuard's event triggering technology and core embedded technology with the other web page tamper-proofing technologies:
Criterion                               Plug-in polling   Event triggering     Core embedded
Tampered page accessible to the public  Yes               Yes, in some cases   No
Web server load                         Considerable      Basically zero       Very small
Bandwidth usage                         Required          None                 None
Detection time                          Minute-level      Second-level         Real-time
Detection mechanism can be bypassed     No                Yes, easily          No
Continuous tampering prevented          No                No                   Yes
Dynamic web scripts protected           No                Yes                  Yes
Protection during disconnection         Not stated        No                   Yes
The original comparison also listed three criteria whose per-column values did not survive extraction: protection of all web pages, applicable operating systems (all versus limited), and whether detection during upload can be restricted.
2. Access to the tampered web page
Plug-in polling technology: it cannot prevent the public from accessing a tampered web page; the tampering is only found and restored after the fact, so the public may access the tampered page in the meantime.
Core embedded technology: it holds the final checkpoint on every web page leaving the server, so it can completely prevent a tampered page from being accessed by the public.
Event triggering technology: its security assurance rests on the assumption that "web pages cannot be tampered with unnoticed", so no inspection is performed on outbound web pages; in some cases (see the following figure) the public may access a tampered page.
3. Web server load
Plug-in polling technology: because Web server files are constantly scanned from outside, a considerable load is placed on the Web server, and the scan frequency (that is, the security level) is always in conflict with that load.
Core embedded technology: the tamper detection module is embedded in the web server software. After the web server software reads a web page file, the module compares its watermark, which costs a certain amount of CPU time. However, this computation takes place in memory; compared with the web server reading the file from disk, the extra load is very small.
Event triggering technology: because the security check is performed only when a web page is legitimately published, the impact on page access is almost zero, and the server load taken by the additional work is basically zero.
4. Bandwidth usage
Plug-in polling technology: the web pages are fetched and checked independently from outside, so network bandwidth for that access is required.
Core embedded technology and event triggering technology: detection is performed on the server itself and occupies no network bandwidth.
5. Bypass Detection Mechanism
Plug-in polling technology: detection is performed by an external host, so it cannot be bypassed.
Core embedded technology: the check is integrated into the web server software and inspects every web page for tampering, so it is impossible for a web page to bypass the detection mechanism.
Event triggering technology: it does not guarantee that every file modification is captured (for example, direct disk writes, writes by a kernel driver, or exploitation of operating system vulnerabilities), so it is very easy for a professional attacker to bypass, and once that succeeds it has no means to detect or recover. Its technical characteristics make it more like an anti-virus tool (fighting attackers with the attackers' own methods) than a system dedicated to website protection.
6. Continuous tampering attacks
Attackers intent on malicious damage can exploit the scan interval of the other technologies to mount a continuous tampering attack, that is, tamper with the web page again immediately after it is restored.
Plug-in polling technology: because re-tampering can be carried out automatically and continuously by a program, and only one important page (such as the home page) needs to be targeted, even a short scan interval (for example, 1 minute) cannot keep the tampered page from being accessed by the public.
Core embedded technology: an integrity check is performed every time a web page is output, and output is blocked if anything has changed, so no matter how fast or frequent the continuous attack is, the public cannot see the tampered page.
Event triggering technology: it has no control over the web server software, so once tampering has been found there is no way to coordinate with the web server, and it is powerless against large-scale or well-planned attacks.
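A tick-by-tick model of the continuous tampering attack described above, added here as an illustration rather than taken from the page or any product. It assumes one public request per tick, a polling scan every `scan_interval` ticks that restores the page, an attacker script that re-tampers `retamper_delay` ticks after each restoration, and an optional output-time gate standing in for the core embedded check; all parameters are constructed.

```python
def simulate(scan_interval, retamper_delay, horizon, output_gate):
    """Count what the public receives during a continuous tampering attack.

    - The attacker defaces the page at tick 0 and again `retamper_delay` ticks
      after every restoration (0 = immediately, the case the page describes).
    - A polling scan runs every `scan_interval` ticks and restores the page if it
      has been tampered with.
    - One public request arrives per tick. Without an output gate the request
      receives whatever is on disk; with the gate a tampered page is blocked
      instead of served.
    Returns counts of requests served clean, served tampered, and blocked.
    """
    tampered = False
    next_retamper = 0  # attacker's first write happens at tick 0
    served_clean = served_tampered = blocked = 0
    for t in range(horizon):
        if t > 0 and t % scan_interval == 0 and tampered:
            tampered = False                     # scan found and restored the page
            next_retamper = t + retamper_delay   # attacker's script reacts
        if not tampered and next_retamper is not None and t >= next_retamper:
            tampered = True
            next_retamper = None
        if not tampered:
            served_clean += 1
        elif output_gate:
            blocked += 1
        else:
            served_tampered += 1
    return {"served_clean": served_clean,
            "served_tampered": served_tampered,
            "blocked": blocked}


def exposure_ratio(result):
    """Fraction of all requests that received a tampered page."""
    return result["served_tampered"] / sum(result.values())


if __name__ == "__main__":
    # Ten minutes of one-second ticks with a one-minute scan interval.
    for delay in (0, 1):
        print("polling, retamper delay", delay, simulate(60, delay, 600, False))
    print("output gate               ", simulate(60, 1, 600, True))
```

With a 60-tick scan interval and immediate re-tampering every request in the run is served the tampered page; a one-tick reaction delay only yields nine clean requests out of 600, which is the page's point that a shorter scan interval does not close the gap. With the output gate the tampered page is blocked rather than served, so the exposure ratio is zero even though the scans and restorations happen exactly as before.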
7. Dynamic web scripts
Currently more and more websites use dynamic technologies (such as ASP, JSP, and PHP) to output web pages. A dynamic web page consists of a web script and content: the script exists on the web server as a file, while the content is taken from a database.
Plug-in polling technology: the dynamic page it detects is the mixed result of script and content, and the content changes constantly depending on the access conditions; since plug-in polling cannot separate script from content, it cannot protect dynamic web pages against tampering.
Core embedded technology and event triggering technology: the dynamic web script can be obtained directly from the web server, unaffected by the changing content, so dynamic scripts can be protected in the same way as static web pages.
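Why polling the rendered output cannot protect a dynamic page, shown as an added example that is not part of the original text: a constructed template stands in for the server-side script, a list of rows stands in for database content, and two detectors are compared, one hashing the rendered HTML (what an external poller sees) and one hashing the script file itself (what the embedded and event-triggered checks see).

```python
import hashlib

# Constructed dynamic page: the script is a template file on the server,
# the rows are content that would come from the database.
SCRIPT = "<html><body><h1>News</h1><ul>{items}</ul></body></html>"
ROWS_MONDAY = ["Budget approved", "Office closed Friday"]
ROWS_TUESDAY = ["Budget approved", "Office closed Friday", "New hire announced"]
TAMPERED_SCRIPT = SCRIPT.replace("<h1>News</h1>", "<h1>Defaced</h1>")


def digest(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def render(script: str, rows) -> str:
    """What an external poller fetches over HTTP: script and content mixed."""
    return script.format(items="".join(f"<li>{row}</li>" for row in rows))


def detector_results(old_script, new_script, old_rows, new_rows):
    """Which detector alarms when the site changes from (old_script, old_rows)
    to (new_script, new_rows)? Polling compares rendered output; the embedded
    and event-triggered checks compare the script file."""
    return {
        "polling_on_rendered_output":
            digest(render(old_script, old_rows)) != digest(render(new_script, new_rows)),
        "check_on_script_file":
            digest(new_script) != digest(old_script),
    }


def content_update():
    """Legitimate database change, script untouched."""
    return detector_results(SCRIPT, SCRIPT, ROWS_MONDAY, ROWS_TUESDAY)


def script_tampered():
    """Script file modified, database unchanged."""
    return detector_results(SCRIPT, TAMPERED_SCRIPT, ROWS_MONDAY, ROWS_MONDAY)


def both_changed():
    """Script tampered while content also changed: the poller cannot tell
    this apart from content_update(), the script check can."""
    return detector_results(SCRIPT, TAMPERED_SCRIPT, ROWS_MONDAY, ROWS_TUESDAY)


if __name__ == "__main__":
    for case in (content_update, script_tampered, both_changed):
        print(case.__name__, case())
```

The rendered-output detector fires in all three cases, so it either raises an alarm on every legitimate content change or, if tuned to tolerate change, lets tampering through; the script-file detector fires only when the script itself changes, which is the property the text attributes to the embedded and event-triggered approaches.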
8. Protection during disconnection
Core embedded technology: even if attackers cut the connection between the Web server and the backup web server, it can still prevent tampered web pages from flowing out, limiting the damage as far as possible.
Event triggering technology: if an attacker cuts the connection between the Web server and the backup web server, a tampered web page cannot be recovered immediately, and in the meantime a large number of people may have accessed it, with serious consequences.