Eight techniques an application firewall uses to block application attacks

Source: Internet
Author: User
Tags http request requires firewall
Have you made up your mind to make your applications secure? After all, the information they handle, such as financial transactions, credit card numbers, confidential data and user profiles, is too important to the business to leave exposed. But these applications are large and complex, and above all they sit directly in the path of attacks that march straight through port 80 (primarily HTTP) and port 443 (SSL) on the network firewall. This is where the application firewall comes in. The eight techniques an application firewall uses to discover and block application attacks are as follows.

Deep packet processing

Deep packet processing, sometimes called deep packet inspection or semantic inspection, correlates multiple packets into a data stream and maintains the state of the whole stream while looking for anomalous, attack-like behaviour. Deep packet processing requires very fast analysis, inspection and reassembly of the application flow so that the application is not delayed. Each of the techniques that follow represents a different level of deep packet processing.

TCP/IP termination

Application-layer attacks involve multiple packets and often multiple requests, that is, several different data streams. To be effective, a traffic analysis system must be able to inspect packets and requests across the entire session in which the user interacts with the application in order to find attack behaviour. At a minimum this requires the ability to terminate the transport-layer protocol and look for malicious patterns throughout the data stream, not just within a single packet.

SSL termination

Today almost all security-sensitive applications use HTTPS to keep communications confidential. However, SSL data streams are encrypted end to end, which makes them opaque to passive probes such as intrusion detection system (IDS) products.
To prevent malicious traffic, the application firewall must terminate SSL and decrypt the data stream so that it can inspect the traffic in clear text. This is the minimum requirement for protecting application traffic. If your security policy does not allow sensitive information to travel over the network unencrypted, the solution must re-encrypt the traffic before it is sent on to the Web server.

URL filtering

Once the application traffic is in clear text, the URL portion of the HTTP request must be inspected for signs of malicious attacks, such as suspicious Unicode encoding. A signature-based approach to URL filtering, which matches regularly updated signatures in order to filter out URLs associated with known attacks such as Code Red and Nimda, is far from sufficient. The solution must check not only the URL but the rest of the request as well. In fact, if the application's response is also taken into account, the accuracy of attack detection can be improved considerably. Although URL filtering is an important operation that stops the usual script-kiddie type of attack, it is powerless against most application-layer vulnerabilities.

Request Analysis
Comprehensive request analysis is more effective than URL filtering alone: it prevents cross-site scripting vulnerabilities and other vulnerabilities at the Web server level. Comprehensive request analysis takes URL filtering a step further: it ensures that requests are well formed, that they adhere to the standard HTTP specification, and that each individual request stays within reasonable size limits. This technique is very effective at preventing buffer overflow attacks. However, request analysis is still a stateless technique: it can only examine the current request. Remember that meaningful analysis, and the deeper protection that comes with it, is only possible when previous actions are known.

User session Tracking
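The URL filtering and request analysis steps described above, as an added example that is not part of the original article: a stateless check of one clear-text HTTP request against size limits, the HTTP request-line and header format, a small constructed signature list for Code Red / Nimda style URLs, and a single percent-decode that rejects overlong UTF-8 sequences. The limits, signatures and sample requests are all constructed for this example.

```python
"""Stateless request analysis plus URL filtering for one clear-text HTTP request."""
import re
from typing import Optional, Tuple
from urllib.parse import unquote_to_bytes

MAX_REQUEST_LINE = 2048          # constructed size limit for the request line
MAX_HEADER_BYTES = 8192          # constructed size limit for the whole header block
ALLOWED_METHODS = {"GET", "POST", "HEAD"}
# Constructed signatures for worm-style URLs of the Code Red / Nimda family.
URL_SIGNATURES = [re.compile(p, re.I) for p in (r"/default\.ida\?", r"cmd\.exe", r"root\.exe")]
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$")


def decode_url(raw: str) -> Tuple[str, Optional[str]]:
    """Percent-decode once; reject overlong or invalid UTF-8 such as %c0%af for '/'."""
    try:
        return unquote_to_bytes(raw).decode("utf-8"), None
    except UnicodeDecodeError:
        return "", "invalid or overlong UTF-8 in URL"


def analyze_request(raw: bytes) -> Tuple[bool, str]:
    """Return (allowed, reason). Only this request is examined; no session state."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    if len(head) > MAX_HEADER_BYTES:
        return False, "header block too large"
    lines = head.split(b"\r\n")
    if len(lines[0]) > MAX_REQUEST_LINE:
        return False, "request line too long"
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return False, "malformed request line"
    method, target = m.group(1).decode(), m.group(2).decode("ascii", "replace")
    if method not in ALLOWED_METHODS:
        return False, "method %s not allowed" % method
    for h in lines[1:]:
        # Every header line needs a name:value pair and must not start with whitespace.
        if not h or b":" not in h or h[0] in b" \t":
            return False, "malformed header line"
    for sig in URL_SIGNATURES:
        if sig.search(target):
            return False, "URL matches signature %s" % sig.pattern
    path, err = decode_url(target)
    if err:
        return False, err
    if "../" in path or "\\" in path or "\x00" in path:
        return False, "path traversal or control characters after decoding"
    return True, "ok"
```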
The next, more advanced technique is user session tracking. This is the most basic part of stateful application-flow inspection: tracking user sessions and correlating the individual actions of each user. It is usually implemented by means of URL rewriting and session cookies. As long as a single user's requests are tracked, the cookies can be checked strictly, which effectively defends against session hijacking and cookie poisoning vulnerabilities. Effective session tracking not only tracks the cookies created by the application firewall itself, but also digitally signs the cookies the application generates so that they cannot be tampered with. This requires the ability to track the response to each request and extract the cookie information from it.

Response pattern matching

Response pattern matching provides more comprehensive protection for the application: it checks not only the requests submitted to the Web server but also the responses the Web server generates. It is extremely effective at preventing sites from being defaced or, more precisely, at preventing defaced pages from being served to visitors. Matching patterns within the response is the counterpart of URL filtering on the request side. Response pattern matching is divided into three levels. Anti-defacement work is done by the application firewall digitally signing the site's static content; if it finds that content has changed since it left the Web server, the firewall replaces the defaced page with the original content. To deal with leaks of sensitive information, the application firewall monitors responses and looks for patterns that may indicate a problem on the server, such as a long run of Java exception text.
If such patterns are found, the firewall removes them from the response or simply blocks the response. The "stop and go" word scheme looks for predefined generic patterns that must, or must not, appear in the responses the application generates. For example, you can require a copyright notice on every page the application serves.

Behavioral modeling

Behavioral modeling, sometimes called a positive security model or whitelist security, is the only protection against the most intractable application vulnerabilities: zero-day vulnerabilities. A zero-day vulnerability is an attack that is undocumented or "not yet known". The only mechanism for dealing with such attacks is to allow behaviour known to be good and prohibit everything else. This technique requires modeling the application's behaviour, which in turn requires a comprehensive analysis of every response to every request submitted to the application in order to identify the behavioural elements on each page, such as form fields, buttons and hyperlinks. This level of analysis can detect malicious form-field and hidden-form-field manipulation vulnerabilities, while enforcing extremely strict control over the URLs a user is allowed to access. Behavioral modeling is the only technology that effectively deals with all 16 application vulnerabilities. Behavioral modeling is a very good concept, but its effectiveness is often limited by its own strictness. Some situations, such as heavy use of JavaScript or deliberate deviation from the behavioural model, can cause behavioral modeling to make mistakes, producing false positives and denying legitimate users access to the application. Behavioral modeling therefore requires a degree of human intervention to improve the accuracy of the security model.
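The three levels of response pattern matching described above, as an added example that is not code from the original article: the firewall signs static pages when they are published and restores the signed original if a served copy no longer verifies, scrubs constructed leak patterns such as Java exception text and stack frames, and enforces constructed stop/go words (a required copyright notice, a forbidden card-number-like pattern). The signing key, patterns and pages are all placeholders constructed for the example.

```python
"""Response pattern matching: anti-defacement, leak scrubbing, stop/go words."""
import hashlib
import hmac
import re
from typing import Dict, Tuple

SIGNING_KEY = b"constructed-demo-key"   # placeholder; a real deployment keeps this secret

# Level 2: constructed patterns that suggest a server-side fault is leaking out.
LEAK_PATTERNS = [
    re.compile(rb"java\.lang\.\w+Exception"),
    re.compile(rb"^\s+at [\w.$]+\([\w.]+:\d+\)$", re.M),   # one Java stack frame line
]
# Level 3: "go" words that must appear, "stop" words that must never appear.
GO_WORDS = [re.compile(rb"&copy; \d{4} Example Corp")]
STOP_WORDS = [re.compile(rb"\b\d{4}-\d{4}-\d{4}-\d{4}\b")]   # card-number-like string


def sign_content(body: bytes) -> str:
    """Level 1: HMAC over the static page as it left the Web server at publish time."""
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()


def publish(path: str, body: bytes, store: Dict[str, dict]) -> None:
    """Record the signed original so a later defaced copy can be replaced."""
    store[path] = {"sig": sign_content(body), "original": body}


def filter_response(path: str, body: bytes, store: Dict[str, dict]) -> Tuple[str, bytes]:
    """Return (action, body) with action in pass / restore / scrubbed / block."""
    signed = store.get(path)
    if signed is not None and not hmac.compare_digest(signed["sig"], sign_content(body)):
        return "restore", signed["original"]      # serve the signed original, not the defaced page
    for pat in STOP_WORDS:
        if pat.search(body):
            return "block", b""
    for pat in GO_WORDS:
        if not pat.search(body):
            return "block", b""
    cleaned = body
    for pat in LEAK_PATTERNS:
        cleaned = pat.sub(b"[removed]", cleaned)
    return ("pass" if cleaned == body else "scrubbed"), cleaned
```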
Behavioral auto-prediction

Behavioral auto-prediction, also called automatic rule generation or application learning, is not strictly a flow inspection technique but a meta-inspection technique: it analyses traffic, builds behavioural models and, with the help of various correlation techniques, generates a set of rules to apply to the behavioural model in order to improve its accuracy. The advantage is that the behavioural model can be configured automatically after a short period of learning the application.

Protecting port 80 is one of the most significant and important challenges that security staff face. Fortunately, innovative solutions to the problem have emerged and are being refined. If you integrate an application firewall that can block all 16 application vulnerabilities into a tiered security infrastructure, you can meet the challenge of application security.
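The behavioral modeling and application learning passages above, as one added example that is not code from the original article: the model learns the links and form fields (hidden-field values included) from each response it sees, and then allows only requests to learned URLs whose parameters match the learned fields, so an unknown URL, an unexpected parameter or a changed hidden field is rejected. The page markup and requests are constructed; the HTML parsing and model structure are my own choices, not any product's implementation.

```python
"""Positive security model learned from responses, enforced on requests."""
from html.parser import HTMLParser
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit


class _PageElements(HTMLParser):
    """Collect, from one response, the link targets and the fields of each form."""

    def __init__(self):
        super().__init__()
        self.links, self.forms, self._form = set(), {}, None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.add(urlsplit(a["href"]).path)
        elif tag == "form":
            self._form = self.forms.setdefault(urlsplit(a.get("action") or "").path, {})
        elif tag == "input" and self._form is not None and a.get("name"):
            # Hidden fields are remembered with their value so manipulation is caught.
            self._form[a["name"]] = a.get("value") if a.get("type") == "hidden" else None

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


class BehaviorModel:
    def __init__(self):
        self.allowed_paths = set()
        self.form_fields: Dict[str, Dict[str, Optional[str]]] = {}

    def learn(self, response_html: str) -> None:
        """Application learning: extend the model from one observed response."""
        p = _PageElements()
        p.feed(response_html)
        self.allowed_paths |= p.links | set(p.forms)
        for action, fields in p.forms.items():
            self.form_fields.setdefault(action, {}).update(fields)

    def check(self, path: str, params: Dict[str, str]) -> Tuple[bool, str]:
        """Whitelist enforcement: only learned URLs and learned fields pass."""
        if path not in self.allowed_paths:
            return False, "URL not reachable from any learned page"
        expected = self.form_fields.get(path, {})
        for name, value in params.items():
            if name not in expected:
                return False, "unexpected field %s" % name
            if expected[name] is not None and expected[name] != value:
                return False, "hidden field %s was manipulated" % name
        return True, "ok"
```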
