1. Web firewall products:
Web page tamper-proofing and audit/recovery are passive measures; a product that can block intrusion behaviour is the active type. The IPS/UTM products mentioned above are general-purpose security gateways, but there are also hardware security gateways dedicated to the Web: domestic examples include the Green League Web firewall and Qiming's WIPS (Web IPS), and abroad there is Imperva's WAF (Web Application Firewall), among others.
A Web firewall strengthens protection against Web-specific intrusion modes such as DDoS, SQL injection, XML injection and XSS. Because these intrusions come from the application layer rather than the network layer, from a technical standpoint it should be called a Web IPS rather than a Web firewall; "Web firewall" is simply the popular industry name, used because it is easier to understand. Because the focus is on preventing SQL injection, some people also call it an SQL firewall.
Web firewall products are deployed in front of the Web server, in-line (serial access). This not only places demands on hardware performance; the device also must not affect the Web service itself, so HA and bypass functions are necessary, and it has to be deployed in coordination with the load balancers, Web caches and other products commonly found in front of Web servers.
The core technology of a Web firewall is its intrusion detection capability, particularly detection of intrusions against Web services. Here the technical differences between manufacturers are very large and cannot be measured by the size of a vendor's signature library; what matters is the test results. Looking at the technical characteristics of the vendors, there are the following approaches:
Proxy service: the proxy approach is itself a kind of security gateway. A bidirectional, session-based proxy breaks the direct connection between user and server and works with all kinds of encryption protocols; it is the technology most commonly used in Web cache applications. The proxy approach keeps an intruder from entering directly, can restrain DDoS attacks, and suppresses unexpected "special" behaviour. The WAF of NetContinuum (Barracuda) is representative of this technology.
Feature recognition: identifying the intruder is the prerequisite for protecting against him. A feature is the attacker's "fingerprint", such as the shellcode in a buffer overflow or the always-true expression (1=1) common in SQL injection. Application-level information is not "standard", but each piece of software and each behaviour has its own unique attributes, and this is how viruses and worms are identified. The trouble is that every attack has its own characteristics, their number is huge, and many closely resemble one another, so false positives are a real possibility. Although the number of malicious-code patterns is growing exponentially and the security community has been calling for this technology to be phased out, there is currently no particularly better way to do application-layer recognition.
Algorithm recognition: feature recognition has its drawbacks, so people look for new ways. Attacks are classified by type and the characteristics shared by a class are extracted, so it is no longer a single feature comparison; algorithm recognition somewhat resembles pattern recognition, but it depends heavily on the attack mode, so SQL injection, DDoS, XSS and so on each have their own recognition algorithm. Algorithm recognition is semantic understanding rather than recognition by "appearance".
Pattern matching: this is the "ancient" IDS technology. Attack behaviour is distilled into a certain pattern, and once a match occurs the intrusion behaviour can be determined; of course, defining the model takes deep knowledge, and vendors keep their definitions hidden as "patents". Protocol mode is simple: the pattern is defined according to the standard protocol. Behaviour mode is more complicated,
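To make the difference between the three recognition methods concrete, here is a small added example (not code from the original post or from any of the vendors named): it runs a fixed-signature check (feature recognition), an always-true-comparison recogniser (algorithm recognition, which catches the whole class of x=x comparisons rather than one literal) and a simple protocol-pattern check over a handful of constructed sample requests. The sample requests, the signature list and the allowed-method set are assumptions made for the illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests (method, request-target); not taken from the original post.
SAMPLE_REQUESTS = [
    ("GET", "/login?user=alice&pwd=s3cret"),
    ("GET", "/item?id=5%20OR%201=1"),
    ("GET", "/item?id=7%20or%20'x'='x'"),
    ("GET", "/search?q=%3Cscript%3Ealert(1)%3C/script%3E"),
    ("TRACE", "/"),
]

# Feature recognition: a fixed "fingerprint" library, compared as substrings.
# (Assumed list for the example; a real library is far larger.)
SIGNATURES = ["1=1", "' or ", "<script"]

# Algorithm recognition: instead of one literal fingerprint, recognise the *class*
# "comparison whose two operands are identical" (an always-true expression),
# whatever the operands are.  The backreference \1 demands the same token on both sides.
TAUTOLOGY = re.compile(r"(\w+|'[^']*')\s*=\s*\1")

# Protocol mode: the standard defines what a request may look like; anything
# outside it is abnormal regardless of payload.  Method set is an assumption.
ALLOWED_METHODS = {"GET", "POST", "HEAD"}
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f]")


def signature_hits(value):
    """Return the fingerprints found in a decoded parameter value."""
    lowered = value.lower()
    return [sig for sig in SIGNATURES if sig in lowered]


def tautology_hits(value):
    """Return every always-true comparison found in a decoded parameter value."""
    return [m.group(0) for m in TAUTOLOGY.finditer(value)]


def protocol_violations(method, target):
    """Return deviations from the expected HTTP request pattern."""
    problems = []
    if method not in ALLOWED_METHODS:
        problems.append(f"method {method} not allowed")
    if CONTROL_CHARS.search(target):
        problems.append("control character in request target")
    return problems


def classify(method, target):
    """Run all three recognition methods over one request; drop empty results."""
    query = urlsplit(target).query
    values = [v for vs in parse_qs(query, keep_blank_values=True).values() for v in vs]
    findings = {
        "signature": [hit for v in values for hit in signature_hits(v)],
        "tautology": [hit for v in values for hit in tautology_hits(v)],
        "protocol": protocol_violations(method, target),
    }
    return {k: v for k, v in findings.items() if v}


def scan(requests):
    """Return (target, findings) for every request that triggered at least one method."""
    results = []
    for method, target in requests:
        findings = classify(method, target)
        if findings:
            results.append((target, findings))
    return results


if __name__ == "__main__":
    for target, findings in scan(SAMPLE_REQUESTS):
        print(target, findings)
```

Note how the second request is caught by the "1=1" signature while the third, which uses a different pair of identical operands, is missed by the signature list but still caught by the tautology recogniser; that is the "class of attack rather than single fingerprint" point made above. The price is that the algorithm also flags any legitimate value that happens to contain something like x=x, so its false positives have to be judged separately from the signature list's.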
The biggest challenge for a Web firewall is its recognition rate, and that is not easy to measure, because not every intruder announces himself: when a Trojan is planted on a Web page you can hardly tell which request brought it in, and what you do not know about you cannot count. For known attack methods one can talk about a recognition rate; for unknown ones you have to wait for the attack to "jump out" on its own before you know.
Development of the "self-learning" function:
Imperva's WAF products, in addition to intrusion prevention, provide another protection technology: automatic learning of the Web application's pages. Because no two sites are the same, the characteristics of a site's own pages cannot be defined in advance, so Imperva has the device learn them automatically beforehand and summarise the characteristics of that site's pages. The specific approach is this:
Over a period of user access, the WAF records the access mode of commonly used Web pages: how many input points a page has, what type of content is entered in each, what its usual length is, and so on. After learning, it defines a normal usage mode for the page, and when a user breaks that mode the WAF warns or blocks according to your predefined policy. For example, an account name input normally should not contain special characters, whereas XML injection needs the "<" of a language tag; a password is generally no longer than 20 characters, whereas SQL injection code is very long and so also breaks the page's access mode.
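As an added illustration of the learn-then-enforce model described above (not Imperva's code and not from the original post), the following Python builds a per-page, per-field profile from a constructed set of normal login requests, recording which character classes and what maximum length each input point has seen, and then checks new requests against that profile. The training traffic, the 1.5x length slack and the way characters are grouped into classes are assumptions of this example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from urllib.parse import parse_qs

# Constructed training traffic for the learning period (not from the original post):
# (page, query string) pairs seen during normal use of a login form.
TRAINING = [
    ("/login", "account=alice&password=Winter2009"),
    ("/login", "account=bob_smith&password=correct-horse"),
    ("/login", "account=carol99&password=pa55word!"),
    ("/login", "account=dave&password=letmein"),
]

# Assumed tolerance: a value may be up to 1.5x the longest value seen during learning.
LENGTH_SLACK = 1.5


def char_classes(value):
    """Group the characters of a value into coarse classes; each symbol is its own class."""
    classes = set()
    for ch in value:
        if ch.isalpha():
            classes.add("alpha")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("sym:" + ch)
    return classes


@dataclass
class FieldProfile:
    """What one input point on one page looked like during the learning period."""
    classes: set = field(default_factory=set)
    max_len: int = 0

    def observe(self, value):
        self.classes |= char_classes(value)
        self.max_len = max(self.max_len, len(value))


def learn(traffic):
    """Learning period: summarise every (page, field) seen in normal traffic."""
    profiles = defaultdict(FieldProfile)
    for page, query in traffic:
        for name, values in parse_qs(query).items():
            for value in values:
                profiles[(page, name)].observe(value)
    return dict(profiles)


def check(profiles, page, query):
    """Enforcement: return a finding for every way a request breaks the learned mode."""
    findings = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        profile = profiles.get((page, name))
        if profile is None:
            # Input point never seen in learning: report it, policy decides what to do.
            findings.append(f"{name}: no learned profile for {page}")
            continue
        for value in values:
            unseen = char_classes(value) - profile.classes
            if unseen:
                findings.append(f"{name}: unseen characters {sorted(unseen)}")
            if len(value) > profile.max_len * LENGTH_SLACK:
                findings.append(f"{name}: length {len(value)} exceeds learned {profile.max_len}")
    return findings


if __name__ == "__main__":
    learned = learn(TRAINING)
    for page, query in [
        ("/login", "account=erin&password=hunter22"),
        ("/login", "account=%3Cuser%3Ealice&password=x"),
        ("/login", "account=frank&password=" + "A" * 40),
        ("/profile", "bio=hello"),
    ]:
        print(page, query[:40], check(learned, page, query))
```

The account field in the training data only ever contained letters, digits and an underscore, so a "<" in it is reported as an unseen character; the password field never exceeded 13 characters, so a 40-character value is reported as breaking the learned length. Both are exactly the "does not conform to my routine" judgements the paragraph describes, and neither needed an attack signature.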
Web self-learning technology starts from the business-specific perspective of the Web service: whatever does not conform to my routine is abnormal. It is also a form of intrusion detection, and compared with a plain Web firewall it not only puts out a "wanted notice" for the intruder but also establishes internal "rules" of its own. This two-way control is obviously better than one-way.
After Citrix acquired Teros, it introduced an application firewall that learns the user behaviour patterns of a Web service by analysing traffic in both directions and builds a number of user behaviour models; it then matches you to a certain behaviour, measures your actions against that model, and immediately interrupts any attempt that "deviates". This adaptive learning engine is similar to Imperva's Web page self-learning, but one focuses on learning the characteristics of the Web page and the other on learning the rules of user access.
From the security point of view, Web page self-learning technology combined with intrusion prevention is an ideal choice.
Use of the "black and white list" feature:
A "blacklist" is an explicit list of visitors who need to be blocked, typically external visitors with a bad record or those with a reputation as "wolves"; a "whitelist" is an audience that is trusted unconditionally. This technology was used first in Internet audit products. Later, because attackers can use proxy servers and constantly change IP address, and because a "broiler" in a botnet may also be a real user, blocking by IP became less and less viable. Intranet Web services are different: the internal business users are "predictable" and office computer IPs can be fixed, so whitelist technology has come into wide use in Web protection. If it is connected with an identity authentication system and the user is also bound to the network card's MAC address, the resistance to spoofing and impersonation is stronger.
Many Web firewalls include black and white list functions, but the effectiveness of this feature depends on the user dynamically updating and maintaining the security policy, which requires the staff to be "more diligent"; blacklist maintenance in particular needs dynamic tracking of the site's visitors, so not many can really use this method.
The future of the Web firewall:
One view says: because load balancers and Web acceleration devices are indispensable for Web servers and also sit at the exit of the Web server farm, the functionality of the Web firewall may be merged into these devices. This trend somewhat resembles how the gateway UTM evolved from the individual FW, IPS, AV, VPN and other devices; UTM is the integrated product of those gateways.
But I have a different view. A UTM is deployed at the network's external connection, usually the Internet exit, and its job is network security isolation; bandwidth there is expensive, so the bandwidth a user has is very limited. A Web server cluster, by contrast, connects to the network's core switch and provides application processing capacity; the parameters that matter are usually the number of concurrent users and the number of online users, the servers generally have gigabit interfaces, and current switches can reach dozens of TB of switching capacity. Building a multi-function integrated security product on such a high-traffic link, and doing application-layer inspection there as well, puts enormous pressure on the product's hardware, and a product that achieves "wire speed" is bound to be expensive. So this idea of combining the Web firewall with those devices is open to discussion.
2. Web Trojan check tools:
Web security is not only about protecting the site itself; harm done to users' computers through the site is also very tricky. Web pages are easily planted with Trojans or exploited by XSS attacks, so is there a tool that can perform security checks on all of a site's Web pages? There is, and it uses "crawler" technology.
"Crawler" technology was first "invented" by search engines: a search site releases n little "crawlers" that scan Web sites around the world in a loop, collecting new information from each site and building the database the world searches, so that we can find whatever we want from Google, Baidu and other search portals. Because a "crawler" works from outside the site and can simulate the actual effect of a user opening it, the "crawler" quickly came into use as a tool for testing a site's own "user experience" performance, such as page opening speed and user interaction waiting time. As a user experience tool the "crawler" soon became popular on intranets as well; focusing on users' feelings was the most popular development concept in the IT field in 2008.
The so-called "crawler" is a process that scans all pages of a site according to certain rules (breadth-first or depth-first search) and checks the things of interest on each page (you know, the reason many Web sites' hit counts soar is that countless little crawlers are at work...). Because it "browses" the pages in the user's identity, there is no difference between static and dynamic pages. The Web Trojan check tool was developed on this principle; unlike a search crawler, when it checks a Web page it focuses on whether the page has been planted with a Trojan or exploited by XSS. Because the URL links on the site should all be traceable, the XSS check is very effective. (A "crawler" is somewhat like the file-check process of Web page tamper-proofing, but one runs inside the Web server and the other outside it.)
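As an added example of the crawl-and-inspect process just described (not code from the original post or from any product), the following Python crawls a small constructed in-memory site breadth-first or depth-first, following only same-site links, and flags the kinds of things a Web Trojan check looks for on each page: hidden iframes, scripts loaded from another host, and links using a script scheme. The site contents, the host names and the indicator rules are assumptions of this example; a real tool would replace fetch() with an HTTP client.

```python
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

SITE_HOST = "example.test"  # assumed host name of the site being checked

# Constructed site: path -> HTML body.  bad.test / other.test are placeholder hosts.
SITE = {
    "/": '<html><body><a href="/about">About</a><a href="/news">News</a></body></html>',
    "/about": '<html><body><a href="/">Home</a><a href="http://other.test/x">Partner</a></body></html>',
    "/news": ('<html><body><a href="/news/1">Item</a>'
              '<iframe src="http://bad.test/load" width="0" height="0"></iframe></body></html>'),
    "/news/1": ('<html><body><script src="http://cdn.bad.test/x.js"></script>'
                '<a href="javascript:alert(1)">click</a></body></html>'),
}


class PageInspector(HTMLParser):
    """Collects same-site links and suspicious elements from one page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.links = []
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            href = a["href"].strip()
            if href.lower().startswith("javascript:"):
                # A link that executes script instead of navigating: typical XSS footprint.
                self.findings.append(f"script-scheme link: {href}")
            else:
                self.links.append(urljoin(self.page_url, href))
        elif tag == "iframe":
            style = (a.get("style") or "").replace(" ", "")
            if a.get("width") == "0" or a.get("height") == "0" or "display:none" in style:
                # An invisible frame pulling in another URL is the classic planted-Trojan shape.
                self.findings.append(f"hidden iframe: {a.get('src')}")
        elif tag == "script" and a.get("src"):
            host = urlsplit(urljoin(self.page_url, a["src"])).hostname
            if host != SITE_HOST:
                self.findings.append(f"off-site script: {a['src']}")


def fetch(url):
    """Stand-in for an HTTP GET against the constructed site; None if not ours."""
    parts = urlsplit(url)
    if parts.hostname != SITE_HOST:
        return None
    return SITE.get(parts.path or "/")


def crawl(start="/", depth_first=False, max_pages=100):
    """Visit every reachable same-site page; return {path: [findings]} in visit order."""
    start_url = f"http://{SITE_HOST}{start}"
    queue = deque([start_url])
    seen = {start_url}
    report = {}
    while queue and len(report) < max_pages:
        url = queue.pop() if depth_first else queue.popleft()
        body = fetch(url)
        if body is None:
            continue
        inspector = PageInspector(url)
        inspector.feed(body)
        report[urlsplit(url).path] = inspector.findings
        for link in inspector.links:
            if urlsplit(link).hostname == SITE_HOST and link not in seen:
                seen.add(link)
                queue.append(link)
    return report


def suspicious_pages(report):
    """Paths that produced at least one finding, for the alarm."""
    return [path for path, findings in report.items() if findings]


if __name__ == "__main__":
    result = crawl()
    for path, findings in result.items():
        print(path, findings or "clean")
    print("alarm:", suspicious_pages(result))
```

Because the crawler only sees what an outside visitor sees, it inspects the rendered page rather than the files on disk, which is the inside/outside distinction the paragraph draws between a crawler and tamper-proof file checking; the same code therefore covers pages that are generated dynamically.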
Web Trojan check tools are generally used as a security-service check, but they can also be deployed on a separate server to inspect the site regularly and raise an alarm as soon as problems are found. There are currently only a small number of such products on the market, and they are generally not sold as products; some free software of the same kind can be tried. As enterprise use of Web services increases, this tool may become as popular as anti-virus checking tools.
This article is from the "Jack Zhai" blog; please be sure to keep this source: http://zhaisj.blog.51cto.com/219066/157732