Web security (on) Web architecture analysis

First, web security is not only needed by the Internet

Web services refers to the use of B/s architecture, through the HTTP protocol to provide services to the general name, this structure is also known as the Web architecture, along with the development of Web2.0, the data and service processing separation, service and data distribution and other changes, its interactive performance is greatly enhanced, there are some people called b/s/d three The internet can be quickly popular thanks to the simplicity of web deployments, the easy development of web pages, the rapid development of a larger army than any previous computer language enthusiasts, the popularization of the application of prosperity. Java EE and. Net of the same, for the web has cleared the differences between the manufacturers and standards; As expected, SOA selected Web2.0 as one of the basic tools for its implementation (the most widely used), Web architecture from the Internet into the enterprise internal network, the development of new business systems, More and more system architects choose the Web architecture, which is inseparable from the wide range of people who are familiar with it. The fact once again proves the classic theory that simplicity is the easiest to pop.

Simple and safe as if there is always some "contradictions", the browser can see the page directly HTML code, the early Web service design does not have too much security considerations, human nature is good, technicians always believe that people are good! But with the widespread use of Web2.0, Web services are no longer just information release, game equipment transactions, daily life online shopping, government administrative approval, enterprise resource management ... The temptation of information value, people's greed began to appear, not all people have the Web designer's "Datong" thinking, security issues have become prominent.

2008 Network Security event statistics are the most: SQL injection and "web hanging Horse (Trojan)". Since this is the basic tool for "zombie" networks to develop new "members", the economic and political "value" of botnets is needless to say. SQL injection and "web hanging Horse" is mainly for Web services, traditional security products (utm/ips) are somewhat powerless.

The Internet is a paradise for personal thought, and also a world class virtual "another" society, since everyone is virtual, with masks, to become the real interest in real society, but also need some transformation to be able to cash, but SOA brings the Web architecture into the enterprise intranet, where the network world is "real", Benefits can be cashed directly, and web security becomes a matter of urgency.

Second, the Web architecture principle

To protect Web services, first understand the web system architecture, the following figure is a general structure of Web services, applicable to Web sites on the Internet, as well as Web application architectures on the intranet:

This column more highlights: http://www.bianceng.cnhttp://www.bianceng.cn/Network/Security/

The user uses a common web browser to connect to the Web server via the Access network (the Web site's access is the Internet). The user makes a request, the server is connected according to the URL of the request, find the corresponding webpage file, send to the user, the "official language" of the two dialogues is HTTP. The Web page file is described in text, html/xml format, in the user's browser has an interpreter, the text description of the page to restore the picture, audio and video of the visual page.

Usually, the page that the user wants to visit exists under a fixed directory of the Web server, some. html or. xml file, the user through the page "" "HYPERLINK" (in fact, URL address) can "jump" between the site page, this is the static page. Later, people feel that this way can only give users a one-way display of information, information can be released, but let users do some such as identity authentication, voting and other things are more troublesome, resulting in the concept of Dynamic Web pages; The so-called dynamic is the use of Flash, PHP, ASP, Java and other technologies in the Web page to embed some of the "applet", the user browser in the interpretation of the page, see these small programs to start running it. The applet is flexible enough to show a piece of animation (such as Flash), you can also generate a file on your PC, or receive a piece of information you enter, so that you can customize the page according to your "ideas", so that each time you come, you see the unique style you designed, "the VIP's Feeling "Everyone likes, not to mention the virtual world of cyberspace, you do not know the people you are so" admiration ", service so considerate ...

The use of "applet" allows the Web service model to have a "two-way communication" capability, Web service patterns can also be like traditional software for a variety of transactions, such as editing files, interest calculation, submission form, and so on, the application of Web architecture is greatly expanded, Web2.0 can become an SOA architecture, one of the implementation technology, this "Small program" is the work must not be.

These "applet" can be embedded in the page, it can also be stored separately in the directory of the Web server in the form of a file, such as. asp,. PHP, JSP files, and so on, and can be specified at development time to run on the client or server side, and the user can no longer see the source code of these small programs, The security of the service is also greatly improved. Such a functional small program more and more, forming a common toolkit, separate management, web business development, direct use can be, this is the middleware server, it is actually a Web server processing capacity expansion.

Static Web pages and "applet" are all designed in advance, generally do not change, but a lot of content on the site needs to be updated regularly, such as news, blog posts, interactive games, such changes in the data in the static process is clearly not suitable, the traditional approach is to separate data and procedures, the use of professional database. Web developers add a database server behind the Web server, and these frequently changing data are stored in the database and can be updated at any time. When the user requests the page, "applet" according to the user requirements of the page, involving dynamic data, the use of SQL database language, from the database to read the latest data, generate a "complete" page, and finally to the user, such as the stock market curve, is a continuous refresh of the small program control.

In addition to the application of data needs to change, some of the user's state information, attribute information also needs to be temporary records (because each user is different), and the Web server is not to record this information, just reply to your request, "People go tea on the cold." Later web technology to "friendly" interaction, need to "remember" the user's access information, set up a number of "new" communication mechanisms:

Cookies: Some user's parameters, such as account name, password and other information stored in the client's hard disk temporary files, users visit this site again, the parameters are also sent to the server, the server will know that you are the last time the "guy"

Session: The user's some parameter information exists in the server's memory, or written in the server's hard disk file, the user is not visible, so that users with different computer access when the VIP treatment is the same, the Web server can always remember your "appearance", under normal circumstances, Cookies and sessions can be used in combination

Cookies in the client, the general use of encrypted storage can be; session on the server side, information centralized, be tampered with the problem will be very serious, so generally put in memory management, as far as possible not stored on the hard disk.

To this, we know that there are two kinds of service data on the Web server to ensure "clean", you need to focus on protection. One is the paging file (. html,. xml, and so on), which includes dynamic Program Files (. php,. asp,. jsp, and so on), typically in a specific directory on a Web server, or on a middleware server, and in a background database such as Oracle, SQL Server, and so on. The data stored in the Dynamic Web page generation needs, but also business management data, business data.

There is one more question that should be mentioned, is the browser to the user's computer security problems, because the web can be local processes, hard disk operations, you can put Trojans, viruses on your computer, the Web architecture using "hourglass" technology to provide security, is to limit the page "applet" local read and Write permissions, But the limit must not be allowed to "work", so most of the time when writing a hint, let yourself choose, we often see a process in the installation program into your computer, but most people can not tell whether it should, or not, cause a lot of things can not do (a lot of downloads and games will only look at), or "bold" Accept that the door is open and resigned. Here the main analysis of server-side security, the security of the client to consider.

Analysis of security points in Web architecture

From the Web architecture can be seen, the Web server is a must through the door, into the door, there are many servers need to protect, such as middleware servers, database servers. We do not consider the attacks of the network insiders, only to consider the attack from the access network (or the Internet), the intruder invaded the following several channels:

1, Server System vulnerabilities: Web server, after all, a general-purpose server, whether it is windows, or Linux/unix, are not few with the system itself vulnerabilities, through these vulnerabilities intrusion, you can get the server's advanced permissions, Of course, the Web services running on the server are free to control. In addition to OS vulnerabilities, as well as the vulnerabilities of Web services software, IIS or Tomcat also need to keep patching.

2. Web Service Application Vulnerabilities: If the system-level software vulnerabilities are too many people, then the number of Web application software vulnerabilities more, because the Web service development is simple, the development of the team is uneven, not all are "professional" master, programming is not standardized, security awareness is not strong, Because of the tight development time and the simplification of testing, application vulnerabilities can also allow intruders to come and go. The most common type of SQL injection is because of the vulnerabilities that are generated in most application programming processes.

3, the password brute force crack: the loophole may attract the attack to be easy to understand, but after all needs the superb technical level, the crack password is very effective, moreover is simple. Generally speaking, account information is easy to obtain, the rest is to guess the password, because the use of complex passwords is a troublesome and "nasty" thing, set easy to remember the password, is the majority of users of the choice. Most Web services rely on the "account + password" way to manage user accounts, once cracked passwords, especially remote managers password, the extent of the damage is difficult to imagine, and its attack is more difficult than the way through the vulnerability is much simpler, and not easily detected. In the well-known network economy case, the password invasion accounted for nearly half of the proportion.

When intruders enter the web system, the purpose of action behavior is very clear:

Paralysis of the website: disruption of the website is interrupted by service. Using a DDoS attack can paralyze a Web site, but there is no damage to the Web service, and a network intrusion can delete files, stop the process, and make the Web server completely unrecoverable. In general, this approach is to ask for money or malicious competition blackmail, it may be to show his technical prowess, take your site was attacked as a promotional tool for him.

Tamper with the Web page: Modify the site's page display, is relatively easy, but also the public easily know the attack effect, for attackers, there is no "benefit" benefits, mainly to show off their own, of course, for the government and other sites, image problem is very serious.

Hanging Trojan: This intrusion on the site does not produce direct damage, but to visit the site's users to attack, the biggest "affordable" is the collection of zombie network "Broiler", a well-known web site of the speed of the transmission Trojan is explosive. Hanging Trojan is easy to be found by webmaster, XSS (Cross station attack) is a new tendency.

Tampering with the data: This is the most dangerous attacker, tampering with the website database, or the dynamic page of the control program, there is no change on the surface, it is not easy to find, is the most common economic interests of the invasion. The harm of data tampering is difficult to estimate, for example: the shopping website may revise your account amount or the transaction record, the government approves the website may revise the administrative approval result, the enterprise ERP may revise the sale order or the bargain price ...

It is said that the use of cryptographic protocols to prevent intrusion, such as HTTPS protocol, is inaccurate. First, Web services are intended for the general public and cannot be used entirely in encryption. In the Enterprise internal Web services can be used, or even the black and white list, but everyone is "internal personnel", the encryption method is a shared knowledge; second, encryption can prevent others "eavesdropping", but can not prevent impersonation; Moreover, "intermediary hijacking" You can also eavesdrop on encrypted communications.

This article is from the "Jack Zhai" blog, please be sure to keep this source http://zhaisj.blog.51cto.com/219066/157431