Functional Design of Web Application Firewall Software

Source: Internet
Author: User

This article records my own design ideas.


[Basic Concepts]

I am not sure whether a reverse proxy written in C# would reach the expected performance; if the concurrency is large, the web site may struggle. (Could some classmates help explain this?)

So the firewall software I designed is built on top of a hardened operating system and is aimed at web applications. It does not filter the data stream itself: it analyzes the data stream, and then works with IIS, Apache, the Windows security policy and Linux iptables to enforce the control actions.


[Control capability]

At present the idea is mainly web behavior control.

Analyze the data stream of requests reaching the web site for malicious keywords, focusing protection on SQL injection, XSS and CC attacks (CC, "Challenge Collapsar", is an HTTP flood that exhausts a server with a large number of page requests).


Analysis rule design:

1. For the URL data stream accessed by the same IP address within 2 minutes, count the occurrences of keywords in the parameters [select, update, insert, and, or, union, 0x, hex, char, from, alert, javascript, etc. (many more)]. If the count exceeds 10, the IP address can be regarded as a manual injection or XSS tester. The URL should be decoded before matching, otherwise an encoded payload such as %27+or+1%3D1 is never seen, and keywords should be matched as whole words, otherwise ordinary words such as "android" or "information" are counted as "and" and "or".

2. When the number of pages accessed by the same IP address exceeds 100 within 2 minutes, the IP address can be regarded as a scanner or a CC attack.


Protective measure design:

1. For SQL injection and XSS attackers, use the IP address restriction function of IIS or Apache to shield the attacker from the web site. The IP address is blocked for 10 minutes; if further attack packets are analyzed, the expiry time is updated so that the block lasts until 10 minutes after the last attack access.

2. For CC attackers, use the Windows security policy or iptables to shield the attacker from the whole server, so that it receives no service at all. The blocking time is 20 minutes, with the same refresh rule as above.


Why do SQL injection and XSS only block access to the site, while CC blocks access to the entire server? Because a server may host many web sites, and different sites are aimed at different groups of people, who may all appear as a single IP address because they reach the Internet through NAT. If one user in an internet cafe triggers a block and the whole cafe is cut off from every site on the server, the cost outweighs the benefit.

A CC attacker, on the other hand, is clearly malicious and is likely to look for every site on the server, analyze them for vulnerabilities and then flood them, so that IP address can be shielded outright. This protects the normal operation of all the sites on the web server.


3. Record the attacker's source information and the URL of the attacked site to a log, for later review and for discovering potential vulnerabilities.

4. Send an email to the administrator notifying them that the server is under attack.

 

Other firewall features, such as service control, direction control and user control, are provided by hardening the system itself.

