How to defend against Web security threats?

Source: Internet
Author: User

Bkjia.com summary: why is your Web system insecure?

During the Internet boom at the beginning of this century, a popular term was the "eyeball economy": once a website is built, people's eyes are naturally drawn to it, and that attention is the Internet's eyeball economy. Today, eight years later, the saying seems to need a footnote: the eyes of the hackers are drawn to it too.

Hackers focus on Web systems for a simple reason. Let's first look at the ISO 13335 risk model:

A system, a Web system included, faces risk from three elements: threats, vulnerabilities, and value.

For Web systems, ordinary Web developers have not received professional security training, so it is hard for them to correctly filter illegal characters on every page and to enforce access permissions correctly. This leaves Web systems with a range of vulnerabilities, such as SQL injection and XSS.

As systems that provide services to the outside world, Web systems are bound to face a large number of user visits every day, so threats against their vulnerabilities are never absent.

Beyond these two reasons, there is another important reason why today's Web systems are attacked: value. As the Grand Historian (Sima Qian) wrote in the Records of the Grand Historian, "Biographies of the Money-makers": "All the world's bustling comes for profit; all the world's jostling goes for profit." The value a website carries is the root reason so many hackers enjoy attacking websites. Apart from profiting from the website directly, a hacker case exposed in Jiangxi a few days ago showed a new trick: the attackers compromised the websites of the Department of Health, the personnel examination authority, and the Department of Construction to obtain administrator privileges, and then sold fake certificates for profit.

From the risk management framework diagram above, we can also see something interesting: risk could be avoided entirely only if we could test the code strictly enough to eliminate every possible defect at the application layer, control every visitor strictly enough to avoid every threat, or reduce the system's asset value to zero. In reality the opposite is happening: as Web-based application systems advance, Web systems carry more and more value, and Web business defense receives more and more attention.

Development of Web threats and defenses

Let's look back at the development of Web threats and recall the solution that corresponded to each stage.

Early Web services generally only published information. The common attack was Web page tampering, so the protection measures were relatively simple, and the Web page tamper-proofing system was the representative Web defense product of this period. Its working principle: back up all published content and run a watchdog that monitors the Web files; once a file is modified, it is compared with the backup and restored if it differs. This scheme ignores the attack type and is easy to deploy, but its scope is relatively narrow, since it only applies to static pages.
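The backup-watchdog-restore scheme described above, written out as an added illustration (this is not any product's code). It assumes a read-only backup directory of the published site beside the live web root; the `demo()` scenario and its files are constructed for the example.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large assets need not be read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(backup_root: Path) -> dict:
    """Record the hash of every backed-up file, keyed by its path relative to the root."""
    return {str(p.relative_to(backup_root)): sha256_file(p)
            for p in backup_root.rglob("*") if p.is_file()}

def check_and_restore(backup_root: Path, web_root: Path, baseline: dict) -> list:
    """Compare the live site with the baseline: restore files that differ or are
    missing, delete files that are not part of the backup (a planted page), and
    return the relative paths that were acted on."""
    acted = []
    for rel, digest in baseline.items():
        live = web_root / rel
        if not live.is_file() or sha256_file(live) != digest:
            live.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(backup_root / rel, live)
            acted.append(rel)
    for p in list(web_root.rglob("*")):  # materialise before deleting anything
        rel = str(p.relative_to(web_root))
        if p.is_file() and rel not in baseline:
            p.unlink()
            acted.append(rel)
    return sorted(acted)

def demo() -> list:
    """Constructed scenario: the index page is defaced and an unknown page is planted."""
    base = Path(tempfile.mkdtemp())
    backup, web = base / "backup", base / "www"
    for root in (backup, web):
        (root / "img").mkdir(parents=True)
        (root / "index.html").write_text("<h1>Welcome</h1>")
        (root / "img" / "logo.txt").write_text("logo")
    baseline = build_baseline(backup)
    (web / "index.html").write_text("<h1>Defaced</h1>")
    (web / "evil.html").write_text("planted")
    acted = check_and_restore(backup, web, baseline)
    assert (web / "index.html").read_text() == "<h1>Welcome</h1>"
    assert check_and_restore(backup, web, baseline) == []  # clean after restore
    return acted
```

A real watchdog would run `check_and_restore` on a file-change notification rather than once, and would alert on every restore, since each one is evidence of an intrusion.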

With the wide adoption of dynamic page technology, Web services entered a new stage. The scope of the file-based Web page tamper-proofing system shrank: although replacing Web pages was still the attackers' most common method, pages could no longer be protected simply by a tamper-proofing system. The most common Web defense at this stage was firewall + intrusion detection, with linkage set up between the two: when the intrusion detection product discovered an attack against the Web system, it notified the firewall to block it. This solution is not affected by the Web system's architecture, but users must buy a firewall and an intrusion detection product that can work together.

In the current Web era, Web systems are ever more interactive, and methods such as SQL injection and XSS achieve "instant" attacks. Here the firewall + intrusion detection linkage does not work, and the Web page tamper-proofing system cannot help because the Web system's database is constantly being updated. Web service security defense therefore requires an application-level solution that can cut off attacks in real time.

Web Security Products

To meet the requirement for an application-level solution that cuts off attacks in "real time", the security industry has put forward two approaches:

Idea 1: an application firewall based on automatic learning. This solution has something in common with the Web page tamper-proofing system: it does not care about any specific attack behaviour but defends against attacks from a behavioural baseline. The application firewall usually needs one to two weeks of data learning, during which it must be fed "clean" traffic; it records and analyses this "clean" data and builds a model of normal data. Once in production, every access that does not fit the normal data model is blocked as an anomaly, without judging which kind of attack it actually is.

The advantages and disadvantages of this method are equally obvious. The advantage: because the data used to "train" the system is "clean" and every attack must be "unclean", alarm accuracy is extremely high and no anomaly can get past the application firewall. The learning mechanism, however, has the following disadvantages: the data used during "training" must be guaranteed both "clean" and comprehensive. Data that is not "clean" will cause the product to miss attacks in production, and if the training data is not comprehensive enough the product will raise false alarms. In addition, whenever the protected system's business changes, it must be "trained" again.

Idea 2: an IPS based on intrusion prevention technology. This method can be seen as an evolution of the firewall + intrusion detection linkage: it keeps the detection and analysis of intrusion behaviour and adds real-time data control. The principle is roughly as follows:

It can be seen that, unlike Idea 1, Idea 2 faces the threats and weaknesses in the system directly: it not only blocks attack attempts against Web services but can also report the vulnerabilities and weaknesses of the Web services to users. However, since Idea 2 uses expert-system (signature) detection rather than an anomaly model, alarm accuracy will vary from product to product.
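The two approaches side by side, as an added example rather than any vendor's code: a toy learning firewall (Idea 1) that profiles each request parameter from "clean" traffic, and a toy signature matcher (Idea 2) for the SQL injection and XSS patterns the text names. The parameter names, sample requests and signatures are constructed for the example; `compare()` shows the false alarm on an untrained legitimate value, and `poisoned_training_leaks()` shows the missed attack when the training data was not clean.

```python
import re
from collections import defaultdict

class LearningFirewall:
    """Idea 1: learn a per-parameter 'normal' profile (allowed characters and
    maximum length) from clean traffic, then reject anything outside it."""
    def __init__(self):
        self.model = defaultdict(lambda: {"charset": set(), "max_len": 0})

    def train(self, requests):
        for params in requests:
            for name, value in params.items():
                prof = self.model[name]
                prof["charset"].update(value)
                prof["max_len"] = max(prof["max_len"], len(value))

    def allowed(self, params) -> bool:
        for name, value in params.items():
            prof = self.model.get(name)  # None: parameter never seen in training
            if prof is None or len(value) > prof["max_len"] \
                    or not set(value) <= prof["charset"]:
                return False
        return True

# Idea 2: expert-system style signatures for the attack classes named in the text.
SIGNATURES = [re.compile(p, re.I) for p in (
    r"\bor\s+\d+\s*=\s*\d+", r"union\s+select", r"<script\b", r"\bonerror\s*=")]

def signature_hit(params) -> bool:
    return any(sig.search(v) for v in params.values() for sig in SIGNATURES)

CLEAN = [{"user": "alice", "id": "123"}, {"user": "bob", "id": "4567"}]  # constructed
TESTS = {  # constructed test requests
    "normal": {"user": "cole", "id": "321"},
    "sqli": {"user": "x", "id": "1 OR 1=1"},
    "xss": {"user": "<script>alert(1)</script>", "id": "1"},
    "unseen_name": {"user": "O'Brien", "id": "1"},  # legitimate, but never trained
}

def compare(training, requests) -> dict:
    """Return {label: (blocked_by_idea1, blocked_by_idea2)} for each request."""
    fw = LearningFirewall()
    fw.train(training)
    return {lbl: (not fw.allowed(p), signature_hit(p)) for lbl, p in requests.items()}

def poisoned_training_leaks() -> bool:
    """If an attack hides in the 'clean' training data, Idea 1 later lets it through."""
    fw = LearningFirewall()
    fw.train(CLEAN + [TESTS["sqli"]])
    return fw.allowed(TESTS["sqli"])
```

`compare(CLEAN, TESTS)` blocks both attacks under both ideas, but Idea 1 also blocks the harmless "O'Brien" because the apostrophe and capital letter never appeared in training, which is exactly the false-alarm cost the text describes.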

How to Improve Web Security

In the network security field the term "solution" is used often: few products can protect a system comprehensively on their own, and the same is true for Web services, where both the application firewall and the IPS can be part of a Web security solution. From the perspective of the typical PDR model, a complete security solution should include at least three parts: detection, defense, and response.

Detection: establish a security check mechanism for the website to ensure intrusions are discovered promptly. Through detection, the system can learn in time about the website's vulnerabilities, intrusions, and overall security state;

Defense: deploy website intrusion protection products matched to the current mainstream website threats and vulnerabilities to improve protection capability;

Response: arrange outside support from a professional support team to solve the problem of timely response. Once a website vulnerability is verified, this ensures that the vulnerable code is security-reviewed and repaired.

The Website Security 360 solution recently launched by Venus is a typical application of the PDR model.

Targeting the passive state of current Web service systems, which only provide simple protection and respond after incidents, the solution proposes 120° of inspection based on the Anxing remote website security check service, 120° of defense achieved by the Tianqing intrusion prevention products, and the remaining 120° of response achieved by the M2S / ADLAB emergency response service.

Unlike previous Web security solutions, the 360 solution is not simple "attack defense" but covers three aspects, detection beforehand, defense during the event, and response afterwards, to protect Web services fully. The idea is worth learning from for Web business security defense. Even if you do not buy the 360 security services, you can do it yourself on your Web system along the following lines:

In the pre-detection phase, detect vulnerabilities in the Web system, both system vulnerabilities and business vulnerabilities, and check whether the Web system has already been attacked or infected.

In the in-process defense phase, focus on protection against the major threats to Web services, such as SQL injection and XSS, and also protect the operating system that hosts the Web services.

In the post-event response phase, act on the detection results: fix system vulnerabilities, improve the Web page code, and remove Web page Trojans and malicious code. Also act on problems found in the defense phase: if an attack was not blocked, restore the attacked website.
