Preventing Web page tampering is a passive measure; blocking intrusion behaviour is an active one. The IPS/UTM products mentioned above are general-purpose security gateways, but there are also hardware security gateways built specifically for the Web. Domestic examples include the NSFOCUS (Green League) Web firewall and Venustech's (Qiming) WIPS (Web IPS); abroad there is the Imperva WAF (Web Application Firewall), among others.
A Web firewall mainly hardens protection against Web-specific intrusion methods such as DDoS, SQL injection, XML injection and XSS. Because these are intrusions at the application layer rather than the network layer, from a technical standpoint it should be called a Web IPS rather than a Web firewall; "Web firewall" is simply the popular industry name and is easier to understand. Because the focus is on preventing SQL injection, some people also call it an SQL firewall.
Web firewall products are deployed in front of the Web server and inserted in series (inline), so they must not only meet hardware performance requirements but also never disrupt the Web service. HA and bypass functions are therefore essential, and the product must be deployed in coordination with the load balancers, Web caches and other devices commonly placed in front of Web servers.
The core technology of a Web firewall is its intrusion detection capability, specifically the detection of intrusions against Web services. Vendors differ greatly here, and the difference cannot be judged by the size of the vendor; what matters is the test results. Looking at the vendors' technical approaches, there are several:
Proxy service: the proxy method is itself a kind of security gateway. A bidirectional, session-based proxy breaks the direct connection between user and server and works with all kinds of encrypted protocols; it is the technology most commonly used in Web cache applications. The proxy prevents intruders from reaching the server directly, can restrain DDoS attacks, and suppresses unexpected "special" behaviour. The WAF of NetContinuum (Barracuda) is representative of this technology.
Feature recognition: identifying the intruder is a prerequisite for defending against him. A feature is the attacker's "fingerprint", such as the shellcode in a buffer overflow or the always-true expression (1=1) common in SQL injection. Application data is not "standard", but every piece of software and every behaviour has its own unique attributes, and virus and worm identification works this way. The trouble is that every attack has its own features, their number is huge, many resemble one another, and false positives are a real possibility. Although malicious-code patterns are now growing exponentially and the security community keeps declaring this technology obsolete, application-layer recognition currently has no particularly better alternative.
Algorithm recognition: feature recognition has its drawbacks, so people look for new methods. Attacks are classified by type and the shared characteristics of each class are described, so detection is no longer a comparison against a single feature. Algorithm recognition is somewhat like pattern recognition, but it depends strongly on the attack type; corresponding recognition algorithms have been developed for SQL injection, DDoS, XSS and so on. Algorithm recognition is semantic understanding rather than recognition by "appearance".
Pattern matching: this is the "ancient" IDS technology. Attack behaviour is abstracted into a pattern, and a match identifies the intrusion behaviour. Of course, defining the pattern takes deep expertise, and vendors keep their definitions hidden as "patents". Protocol patterns are simple, since they are defined according to the standard protocol; behaviour patterns are more complicated.
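To make the difference between feature recognition and algorithm recognition concrete, the following added example (my own code, not from the original article or any vendor named in it) runs both approaches over a handful of constructed form-field values. The feature detector is a fixed list of regular-expression "fingerprints" built around the always-true expression the text mentions; the algorithm detector tokenizes the value and asks whether it breaks out of the quoted string literal an application would wrap it in and then continues with SQL. The sample values, the signature list and the keyword set are all assumptions chosen for illustration.

```python
import re

# Constructed sample field values, the kind a WAF inspects in a query string or form.
SAMPLES = {
    "normal_search": "cheap flights to paris",
    "normal_comment": "the statement 1=1 is always true in maths",
    "normal_name": "Conan O'Reilly",
    "injection_tautology": "admin' OR 1=1 --",
    "injection_spaced": "1' or 1 = 1",
}

# Feature recognition: a fixed list of attacker "fingerprints" (assumed here),
# such as the always-true expression from the text, matched by regular expression.
FEATURE_SIGNATURES = [
    re.compile(r"\b1\s*=\s*1\b"),
    re.compile(r"'\s*(or|and)\b", re.IGNORECASE),
]


def feature_match(value):
    """True when any fingerprint occurs anywhere in the value, regardless of context."""
    return any(sig.search(value) for sig in FEATURE_SIGNATURES)


# Algorithm recognition: tokenize the value and reason about its structure
# instead of its appearance.
TOKEN_RE = re.compile(r"--|'|\w+|\s+|[^\w\s]")
SQL_KEYWORDS = {"or", "and", "union", "select", "from", "where"}


def tokenize(value):
    """Split a value into SQL-ish tokens, dropping whitespace."""
    return [t for t in TOKEN_RE.findall(value) if not t.isspace()]


def algorithm_match(value):
    """True when the value closes a quoted string literal and then continues with SQL."""
    tokens = tokenize(value)
    quotes = [i for i, t in enumerate(tokens) if t == "'"]
    if len(quotes) % 2 == 0:
        # Quotes are balanced, so the value stays inside the literal the
        # application wraps it in; an apostrophe-free "1=1" is just text.
        return False
    after_break = tokens[quotes[0] + 1:]
    return any(t.lower() in SQL_KEYWORDS or t == "--" for t in after_break)


def classify(value):
    """Verdict of both detectors for one value."""
    return {"feature": feature_match(value), "algorithm": algorithm_match(value)}


def run_samples():
    """Classify every constructed sample; returns name -> verdict."""
    return {name: classify(value) for name, value in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:20s} feature={verdict['feature']!s:5} algorithm={verdict['algorithm']}")
```

The interesting rows are the two "normal" ones: the comment containing a literal "1=1" trips the fingerprint but not the structural check (the false positive the text warns about), and the name with an apostrophe trips neither, because breaking out of the literal alone is not followed by anything SQL-like. The structural check is deliberately simple and is not a complete SQL parser; it shows the direction of algorithm recognition, not a production detector.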
The biggest challenge for a Web firewall is its recognition rate, and that is not easy to measure, because intruders do not all announce themselves. When someone plants a trojan on a Web page, you can hardly tell which visitor was the one who did it, and what you do not know you cannot count. For known attack methods we can talk about a recognition rate; for unknown attack methods you have to wait until they "jump out" on their own before you know.
The development of the "self-learning" function:
Imperva's WAF products provide intrusion prevention but also offer another protection technology: automatic learning of the Web application's pages. Because no two sites are alike, the characteristics of a site's own pages cannot be defined in advance, so Imperva has the device learn automatically beforehand and summarize the characteristics of this site's pages. The specific approach is as follows:
Over a period of user access, the WAF records the access pattern of the commonly used Web pages: how many input points a page has, what type of content is entered at each one, and what the usual length is. After learning, it defines a normal-use mode for each Web page. When a user breaks out of that mode, for example a general account input should not contain special characters, and XML injection needs the "<" of a markup tag, the WAF warns or blocks according to your predefined policy. Similarly, a password is generally no longer than 20 characters, while SQL injection code is very long and so also breaks out of the Web access mode.
Web self-learning technology starts from the business-specific perspective of the Web service: anything that does not conform to my routine is abnormal. It is also an intrusion detection technology, and compared with a simple Web firewall it not only "arrests" the intruder but also establishes its own internal "rules". This two-way control is obviously better than one-way control.
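The page-learning approach described above can be illustrated in a few dozen lines. The following added example is my own code, not Imperva's or any other vendor's: it records, per page and per input point, which character classes and what maximum length were observed during a learning period, and then flags later requests that introduce an unseen input point, unseen character classes (such as the "<" of a tag or a quote in an account name) or a length well beyond the learned maximum. The learning traffic is constructed, the `/login` page and its two fields are assumptions, and the 1.5x length slack generalizes the fixed "no more than 20 characters" rule from the text into a learned per-field threshold.

```python
import re
from collections import defaultdict

# Constructed learning traffic: (page, form fields) pairs, as a WAF would record
# them from real users during the learning period. Page and field names are assumed.
LEARNING_TRAFFIC = [
    ("/login", {"account": "alice", "password": "s3cretpass"}),
    ("/login", {"account": "bob_smith", "password": "correcthorse"}),
    ("/login", {"account": "carol99", "password": "hunter2hunter2"}),
    ("/login", {"account": "dave", "password": "p4ssw0rd!"}),
]


def char_classes(value):
    """Coarse character classes present in a value: alpha, digit, space, or punct:<c>."""
    classes = set()
    for c in value:
        if c.isalpha():
            classes.add("alpha")
        elif c.isdigit():
            classes.add("digit")
        elif c.isspace():
            classes.add("space")
        else:
            classes.add("punct:" + c)
    return classes


def learn(traffic):
    """Build, per page, the learned normal mode of each input point (classes seen, max length)."""
    profiles = defaultdict(lambda: defaultdict(lambda: {"classes": set(), "max_len": 0}))
    for page, form in traffic:
        for name, value in form.items():
            field = profiles[page][name]
            field["classes"] |= char_classes(value)
            field["max_len"] = max(field["max_len"], len(value))
    return profiles


def check(profiles, page, form, slack=1.5):
    """Return (field, reason) deviations from the learned mode; an empty list means normal."""
    findings = []
    if page not in profiles:
        return [("*", "page never seen during learning")]
    learned = profiles[page]
    for name, value in form.items():
        if name not in learned:
            # A new input point that no real user ever submitted during learning.
            findings.append((name, "unexpected input point"))
            continue
        field = learned[name]
        novel = char_classes(value) - field["classes"]
        if novel:
            findings.append((name, "unseen character classes: " + ", ".join(sorted(novel))))
        if len(value) > field["max_len"] * slack:
            findings.append((name, f"length {len(value)} exceeds learned maximum {field['max_len']}"))
    return findings


if __name__ == "__main__":
    profiles = learn(LEARNING_TRAFFIC)
    for form in ({"account": "frank", "password": "letmein123"},
                 {"account": "alice' OR 1=1 --", "password": "x"},
                 {"account": "eve", "password": "<b>x</b>"}):
        print(form, "->", check(profiles, "/login", form) or "normal")
```

Whether a finding warns or blocks is the policy decision the text leaves to the operator; the code only reports. Note that the character-class approach lets a new user name made of ordinary letters pass without ever having been seen, while a single quote or angle bracket in a field that never carried one is enough to flag it, which is exactly the kind of site-specific rule that cannot be written in advance.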
After Citrix acquired Teros, it introduced an application firewall that analyses two-way traffic to learn the behaviour patterns of the Web service's users and builds a number of user behaviour models. Once you match a certain pattern, your behaviour is measured against it, and any "deviant" attempt is immediately interrupted. This adaptive learning engine is similar to Imperva's Web page self-learning, but one focuses on learning the characteristics of the Web pages and the other on learning the rules of user access.
From a security standpoint, combining self-learning technology with intrusion prevention is the ideal choice.
The future way of Web firewall:
One view holds that, because load balancers and Web accelerators are indispensable in front of Web servers and also sit at the exit of the Web server farm, the functions of the Web firewall may be merged into these devices. This trend resembles the way the gateway UTM evolved from separate FW, IPS, AV and VPN devices: the UTM is the collection of those gateway products.
But I take a different view. A UTM is deployed at the network's external connection, usually the Internet exit, where it provides security isolation; bandwidth there is expensive, so users with large bandwidth are few. The Web server cluster, by contrast, connects to the network's core switch and provides application processing capacity. The parameters that matter there are usually the number of concurrent users and the number of online users; the servers generally have gigabit interfaces, and today's switches can reach dozens of TB of switching capacity. Building a multi-function security product on such a high-traffic link, with application-layer inspection on top, puts enormous pressure on the hardware, and a product that achieves "line-rate" throughput must be expensive. So this idea of merging the Web firewall into those devices is open to discussion.