Technical analysis of Web security (part 2): passive security products

Source: Internet
Author: User
Tags: continue, hash, log, sql injection, web services, web database backup

I. Web security product analysis

There is a wide variety of products built around the security of Web services. The most basic is the UTM gateway at the access point: its IPS and anti-DDoS functions directly protect the Web server against system-level intrusion, but a UTM is a general-purpose border security gateway, not "professional" Web intrusion protection, and usually serves only as entry-level protection, so it is not elaborated here. This article mainly analyzes security products designed specifically for Web services, of which there are roughly the following:

1. Web page tamper-proofing products:

It is difficult to defend against unknown attacks, but it is relatively easy to keep watch over what is your "own". So the first thing people thought of was Web page tamper-proofing technology: keep your own pages "clean", so that at least no great harm is done to the public. Web page tamper-proofing products appeared in the early days of the Web, and after years of ups and downs the vendors have gradually converged on the technology. The basic principle of Web page tamper-proofing is to monitor the page files (directory files) on the Web server and, when a change is found, restore them in time. So the product is in fact a "repair" tool: it cannot prevent the attacker's tampering; it is passive, dedicated guarding whose goal is to reduce loss. Tamper-proofing is a typical passive protection technology.

Deployment of Web page tamper-proofing products: set up a separate management server (which can be omitted when there are only a few Web servers), then install an agent on each Web server that is responsible for that server's "Web file care"; the management server manages the care policies of these agents.


Let's analyze how the "page file care" technology has evolved:

(a) First-generation technology: make a backup of the files in the Web server's home directory, and use a periodic polling process to compare the backup files with the files in service; any file that differs is overwritten with the backup. When a site update is published, both the home directory and the backup are updated. For large Web sites with a large number of pages, this approach takes too long to scan and also crowds out Web server performance.

(b) Second-generation technology: use a hash algorithm to compute a hash of each file in the home directory, producing a file "fingerprint". The periodic polling process directly computes the hash fingerprint of each file in service and checks it against the stored fingerprint. Fingerprints are generally small, which is more convenient, and because the hash is irreversible there is no fear of forgery.

(c) Third-generation technology: a site has far too many pages, and access to pages three or more levels deep generally falls off exponentially; pages that nobody accesses will of course not be tampered with, so repeatedly scanning them is not cost-effective. Change the way of thinking: reading a file poses no danger, it is overwriting a file that is dangerous, so check only when a file is changed. This can greatly reduce the use of server resources. The practice is to open a caretaker process that monitors operations that delete or overwrite files in the Web server's home directory; when such an operation is found, determine whether it comes from a legitimate identity and whether it is an authorized maintenance operation, otherwise block its execution. The files are never rewritten, which also achieves the purpose of Web page tamper-proofing. This technique is also called event-triggered tamper-proofing.

This technology tests how familiar the vendor is with the server operating system, but the hacker is an expert too: your caretaker process runs at user level, and a hacker who obtains higher privileges can bypass your "message hook", so the monitoring becomes mere decoration.

(d) Fourth-generation technology: since the weakness is that the attacker sits above the process, letting the operating system itself do this job should be most appropriate; however skilled, a hacker cannot get around the operating system's own "work". So on Windows the system provides a system-level care routine (system call) for directory file modification that tamper-proofing products can invoke directly, or the operating system's own file security features are used to lock the files in the home directory (Windows has taken similar tamper-proofing measures for its own important system files to guard against viruses), allowing only the Web publishing system (Web page upgrades) to modify the files and not allowing other system processes to delete them.
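The following is an added example, not code from the original article or from any of the products it names. It combines the first two generations described above: a SHA-256 "fingerprint" of every page file is taken at publish time, a polling check compares the live directory against it, and anything modified or deleted is overwritten from the backup copy while files added outside the publishing process are removed. The site layout and the tampering in `demo()` are constructed for the example.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def fingerprint(root: Path) -> dict:
    """Second-generation check: SHA-256 'fingerprint' of every file under root."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def check_and_restore(web_root: Path, backup_root: Path, baseline: dict) -> dict:
    """Compare live fingerprints with the baseline taken at publish time; restore
    modified or deleted files from the backup copy (the first-generation repair) and
    remove files that appeared outside the publishing process. Returns what was fixed."""
    live = fingerprint(web_root)
    report = {"modified": [], "deleted": [], "added": []}
    for rel, digest in baseline.items():
        if rel not in live:
            report["deleted"].append(rel)
        elif live[rel] != digest:
            report["modified"].append(rel)
        else:
            continue
        target = web_root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup_root / rel, target)
    for rel in live:
        if rel not in baseline:
            report["added"].append(rel)
            (web_root / rel).unlink()
    return report

def demo() -> dict:
    """Constructed scenario (not real data): a tiny site plus its backup, then a
    simulated tampering of the live copy."""
    tmp = Path(tempfile.mkdtemp())
    web, bak = tmp / "htdocs", tmp / "backup"
    for d in (web, bak):
        (d / "img").mkdir(parents=True)
        (d / "index.html").write_text("<h1>Welcome</h1>")
        (d / "img" / "logo.txt").write_text("logo")
    baseline = fingerprint(bak)                         # fingerprints at publish time
    (web / "index.html").write_text("<h1>Defaced</h1>") # page content altered
    (web / "img" / "logo.txt").unlink()                 # page file deleted
    (web / "extra.html").write_text("unauthorised")     # file added without publishing
    report = check_and_restore(web, bak, baseline)
    report["restored_ok"] = fingerprint(web) == baseline
    return report
```

Because the check only runs on a polling cycle, a defaced page is visible until the next pass; that window is exactly what the event-triggered third generation sets out to remove.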

This method is admittedly more thorough, but it is clear that tamper-proofing technology will then become a "patent" of the operating system, which security vendors are really unwilling to see. Fortunately, Linux does not support it yet.

Web page tamper-proofing systems can be used on Web servers or middleware servers; their purpose is to protect the integrity of Web pages.

Web page tamper-proofing works well for protecting static pages, but it has no way to handle dynamic pages, because the page is generated when the user accesses it and its content comes from the database. Many SQL injection attacks exploit this gap to go on to invade the Web server.

By now a number of Web tamper-proofing products provide an IPS software module to block SQL injection and XML injection attacks against Web services, for example the domestic vendors' WebGuard, Iguard, Inforguard and other products.

2. Web database audit products:

Effective recovery is a very important concept in security assurance. We mentioned that dynamic Web pages are generated from the site's database, so modification of the database becomes very critical. The purpose of Web database audit products is to record all operations on the data so that, when a problem is found, these operations can be traced back. For example, your equipment in an online game was "swiped"; a week later you discover it, but during that week the game has gone on, your equipment has seen a lot of new activity, and reasonable and unreasonable changes are intertwined. At this point, if the administrator can determine that a certain "someone" did the tampering, he can "reverse" that person's operations and your game continues unaffected; if by negotiation you need to revert to the state before the tampering, take the last database backup from before the tampering, then use the database's audit records to "replay" operations up to the state before the tampering, and the game can continue. This technique is similar to real-time synchronous database backup.

The purpose of Web database auditing differs from that of ordinary security audit products: forensics and reproduction come second, and traceable operation on the data comes first. Some people think data recovery is the job of data backup and disaster-recovery systems, but that is only one aspect and is how the whole database should be handled; recovery of an individual user's data is what the audit here solves. The audit here is somewhat like the database's operation log, but it needs to be associated with the operating account, that is, with the identity of the operator.

Of course, there are a great many operations on the data, and recording all of them requires a lot of storage space, so detailed auditing is carried out on the important database operations of the Web service; the purpose of the audit is to make the operational state recoverable. Common Web audit data:

Account operations: changes involving permissions

Business operations: changes involving "wealth and property"

Maintenance operations: operations involving persons with "special permissions"

Web database audit products generally adopt bypass (out-of-band) deployment, which does not affect the operational efficiency of the database. If the traffic volume is not very large, agent software can be used, but it is not recommended to rely entirely on the database's own logging function: after an intrusion the intruder will certainly have an "erase traces" step, and the traces are generally the system's own logs, so an independent audit mechanism is what ensures the integrity of the log.
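An added example (not code from the original article or any audit product) of the two recovery paths described in the game scenario above: replaying audit records on top of the last backup to reach the state just before the tampering account's first operation, and reversing only that account's operations while keeping everyone else's later activity. The audit records, accounts and item names are constructed for the example; each record carries the operator's account and the prior value, which is what makes the operation traceable and reversible.

```python
from copy import deepcopy

# Constructed audit records (not real data). Each record ties the operation to the
# account that issued it and keeps the prior value, which is what makes the
# operation traceable and reversible.
AUDIT_LOG = [
    {"seq": 1, "account": "alice",   "op": "set",    "key": "sword",  "old": None,    "new": "alice"},
    {"seq": 2, "account": "bob",     "op": "set",    "key": "shield", "old": None,    "new": "bob"},
    {"seq": 3, "account": "mallory", "op": "set",    "key": "sword",  "old": "alice", "new": "mallory"},
    {"seq": 4, "account": "bob",     "op": "set",    "key": "potion", "old": None,    "new": "bob"},
    {"seq": 5, "account": "mallory", "op": "delete", "key": "shield", "old": "bob",   "new": None},
]

def apply_record(state: dict, rec: dict) -> dict:
    """Apply one audited operation to an item-owner table."""
    if rec["op"] == "set":
        state[rec["key"]] = rec["new"]
    elif rec["op"] == "delete":
        state.pop(rec["key"], None)
    return state

def replay(snapshot: dict, log: list, upto_seq: int) -> dict:
    """Backup + audit log: replay every audited operation with seq <= upto_seq."""
    state = deepcopy(snapshot)
    for rec in sorted(log, key=lambda r: r["seq"]):
        if rec["seq"] <= upto_seq:
            apply_record(state, rec)
    return state

def state_before(snapshot: dict, log: list, account: str) -> dict:
    """State just before the named account's first operation (revert-by-negotiation case)."""
    first = min(r["seq"] for r in log if r["account"] == account)
    return replay(snapshot, log, first - 1)

def undo_account(current: dict, log: list, account: str) -> dict:
    """Reverse only the named account's operations, newest first, keeping everyone
    else's later activity. Assumes no legitimate later operation touched the same
    key; a real product must check for that overlap before reversing."""
    state = deepcopy(current)
    for rec in sorted(log, key=lambda r: r["seq"], reverse=True):
        if rec["account"] != account:
            continue
        if rec["old"] is None:
            state.pop(rec["key"], None)
        else:
            state[rec["key"]] = rec["old"]
    return state
```

Both paths only work if the audit trail itself is intact, which is why the article insists on an audit mechanism independent of the database's own logs.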

This article is from the "Jack Zhai" blog; please be sure to keep this source: http://zhaisj.blog.51cto.com/219066/157724
