Web security occupies an increasingly important position in enterprise network security. If the many attacks carried out over the Web are not prevented, the consequences are serious, so deploying a Web firewall has become a necessity for enterprises. A so-called Web firewall protects against things such as DDoS, SQL injection, XML injection and XSS. Because these are intrusions at the application layer rather than the network layer, from a technical standpoint the product should be called a Web IPS rather than a Web firewall; "Web firewall" is used simply because it is the popular term in the industry. The focus is on anti-SQL injection, which is why it is also known as a SQL firewall.
A Web firewall is deployed in-line in front of the Web servers. In-line (serial) deployment not only demands high hardware performance but also must not disrupt the Web service, so HA and bypass functions are required, and the device has to cooperate with the products commonly placed in front of Web servers, such as server load balancers and Web caches.
The core technology of a Web firewall is intrusion detection, in particular detection of intrusions against Web services. The technologies of different vendors vary greatly and cannot be measured by the size of a vendor's signature database; what matters is the test results. Judged by their technical characteristics, vendors use the following methods:
Proxy service:
A proxy is a kind of security gateway. A session-based two-way proxy breaks the direct connection between the user and the server. It is applicable to various encryption protocols and is also the most common technique in Web cache products. Proxying prevents intruders from reaching the server directly, can suppress DDoS attacks, and can also suppress unexpected "special" behaviour. The NetContinuum (Barracuda) WAF is representative of this technology.
Feature recognition:
To protect against intruders you first have to identify them. A feature is the attacker's "fingerprint", such as the shellcode present when a buffer overflow occurs, or the familiar always-true expression (1=1) in SQL injection. There is no "standard" for application data, but every piece of software and every behaviour has its own particular attributes. This is the same method used to identify viruses and worms. The trouble is that each attack has its own features, there are a great many of them, and as the number grows they start to resemble one another, so the probability of false positives is high. Although malicious-code features are growing exponentially and the security industry would like to retire this technology, there is still no particularly good alternative for identifying application-layer attacks.
Algorithm recognition:
Because feature recognition has these drawbacks, people have looked for new methods. Attack types are classified and the features of each class are modelled, so detection is no longer a comparison against individual features. Algorithm recognition is similar to pattern recognition but depends heavily on the attack method; SQL injection, DDoS and XSS, for example, each get their own recognition algorithm. Algorithm recognition relies on semantic understanding rather than recognition by "appearance".
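The following is an added example, not code from the original article or from any vendor's product, contrasting the two methods just described on the page's own SQL-injection case. The signature rule set, the token grammar and the sample parameter values are all constructed here for illustration: the feature-recognition scanner looks for literal fingerprints such as "1=1" and a comment tail, while the algorithm-recognition scanner lexes the value as a SQL engine would and asks whether an OR clause compares two constants that are always equal, i.e. whether it is a tautology in meaning rather than in appearance. Running both over the samples shows the false positive the article warns about (the fingerprint inside harmless prose) and a string tautology that carries no fingerprint at all.

```python
import re

# Constructed sample values (not from the article), as a Web firewall would see them
# in a query parameter. The second one carries the "1=1" fingerprint in harmless prose.
SAMPLES = {
    "benign_search": "summer sale 2024",
    "benign_prose": "the rule 1=1 holds in arithmetic",
    "classic_tautology": "' OR 1=1 --",
    "string_tautology": "' OR 'a'='a'",
    "obfuscated_tautology": "' oR 2>1 /**/--",
}

# --- Feature recognition: literal attacker "fingerprints" (hypothetical rule set) ---
SIGNATURES = {
    "sqli_tautology_1eq1": re.compile(r"\b1\s*=\s*1\b"),
    "sqli_union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "sqli_comment_tail": re.compile(r"--|#|/\*"),
}

def signature_scan(value: str) -> list[str]:
    """Names of every signature that fires; cheap, but blind to meaning."""
    return [name for name, rx in SIGNATURES.items() if rx.search(value)]

# --- Algorithm recognition: lex like a SQL engine, then reason about the tokens ---
TOKEN_RX = re.compile(r"""
      \s+                          # whitespace, dropped
    | /\*.*?\*/                    # block comment
    | --[^\n]* | \#[^\n]*          # line comments
    | '(?:[^']|'')*'               # complete string literal ('' is an escaped quote)
    | '                            # lone quote: string context not closed in this input
    | \d+(?:\.\d+)?                # numeric literal
    | <>|!=|<=|>=|=|<|>            # comparison operators
    | [A-Za-z_]\w*                 # keyword or identifier
    | .                            # anything else
""", re.X | re.S)

COMPARE = {
    "=": lambda a, b: a == b, "<>": lambda a, b: a != b, "!=": lambda a, b: a != b,
    "<": lambda a, b: a < b, ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b,
}

def tokenize(value: str) -> list[tuple[str, str]]:
    """Classify each lexeme as comment, string, quote, number, op, word or other."""
    tokens = []
    for m in TOKEN_RX.finditer(value):
        text = m.group(0)
        if text.isspace():
            continue
        if text.startswith(("/*", "--", "#")):
            kind = "comment"
        elif text.startswith("'"):
            kind = "string" if len(text) >= 2 and text.endswith("'") else "quote"
        elif text[0].isdigit():
            kind = "number"
        elif text in COMPARE:
            kind = "op"
        elif re.fullmatch(r"[A-Za-z_]\w*", text):
            kind = "word"
        else:
            kind = "other"
        tokens.append((kind, text))
    return tokens

def _literal(token):
    """Python value of a constant token, or None if the token is not a constant."""
    kind, text = token
    if kind == "number":
        return float(text)
    if kind == "string":
        return text[1:-1].replace("''", "'")
    return None

def _tautologies(tokens):
    # OR <constant> <op> <constant> that evaluates true is always-true, whatever the row
    for i, (kind, text) in enumerate(tokens):
        if kind == "word" and text.upper() == "OR" and i + 3 < len(tokens):
            lhs, op, rhs = tokens[i + 1], tokens[i + 2], tokens[i + 3]
            a, b = _literal(lhs), _literal(rhs)
            if op[0] == "op" and a is not None and b is not None and type(a) is type(b):
                if COMPARE[op[1]](a, b):
                    yield f"tautology: {lhs[1]} {op[1]} {rhs[1]}"

def semantic_scan(value: str) -> list[str]:
    findings = set()
    # The firewall cannot know whether the value lands bare in the query or inside a
    # quoted string, so it lexes the input under both assumptions.
    for probe in (value, "'" + value):
        tokens = tokenize(probe)
        findings.update(_tautologies(tokens))
        kinds = [k for k, _ in tokens]
        if "quote" in kinds and kinds[-1] == "comment":
            findings.add("string context escaped: unterminated quote followed by comment")
    return sorted(findings)

def scan_all() -> dict[str, dict[str, list[str]]]:
    return {name: {"signatures": signature_scan(v), "semantic": semantic_scan(v)}
            for name, v in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in scan_all().items():
        print(f"{name:22s} signatures={result['signatures']} semantic={result['semantic']}")
```

The benign prose sample fires the 1=1 signature but produces no semantic finding, and the string tautology produces a semantic finding while every signature stays silent; that is the gap between recognising an attack's appearance and recognising its meaning. Lexing the value under both quoting contexts is the detail that makes the semantic scanner work when the firewall has no view of the query the application will build.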
Pattern matching:
This is an "old" technology from IDS. It generalises attack behaviour into a pattern and identifies an intrusion once the pattern matches. Of course, how a pattern is defined is a deep subject, and every vendor keeps its own definitions hidden as "patents". Protocol patterns are simple: they are defined according to the standard protocol procedure. Behaviour patterns are more complex,
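As an added illustration of the simple protocol-pattern case (this is example code written for this page, not a vendor's implementation), the check below validates a raw HTTP/1.x request against the standard procedure rather than against any attack fingerprint: a well-formed request line, header fields in RFC 7230 token form, a Host header on HTTP/1.1, a single numeric Content-Length that agrees with the body, and no Content-Length alongside Transfer-Encoding. The method whitelist, size limits and sample requests are constructed assumptions.

```python
import re

# Constructed raw requests (not from the article) that a protocol-mode check would see.
SAMPLE_REQUESTS = {
    "well_formed": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nUser-Agent: demo\r\n\r\n",
    "missing_host": b"GET / HTTP/1.1\r\nUser-Agent: demo\r\n\r\n",
    "no_version": b"GET /index.html\r\nHost: example.test\r\n\r\n",
    "duplicate_length": (b"POST /submit HTTP/1.1\r\nHost: example.test\r\n"
                         b"Content-Length: 5\r\nContent-Length: 11\r\n\r\nhello"),
    "length_and_chunked": (b"POST /submit HTTP/1.1\r\nHost: example.test\r\n"
                           b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\nhello"),
}

# Hypothetical policy limits; a real deployment tunes these per site.
ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}
MAX_HEADERS = 50
MAX_HEADER_LINE = 1024
MAX_TARGET = 2048

REQUEST_LINE_RX = re.compile(r"^([A-Z]+) (\S+) HTTP/(1\.[01])$")
# RFC 7230 field-name token characters, then ':' and optional surrounding whitespace.
HEADER_RX = re.compile(r"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+):[ \t]*(.*?)[ \t]*$")

def protocol_check(raw: bytes) -> list[str]:
    """Return every way the request deviates from the expected HTTP/1.x procedure."""
    violations = []
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        violations.append("head not terminated by CRLF CRLF")
    try:
        text = head.decode("ascii")
    except UnicodeDecodeError:
        violations.append("non-ASCII bytes in request head")
        return violations
    lines = text.split("\r\n")
    m = REQUEST_LINE_RX.match(lines[0])
    if not m:
        violations.append(f"malformed request line: {lines[0]!r}")
        return violations
    method, target, version = m.groups()
    if method not in ALLOWED_METHODS:
        violations.append(f"method {method} not allowed")
    if len(target) > MAX_TARGET:
        violations.append("request target too long")

    headers = []
    for line in lines[1:]:
        if "\r" in line or "\n" in line:
            violations.append("bare CR or LF inside header line")
            continue
        if len(line) > MAX_HEADER_LINE:
            violations.append("header line too long")
            continue
        hm = HEADER_RX.match(line)
        if not hm:  # covers empty names, obsolete line folding and a missing ':'
            violations.append(f"malformed header line: {line!r}")
            continue
        headers.append((hm.group(1).lower(), hm.group(2)))
    if len(headers) > MAX_HEADERS:
        violations.append("too many header fields")

    names = [n for n, _ in headers]
    if version == "1.1" and "host" not in names:
        violations.append("HTTP/1.1 request without Host header")
    lengths = [v for n, v in headers if n == "content-length"]
    if len(lengths) > 1:
        violations.append("duplicate Content-Length headers")
    if lengths:
        if not lengths[0].isdigit():
            violations.append(f"non-numeric Content-Length: {lengths[0]!r}")
        elif int(lengths[0]) != len(body):
            violations.append(f"Content-Length {lengths[0]} does not match body length {len(body)}")
    # RFC 7230 section 3.3.3: a message carrying both headers is ambiguous about where
    # the body ends and ought to be treated as an error.
    if lengths and "transfer-encoding" in names:
        violations.append("both Content-Length and Transfer-Encoding present")
    return violations

def check_samples() -> dict[str, list[str]]:
    return {name: protocol_check(raw) for name, raw in SAMPLE_REQUESTS.items()}

if __name__ == "__main__":
    for name, found in check_samples().items():
        print(f"{name:20s} {'OK' if not found else found}")
```

Every rule here comes from the protocol specification, which is why protocol patterns are the easy case: the check needs no knowledge of any particular attack, only of what a conforming request looks like, and anything outside that procedure is flagged regardless of intent.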
The biggest challenge for a Web firewall is the recognition rate, and that is not an easy indicator to measure, because the intruders who slip through are not all loud about it. A Trojan planted on a web page, for instance, is hard to perceive, and what you never notice cannot be counted. For known attack methods one can talk about a recognition rate; for unknown attack methods, you have to wait for them to "jump out" before you know.