WEB application security solutions
Linkage between firewall and webpage tamper proofing system
The first chapter, demand analysis
1.1. faces the status quo
With the popularity of Internet applications, access to information is increasingly dependent on the Internet, thereby further promoting the Internet applications and website construction. However, with the large-scale construction of the website, the security of the website is rapidly serious. This is from the National Day 60th anniversary, the Ministry of public security inspection report can be seen.
In order to protect website security and Internet information is correct and credible, the Ministry of Public Security issued the "Regulations" technical measures to protect the security of Internet as early as December 1, 2005, the Ministry of public security eighty-second orders, and from March 1, 2006 onwards. The provisions in the ninth paragraph of the third clearly pointed out: "the establishment of portals, news websites, e-commerce sites, to prevent websites, web pages have been tampered with, can be automatically restored after tampering."
CNCERT/CC officials said, the network attackers targeted, tampering with the government website is mainly to vent their anger, and the use of phishing and pharming of phishing to financial institutions, online trading site is mainly for the theft of personal information of the user interests. In order to achieve better attack results, network hackers are constantly updating their technical means, Trojan horse program has become one of the most important means, and the most widely used. Even more frightening is that, because of the Trojan horse, the virus behind the huge economic benefits, spawned the process of industrialization of the virus, manufacturing, communication, trading one-stop, seriously threatening the national and individual property safety.。
In short, China's network and information security situation is very serious, and it is urgent to strengthen security construction.
1.2. solving ideas
At present, the website security construction is mainly composed of firewall, intrusion detection system composed of two layers. The emergence of such a severe site security problems, fully illustrates the system for tampering with the site attacks to prevent the limitations of the following from the technical aspects:
1. from the design perspective, firewall, intrusion detection and other security products need to rely on specific rules to identify the threats, due to the formation or upgrade the rules behind the inevitable attack means to change this to a certain extent for the website attack provides the time gap analysis, from most websites / current events web page tampering case, mainly with the time difference of the. Therefore, a product or system based on a feature library for security can not ensure the security of the content of the website.
2. from the protection of the method, the web tamper proofing product focus is "after the event recovery", can prevent tampering harm expansion. But it can not prevent the attack; and he only attacks on Web tampering behavior to have an effect, but in fact most types of attacks are not tampered with ", such as the DDoS attack, CC attack, overflow attacks, cookie theft, password interception, data theft and so on; there are many possible tampering attacks, but most of the time is not tampered with", such as SQL injection, even if the "directory traversal; recovery", "anti tampering products are the working principle, increased service loads, vulnerability detection mechanism, bypassing the continuous tampered security problems. The application of firewall in the application layer can understand and analyze the HTTP session, therefore can effectively prevent all kinds of application layer attacks, where in the solution we advocate the use of "safe deployment mode with the forthcoming" at the same time if the application of firewall and web page tamper resistant products with the same brand can achieve application firewall, web anti tampering and server linkage. To achieve the purpose of pre defense unified management, and provide the security of the entire IT facility.
3. from the view of technique analysis, firewall, intrusion detection and other security products is mainly aimed at the link layer, the network layer information of threat identification, however, to see a large number of cases in recent years from tampering with the site, the information content contained in the attack process in the link layer, the network layer is legitimate, in fact the main problems appeared at the application level, so the effect of preventing the traditional security protection system of this kind of attack is not ideal.
The second chapter introduces the product
The current website security construction is mainly composed of firewall, intrusion detection system composed of two layers. However, according to authoritative statistics, 75% of information security attacks come from the level of web applications.
According to the demand of the market, currently on the market various security vendors to develop the evalsuation and reinforcement of a series of products and services website security web content security, web content security field has formed the most technical leadership family of products - Web application firewall and web anti tamper system.。
2.1. WEB Application Firewall
Web application firewall, for the financial, government, enterprise, electronic commerce and all involved the application of Web industry, and protect your WEB server from malicious attacks, optimize business resources, guarantee the availability and reliability of Web application. Web application firewall in the application layer of HTTP (S) - deep detection: real-time defense for security threats from Internet, avoid the intruder using application layer vulnerabilities or destruction of illegal access to site data, it can effectively resist all kinds of attacks by hackers, such as SQL injection attacks, command injection attacks, cross site scripting attacks, cross site forgery, buffer overflow, malicious encoding, application layer DOS/DDOS attacks; at the same time, in response to the WEB server side error information, malicious content and substandard content real-time filtering, avoid sensitive information leakage, ensure the reliability of the website information. Web application firewall also provides network access and real-time monitoring of traffic, help users intuitively understand the working state of the site. With the help of SSL acceleration function, it can significantly improve the access speed and concurrency of the website.
2.2. webpage tamper proofing
The webpage tamper proofing system solves the security flaws existing in the traditional two tier protection system, and adopts the design thought of "disaster tolerance as the main part and prevention as the secondary", and solves the security problem of the website content from the application level.
1. the main protection function of the system does not depend on the feature library, and the "strong authentication" mechanism is adopted to ensure the correctness of the content. Therefore, the system is not affected by the negative impact of changes in the web attacks, is a fully embodied "in the same security software design idea of the status quo".
2. the system is also completely different from the firewall, intrusion detection and other products in its technical implementation, and its main concern is the legality of application layer information. The system takes embedded filtering technology as the core, and combines with real-time blocking, event triggering and other preventive protection technologies, so as to form a multi-level defense system in depth for the website files.
Tamper proof products generally consists of three independent subsystems, which are monitoring agent (MA), Monitor Agent Synchronization Agent synchronization agent (SA) and Management Center Management Center (MC).
·The monitoring agent MA is deployed on the website server, which is responsible for real-time monitoring and protecting the website files, finding tampering, attempting or tampering operations, sending the recovery requests in real time and submitting the alarm information in a timely manner.
·Synchronous proxy SA - deployed in synchronous servers, responsible for real-time monitoring of backup file changes, and monitoring proxy submission recovery requests, and executing file synchronization to the web server as requested. Note: synchronous servers usually refer to CMS servers or FTP servers.
Management center MC - deployed to the management server logic, as the interface between the user and the system, will be responsible for the operation instructions to the monitoring agent and the synchronization agent; at the same time, responsible for all kinds of alarm information from real-time receiving agent and notify the user.
Third chapter solution
Most of the current government's foreign service portal, as well as major financial energy and other important livelihood unit website as a foreign service window, the image display unit and real-time environmental monitoring of the latest information; in order to ensure the security of the website content, website WEB application security policy to the early and middle of the WEB access request to carry out a full range of account, to build three-dimensional defense system, defense and blocking things in advance.。
In general, the portal website security concerns for web applications can be summarized as follows:
·User access requests can be classified and screened to distinguish malicious access requests and to block them effectively according to certain rules;
·To prevent tampering, website information, real-time monitoring sites and instant recovery site content correctly, make sure the site is safe and reliable and stable operation, any malicious tampering will be real-time reservation, and can inform the management personnel timely initiative;
·To realize the combination of dynamic and static protection and protection of web application security equipment, unified control, unified deployment, realize mutual linkage and web application security equipment;
For the needs of users and solutions, combined with the current web content of security products, technical features and services, can provide users with a perfect solution.
3.1. schema architecture
Web application security platform is shown above application security products to build the customer based on the platform, through the application of firewall system, web tamper resistant system for portal application to build a "pre blocking + in defense defense in depth system.
3.2. main function
3.2.1. prior interruption
As a pre filtering and blocking system for website security, it must first have a complete and timely rule base and convenient management function, which can be divided into the following four aspects:
·Attack detection block
Preventing hackers from obtaining, modifying, or attacking data from a database associated with a web site by injecting SQL statements. Regular expressions are used to describe rules so as to improve the scalability and maintainability of the rules. To prevent hackers through scripting vulnerabilities in injection site of implantation, and then attack the visitor XSS attack script etc..。
·Rule definition expansion
Users can customize some rules to prevent the submission and display of illegal information according to the characteristics of the website. At the same time, the system automatically updates the common filtering rules remotely, thus providing defensive capabilities against the latest discovery / release of Web vulnerabilities.
·Alarms and audits
Real time alarm capability, aiming at the attack and intrusion operation of the website, the system provides real-time alarm processing, and submits the relevant details to the website administrator in the form of alarm. Detailed log information can be used not only for the investigation and implementation of the responsibility for attack, but also for managers to fully understand the website security and system operation status.
w · user management
In order to improve the safety of website management, system provides multi users management mechanism, permissions for different users (resource configuration) can be controlled according to the actual demand.
3.2.2. defensive game
To the stage of defense web content security matters, we must first have the perfect protection mechanism, the protection of objects including static / dynamic pages, database, pictures, documents and other documents, and also have some assistant functions, with various management work for the convenience of users. According to the characteristics of the system, the function can be divided into the following five aspects:
w ·monitoring and recovery
In view of the security mechanism of web file security, the real-time monitoring of the change of the website file can effectively reduce the probability of tampering, and once the tampering occurs, the file recovery can be carried out automatically and in real time. In addition, content filtering is applied to all Internet access to ensure the correctness and authority of the publication.。
·Synchronization and backup
Seamless integration with various site publishing methods (such as FTP, CMS, etc.) to ensure the website contents are updated and maintained automatically and in real time. At the same time, the ability to provide web backup to ensure initialization in the implementation of the system can be carried out without the aid of third party software.。
·Alarms and audits
Real time alarm capability, aiming at various tampering, attempted or tampering operations of the website, the system provides real-time alarm processing, and submits the relevant details to the website administrator in the form of alarm. Detailed log information can be used not only for the investigation and implementation of tampering with responsibility, but also for managers to fully understand the site security and system operations to provide the necessary information.
·Prevent SQL injection
Preventing hackers from obtaining, modifying, or attacking data from a database associated with a web site by injecting SQL statements. Regular expressions are used to describe rules so as to improve the scalability and maintainability of the rules.。
·User management
In order to improve the safety of website management, system provides multi users management mechanism, permissions for different users (resource configuration) can be controlled according to the actual demand.
3.3. deployment plan
According to the security requirements of the portal, the deployment of the portal security solution based on the application firewall in the application security product family and the webpage tamper proofing is as follows:
1, the web server front-end application firewall deployment system (hardware) 1, dynamic attack protection of the WEB business, according to certain rules to filter the access request, the request for the aggressive implementation of blocking, effective against hacker attacks, robustness and security of the web site has more;
2, select the page tamper proof system [1], monitoring agents in web servers are deployed web anti tamper system, responsible for real-time monitoring to protect the site files, found or tampering attempts to tamper with the real-time send resume request and submit timely warning information;
In addition, the new add 1 servers, deploy web pages tamper proofing system, two subsystems backup service and unified monitoring platform. The content of the website server backup on the Web server, and synchronization server as the future website updated for real-time monitoring of the backup file changes, and the monitoring agents submit the request for restoration, and according to the synchronous request execution to the web server file. Unified supervision as a platform between the user and the system interface, will be responsible for the operation instructions to the monitoring agent and the synchronization agent; at the same time, responsible for all kinds of alarm information from real-time receiving agent and notify the user, the more important is through the unified supervision platform deployment application security protection strategy, joint implementation of application firewall and web anti tamper system the.
3.4. program features
3.4.1. depth defense, overall linkage, three-dimensional control
According to the different characteristics of hacker attacks, the deployment of firewall, for the application of Web site system tamper proof system, and application of firewall and web anti tamper system can provide a unified monitoring and management platform of safe and reliable same manufacturers, it can realize the linkage application firewall and web anti tamper system, while providing "Advance +." one of the two defense in depth system. At present, the mainstream security vendors support the application of firewall and web tamper proofing system, while the firewall and IPS devices such as heterogeneous, to achieve three-dimensional control effect.
3.4.2. environment, pervasive, comprehensive support
With the further application of the website, the expansion of business, security, stability and other aspects based on the consideration of Kunming municipal environmental monitoring center portal application based on the existing Linux environment, the new system may migrate to the Unix platform. In this case, the environmental compatibility of products is particularly important, the product family needs is the most comprehensive support environment and the compatibility of the most perfect products, the current mainstream application security vendors such as light, in a day, keep high safety and stability, there is also an example of the user.
·Support all mainstream operating systems, including windows, Linux, UNIX, etc.;
·Support all mainstream databases, including Oracle, Sqlserver, Sybase, mysql, etc.
3.4.3. high security and availability
The entire application security protection system's data and its own security are guaranteed.。
·Security of information transmission
As a basic network operating environment, the system provides secure transmission of information from the following two aspects:
·Integrity: integrity protection prevents unauthorized and imperceptible tampering with messages, and ensures that messages arrive in the correct order without increasing or decreasing.
·Confidentiality: to ensure that messages are not bugged during transmission.
·The security of the system itself
The system provides the daemon capability at the process level to guarantee the failure recovery and security of the core business process.
