What is application security? Application security is the security of networked applications, which handle data such as credit card numbers, confidential information and user profiles. Where does the difficulty in protecting these applications from malicious attacks lie? In our view, the weakest link is that the firewall leaves port 80 (used for HTTP) and port 443 (used for SSL) open, and these two ports are where the attacks arrive. How, then, can a firewall discover and block such attacks? Eight application security technologies are summarized below.
Deep packet processing
Deep packet processing, sometimes called deep packet inspection or semantic inspection, correlates a number of packets into the data stream they belong to, looks for abnormal attack behavior in that stream, and keeps the state of the whole stream. It demands high-speed analysis, inspection and reassembly of application traffic so as not to add latency to the application. The technologies that follow each represent deep packet processing at a different level.
TCP/IP termination
Application-layer attacks span multiple packets and often multiple requests in different data streams. For a traffic-analysis system to be effective, it must keep state across the user's whole session with the application, inspecting packets and requests together in order to find the attack. At a minimum, it must be able to terminate the transport protocol and search the entire data stream, not just a single packet, for malicious patterns.
SSL Termination
Today almost every security-sensitive application uses HTTPS to keep its communications confidential. SSL encrypts the data stream end to end, however, so the stream is opaque to passive detectors such as intrusion detection system (IDS) products. To block malicious traffic, an application firewall must terminate SSL and decrypt the stream so that it can inspect the traffic in plain text. This is the minimum requirement for protecting application traffic. If your security policy does not allow sensitive information to cross the network unencrypted, you will also need a solution that re-encrypts the traffic before sending it on to the Web server.
URL Filtering
Once the application traffic is in clear text, the URL portion of each HTTP request must be inspected for signs of malicious attack, such as suspicious Unicode encoding. Signature-based URL filtering, which merely matches regularly updated signatures to filter out URLs associated with known attacks such as Code Red and Nimda, is not enough. What is needed is a program that checks not only the URL but the rest of the request as well. In fact, taking the application's response into account too greatly improves the accuracy of attack detection. URL filtering is an important operation and stops the usual script-kiddie attacks, but it cannot resist most application-layer vulnerabilities.
Request Analysis
Comprehensive request analysis is more effective than URL filtering alone; at the Web server tier it can prevent cross-site scripting and other vulnerabilities. It goes one step beyond URL filtering: it ensures that the request is well formed and complies with the HTTP specification, and that each individual part of the request stays within a reasonable size limit. This technique is very effective against buffer overflow attacks. Request analysis is still a stateless technique, however: it can only examine the current request. As we know, remembering previous behavior makes the analysis far more meaningful and provides deeper protection.
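The two checks described above (URL filtering for suspicious encodings, and request analysis for HTTP conformance and size limits) can be combined in a single inspection step. The following Python program is an added example written for this article; it is not code from the original text or from any product it describes. The policy limits, the allowed-method set and the sample requests are all constructed for illustration. The overlong-UTF-8 check relies on Python's strict UTF-8 decoder rejecting non-shortest-form sequences such as %c0%af, which is exactly the kind of "suspicious Unicode encoding" the text refers to.

```python
import re
from urllib.parse import unquote_to_bytes, urlsplit

# Constructed policy limits for this example (assumed values, not taken from the article).
ALLOWED_METHODS = {"GET", "POST", "HEAD"}
MAX_URL_LEN = 2048
MAX_HEADER_COUNT = 50
MAX_HEADER_LEN = 8192
MAX_BODY_LEN = 65536

# Request line as the HTTP/1.x specification lays it out: METHOD SP target SP HTTP/1.x
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(1\.[01])$")


def check_url(target: str) -> list[str]:
    """URL filtering: flag suspicious encodings in the request target.

    Percent-escapes are decoded to bytes and then strictly decoded as UTF-8;
    Python's decoder rejects overlong forms such as %c0%af. Double encoding and
    directory traversal that only appears after decoding are flagged as well.
    """
    findings = []
    try:
        decoded = unquote_to_bytes(target).decode("utf-8")
    except UnicodeDecodeError:
        return ["invalid or overlong UTF-8 in URL"]
    if re.search(r"%[0-9A-Fa-f]{2}", decoded):
        findings.append("double-encoded characters in URL")
    if ".." in urlsplit(decoded).path.split("/"):
        findings.append("directory traversal in URL path")
    return findings


def analyse_request(raw: str) -> list[str]:
    """Request analysis: return policy violations for one raw HTTP/1.x request.

    An empty list means the request is well formed and within the size limits.
    """
    findings = []
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return ["malformed request line"]
    method, target, version = m.groups()
    if method not in ALLOWED_METHODS:
        findings.append(f"method not allowed: {method}")
    if len(target) > MAX_URL_LEN:
        findings.append("URL exceeds length limit")
    findings.extend(check_url(target))

    headers = lines[1:]
    if len(headers) > MAX_HEADER_COUNT:
        findings.append("too many headers")
    for h in headers:
        if ":" not in h:
            findings.append(f"malformed header: {h[:20]!r}")
        elif len(h) > MAX_HEADER_LEN:
            findings.append("header exceeds length limit")
    if version == "1.1" and not any(h.lower().startswith("host:") for h in headers):
        findings.append("HTTP/1.1 request without Host header")
    if len(body) > MAX_BODY_LEN:
        findings.append("body exceeds size limit")
    return findings


# Constructed sample requests (not captured traffic).
GOOD_REQUEST = "GET /index.html HTTP/1.1\r\nHost: app.example\r\n\r\n"
OVERLONG_REQUEST = (
    "GET /files/..%c0%af..%c0%afsecret.txt HTTP/1.0\r\nHost: app.example\r\n\r\n"
)
OVERSIZED_REQUEST = (
    "POST /login HTTP/1.1\r\nHost: app.example\r\nContent-Length: 70000\r\n\r\n"
    + "A" * 70000
)

if __name__ == "__main__":
    for name, req in [("good", GOOD_REQUEST), ("overlong", OVERLONG_REQUEST),
                      ("oversized", OVERSIZED_REQUEST)]:
        print(name, analyse_request(req) or "accepted")
```

The size limits are deliberately applied per part (request line, each header, body) rather than to the request as a whole, because that is what blunts a buffer overflow aimed at one particular field.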
User session tracking
The next, more advanced technology is user session tracking. This is the basic building block of stateful inspection of application traffic: it tracks user sessions and correlates the behavior of individual users. It is usually implemented by means of URL rewriting or by using session cookies. Once each individual user's requests can be tracked, very strict checks can be applied to cookies, which effectively prevents session hijacking and cookie poisoning vulnerabilities. Effective session tracking means the firewall not only tracks the application's session cookies but also digitally signs the cookies the application generates, so that any tampering with a cookie is detected. This requires the ability to track the response to each request and extract the cookie information from it.
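The cookie-signing step described above can be shown concretely. The Python program below is an added example for this article, not code from the original text or from any firewall product: it rewrites an outbound Set-Cookie header so the value carries an HMAC-SHA256 tag computed with a firewall-held key, verifies and strips that tag on the inbound Cookie header, and keeps a small per-session table to correlate requests. The key, the cookie name "SID" and the address-change heuristic in SessionTracker are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed firewall signing key (assumed; a real deployment loads it from protected config).
FIREWALL_KEY = secrets.token_bytes(32)


def _mac(name: str, value: str, key: bytes) -> str:
    """HMAC-SHA256 over name=value, URL-safe base64 without padding (contains no '.' or ';')."""
    digest = hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def sign_set_cookie(set_cookie: str, key: bytes = FIREWALL_KEY) -> str:
    """Rewrite an outbound Set-Cookie header so the value carries a firewall signature.

    'SID=abc; Path=/' becomes 'SID=abc.<mac>; Path=/'. The application never
    sees the signature; the firewall strips it again on the way in.
    """
    name, _, rest = set_cookie.partition("=")
    value, sep, attrs = rest.partition(";")
    return f"{name}={value}.{_mac(name, value, key)}{sep}{attrs}"


def verify_cookies(cookie_header: str, key: bytes = FIREWALL_KEY) -> dict:
    """Check every cookie in an inbound Cookie header and strip the signatures.

    Returns {name: original_value}. Raises ValueError if any cookie is unsigned
    or its signature does not verify, i.e. it was forged or tampered with.
    """
    verified = {}
    for pair in cookie_header.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        name, _, signed = pair.partition("=")
        value, dot, mac = signed.rpartition(".")
        if not dot or not hmac.compare_digest(mac, _mac(name, value, key)):
            raise ValueError(f"cookie {name!r} failed integrity check")
        verified[name] = value
    return verified


def is_tampered(cookie_header: str, key: bytes = FIREWALL_KEY) -> bool:
    """Boolean wrapper around verify_cookies for use in policy code."""
    try:
        verify_cookies(cookie_header, key)
        return False
    except ValueError:
        return True


class SessionTracker:
    """Correlate requests by session id and report a session seen from a new client address.

    A mid-session change of client address is only a heuristic hijacking indicator
    (a constructed policy for this example), so it is reported rather than enforced here.
    """

    def __init__(self):
        self.sessions = {}  # session id -> {"client": address, "requests": count}

    def observe(self, session_id: str, client: str) -> list[str]:
        entry = self.sessions.setdefault(session_id, {"client": client, "requests": 0})
        entry["requests"] += 1
        if entry["client"] != client:
            return [f"session {session_id!r} now seen from {client}, first seen from {entry['client']}"]
        return []


if __name__ == "__main__":
    outbound = sign_set_cookie("SID=abc123; Path=/; HttpOnly")  # response leaving the Web server
    print("to client:", outbound)
    inbound = outbound.split(";")[0]                              # the client echoes it back
    print("to server:", verify_cookies(inbound))
    print("tampered?", is_tampered(inbound.replace("abc123", "abc124")))
```

Because the tag is keyed, a client who changes the cookie value cannot recompute a valid tag, and because the firewall strips the tag before forwarding, the application needs no change.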
Response pattern matching
Response pattern matching provides more comprehensive protection for the application: it checks not only the request submitted to the Web server but also the response the Web server generates. It is very effective at preventing site defacement, or more precisely at preventing a defaced site from being served to visitors. On the response side it is the equivalent of URL filtering on the request side. There are three levels of response pattern matching. Defacement prevention works by having the application firewall digitally sign the site's static content; if the content coming back from the Web server has changed, the firewall replaces the defaced page with the original content. To deal with disclosure of sensitive information, the application firewall monitors responses for patterns that may indicate a problem on the server, for example a long list of Java exceptions; if such a pattern is found, the firewall either removes it from the response or simply blocks the response.
A "stop and go" word scheme looks for predefined generic patterns that must (or must not) appear in the responses the application generates. For example, the application may require that every page carry a copyright notice.
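The three levels just described (signed static content, leak-pattern removal, and "stop and go" words) fit in one response filter. The Python program below is an added example for this article, not code from the original text or from any product: it signs registered static pages with a firewall key and restores the original when the served copy differs, redacts constructed patterns that look like Java stack traces or database errors, and blocks any page missing a required marker. The signing key, the leak patterns, the "&copy; Example Corp" marker and the sample pages are all constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed firewall key used to sign static pages (assumed; kept in protected config in practice).
SIGNING_KEY = b"example-firewall-key-not-for-production"

# path -> (signature, known-good copy) for the site's static content
STATIC_PAGES: dict = {}

# Patterns that suggest the server is leaking internals (constructed examples).
LEAK_PATTERNS = [
    re.compile(r"^\s*at [\w$.]+\([\w$.]+\.java:\d+\)", re.M),   # Java stack frame
    re.compile(r"\b(?:java|javax)\.[\w.]*Exception\b"),          # Java exception class name
    re.compile(r"\b(?:ODBC|SQL syntax|unclosed quotation mark)\b", re.I),
]

# 'Stop and go' words: markers every response must carry (constructed example).
REQUIRED_MARKERS = ["&copy; Example Corp"]


def sign(body: str) -> str:
    """Keyed signature of a page body; a plain hash would let an attacker re-sign a defaced page."""
    return hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()


def register_static(path: str, body: str) -> None:
    """Record the signature and a known-good copy of a static page at deployment time."""
    STATIC_PAGES[path] = (sign(body), body)


def filter_response(path: str, body: str) -> tuple:
    """Apply the three levels of response matching; return (action, body_to_send).

    action is 'pass', 'restore' (defacement replaced by the signed original),
    'redact' (leak pattern removed) or 'block' (required marker missing).
    """
    if path in STATIC_PAGES:
        signature, original = STATIC_PAGES[path]
        if hmac.compare_digest(sign(body), signature):
            return "pass", body
        return "restore", original

    for marker in REQUIRED_MARKERS:
        if marker not in body:
            return "block", ""

    cleaned = body
    for pattern in LEAK_PATTERNS:
        cleaned = pattern.sub("[removed]", cleaned)
    if cleaned != body:
        return "redact", cleaned
    return "pass", body


# Constructed sample pages.
INDEX_PAGE = "<html><body>Welcome &copy; Example Corp</body></html>"
ERROR_PAGE = ("<pre>java.lang.NullPointerException\n"
              "\tat com.example.Cart.total(Cart.java:42)\n</pre>&copy; Example Corp")
register_static("/index.html", INDEX_PAGE)

if __name__ == "__main__":
    print(filter_response("/index.html", INDEX_PAGE)[0])            # pass
    print(filter_response("/index.html", "<html>defaced</html>")[0])  # restore
    print(filter_response("/cart", ERROR_PAGE))                     # redact
    print(filter_response("/cart", "<html>no footer</html>")[0])    # block
```

Only dynamic pages reach the marker and leak checks; a static page is judged solely by its signature, since any change to it at all is treated as defacement.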
Behavior modeling
Behavior modeling, sometimes called the positive security model or "white list" security, is the only defense against the hardest class of application vulnerability: zero-day vulnerabilities. A zero-day vulnerability is an undocumented or "unknown" attack. The only mechanism for dealing with such attacks is to allow only known-good behavior and forbid everything else. This technique requires a model of the application's behavior, which in turn requires a comprehensive analysis of each response the application returns for each request, in order to identify the behavioral elements of the page: form fields, buttons and hyperlinks. Analysis at this level can find malicious form-field and hidden-form-field manipulation vulnerabilities, and it also allows very strict control over which URLs a user may access. Behavior modeling is the only technique that is effective against all 16 categories of application vulnerability. It is a good concept, but its effectiveness is often limited by its strictness. For example, an application that makes heavy use of JavaScript, or that intentionally deviates from the behavior model, can cause the model to make mistakes, producing false positives that deny legitimate users access to the application. For behavior modeling to be useful it needs a certain amount of human intervention to improve the accuracy of the security model. Automatic behavior prediction, called rule generation or application learning, is strictly speaking not a traffic inspection technology but a meta-inspection technology: it analyzes the traffic, builds the behavior model, and applies the rule set generated from that model through the various related technologies to improve accuracy. Its advantage is that after a short learning period the application can be configured automatically.
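A minimal version of the learning and enforcement loop described above, as an added example for this article (not code from the original text or from any product): the model parses each HTML response with Python's standard html.parser to record the forms, their fields, the values of hidden fields and the links on the page, and then checks the next request against what it has learned. It also includes an allow_field method standing in for the human intervention the text says is needed when, for instance, JavaScript adds a field the model never saw. The sample page, the field names and the "/checkout" and "/catalog" paths are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class PageElements(HTMLParser):
    """Collect the forms (action, method, fields, hidden values) and links in one HTML response."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.links = set()
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "",
                          "method": (a.get("method") or "get").upper(),
                          "fields": set(), "hidden": {}}
        elif tag in ("input", "select", "textarea", "button") and self._form is not None:
            name = a.get("name")
            if name:
                self._form["fields"].add(name)
                if tag == "input" and (a.get("type") or "").lower() == "hidden":
                    self._form["hidden"][name] = a.get("value") or ""
        elif tag == "a" and a.get("href"):
            self.links.add(urlsplit(a["href"]).path)

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


class BehaviorModel:
    """Positive security model learned from responses and enforced on the requests that follow."""

    def __init__(self):
        self.forms = {}       # (METHOD, path) -> list of learned form descriptors
        self.links = set()    # paths a user may GET without parameters
        self.exceptions = {}  # (METHOD, path) -> fields an operator has allowed by hand

    def learn(self, html: str) -> None:
        p = PageElements()
        p.feed(html)
        for f in p.forms:
            self.forms.setdefault((f["method"], urlsplit(f["action"]).path), []).append(f)
        self.links |= p.links

    def allow_field(self, method: str, path: str, field: str) -> None:
        """Human intervention: whitelist a field the model did not see (e.g. one added by JavaScript)."""
        self.exceptions.setdefault((method.upper(), path), set()).add(field)

    def check(self, method: str, target: str, params: dict) -> list[str]:
        """Return [] if the request matches learned behavior, otherwise the reasons it does not."""
        method, path = method.upper(), urlsplit(target).path
        key = (method, path)
        if key not in self.forms:
            if method == "GET" and path in self.links and not params:
                return []
            return [f"no learned form or link for {method} {path}"]
        extra_ok = self.exceptions.get(key, set())
        best = None
        for f in self.forms[key]:  # accept if any learned form for this target matches
            problems = []
            unexpected = sorted(set(params) - f["fields"] - extra_ok)
            if unexpected:
                problems.append(f"unexpected fields: {unexpected}")
            for name, value in f["hidden"].items():
                if params.get(name) != value:
                    problems.append(f"hidden field {name!r} manipulated")
            if not problems:
                return []
            if best is None or len(problems) < len(best):
                best = problems
        return best


# Constructed sample response (not from a real application).
SAMPLE_PAGE = """<html><body>
<a href="/catalog">Catalog</a>
<form action="/checkout" method="post">
  <input type="hidden" name="price" value="49.00">
  <input type="text" name="qty">
  <input type="submit" name="buy" value="Buy">
</form></body></html>"""

if __name__ == "__main__":
    model = BehaviorModel()
    model.learn(SAMPLE_PAGE)
    print(model.check("POST", "/checkout", {"price": "49.00", "qty": "2", "buy": "Buy"}))
    print(model.check("POST", "/checkout", {"price": "1.00", "qty": "2"}))
    print(model.check("GET", "/admin", {}))
```

The strictness the text warns about is visible here: a request for any path the model never saw in a link or form action is rejected outright, which is why the allow_field hook (or a human-tuned exception list like it) matters in practice.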
Protecting port 80 is one of the most significant challenges facing security staff. Fortunately, innovative solutions to this problem now exist and continue to improve. A layered security infrastructure that incorporates an application firewall capable of blocking all 16 categories of application vulnerability can solve the application security problem.