I. Web security is not only an Internet matter
Web services use the B/S (browser/server) architecture, in which services are delivered over the HTTP protocol; this structure is also called the Web framework. With the development of Web 2.0, data processing and services were separated so that services and data could be distributed, and interaction performance improved greatly; this is called the B/S/D three-tier structure. The Web's popularity on the Internet owes much to its simplicity: deployment is quick and development is easy, so page developers soon outnumbered any earlier army of programming-language enthusiasts, and applications spread and flourished. J2EE and .NET did the same for manufacturers and standards, clearing the way for the Web's popularity; SOA chose Web 2.0 as one of its basic implementation tools (the most widely used one), and Web architecture moved from the Internet into enterprise internal networks. When new business systems are developed, more and more system architects choose the Web architecture, and people are so familiar with it that they can hardly do without it. This proves the classic rule once again: the simplest and easiest thing becomes the fashion.
Simplicity and security have always been in "contradiction". The browser can see a page's HTML code, and early Web service designs did not consider security very much; human nature is good, and technical staff always believe people are good! But with the widespread use of Web 2.0, Web services are no longer just information publishing: game equipment trading, online shopping, administrative examination and approval, enterprise information resource management ... the temptation of greed appeared, not all Web designers share the same "common ground", and security concerns came to the fore.
In 2008 the most frequent network security events by count were SQL injection and "page hanging horses" (Trojan links planted in pages). These are the basic tools for recruiting new "members" into zombie networks (botnets), and the economic and political "value" of a botnet needs no explanation. SQL injection and page Trojan links target Web services specifically, and traditional security products (UTM/IPS) are clumsy against them.
The Internet was thought of as a personal paradise, a world-scale virtual "other" society; since everyone is virtual and wears a mask, turning it into real interests in real society still required some conversion. But once the Web/SOA architecture entered the enterprise network, the online world's interests became "real" and could be cashed in, and Web security became urgent.
II. Principles of Web architecture
To protect Web services one must first understand the Web architecture. The general structure of a website on the Internet is as follows; it applies equally to Web applications inside an enterprise:
Users use an ordinary Web browser and connect to the Web server through the access network (for an Internet site, the Internet itself). The user sends a request containing a URL; the server receives the request, looks up the corresponding page document and sends it back to the user. The "official language" of this dialogue is HTTP. A page document is a text description in HTML/XML format; the user's browser has an interpreter that turns these text descriptions into illustrated pages, or audio-visual pages with video.
Typically the pages a user wants to access already exist on the Web server in a fixed directory as .html or .xml files, and the user "jumps" between pages of the site via "hyperlinks" (actually URL addresses). These are static pages. Later people felt that this only presented information to the user one way: information could be published, but letting the user do something such as identity authentication or voting was too much trouble. This led to the concept of dynamic web pages: "dynamic" means using Flash, PHP, ASP, Java and other technologies to embed "small programs" in a page, which run when the user's browser interprets the page. A small program is flexible: it can display an animation (e.g. Flash), generate a file on your PC, or receive a message you enter, so the page can be customized to your "ideas", and every time you return you see the unique style you designed last time. Everyone likes that "VIP feeling", not to mention that in the virtual online world you do not even know who it is that is being so "respected" and served so thoughtfully ...
The "applet" gives the Web service model a "two-way" capability, so the Web service model can handle all kinds of transactions just like traditional software: editing documents, calculating interest, submitting forms. The field of Web applications expanded greatly, and Web 2.0 became one of the implementation technologies of SOA; the "small program" is indispensable to it.
These "small programs" can be embedded in the page or stored as separate files in a Web server directory, such as .asp, .php or .jsp files, and the developer can specify whether they run on the client or on the server side; users can no longer see the source code of these small programs, so the security of the service is greatly improved. These small-program functions are increasingly packaged as toolkits and managed separately, so Web business development can use them directly; this is the middleware server, which is in fact an expansion of Web server capacity.
Static pages and "applets" are pre-designed and generally do not change often, but a lot of content on a site needs frequent updates, such as news, blog articles and interactive games. Putting such changing data in static programs is clearly unsuitable; the traditional approach is to separate data from procedures and use a dedicated database. Web developers add a database server behind the Web server and store the constantly changing data in it, where it can be updated at any time. When a user requests a page, the page's "small program", according to the user's request, uses the SQL database language to read the latest data from the database, generates the "complete" page and finally sends it to the user; a stock-market curve, for example, is constantly refreshed by such a small program.
Besides application data that changes, some state or attribute information about the user may also need to be recorded temporarily (because every user is different), but the Web server originally did not record such information; it simply answered your request, "once the person leaves, the tea gets cold". Later, in order to make interaction "friendly", Web technology needed to "remember" the user's access information and created some "new" communication mechanisms:
◆ Cookie: some user parameters such as account name, password and other information are stored in a temporary file on the client's hard drive; when the user visits the site again these parameters are sent to the server along with the request, so the server knows you are the same "guy" as last time.
◆ Session: some user parameters are kept in the server's memory or written to files on the server's hard disk; they are invisible to the user, so users get the same VIP treatment even when they access from a different computer, because the Web server always remembers your "look". Normally Cookies are used together with Sessions.
Cookies live on the client and can generally be stored encrypted; Sessions live on the server side, where the information is centralized, so tampering there would be very serious. Sessions are generally kept in memory and should not be stored on the hard disk if it can be avoided.
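The contrast between the two mechanisms, as an added example that is not part of the original article: a server-side session store whose client only holds an opaque random identifier, beside a cookie that carries data on the client but is protected with an HMAC tag so that any edit is detected. The key, the class and function names, and the sample values are assumptions made for the demo.

```python
# Added example (not from the original article): server-side session versus
# a client-side cookie that is authenticated before it is trusted.
import hmac
import hashlib
import secrets

SERVER_KEY = b"constructed-demo-key-do-not-reuse"  # assumption: a per-deployment secret


class SessionStore:
    """Server-side session: the client only holds an opaque random id."""

    def __init__(self):
        self._sessions = {}  # session_id -> user attributes, kept in memory

    def create(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)  # unguessable identifier
        self._sessions[sid] = {"user": user}
        return sid

    def lookup(self, sid: str):
        return self._sessions.get(sid)  # None for an unknown or guessed id


def sign_cookie(value: str) -> str:
    """Cookie carrying data on the client: payload plus an HMAC tag."""
    tag = hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify_cookie(cookie: str):
    """Return the payload if the tag matches, else None (edited or forged)."""
    value, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return value


def demo() -> bool:
    """Walk through both mechanisms with constructed values."""
    store = SessionStore()
    sid = store.create("alice")
    assert store.lookup(sid) == {"user": "alice"}
    assert store.lookup("guessed-id") is None
    cookie = sign_cookie("user=alice;role=member")
    assert verify_cookie(cookie) == "user=alice;role=member"
    # a client that edits its own cookie breaks the tag
    forged = cookie.replace("role=member", "role=admin")
    assert verify_cookie(forged) is None
    return True


if __name__ == "__main__":
    print("ok" if demo() else "failed")
```

The session variant is the one the text recommends for anything sensitive: nothing but a random identifier leaves the server. The signed cookie shows the minimum needed if state must be stored on the client: the tag makes tampering detectable, though it does not hide the payload, so a password would still need encryption as the text notes.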
Now it is clear that a Web server has two kinds of data whose "cleanliness" must be ensured: first, the page files (.html, .xml, etc.), including the dynamic program files (.php, .asp, .jsp, etc.), which generally live in a specific directory on the Web server or on the middleware server; second, the back-end database, such as Oracle or SQL Server, which stores the data needed when dynamic pages are generated as well as business management data and operating data.
One more problem should be mentioned: the security problems the browser brings to the user's computer, because a Web process can operate on the local hard disk and put Trojans and viruses onto your computer. The Web architecture uses "sandbox" technology to provide security, that is, it limits the local read and write permissions of a page's "small programs"; but it cannot stop them from "working" altogether, so in most cases a write prompt is shown for you to make your own choice. We often see a process installing a program onto our computers, but most people cannot tell whether it should be allowed. Either they refuse and many things stop working (many can only watch, and games cannot download), or they "boldly" accept, leaving the door open and resigning themselves to fate. This article mainly analyses the security of the server; client security is left for another time.
III. Analysis of the Web security architecture points
From the Web architecture we can see that to reach the Web server one must pass through the "door", and many servers behind it need protection too, such as middleware servers and database servers. Here we do not consider attacks from inside the network, only attacks from the access network (or the Internet). The intruder's channels of intrusion are the following:
1. Server system vulnerabilities: a Web server is after all a general-purpose server, and whether it runs Windows or Linux/Unix, the system itself has inherent flaws; by exploiting these vulnerabilities an intruder can obtain advanced permission on the server and then, of course, control the Web service running on it freely. Besides OS vulnerabilities there are Web service software vulnerabilities; IIS and Tomcat alike need constant patching.
2. Web service application vulnerabilities: if system-level software vulnerabilities already draw much attention, the number of Web application vulnerabilities is even greater, because Web service development is simple, the development teams vary, not all are "professional" masters, programming is not standardized and security awareness is weak; with development time constraints and simplified testing, application vulnerabilities let intruders come and go as they please. SQL injection is the most common, because most of it is produced by flaws in application programming.
3. Password brute force: attacks through vulnerabilities are easy to understand but need superb skills; cracking passwords is very effective and simple. Account information is generally easy to obtain, and the rest is guessing the password; using complex passwords is an inconvenience people "hate", so easy-to-remember passwords are the choice of the vast majority of users. Most Web services rely on "account + password" to manage user accounts; once a password is cracked, especially a remote admin password, imagine the damage. This kind of attack is simpler than going through loopholes and not easily discovered. In the famous cases of the network economy, intrusions by password accounted for nearly half.
Once an intruder is inside the Web system, the purpose of his actions is very clear:
◆ Paralysing the site: paralysing the site means interrupting the service. DDoS attacks can make a website crash without damaging the internal Web service; with a network intrusion, files can be deleted and processes stopped so that the Web server cannot be restored completely. Generally this approach is used to extort money or for malicious competition; it may also be a display of high skill, taking your site as a propaganda tool for the attacker.
◆ Page tampering: modifying what the site's pages display is relatively easy, and the public readily sees the effect of the attack, but there is no "benefit" in it for the attacker; it is mainly showing off. Of course, for government and similar websites the image problem is very serious.
◆ Hanging Trojans: this does not directly damage the invaded site, but attacks the users who access it. The greatest "benefit" of a linked Trojan is collecting "chickens" (zombies) for a zombie network, and the speed at which a Trojan spreads from a well-known site's home page is explosive. A Trojan linked into a site is easily found by administrators, so XSS (cross-site attacks) is the new trend.
◆ Data tampering: this is the most dangerous attacker. Tampering with the website's database, or with the dynamic page control programs, changes nothing on the surface and is not easy to find; it is the most common intrusion for economic gain. The harm of data tampering is incalculable: on a shopping site your account amount or transaction records can be changed, on a government approval site the results of administrative examination and approval can be modified, in an enterprise ERP sales orders or transaction prices can be modified ... Some say intrusions can be prevented by encrypted protocols such as HTTPS; this statement is not accurate. First, Web services for the general public cannot fully use encryption; within an enterprise it can be used, but everyone is an "insider" who knows the encryption method. Second, encryption can prevent "eavesdropping", but an intruder can impersonate a regular user and still get in. Moreover, "man-in-the-middle hijacking" can also eavesdrop on encrypted communications.
IV. Analysis of Web security products
Around Web service security the products are varied. The basic one at the access network gateway entrance is the UTM, whose anti-DDoS and IPS functions provide direct intrusion protection at the Web server system level; but a UTM is a common border security gateway, not "professional" Web intrusion prevention, and is generally entry-level protection, so it is not detailed here. Here we mainly discuss security products developed for Web services, which fall roughly into the following categories:
1. Page tamper-resistant products
Protecting against unknown attacks is difficult, but watching over one's own "family property" is relatively easy. So the first thing people thought of was page tamper-resistance technology, for the sake of "purity": at least the site would not cause great harm to society. Web tamper-resistant products appeared early in the Web era; after the initial storm, manufacturers' technologies became increasingly unified. The fundamental principle of Web tamper-resistance is to monitor the Web server's page files (the directory files) and restore them promptly when a change is found. So the product is really a "patching" tool: it cannot prevent an attacker's tampering, it takes a passive stance, waiting with hands on guard, and its goal is to reduce losses; it is typical passive tamper-resistant protection technology.
Deployment of Web tamper-resistant products: set up a separate management server (it can be omitted when there are few Web servers), then install an Agent program on each Web server, responsible for that server's "Web document care"; the management server manages the care strategy of these Agents.
Let us first analyse how "page file care" technology has changed:
a) First-generation technology: make a backup of the files in the Web server's home directory, and use a timed loop process to compare the backup files with the service files one by one; where they differ, overwrite with the backup. When a site update is released, the backup is updated together with the home directory. For a large site with a huge number of pages, one scan takes too long, and it diverts Web server performance.
b) Second-generation technology: use a Hash algorithm to compute a Hash of each file in the home directory, producing the document's "fingerprint". The timed loop process then computes the Hash of the service files directly and matches it against the stored fingerprint. A fingerprint is generally much smaller, so this is more convenient, and a fingerprint is irreversible, so it cannot be imitated.
c) Third-generation technology: a website has too many pages, and visits to pages more than three levels deep generally fall off exponentially; of course a page nobody visits will not be tampered with either, so repeatedly scanning these pages is poor value for money. A change of thinking: reading a file should be harmless; the danger is the operation that rewrites the file. If the check is only done when a file is being changed, server resource usage can be reduced significantly. Specifically: a guard process on the Web server monitors file deletion and modification operations in the home directory; when one is found it determines whether the operation has legal status, i.e. whether it is an authorized maintenance operation, and otherwise blocks its execution so the file is not overwritten, achieving the purpose of page tamper-resistance. This technique is also known as event-triggered anti-tampering.
This technique requires familiarity with the server's operating system, and it cannot stop a master hacker: your guard is a user-level process, and a hacker who obtains advanced permission can bypass your "message hook", turning your monitor into a mere display.
d) Fourth-generation technology: since no process has higher privilege than the operating system itself, letting the operating system do this job should be the most suitable, and however skilled a hacker is he cannot get past the operating system's own "work". So on Windows, which provides care for directory file modification at the file-system level (system calls), tamper-resistant products simply call it; or they use the operating system's own file security features to lock the home directory files (Windows applies similar tamper protection to its own important system files against virus intrusion), so that only the Web publishing system (for later Web upgrades) may modify the files, and no other system process may delete them.
This method should be called the more thorough one, but we can see that tamper-resistance technology would then become the operating system's "patent", which security manufacturers really do not want to see. Fortunately, Linux does not support it at present.
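The first two generations above, as an added example that is not part of the original article or of any of the products it names: a SHA-256 "fingerprint" baseline of the home directory (generation b), a scan that reports modified, missing and added files, and restoration from a release backup (generation a). Directories are temporary and the page contents are constructed for the demo; the function names are assumptions.

```python
# Added example (not from the original article): fingerprint baseline,
# periodic comparison and restore-from-backup for a Web home directory.
import hashlib
import shutil
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> str:
    """SHA-256 of a file: small to store and cannot be reversed into the page."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(webroot: Path) -> dict:
    """Fingerprint every file under the home directory (the released state)."""
    return {str(p.relative_to(webroot)): fingerprint(p)
            for p in sorted(webroot.rglob("*")) if p.is_file()}


def scan(webroot: Path, baseline: dict) -> dict:
    """Compare live files to the baseline; report modified, missing and added files."""
    live = build_baseline(webroot)
    return {
        "modified": sorted(k for k in baseline if k in live and live[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in live),
        "added": sorted(k for k in live if k not in baseline),
    }


def restore(webroot: Path, backup: Path, report: dict) -> list:
    """Recovery step: copy changed or missing files back from the backup, drop unknown files."""
    fixed = []
    for rel in report["modified"] + report["missing"]:
        (webroot / rel).parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup / rel, webroot / rel)
        fixed.append(rel)
    for rel in report["added"]:
        (webroot / rel).unlink()
        fixed.append(rel)
    return fixed


def demo() -> dict:
    """Simulate a release, a constructed tampering, detection and recovery."""
    root = Path(tempfile.mkdtemp())
    webroot, backup = root / "htdocs", root / "backup"
    webroot.mkdir()
    (webroot / "news").mkdir()
    (webroot / "index.html").write_text("<html><body>Welcome</body></html>")
    (webroot / "news" / "1.html").write_text("<html><body>News 1</body></html>")
    shutil.copytree(webroot, backup)  # the release copy kept by the agent
    baseline = build_baseline(webroot)
    # constructed tampering: a defaced page plus an injected extra file
    (webroot / "index.html").write_text("<html><body>Hacked</body></html>")
    (webroot / "evil.html").write_text("<html></html>")
    report = scan(webroot, baseline)
    restore(webroot, backup, report)
    after = scan(webroot, baseline)
    shutil.rmtree(root)
    return {"detected": report, "after_restore": after}


if __name__ == "__main__":
    print(demo())
```

The baseline and the backup must be refreshed together whenever a legitimate release goes out, exactly as the text says for generation a; otherwise the next scan "restores" the old site. The event-triggered variant of generation c would call the same `scan`/`restore` pair from a file-change notification instead of from a timer.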
Page tamper-resistant systems can be used on Web servers and also on middleware servers; the purpose is to protect the integrity of Web documents.
Tamper protection works well for static Web pages, but it has no way to protect dynamic pages, because their content is generated from the database when the user accesses them. SQL injection exploits exactly this loophole and can go on to invade the Web server.
So far, many page tamper-resistant products provide an IPS software module to prevent SQL injection and XML injection attacks against the Web service, for example the domestic manufacturers' products WebGuard, iGuard, InforGuard and others.
2. Web firewall products
Page tamper-resistance is passive; blocking the intrusion is the active type. The IPS/UTM security products mentioned earlier are common gateways, but there are also hardware Web security gateways, such as the domestic GreenUnion Web firewall, Qiming WIPS (Web IPS), and the foreign Imperva WAF (Web Application Firewall).
Web firewalls mainly strengthen protection against Web-specific intrusion methods, such as DDoS protection, SQL injection, XML injection, XSS and so on. Because this is application-layer rather than network-layer intrusion, from a technical point of view it should be called a Web IPS rather than a Web firewall. It is called a Web firewall here because that is the popular name the industry understands better. As the focus is preventing SQL injection, it is also known as a SQL firewall.
Web firewall products are deployed in front of the Web servers, in series, so not only must the hardware be high-performance, it must also not affect the Web service; HA and Bypass functions are therefore necessary, and coordinated deployment with load balancing, Web Cache and the other products commonly placed in front of Web servers is also required.
The key technology of a Web firewall is its intrusion detection capability, especially for Web services. Intrusion detection techniques differ widely between manufacturers and cannot be measured by the size of the signature set; the main thing is the test results. The technical approaches from the manufacturers come in the following several forms:
◆ Proxy service: a proxy is itself a security gateway, a session-based two-way proxy that interrupts the user's direct connection with the server; it works for all kinds of encrypted protocols, and is the most commonly used application of Web Cache technology. The proxy prevents the intruder from going straight in, can suppress DDoS attacks, and also suppresses unanticipated "special" behaviour. Netcontinuum's (Barracuda's) WAF is representative of this technology.
◆ Feature recognition: identifying the intruder is the premise of protecting against him. A feature is the attacker's "fingerprint", such as the shellcode in a buffer overflow, or the common "true expression (1=1)" in SQL injection ... Application information has no "standard", but every piece of software has its own unique behaviour characteristics; virus and worm identification uses this method. The trouble is that each attack has its own features, the number is relatively large, many of them are very similar, and the possibility of false positives is great. Although malicious-code features grow exponentially and the security industry has vowed to phase out this technology, there is no particularly good alternative for application-layer identification.
◆ Recognition algorithms: because feature recognition has disadvantages, people searched for new methods. Attacks are classified by type, the common features of a class are modelled, and instead of comparing single features a pattern-recognition-like algorithm does the identification; but this depends heavily on the attack type, so corresponding recognition algorithms are developed for SQL injection, DDoS, XSS and so on. The algorithm identifies by semantic understanding rather than by "appearance".
◆ Pattern matching: this is the "old" IDS technology: attacks are summarized into certain patterns, and a match determines an intrusion. Of course, defining the patterns requires deep knowledge, which manufacturers keep hidden as "patents". Protocol patterns are simple, defining the model from the standard protocol's sequence of steps; behaviour patterns are more complex,
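The feature-recognition approach and its false-positive problem, as an added example that is not part of the original article or of any product it names: a handful of signatures (the "true expression (1=1)" the text mentions, a trailing SQL comment and a script tag) applied to URL-decoded request parameters taken from constructed access-log lines. The log lines, the signature set and the function names are assumptions made for the demo; the last log line is a benign forum query that the tautology signature flags anyway, which is the false positive the text warns about.

```python
# Added example (not from the original article): signature matching over the
# decoded query parameters of constructed web-server log lines.
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed signatures; real products carry far larger and finer sets.
SIGNATURES = {
    # a value compared with itself, e.g. 1=1 or 'a'='a' (the text's "true expression")
    "sqli_tautology": re.compile(r"(?<![\w.])(\d+|'[^']*')\s*=\s*\1(?![\w.])"),
    # SQL comment sequence closing off the rest of a statement
    "sqli_comment": re.compile(r"(--|#|/\*)\s*$"),
    # opening script tag, the crudest XSS indicator
    "xss_script": re.compile(r"<\s*script\b", re.I),
}

# Constructed log lines in Apache combined-log style (client, timestamp, request).
LOG_LINES = [
    '10.0.0.5 - - [12/Mar/2008:10:00:01 +0800] "GET /item.php?id=42 HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Mar/2008:10:00:07 +0800] "GET /item.php?id=42%27+or+1%3D1-- HTTP/1.1" 200 9120',
    '10.0.0.9 - - [12/Mar/2008:10:00:09 +0800] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 300',
    '10.0.0.3 - - [12/Mar/2008:10:00:20 +0800] "GET /forum.php?post=math+proof+that+1%3D1 HTTP/1.1" 200 800',
]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')


def inspect_request(target: str) -> list:
    """Decode the query string and return (param, signature) pairs that match."""
    hits = []
    query = urlsplit(target).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        for sig_name, pattern in SIGNATURES.items():
            if pattern.search(value):
                hits.append((name, sig_name))
    return hits


def scan_log(lines) -> list:
    """Run the signatures over every request in the log; one alert per hit."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand
        client, target = m.groups()
        for param, sig in inspect_request(target):
            alerts.append({"client": client, "param": param, "signature": sig})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(LOG_LINES):
        print(alert)
```

Matching happens after URL decoding (`parse_qsl`), since an encoded `%3D` would otherwise hide the `=`. The forum line shows why a WAF built only on such fingerprints needs tuning per site: the same three characters are an attack in one field and ordinary text in another, which is what the self-learning approach described later tries to resolve.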
The biggest challenge for a Web firewall is the recognition rate, and this is not an easily measured indicator: not every intruder who slips through the net wreaks havoc (a page Trojan link, for instance), so the one who got in is hard to detect, and what is not detected naturally goes uncounted. For known attacks the recognition rate can be discussed; for unknown attacks you have to wait for them to "jump out" before you know.
Development of the "self-learning" feature:
Imperva's WAF products, besides intrusion prevention, also provide another security technology: automatic learning of the Web pages' application features. Since no two sites are the same, the features of a site's own pages cannot be defined in advance, so Imperva has the device learn automatically beforehand and summarize the features of this website's pages. The specific approach is this:
Over a period of user access, the WAF records the common access patterns of each web page, e.g. how many inputs a page has, what type of content each input takes, what its usual length is ... When learning is complete, a "normal mode" for the page is defined, and when a user later breaks this model, the WAF warns or blocks according to the predefined policy: for example, an account field should not contain special characters, and "<"-style language tags should only be entered where XML is expected. Again, a password is generally not longer than 20 characters, while the code added in a SQL injection is very long, so it too breaks the learned access pattern.
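The learning phase and the "normal mode" check described above, as an added example that is not part of the original article and not Imperva's implementation: for each (page, input) pair the learner records the maximum length and the character classes seen during a learning period, then flags later inputs that exceed the length (with a slack factor) or use classes never seen for that field. The training traffic, the slack factor and all names are assumptions; the example generalizes the text's two cases (a login field that should carry no special characters, an XML field where "<" is normal) to any page and input.

```python
# Added example (not from the original article): per-field "normal mode"
# learning of input length and character classes, then deviation checking.
import string
from collections import defaultdict


def char_classes(value: str) -> set:
    """Map each character to a coarse class; punctuation keeps its own class."""
    classes = set()
    for ch in value:
        if ch in string.ascii_letters:
            classes.add("alpha")
        elif ch in string.digits:
            classes.add("digit")
        elif ch == " ":
            classes.add("space")
        else:
            classes.add("other:" + ch)
    return classes


class FieldProfile:
    """The learned 'normal mode' of one input of one page."""

    def __init__(self):
        self.samples = 0
        self.max_len = 0
        self.classes = set()

    def learn(self, value: str) -> None:
        self.samples += 1
        self.max_len = max(self.max_len, len(value))
        self.classes |= char_classes(value)

    def check(self, value: str, slack: float = 1.5) -> list:
        """Reasons why the value breaks the learned model (empty if it fits)."""
        reasons = []
        if len(value) > self.max_len * slack:
            reasons.append(f"length {len(value)} exceeds learned max {self.max_len}")
        unseen = sorted(char_classes(value) - self.classes)
        if unseen:
            reasons.append("unseen character classes: " + ", ".join(unseen))
        return reasons


class PageLearner:
    def __init__(self):
        self.profiles = defaultdict(FieldProfile)  # (page, param) -> profile

    def learn(self, page: str, params: dict) -> None:
        for name, value in params.items():
            self.profiles[(page, name)].learn(value)

    def check(self, page: str, params: dict) -> dict:
        """Return {param: [reasons]} for inputs that break the learned model."""
        findings = {}
        for name, value in params.items():
            profile = self.profiles.get((page, name))
            if profile is None:
                findings[name] = ["input not seen during learning"]
                continue
            reasons = profile.check(value)
            if reasons:
                findings[name] = reasons
        return findings


# Constructed learning-phase traffic: an account form and an XML import form.
TRAINING = [
    ("/login.php", {"user": "alice", "pwd": "hunter22"}),
    ("/login.php", {"user": "bob_2", "pwd": "Summer2008"}),
    ("/login.php", {"user": "carol", "pwd": "p4ssword"}),
    ("/import.php", {"xml": "<order><id>7</id></order>"}),
    ("/import.php", {"xml": "<order><id>12</id></order>"}),
]


def train() -> PageLearner:
    learner = PageLearner()
    for page, params in TRAINING:
        learner.learn(page, params)
    return learner


if __name__ == "__main__":
    model = train()
    print(model.check("/login.php", {"user": "admin' or 1=1--", "pwd": "x"}))
    print(model.check("/import.php", {"xml": "<order><id>3</id></order>"}))
```

Because the profile is keyed by page and input, the angle brackets that are normal in the import form's `xml` field are a deviation in the login form's `user` field, which is precisely the two-way control the text describes: a rule derived from the site's own behaviour rather than from an attacker's fingerprint. The cost is the learning period itself, during which the traffic must be clean, and the need to relearn after the site changes.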
Web self-learning technology starts from the perspective of the Web service's own business: whatever does not fit my routine is unusual. It is more an intrusion detection technology than a simple Web firewall: not only is a "wanted notice" issued for the intruder, but the site's own internal "rules" are built in, giving two-way control, which is obviously better than one-way.
Citrix, after acquiring Teros, launched an application firewall that learns the user behaviour patterns of the Web service from two-way traffic and establishes a number of user behaviour models; when a behaviour matches a model, you are measured against that model, and "deviant" attempts are blocked immediately. This adaptive learning engine is somewhat similar to Imperva's Web self-learning, but one focuses on learning page features while the other learns the regularities of user access.
From a security perspective, network self-learning technology used together with intrusion prevention is the ideal choice.
The future of Web firewall solutions:
There is a view that, since the load balancing devices and Web acceleration devices in front of the Web servers are indispensable and are the only path for the Web server farm's traffic, the Web firewall's functions could be merged into these devices. This development would resemble the way the individual gateway devices FW, IPS, AV, VPN and others evolved into the UTM, which is a collection of these gateway products.
But I hold a different view: the UTM is deployed at the outer network export, generally the Internet export, where its role is network security isolation; bandwidth there is expensive, so the user bandwidth is limited. The Web server group, however, sits on the main switches of the network and provides application processing power; its required parameters are usually the number of concurrent users and the number of online users, the servers generally have Gigabit interfaces, and the switching capacity of today's switches reaches dozens of TB. Making a large-flow, multi-link security product that also performs application-layer detection puts enormous pressure on the hardware, and products that achieve "line-rate" flow are certainly expensive, so this idea of merging the Web firewall into those devices is open to question.
3. Web database audit products
Effective recovery is a very important security concept. We mentioned that the difficulty of protecting dynamic pages is that they are generated from database fields, so changes to the database become critical. Web database audit products aim to record all operations on the data, so that when a problem is discovered these operations can be traced back. By analogy: your equipment in a game is "moved away" by someone else and you only find out a week later, but during that week the game went on, your equipment had many new developments, and rational and irrational changes are mixed together. At this point, if the managers determine that "someone" tampered, his actions can be "reversed" and your game continues unaffected; if, after consultation, the state before the tampering must be restored, take the most recent backup of the database from before the tampering, then use the audit record to replay the "operations" up to the state just before the tampering, and the game can continue. This technology is similar to real-time database synchronization backup technology.
Of course, database operations are numerous, and recording all of them takes a lot of data space, so detailed auditing is done for the important database operations of the Web service; the purpose of the audit is to be able to restore the operating state. Common Web audit data:
◆ Account operations: those involving changes of permissions
◆ Business operations: those involving changes of "finance and material"
◆ Maintenance operations: those involving actions by people with "special rights"
Web database audit products are generally deployed in bypass mode, so they do not affect database efficiency. If business traffic is not large, a software Agent can be used, but relying entirely on the database's own logging function is not recommended: after the destruction, intruders always "wipe off their marks", and the marks are generally the system's own logs, so a separate audit mechanism is needed to protect the integrity of the log.
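The two recovery paths described above (reversing one recorded operation, or replaying the audit log onto a backup up to the point of tampering) and the integrity requirement on the log itself, as an added example that is not part of the original article or of any product it names: a tiny audited key/value "table" whose every write appends a record carrying the old value, the new value and a hash chained to the previous record, so that an edited or deleted log entry is detectable. The table, the actors and the values are constructed for the demo; all names are assumptions.

```python
# Added example (not from the original article): an audit trail with old/new
# values, a hash chain for log integrity, reverse-one-operation and
# backup-plus-replay recovery.
import hashlib
import json

CHAIN_ANCHOR = "0" * 64  # hash "before" the first record


def record_hash(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditedTable:
    """Key/value rows; every write is appended to a chained audit log."""

    def __init__(self, rows: dict):
        self.rows = dict(rows)
        self.log = []
        self._prev = CHAIN_ANCHOR

    def update(self, actor: str, key: str, new_value) -> int:
        rec = {"seq": len(self.log), "actor": actor, "key": key,
               "old": self.rows.get(key), "new": new_value, "prev": self._prev}
        rec["hash"] = record_hash(rec)
        self.log.append(rec)
        self._prev = rec["hash"]
        self.rows[key] = new_value
        return rec["seq"]

    def reverse(self, seq: int) -> int:
        """Undo one recorded operation by writing its old value back (itself audited)."""
        rec = self.log[seq]
        return self.update("audit-reverse", rec["key"], rec["old"])


def verify_chain(log: list) -> bool:
    """True only if no record was edited, removed or reordered."""
    prev = CHAIN_ANCHOR
    for rec in log:
        body = {k: v for k, v in rec.items() if k != "hash"}
        if body["prev"] != prev or record_hash(body) != rec["hash"]:
            return False
        prev = rec["hash"]
    return True


def replay(snapshot: dict, log: list, upto_seq: int) -> dict:
    """Rebuild state from a backup by replaying records with seq < upto_seq."""
    rows = dict(snapshot)
    for rec in log:
        if rec["seq"] >= upto_seq:
            break
        rows[rec["key"]] = rec["new"]
    return rows


def demo():
    t = AuditedTable({"alice.balance": 100, "bob.balance": 50})
    backup = dict(t.rows)                            # the last good backup
    t.update("shop-app", "alice.balance", 80)        # legitimate purchase
    bad = t.update("web-app", "bob.balance", 5000)   # constructed tampering
    t.update("shop-app", "alice.balance", 70)        # later legitimate change
    t.reverse(bad)                                   # path 1: reverse the bad operation
    restored = replay(backup, t.log, bad)            # path 2: backup + replay before it
    return t, restored


if __name__ == "__main__":
    table, before_tampering = demo()
    print(table.rows, before_tampering, verify_chain(table.log))
```

Path 1 keeps the legitimate changes made after the tampering, which is the "game continues unaffected" case; path 2 discards them and lands exactly on the pre-tampering state. Both depend on the log being trustworthy, which is why the chain is verified before either is used: an intruder who "wipes off the marks" in this log breaks the chain at the edited record.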
4. Web Trojan checking tools
Website security is not only about keeping the site itself secure; it is also very hard to prevent the site being used to intrude on users' computers. Web pages easily get Trojans hung on them, or are used for XSS attacks; is there a tool that checks all the pages for security? Here "crawler" technology is used.
"Crawler" technology was first "invented" by search engines: a search site releases N small "spiders" that cycle around websites all over the world, scanning and collecting new information from sites and building a search database for the world's people, so that everyone can search for anything they want from search portals such as Google and Baidu. Since the "spider" comes from outside the website, it can simulate the actual effect of a user opening the site, so "crawlers" were soon used as tools for testing a site's "user experience" performance, such as page opening speed and the waiting time for user interaction. As a user experience tool, "crawlers" also quickly became popular within enterprise networks; focusing on user experience became the most popular idea in the IT field from 2008 on.
A so-called "crawler" is a number of processes that, according to certain rules (breadth-first or depth-first search), open every page of the site once (you know, many websites' hit counts skyrocket because of it: countless spiders are at work ...) and check the pages of interest. Because the crawler "browses" pages with a user's identity, there is no difference between static and dynamic pages. The Web Trojan checker is developed on this principle; unlike the search crawler it examines the pages, focusing on whether a page has been linked to a Trojan or used for XSS. Because the destination URLs of links within the site should be traceable, checking for XSS is very effective. (Some "crawlers" treat the page files the same way the tamper-checking process does, but one works inside the Web server and the other outside it.)
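A crawler of the kind just described, as an added example that is not part of the original article or of any product it names: a breadth-first walk over a small constructed in-memory site that follows same-site links, and on every page flags embedded resources (script, iframe, img and similar) whose host is not on the site's own allow-list, which is how an injected off-site Trojan link shows up to an external checker. The site content, the trusted-host list, the `fetch` stand-in for an HTTP client and all names are assumptions.

```python
# Added example (not from the original article): breadth-first site crawl that
# reports embedded resources loaded from hosts the site does not trust.
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed in-memory site (path -> HTML); assumption: served at http://example.test
SITE = {
    "/": '<html><body><a href="/news/">News</a><a href="/about.html">About</a>'
         '<script src="/js/app.js"></script></body></html>',
    "/news/": '<html><body><a href="/">Home</a>'
              '<iframe src="http://evil.test/drop.html"></iframe></body></html>',
    "/about.html": '<html><body><a href="http://partner.test/">Partner</a>'
                   '<script src="http://cdn.partner.test/lib.js"></script></body></html>',
}
TRUSTED_HOSTS = {"example.test", "cdn.partner.test"}  # the site's own allow-list


class LinkExtractor(HTMLParser):
    """Collect anchors to follow and embedded resources to inspect."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.embeds = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag in ("script", "iframe", "img", "embed", "object") and a.get("src"):
            self.embeds.append((tag, a["src"]))


def fetch(url: str):
    """Stand-in for an HTTP GET that reads the constructed site (assumption)."""
    parts = urlsplit(url)
    if parts.netloc != "example.test":
        return None
    return SITE.get(parts.path)


def crawl(start: str = "http://example.test/", trusted=TRUSTED_HOSTS):
    """Return (findings, visited_paths) for a breadth-first walk from start."""
    site_host = urlsplit(start).netloc
    seen, queue, findings = {start}, deque([start]), []
    while queue:
        url = queue.popleft()
        body = fetch(url)
        if body is None:
            continue
        parser = LinkExtractor()
        parser.feed(body)
        for tag, src in parser.embeds:
            host = urlsplit(urljoin(url, src)).netloc
            if host not in trusted:
                findings.append({"page": urlsplit(url).path, "tag": tag, "src": src})
        for href in parser.links:
            full = urljoin(url, href)
            # follow only links that stay on the site; off-site anchors are not crawled
            if urlsplit(full).netloc == site_host and full not in seen:
                seen.add(full)
                queue.append(full)
    return findings, sorted(urlsplit(u).path for u in seen)


if __name__ == "__main__":
    found, pages = crawl()
    print(pages)
    for f in found:
        print(f)
```

Running it periodically from a separate server, as the text suggests, and comparing each run's findings with the previous one turns this into the alerting service described below; in practice `fetch` would be a real HTTP client and the crawl would also need a page budget and a politeness delay so that the checker itself does not look like the "hit count skyrocketing" the text jokes about.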
Web Trojan checkers are generally used as a security service: deploy a separate server that checks the site periodically and raises an alarm promptly when a problem is found. There are few such products on the market at present, and they are generally not sold; some similar free trial software can be found online. As Web service applications within enterprises increase, this tool should become as popular as anti-virus checking tools.
V. A new idea: the Host Web Gateway
Web services developed from Internet technology, and the Internet is the synthesizer of a "grassroots" culture. On the Internet, sharing is the pursuit of intelligence, and simple and practical is the method.
A very common phenomenon: Web services obtain processing power through cluster technology and cloud computing, integrating inexpensive PC servers instead of "huge" supercomputers. P2P and CDN Web service technologies lower the pressure on the centre from Internet users and can support large user numbers and real-time streaming media business: the "Internet-ization of Web technology". But this poses a problem for Web service security: the network structure. To provide processing power, a large number of servers are "networked" directly onto the core switch; there is no focal point in front of the servers, and deploying a Web firewall becomes a problem.
A characteristic of grassroots culture is that the system avoids excessive dependence on any one point (we are all important). The Web service model differs from the traditional bank-style concentration: the server is a group of PC servers, and a server joining or leaving the group has no effect on the group's services, only a dynamic change in service capacity, so the processing capacity of each individual server in the group is relatively not so precious; one server going down is only a "temporary impact" on a few customers' service. Web service managers therefore need not "fear" installing an Agent on the servers.
To adapt Web application-layer protection to the new "group" or "cloud" network structure of Web services, it can be combined with page tamper-resistance (especially the underlying file change monitoring provided by the OS); we give it a new name: Host Web Gateway.
The Host Web Gateway is deployed like the tamper-resistant products, as an Agent embedded in the Web server, so the Web service need not care about the network structure; it also avoids the disadvantage that, when the Web service uses an encrypted protocol, a gateway security device can do nothing about application-layer attacks.
The main functions of the Host Web Gateway:
◆ Web application intrusion prevention (SQL injection, XSS, etc.)
◆ Page file tamper-resistance
◆ Web page automatic learning function
◆ Web user access self-learning function
As for system-level intrusion prevention and DDoS protection, these are resolved at the UTM/IPS, making the Web service network architecture more flexible. The Host Web Gateway takes the form of software, without the performance requirements of an in-line device, so the cost of deployment will decrease greatly.