Thursday, December 23, 2010

[Tutorial] Firewall security's weak spot: eight practical application-security techniques

What do application attacks go after? Network security exists to protect what the application handles: credit card numbers, confidential documents, user profiles and similar data. So what makes defending against these attacks hard? In our view the weakest link is the application itself, reached through the two ports a firewall almost always leaves open: port 80 (HTTP) and port 443 (SSL/HTTPS). How, then, can an application firewall detect and block attacks arriving over those ports? Eight application-security techniques are summarized below.

Deep packet processing

Deep packet processing, sometimes called deep packet inspection or semantic inspection, correlates the many packets that make up a data stream, searches the stream for anomalous behavior that indicates an attack, and maintains the state of the whole stream while doing so. It has to analyze, inspect and reassemble streams at very high speed so that it adds no noticeable latency to the application. Each of the techniques below represents deep packet processing at a different layer.

TCP/IP termination

Application-layer attacks span multiple packets, and often multiple requests, which means multiple data streams. To be effective, a traffic-analysis system must maintain the state of the entire session between the user and the application, and look for attacks in requests rather than in isolated packets. At a minimum this means terminating the transport layer and searching the whole data stream, not individual packets, for malicious patterns.

SSL termination

Today almost every application uses HTTPS to keep its communications confidential. But SSL encrypts the stream end to end, so the stream is opaque to passive detectors such as intrusion detection system (IDS) products.
To block malicious traffic, an application firewall must terminate SSL and decrypt the stream so that it can inspect the plaintext. This is the minimum requirement for defending application traffic. If your security policy does not allow sensitive information to cross the network unencrypted, the firewall must re-encrypt the traffic before forwarding it to the web server.

URL filtering

Once the stream is plaintext, the HTTP request URL can be inspected for signs of a malicious attack, such as suspicious Unicode encoding. Signature-based URL filtering, which only looks for matches against a regularly updated list of known attack URLs (the Code Red and Nimda worm requests, for example), is not enough: a solution must check not only the URL but the rest of the request as well. Taking the application's response into account as well improves detection accuracy considerably. URL filtering is a necessary first step and stops the usual script-kiddie attacks, but it cannot withstand most application-layer vulnerabilities.

Thorough request analysis

Request analysis is a more effective technique than plain URL filtering, and at the web-server tier it can prevent cross-site scripting (XSS) and other vulnerabilities. Thorough request analysis goes one step beyond URL filtering: it checks that the whole request is well formed and conforms to the HTTP specification, and that each individual part of the request stays within a reasonable size limit. This is very effective against buffer-overflow attacks. Request analysis is still a stateless technique, however: it can only examine the current request. As we know, remembering behavior across requests allows far more meaningful analysis and deeper security.
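The following is an added example written for this page, not code from the original post or from any product it describes. It puts the URL filtering and thorough request analysis steps above into one inspection routine: a strict parser for the HTTP/1.x request grammar, size limits on the URL, headers and body, a check for overlong UTF-8 encodings in the URL, and a small signature list in the style of the Code Red and Nimda filters mentioned above. The limits, the signature regexes and the sample requests are all constructed for illustration; a real ruleset would be far larger.

```python
import re
from urllib.parse import unquote

# Constructed size limits for this example (not taken from the original post).
MAX_URL_LEN = 1024
MAX_HEADER_COUNT = 50
MAX_HEADER_LEN = 4096
MAX_BODY_LEN = 64 * 1024
ALLOWED_METHODS = {"GET", "POST", "HEAD"}

# Illustrative signatures in the style of the Code Red / Nimda URL filters.
URL_SIGNATURES = [
    ("code-red", re.compile(r"/default\.ida\?", re.I)),
    ("nimda-cmd-exe", re.compile(r"(?:cmd|root)\.exe", re.I)),
    ("dir-traversal", re.compile(r"\.\./|\.\.\\")),
    ("script-tag", re.compile(r"<\s*script", re.I)),
]

# Overlong UTF-8 sequences such as %c0%af (an illegal encoding of '/') were
# used to slip past early decoders; treat them as suspicious Unicode encoding.
OVERLONG_UTF8 = re.compile(
    r"%c0%[89ab][0-9a-f]|%c1%[89ab][0-9a-f]|%e0%[89][0-9a-f]%[89ab][0-9a-f]", re.I)

# RFC 7230 token characters allowed in a header field name.
HEADER_NAME = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, version, headers, body).
    Raises ValueError on anything that does not follow the HTTP grammar."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("missing CRLFCRLF terminating the headers")
    lines = head.split(b"\r\n")
    try:
        request_line = lines[0].decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("non-ASCII bytes in request line")
    parts = request_line.split(" ")
    if len(parts) != 3 or not re.fullmatch(r"HTTP/1\.[01]", parts[2]):
        raise ValueError("malformed request line")
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.decode("latin-1").partition(":")
        if not colon or not HEADER_NAME.fullmatch(name):
            raise ValueError("malformed header field")
        headers[name.lower()] = value.strip()
    return method, target, version, headers, body


def inspect_request(raw: bytes) -> list:
    """Return the list of violations found; an empty list means 'allow'."""
    try:
        method, target, version, headers, body = parse_request(raw)
    except ValueError as exc:
        return [f"protocol: {exc}"]          # not well-formed HTTP: stop here
    findings = []
    if method not in ALLOWED_METHODS:
        findings.append(f"method not allowed: {method}")
    if len(target) > MAX_URL_LEN:
        findings.append("url too long")
    if len(headers) > MAX_HEADER_COUNT:
        findings.append("too many headers")
    for name, value in headers.items():
        if len(name) + len(value) > MAX_HEADER_LEN:
            findings.append(f"header too long: {name}")
    declared = headers.get("content-length")
    if declared is not None:
        if not declared.isdigit():
            findings.append("non-numeric content-length")
        elif int(declared) > MAX_BODY_LEN:
            findings.append("body too long")
    if OVERLONG_UTF8.search(target):
        findings.append("suspicious unicode encoding in url")
    # Decode twice so that double-encoded attacks (%252e%252e/) are seen.
    decoded = unquote(unquote(target))
    for name, pattern in URL_SIGNATURES:
        if pattern.search(decoded):
            findings.append(f"signature: {name}")
    return findings


# Constructed sample requests (the Nimda one mirrors the worm's well-known shape).
SAMPLE_CLEAN = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
SAMPLE_NIMDA = (b"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n"
                b"Host: example.com\r\n\r\n")

if __name__ == "__main__":
    for sample in (SAMPLE_CLEAN, SAMPLE_NIMDA):
        print(sample.split(b"\r\n")[0], "->", inspect_request(sample) or "allow")
```

The protocol check runs first and short-circuits, because a request that does not parse cannot be meaningfully signature-matched; everything after it accumulates findings so that a log entry can show every rule the request tripped.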
User session tracking

The next, more advanced technique is user session tracking. It is the most basic form of stateful application inspection: tracking user sessions and associating behavior with the individual user. It is usually implemented by means of URL rewriting, or by having the firewall inject its own cookie carrying session information. As long as the individual user's requests are tracked, the cookie can be inspected very strictly, which effectively prevents session-hijacking and cookie-poisoning vulnerabilities. Session tracking is effective not only when the firewall sets up its own tracking cookie, but also when it digitally signs the cookies the application itself generates, so that they cannot be tampered with. This requires the ability to track the response to every request and extract the cookie information from it.

Response pattern matching

Response pattern matching provides a more thorough defense for the application: it inspects not only the requests submitted to the web server but also the responses the web server generates. It is very effective at preventing website defacement, or, more precisely, at preventing a defaced page from ever being read. Matching patterns in the response is the back-end equivalent of filtering the URL in the request. There are three levels of response pattern matching. For anti-defacement, the firewall digitally signs the site's static content; if the content has changed after leaving the web server, the firewall replaces the damaged page with the original. For sensitive information, the firewall watches responses for patterns that may indicate a problem on the server, such as a long Java exception trace.
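As an added example (not code from the original post), here is the cookie-signing half of session tracking described above. On the way out, the firewall signs every cookie the application sets with an HMAC and adds its own tracking cookie; on the way in, it verifies every signature, strips the signatures before forwarding, and blocks any request whose cookies have been altered. The key, the cookie name "fwsid" and the sample cookies are constructed for this example. Note that a signature protects the integrity of a cookie's contents, which is what stops cookie poisoning; it does not stop an attacker who steals a valid cookie, so the hijacking defense the post mentions also needs the firewall to track which client the session belongs to.

```python
import hashlib
import hmac
import secrets

# Constructed key for this example; a deployment would load it from protected
# configuration, keep it out of the application's reach, and rotate it.
FIREWALL_KEY = b"example-firewall-key-not-for-production"
TRACKING_COOKIE = "fwsid"      # hypothetical name for the firewall's own cookie
SEP = "."                      # MAC is hex, so the last '.' always delimits it


def _mac(value: str) -> str:
    return hmac.new(FIREWALL_KEY, value.encode(), hashlib.sha256).hexdigest()


def sign_value(value: str) -> str:
    """'value' -> 'value.<hex HMAC-SHA256>'."""
    return f"{value}{SEP}{_mac(value)}"


def verify_value(signed: str):
    """Return the original value if the MAC checks out, otherwise None."""
    value, sep, mac = signed.rpartition(SEP)
    if not sep or not hmac.compare_digest(mac, _mac(value)):
        return None
    return value


def sign_outbound_cookies(app_cookies: dict) -> dict:
    """Outbound response: sign each cookie the application set and add the
    firewall's own tracking cookie carrying a fresh random session id."""
    signed = {name: sign_value(value) for name, value in app_cookies.items()}
    signed[TRACKING_COOKIE] = sign_value(secrets.token_hex(16))
    return signed


def check_inbound_cookies(cookies: dict):
    """Inbound request: verify every cookie. Returns (verdict, cookies_to_forward);
    verdict is 'allow' or a block reason. The MACs are stripped so the
    application sees exactly the values it originally set."""
    if TRACKING_COOKIE not in cookies:
        return "block: no tracking cookie", {}
    forward = {}
    for name, value in cookies.items():
        original = verify_value(value)
        if original is None:
            return f"block: tampered cookie {name}", {}
        if name != TRACKING_COOKIE:
            forward[name] = original
    return "allow", forward


if __name__ == "__main__":
    # Constructed cookies as an application might set them.
    outbound = sign_outbound_cookies({"JSESSIONID": "abc123", "role": "user"})
    print("client gets:", outbound)
    print("legit replay:", check_inbound_cookies(outbound))
    poisoned = dict(outbound)
    poisoned["role"] = "admin" + SEP + outbound["role"].split(SEP, 1)[1]
    print("poisoned replay:", check_inbound_cookies(poisoned))
```

`hmac.compare_digest` is used for the comparison so that verification time does not leak how many leading bytes of a forged MAC were correct.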
If such a pattern is found, the firewall either removes it from the response or simply blocks the response. A "stop and go" word scheme looks for generic patterns that must, or must not, appear in the responses the application generates, based on a pre-built interpretation of the application; for example, it can require every page to carry a copyright statement.

Behavior modeling

Behavior modeling, sometimes called the positive security model or "whitelist" security, is the only mechanism that defends against the most difficult application vulnerabilities of all: zero-day vulnerabilities. A zero-day vulnerability is an attack that is undocumented or "unknown". The only way to deal with such attacks is to permit only known-good behavior and prohibit everything else. This technique requires building a model of the application's behavior, which in turn requires thoroughly analyzing the response the application returns to every request, in order to identify the behavioral elements on each page: form fields, buttons, hyperlinks and so on. Analysis at this level can catch malicious hidden-field and other form-field manipulation vulnerabilities, while also allowing very strict control over the URLs a user may access. Behavior modeling is the only technique that is effective against all 16 classes of application vulnerability. It is a sound concept, but its effectiveness is often limited by its own strictness: in some cases, such as heavy use of JavaScript or an application that deliberately deviates from the behavior model, modeling makes mistakes, producing false positives that deny legitimate users access to the application. For behavior modeling to be useful, a degree of human intervention is needed to improve the accuracy of the security model.
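As an added example (not code from the original post), here are the three levels of response pattern matching described above in one routine: a digest table of the site's static content that lets the firewall swap a defaced page back to the original, a leak pattern for Java exception traces that is either scrubbed or blocked, and a stop-and-go word check that requires a copyright line on every HTML page and rejects pages carrying a defacement phrase. The reference content, the patterns, the word lists and the sample error page are all constructed for this example; a real firewall would hash or sign every static object at deploy time.

```python
import hashlib
import re

# Constructed reference copies of static content, captured when the site was
# published; the firewall compares every served copy against these digests.
STATIC_ORIGINALS = {
    "/index.html": b"<html><body><h1>Welcome</h1>"
                   b"<p>Copyright 2010 Example Corp</p></body></html>",
}
STATIC_DIGESTS = {p: hashlib.sha256(b).hexdigest() for p, b in STATIC_ORIGINALS.items()}

# Patterns that indicate a problem on the server leaking into the response:
# a Java exception followed by its "at pkg.Class.method(File.java:NN)" frames,
# and a couple of database error banners.
LEAK_PATTERNS = [
    ("java-stack-trace", re.compile(
        rb"[\w.$]+(?:Exception|Error)[^\n]*\n(?:\s+at [\w.$<>]+\([^)]*\)\s*\n?)+")),
    ("sql-error", re.compile(rb"ORA-\d{5}|You have an error in your SQL syntax")),
]

# "Go" words must appear in every HTML page; "stop" words must never appear.
GO_WORDS = [rb"Copyright \d{4} Example Corp"]
STOP_WORDS = [rb"hacked by", rb"owned by"]


def inspect_response(path: str, content_type: str, body: bytes, leak_mode: str = "scrub"):
    """Return (verdict, body_to_send). verdict is 'allow', 'replaced',
    'scrubbed: <pattern>' or 'block: <reason>'."""
    # Level 1: anti-defacement. Static content must match its recorded digest.
    if path in STATIC_DIGESTS:
        if hashlib.sha256(body).hexdigest() != STATIC_DIGESTS[path]:
            return "replaced", STATIC_ORIGINALS[path]
        return "allow", body
    # Level 2: sensitive server internals. Scrub them or drop the response.
    verdict = "allow"
    for name, pattern in LEAK_PATTERNS:
        if pattern.search(body):
            if leak_mode == "block":
                return f"block: {name}", b""
            body = pattern.sub(b"[removed by firewall]\n", body)
            verdict = f"scrubbed: {name}"
    # Level 3: stop-and-go words, applied to HTML only.
    if content_type.startswith("text/html"):
        for word in STOP_WORDS:
            if re.search(word, body, re.I):
                return "block: stop word", b""
        for word in GO_WORDS:
            if not re.search(word, body):
                return "block: missing required content", b""
    return verdict, body


# Constructed 500 page of the kind an unhandled servlet exception produces.
SAMPLE_ERROR_PAGE = (
    b"<html><body><h1>HTTP 500</h1>\n"
    b"java.lang.NullPointerException: null\n"
    b"\tat com.example.Shop.checkout(Shop.java:42)\n"
    b"\tat com.example.web.Servlet.doPost(Servlet.java:17)\n"
    b"<p>Copyright 2010 Example Corp</p></body></html>")

if __name__ == "__main__":
    print(inspect_response("/index.html", "text/html", b"<html>defaced</html>"))
    print(inspect_response("/checkout", "text/html", SAMPLE_ERROR_PAGE))
```

Scrubbing keeps the page usable for the user while hiding class names, file names and line numbers from an attacker probing for error conditions; blocking is the safer default when the application's error pages carry nothing the user needs.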
Automatic behavior prediction, or automatically generating a learned rule set for a known application, is strictly speaking not a traffic-inspection technique but a meta-inspection technique: it analyzes traffic, builds the behavioral model, and uses a variety of related techniques to generate the rule set the behavioral model works from, in order to improve accuracy. Its advantage is that after a short learning period the application's behavior model is configured automatically.

Defending port 80 is the most significant challenge security staff face. Fortunately, innovative solutions to this problem now exist and continue to mature. With a layered security infrastructure that incorporates an application firewall able to block the 16 classes of application vulnerability, the problem can be handled with confidence.
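As an added example (not code from the original post), here is a minimal version of the behavior modeling and automatic learning described in the two sections above. In learning mode the firewall parses each HTML response the application serves and records the links and forms on it, remembering the fixed value of every hidden field; in enforcement mode it rejects requests to URLs that were never served, parameters that were never offered, and hidden fields whose value has been changed. An operator-maintained exception list shows the human tuning the post says is needed for JavaScript-generated requests that the model never sees. The class names and the sample checkout page are constructed for this example, and the model is site-wide rather than tied to an individual user session as a full implementation would be.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse


class _PageModelParser(HTMLParser):
    """Pull the links and forms (with their fields) out of one HTML response."""

    def __init__(self):
        super().__init__()
        self.links = set()
        self.forms = []      # dicts: action, method, fields {name: hidden value or None}
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.add(a["href"])
        elif tag == "form":
            self._form = {"action": a.get("action") or "",
                          "method": (a.get("method") or "get").upper(), "fields": {}}
        elif tag in ("input", "select", "textarea") and self._form is not None and a.get("name"):
            # A hidden field has a fixed value the browser must send back unchanged.
            fixed = a.get("value") if (a.get("type") or "").lower() == "hidden" else None
            self._form["fields"][a["name"]] = fixed

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


class BehaviorModel:
    def __init__(self):
        self.allowed = {}        # (METHOD, path) -> {param: fixed value or None}
        self.exceptions = set()  # (METHOD, path) pairs an operator has whitelisted

    def learn(self, page_path: str, html: str):
        """Learning mode: every link and form the application serves becomes allowed behavior."""
        p = _PageModelParser()
        p.feed(html)
        for href in p.links:
            u = urlparse(href)
            entry = self.allowed.setdefault(("GET", u.path or page_path), {})
            for name in parse_qs(u.query, keep_blank_values=True):
                entry.setdefault(name, None)          # query parameters are user-variable
        for form in p.forms:
            path = urlparse(form["action"]).path or page_path
            entry = self.allowed.setdefault((form["method"], path), {})
            for name, fixed in form["fields"].items():
                # A hidden field seen with two different values is not a constant.
                entry[name] = None if (name in entry and entry[name] != fixed) else fixed

    def add_exception(self, method: str, path: str):
        """Human tuning: allow a URL the model could not learn (e.g. built by JavaScript)."""
        self.exceptions.add((method.upper(), path))

    def check(self, method: str, path: str, params: dict) -> str:
        """Enforcement mode: 'allow' or a block reason."""
        if (method, path) in self.exceptions:
            return "allow"
        spec = self.allowed.get((method, path))
        if spec is None:
            return f"block: {method} {path} not in model"
        for name, value in params.items():
            if name not in spec:
                return f"block: unexpected parameter {name}"
            if spec[name] is not None and value != spec[name]:
                return f"block: hidden field {name} manipulated"
        return "allow"


# Constructed checkout page of the kind the firewall would see in learning mode.
SAMPLE_CHECKOUT_PAGE = """
<html><body>
<a href="/catalog?category=books">Books</a>
<a href="/account">My account</a>
<form action="/buy" method="post">
  <input type="hidden" name="item" value="book-42">
  <input type="hidden" name="price" value="19.99">
  <input type="text" name="qty">
  <input type="submit" value="Buy">
</form>
</body></html>
"""

if __name__ == "__main__":
    model = BehaviorModel()
    model.learn("/checkout", SAMPLE_CHECKOUT_PAGE)
    print(model.check("POST", "/buy", {"item": "book-42", "price": "19.99", "qty": "2"}))
    print(model.check("POST", "/buy", {"item": "book-42", "price": "0.01", "qty": "2"}))
```

The trade-off the post warns about is visible in `learn`: once a hidden field has been seen with two different values the model stops checking it, so an application that varies a price per page loses that protection unless the model is kept per session, and a URL the model never observed is blocked until an operator adds an exception.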
