Sunday, March 27, 2011
【Weak Current College】 An in-depth look at Web application firewalls
A Web application firewall (WAF) aims to protect Web applications from common attacks such as cross-site scripting and SQL injection. Traditional firewalls protect the network perimeter, whereas a WAF is deployed between the Web client and the Web server. Experts say the greatest benefit of a Web application firewall is that it helps analyze application-layer traffic for any violation of the security policy.
Although some traditional firewalls can provide a degree of protection, they differ from a WAF in both aim and scope. For example, a WAF can detect whether an application is running the way it is specified to, and it can help you write more specific security policies to prevent the same problem from happening again.
A WAF also differs from an intrusion prevention system (IPS). Gartner analyst Greg Young said: "This is a very different technology. It is not based on signatures but on behavior, and it can help reduce the vulnerabilities you may have inadvertently created yourself."
On the foreign market, products with Web application firewall features go by dozens of different names, to say nothing of the variety of product forms and descriptions. It is hard to define because the name covers so much. The lower network layers (a Web application firewall sits at layer 7) are covered by many devices, each with its own distinctive function: routers, switches, firewalls, intrusion detection systems, intrusion prevention systems and so on. In the HTTP world, however, all of these functions are integrated into one device: the Web application firewall.
Because a Web application firewall is multifaceted, people with different knowledge and backgrounds tend to focus on different aspects of it. For example, those with a network intrusion detection background tend to think of it as an IDS device running at the HTTP layer, while those with a firewall background see it more as a firewall feature module. Another view comes from the term "deep inspection firewall": some consider a deep inspection firewall and a Web application firewall to be functionally equivalent devices. Although the two have some similarities, the difference is large. A deep inspection firewall usually works at network layer 3 and above, whereas a Web application firewall works at layer 7, handling HTTP services, and supports them far better.
Enhanced input validation
Frequent Web security problems arise partly from misunderstandings of the Web design model and partly from programs that trust the browser. Many Web programmers use JavaScript in the browser for input validation. But the browser is simply a tool under the user's control, so an attacker can easily bypass that validation and send malicious input directly to the Web application server.
The correct solution to these problems is server-side input validation. If this cannot be implemented in the application itself, a proxy can be added between the client and the application server; the proxy executes the JavaScript embedded in the Web pages to perform the input validation.
Negative security model vs. positive security model
When setting up firewall rules you may have met this advice: allow known-safe traffic and deny everything else. That is a very good positive security model. Conversely, the negative security model allows all access by default and rejects only certain known-dangerous traffic patterns.
Each security model faces a different question:
Negative security model: what is dangerous?
Positive security model: what is safe?
The negative security model is the more commonly used. You identify a dangerous pattern and configure the system against it. This is simple and interesting, but not very secure. It relies on people's awareness of the risk; if a problem exists but nobody is aware of it (which is usually the case), you leave the machine open for an attacker to exploit.
The positive security model (also known as the whitelist model) looks like a better way to formulate policy and is well suited to configuring firewall policy. In the field of Web application security, a positive security model usually amounts to enumerating every script in the application. For every script enumerated, an appropriate list must be established, whose contents are roughly as follows:
* Allowed request methods (for example, GET/POST or POST only)
* Allowed Content-Type
* Allowed Content-Length
* Allowed parameters
* Required parameters and optional parameters
* Parameter types (for example, text or integer)
* Additional parameter restrictions
The list above is only an example; a real positive security model typically includes more elements. It tries to do from the outside what the programmer should have done from within: verify every bit of information submitted to the Web application. If you are willing to spend the time, the positive security model is the better choice. One difficulty of this model is that the policy must evolve along with the application: whenever a new script is added or an old one changed, the policy must be updated. It is, however, well suited to protecting stable, old applications that nobody maintains any more.
Automatic policy development can solve the above problem:
* Some WAFs can monitor traffic and configure policy automatically from the observed traffic; some products can do this in real time.
* Through a whitelist, you can identify specific IP addresses as trusted, then configure the WAF and update the security policy based on observation of their traffic.
* If you create a comprehensive test suite for the application (simulating correct behavior) and run it while the WAF is in monitoring mode, the WAF can generate the policy automatically.
Clearly, neither model is perfectly satisfactory. The negative security model is suited to dealing with known issues, and the positive security model to stable Web applications. Ideally, in practice, a combination of both is used, each compensating for the other.
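To make the per-script allow-list and the automatic policy learning above concrete, here is an added example (not code from the original post or from any WAF product). It learns a positive-security policy from traffic assumed to be trusted, then checks new requests against it; the request dictionaries, script paths, parameter names and sample traffic are all constructed for the demo.

```python
# Added example, not from the original post: a toy positive-security-model
# WAF policy learned from trusted traffic and then enforced per script.
# The request dictionaries, script paths and parameter names are all constructed.
import re
from dataclasses import dataclass, field


@dataclass
class ScriptPolicy:
    """Allow-list for one script (one URL path), as the post's bullet list describes."""
    methods: set = field(default_factory=set)          # allowed request methods
    content_types: set = field(default_factory=set)    # allowed Content-Type values
    max_content_length: int = 0                        # largest Content-Length seen
    params: dict = field(default_factory=dict)         # name -> {"type", "max_len", "count"}
    required: set = field(default_factory=set)         # parameters present in every request


def _is_int(value):
    return re.fullmatch(r"-?\d+", value) is not None


def learn_policy(trusted_requests):
    """Build per-script allow-lists from traffic assumed to be legitimate
    (e.g. from trusted IPs, or a test-suite run while the WAF is in monitoring mode)."""
    policy, seen = {}, {}
    for req in trusted_requests:
        path = req["path"]
        sp = policy.setdefault(path, ScriptPolicy())
        seen[path] = seen.get(path, 0) + 1
        sp.methods.add(req["method"])
        if req.get("content_type"):
            sp.content_types.add(req["content_type"])
        sp.max_content_length = max(sp.max_content_length, req.get("content_length", 0))
        for name, value in req["params"].items():
            spec = sp.params.setdefault(name, {"type": "integer", "max_len": 0, "count": 0})
            if not _is_int(value):          # one non-numeric value demotes the type to text
                spec["type"] = "text"
            spec["max_len"] = max(spec["max_len"], len(value))
            spec["count"] += 1
    for path, sp in policy.items():
        # a parameter that appeared in every observed request is treated as required
        sp.required = {n for n, spec in sp.params.items() if spec["count"] == seen[path]}
    return policy


def check_request(policy, req):
    """Return the list of violations; an empty list means the request is allowed.
    Anything not explicitly learned is denied, which is what makes the model positive."""
    path = req["path"]
    sp = policy.get(path)
    if sp is None:
        return [f"unknown script {path}"]
    violations = []
    if req["method"] not in sp.methods:
        violations.append(f"method {req['method']} not allowed for {path}")
    ct = req.get("content_type")
    if ct and ct not in sp.content_types:
        violations.append(f"content type {ct} not allowed")
    if req.get("content_length", 0) > sp.max_content_length:
        violations.append(f"content length {req['content_length']} exceeds learned maximum {sp.max_content_length}")
    for name in sorted(sp.required - set(req["params"])):
        violations.append(f"missing required parameter {name}")
    for name, value in req["params"].items():
        spec = sp.params.get(name)
        if spec is None:
            violations.append(f"unexpected parameter {name}")
            continue
        if spec["type"] == "integer" and not _is_int(value):
            violations.append(f"parameter {name} must be an integer")
        if len(value) > spec["max_len"]:
            violations.append(f"parameter {name} longer than learned maximum {spec['max_len']}")
    return violations


# Constructed "trusted" traffic: what a WAF in monitoring mode might have recorded.
FORM = "application/x-www-form-urlencoded"
TRUSTED_TRAFFIC = [
    {"method": "GET", "path": "/item.php", "content_type": None, "content_length": 0,
     "params": {"id": "17"}},
    {"method": "GET", "path": "/item.php", "content_type": None, "content_length": 0,
     "params": {"id": "2048", "tab": "reviews"}},
    {"method": "POST", "path": "/login.php", "content_type": FORM, "content_length": 38,
     "params": {"user": "alice", "pass": "s3cret!"}},
    {"method": "POST", "path": "/login.php", "content_type": FORM, "content_length": 41,
     "params": {"user": "bob.smith", "pass": "correct horse"}},
]
POLICY = learn_policy(TRUSTED_TRAFFIC)

if __name__ == "__main__":
    probe = {"method": "GET", "path": "/item.php", "content_type": None,
             "content_length": 0, "params": {"id": "17abc", "debug": "1"}}
    print(check_request(POLICY, probe))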
Timely patching
The positive security model is theoretically better because the protocol by which the browser and the Web application communicate is very well defined in the HTML specification. Today's Web development languages can handle multiple parameters in one HTTP request. Because these parameters are visible to the Web application firewall, the WAF can analyze them and decide whether the request should be allowed.
When an application vulnerability is found, in most cases we try to patch it in the code. Depending on many factors (the size of the application, whether the developers are available, legal issues, and so on), the patching process can take anywhere from a few minutes to an unlimited time. That is the time an attacker has to launch an attack.
If the developers can fix the vulnerability in the code in a very short time, there is nothing to worry about. But what if patching the vulnerability would take days or even weeks? This is where a Web application firewall is the ideal tool: give a security expert a good WAF and sufficient information about the vulnerability, and he can shield it in under an hour. Of course, shielding a vulnerability this way is not perfect, and until the corresponding patch is installed the threat remains, but we have no choice: some protection is better than none.
The timely-patching principle applies even better to XML-based applications, because their communication protocols are standardized.
Rule-based protection and anomaly-based protection
Most products on the market today are rule-based WAFs. The principle is that every session undergoes a series of tests, each consisting of multiple detection rules; if a test fails, the request is considered illegal and rejected.
Rule-based WAFs are easy to build and can effectively protect against known security problems, and they are convenient when we want to create a custom defense strategy. But because the characteristics of each threat must first be confirmed, the rules depend on a powerful database behind them. WAF vendors maintain that database and provide automatic update tools.
This method cannot effectively protect a Web application against the exploitation of zero-day vulnerabilities (vulnerabilities not yet public that an attacker uses); against such threats an anomaly-based WAF is more effective.
The basic concept of anomaly-based protection is to establish a protective layer that builds a statistical model of legitimate data for the application under protection, and then uses that model to judge whether actual communication matches the legitimate data. In theory, once built successfully, such an anomaly-based system should be able to detect any anomaly. With it, we would no longer need a rules database, and zero-day attacks would no longer be a problem. But anomaly-based protection systems are hard to build, so they are not common. And because users do not understand how they work, they do not trust them, so they are not as widely applied as rule-based WAFs.
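Here is an added example (not from the original post, and not any vendor's rule database) that puts a tiny rule-based check next to a simple anomaly-based check and runs both over constructed requests. The three signatures, the length-and-character-class profile and the sample search traffic are all made up for the demo; the point is that the signatures catch the patterns they were written for, while the statistical profile also flags a value no signature describes.

```python
# Added example, not from the original post: a rule-based (negative) check beside
# a simple anomaly-based check, run over constructed requests. The rule set,
# the parameter profile and the sample traffic are all made up for the demo.
import re
import statistics
import string

# Rule-based protection: a deliberately tiny signature database of known-bad patterns.
RULES = [
    ("sql-tautology", re.compile(r"'\s*or\s+\S+\s*=\s*\S+", re.I)),
    ("sql-comment", re.compile(r"(--|/\*|#)\s*$")),
    ("html-script-tag", re.compile(r"<\s*script", re.I)),
]


def rule_check(value):
    """Return the names of the rules a parameter value triggers (empty list = clean)."""
    return [name for name, rx in RULES if rx.search(value)]


def char_classes(value):
    """Coarse fingerprint of a value: which kinds of characters appear in it."""
    classes = set()
    for ch in value:
        if ch.isalpha():
            classes.add("alpha")
        elif ch.isdigit():
            classes.add("digit")
        elif ch.isspace():
            classes.add("space")
        elif ch in string.punctuation:
            classes.add("punct")
        else:
            classes.add("other")
    return classes


class ParamProfile:
    """Anomaly-based protection: a statistical model of one parameter's legitimate values."""

    def __init__(self):
        self.lengths = []
        self.classes = set()

    def observe(self, value):
        self.lengths.append(len(value))
        self.classes |= char_classes(value)

    def anomaly(self, value, z_limit=3.0):
        """Return a reason string if the value deviates from the model, else None."""
        mean = statistics.fmean(self.lengths)
        sd = statistics.pstdev(self.lengths) or 1.0   # avoid division by zero
        z = abs(len(value) - mean) / sd
        if z > z_limit:
            return f"length {len(value)} is {z:.1f} standard deviations from the mean"
        unseen = char_classes(value) - self.classes
        if unseen:
            return f"never-seen character classes {sorted(unseen)}"
        return None


def inspect(profiles, path, params):
    """Combine both models: rules catch known attacks, the profile catches the unknown."""
    verdicts = {}
    for name, value in params.items():
        hits = rule_check(value)
        if hits:
            verdicts[name] = ("rule", hits)
            continue
        profile = profiles.get((path, name))
        reason = profile.anomaly(value) if profile else None
        verdicts[name] = ("anomaly", reason) if reason else ("ok", None)
    return verdicts


# Constructed legitimate traffic for /search.php?q=... used to train the profile.
PROFILES = {("/search.php", "q"): ParamProfile()}
for sample in ["red shoes", "laptop", "coffee mug", "bicycle lights", "winter coat"]:
    PROFILES[("/search.php", "q")].observe(sample)

if __name__ == "__main__":
    for q in ["green bag", "' or 'a'='a", "{[<%>]}" * 40]:
        print(repr(q[:30]), inspect(PROFILES, "/search.php", {"q": q}))
```

In a real deployment the profile would be trained on far more traffic and would track more than length and character classes, which is exactly why the post calls such systems hard to build: the training data must be clean, and a profile that is too loose misses attacks while one that is too tight blocks legitimate users.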
State management
The stateless nature of HTTP has many negative effects on Web application security. Sessions can only be implemented at the application tier, and for many applications this added functionality only meets business needs without considering security. Web application firewalls focus on session protection; their features include:
Enforcing the login page. On most sites you can enter from any URL you happen to know, which helps the attacker and makes defense harder. A WAF can judge whether it is the user's first visit, redirect the user to the default login page and log the event.
Detecting each user session separately. Being able to distinguish different sessions brings unlimited potential. For example, we can monitor the frequency of login requests and the pages a user visits. By observing the user's whole pattern of behavior we can identify attacks more easily.
Recognizing and responding to brute-force attacks. An ordinary Web application does not detect brute-force attacks. In state-management mode, a WAF can detect abnormal events (such as failed logins) and act when they exceed a threshold. At that point it can slow down authentication requests; the user barely notices the change, but it is enough to deal with automated attack scripts. If an authentication script takes 50 milliseconds, it can be called approximately 20 times per second. If a small delay is added, for example one second, requests drop to less than one per second. Together with raising a warning on further detections, this constitutes a good defense.
Enforcing session timeouts. Sessions expire after the default time and the user is required to re-authenticate. Users who have not sent a request for a long time are automatically logged out.
Detecting and defending against session hijacking. In many cases session hijacking changes the IP address and the request data (the HTTP request headers will differ). A state-monitoring tool can detect these anomalies and prevent illegitimate use. In such a case the session should be terminated, the user required to re-authenticate, and a warning logged.
Only responding to requests that follow from the previous response. Some WAFs are very strict and only allow the user to access links returned in the page from the previous request. This seems an interesting feature but it is hard to implement. One problem is that it does not allow the user to use multiple browser windows; another is that it breaks applications that use JavaScript to establish connections automatically.
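The session-protection features above (forcing the login page, throttling failed logins, idle timeouts and hijack detection) can be sketched in one small state tracker. This is an added example, not code from the original post or from any product; the session ids, addresses, thresholds and the 50 ms / 1 s figures used in `throttled_rate` are the post's own numbers or constructed values, and the clock is passed in as a parameter so the behaviour is reproducible.

```python
# Added example, not from the original post: a toy WAF-side session tracker that
# forces the login page, throttles failed logins, times out idle sessions and
# detects the header changes that often accompany session hijacking. Session ids,
# addresses and thresholds are constructed; time is passed in for reproducibility.


def throttled_rate(service_seconds, added_delay_seconds):
    """Maximum sequential attempts per second once the WAF adds a delay.
    With the post's numbers: 1/0.05 = 20 per second; 1/(0.05+1.0) < 1 per second."""
    return 1.0 / (service_seconds + added_delay_seconds)


class SessionGuard:
    def __init__(self, fail_threshold=3, added_delay=1.0, idle_timeout=900):
        self.fail_threshold = fail_threshold   # failed logins before throttling kicks in
        self.added_delay = added_delay         # seconds added to each further auth attempt
        self.idle_timeout = idle_timeout       # seconds of inactivity before re-authentication
        self.sessions = {}                     # sid -> {"ip", "ua", "last_seen"}
        self.failures = {}                     # client key (e.g. source IP) -> failed logins
        self.warnings = []                     # (time, subject, message) warning log

    def start_session(self, sid, ip, user_agent, now):
        """Called once the application has authenticated the user."""
        self.sessions[sid] = {"ip": ip, "ua": user_agent, "last_seen": now}

    def _drop(self, sid, now, reason):
        del self.sessions[sid]
        self.warnings.append((now, sid, reason))

    def check_request(self, sid, ip, user_agent, now):
        """Decide what to do with a request carrying session id `sid`."""
        s = self.sessions.get(sid)
        if s is None:
            return "redirect-login"            # first visit or unknown id: force the login page
        if now - s["last_seen"] > self.idle_timeout:
            self._drop(sid, now, "idle session expired")
            return "reauth-timeout"
        if ip != s["ip"] or user_agent != s["ua"]:
            # address or header change within one session: treat as hijack, terminate, log
            self._drop(sid, now, f"possible hijack: ip {s['ip']} -> {ip}, ua changed={user_agent != s['ua']}")
            return "terminate-hijack"
        s["last_seen"] = now
        return "allow"

    def login_failed(self, client, now):
        """Count a failed login and return the delay (seconds) to impose on the next attempt."""
        n = self.failures.get(client, 0) + 1
        self.failures[client] = n
        if n >= self.fail_threshold:
            self.warnings.append((now, client, f"{n} failed logins, throttling"))
            return self.added_delay
        return 0.0

    def login_succeeded(self, client):
        self.failures.pop(client, None)


if __name__ == "__main__":
    g = SessionGuard()
    print(g.check_request("s1", "10.0.0.5", "UA-A", 0))          # redirect-login
    print([g.login_failed("10.0.0.5", t) for t in (1, 2, 3)])     # [0.0, 0.0, 1.0]
    g.start_session("s1", "10.0.0.5", "UA-A", 10)
    print(g.check_request("s1", "203.0.113.9", "UA-A", 11))      # terminate-hijack
    print(g.warnings)
```

The delay is returned rather than slept so the caller (the proxy's request handler) decides how to apply it; in production the failure counter would also need an expiry so that a legitimate user is not throttled for ever.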
Other protection technologies
Other WAF security enhancements address Web programmers' excessive trust in input data. For example:
Hidden form fields. Sometimes internal application data is passed through hidden form variables, but they are not really hidden. Programmers usually use hidden form variables to save execution state, sending the data to the user and expecting it to come back unmodified. Ensuring this is a complicated process, and WAFs often use cryptographic signing for it.
Cookies. Like hidden form fields, cookies are often used to pass the user's personal data to the application, and some cookies may contain sensitive data. WAFs usually encrypt the entire cookie contents, or virtualize the cookie mechanism. With this setting, the end user sees only cookie tokens (like a session token), and the real cookies are stored safely on the WAF.
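The two mechanisms just described, signing hidden form fields and virtualizing cookies, look like this in an added example (not code from the original post or from any WAF product). The signing key, the field names and the cookie values are constructed placeholders; HMAC-SHA256 is the signing primitive chosen here, not something the post specifies.

```python
# Added example, not from the original post: HMAC-signing hidden form fields so
# tampering is detected on the way back, and "virtualizing" cookies so the browser
# only ever holds an opaque token. The key, field names and cookie values are constructed.
import hashlib
import hmac
import secrets
from urllib.parse import quote

SIGNING_KEY = b"constructed-demo-key-replace-in-production"   # placeholder, not a real key
SIG_FIELD = "_sig"


def _canonical(fields):
    """Deterministic serialization: sorted, percent-encoded name=value pairs."""
    return "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(fields.items()))


def sign_hidden_fields(fields):
    """Outbound page: return a copy of the hidden fields with a signature field appended."""
    mac = hmac.new(SIGNING_KEY, _canonical(fields).encode(), hashlib.sha256).hexdigest()
    return {**fields, SIG_FIELD: mac}


def verify_hidden_fields(submitted):
    """Inbound request: True only if the submitted hidden fields carry a valid signature."""
    submitted = dict(submitted)
    presented = submitted.pop(SIG_FIELD, None)
    if presented is None:
        return False
    expected = hmac.new(SIGNING_KEY, _canonical(submitted).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(presented, expected)   # constant-time comparison


class CookieVault:
    """Keeps real cookies on the WAF side; the client only sees per-session random tokens."""

    def __init__(self):
        self._store = {}   # (session_id, token) -> real cookie value

    def outbound(self, session_id, real_cookie):
        """On a Set-Cookie from the application: replace the value with a fresh token."""
        token = secrets.token_urlsafe(24)
        self._store[(session_id, token)] = real_cookie
        return token

    def inbound(self, session_id, token):
        """On a Cookie header from the client: map the token back, or None if unknown."""
        return self._store.get((session_id, token))


if __name__ == "__main__":
    page = sign_hidden_fields({"item": "42", "price": "19.99"})
    print(verify_hidden_fields(page), verify_hidden_fields({**page, "price": "0.01"}))
    vault = CookieVault()
    token = vault.outbound("sess-1", "prefs=dark; role=editor")
    print(token, vault.inbound("sess-1", token), vault.inbound("sess-2", token))
```

Binding the token to the session id means a token copied from one session is useless in another; with signing, the WAF can only detect modification of the fields, so anything that must stay secret from the user belongs in the vault (or encrypted) rather than merely signed.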
Anti-evasion technology. Network-based IDSs are subject to evasion techniques when it comes to Web attacks: there are many ways to rewrite the HTTP request data (the attack data), and the various rewritten requests can evade IDS detection. Here a complete understanding of HTTP is a significant improvement. For example, a WAF sees each HTTP request in full, so it can avoid all the forms of attack that split an HTTP request into pieces. Because it understands the HTTP protocol well, it can also handle dynamic and static requests separately, so there is no need to spend a lot of time protecting static data that is not under attack. In this way a WAF has enough capacity to deal with a variety of evasion techniques, something that is time-consuming for a NIDS.
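The practical form of "understanding HTTP" is canonicalization: the WAF reduces a path or parameter to one normal form before any rule looks at it, and routes static requests past the expensive checks. This is an added example, not the post's or any product's code; the sample inputs and the static-extension list are constructed.

```python
# Added example, not from the original post: canonicalizing a request before rule
# matching, so that encoding and path tricks do not hide a value from the rules.
# The sample inputs and the static-file extension list are constructed.
import posixpath
from urllib.parse import unquote, unquote_plus


def _decode_until_stable(text, decoder, max_rounds=5):
    """Percent-decode repeatedly (bounded) so double-encoded input is seen decoded."""
    for _ in range(max_rounds):
        decoded = decoder(text)
        if decoded == text:
            break
        text = decoded
    return text


def canonicalize_path(path):
    """One canonical form for the request path: decoded, NUL-truncated, normalized, lower-cased."""
    path = _decode_until_stable(path, unquote)
    path = path.split("\x00", 1)[0]            # many servers ignore anything after an embedded NUL
    path = posixpath.normpath(path)            # collapses //, /./ and /../ segments
    if not path.startswith("/"):
        path = "/" + path
    return path.lower()


def canonicalize_value(value):
    """Canonical form for a query/form value: decoded, '+' as space, NUL stripped, whitespace collapsed."""
    value = _decode_until_stable(value, unquote_plus)
    value = value.replace("\x00", "")
    return " ".join(value.split())


def is_static_request(path):
    """Static files need no parameter inspection; a WAF can route them past the expensive checks."""
    return posixpath.splitext(path)[1] in {".css", ".js", ".png", ".jpg", ".gif", ".ico"}


if __name__ == "__main__":
    print(canonicalize_path("/ADMIN/%2e%2e/%252e%252e/Config.php"))   # /config.php
    print(canonicalize_value("%253Cscript%253E"))                       # <script>
    print(is_static_request(canonicalize_path("/Static/Logo.PNG")))     # True
```

Rules must run on the canonical form and the backend must receive the same form the rules saw; if the proxy forwards the raw request instead, the server's own decoding can still disagree with what the WAF inspected.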
Response monitoring and information-leak protection. Information-leak prevention is the name for monitoring HTTP output data. In principle it is the same as request monitoring: it aims to watch for suspicious output and stop suspicious HTTP output from reaching the user. The most likely application is monitoring for credit card numbers and social security numbers. Another application of this technology is finding signs of a successful intrusion. Since an experienced attacker will always encode the information to defeat monitoring, preventing such a determined and skilled attacker from obtaining information is very difficult. However, when the attacker does not have full control of the server and is only probing the Web application for vulnerabilities, this technology can offer protection.
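As an added example of response monitoring (not code from the original post or from any product), the scanner below looks for card numbers, social security numbers and a database error string in an outbound body, redacting the first two. The Luhn check cuts false positives on order or tracking numbers; the SQL error string used as an intrusion sign and the sample response body are constructed for the demo, and, as the post warns, an attacker who encodes the data on the way out will not be caught by plain pattern matching.

```python
# Added example, not from the original post: response-side monitoring that looks for
# card numbers (Luhn-validated to cut false positives), social security numbers and
# a database error string, redacting the first two before the body reaches the user.
# The patterns and the sample response body are constructed for this demo.
import re

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")      # 13-19 digits with optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
SQL_ERROR_RE = re.compile(r"You have an error in your SQL syntax", re.I)


def luhn_ok(number):
    """Luhn checksum over a digit string (separators already stripped)."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:               # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask(text):
    """Keep the last four digits, star out the rest, preserve separators."""
    return re.sub(r"\d", "*", text[:-4]) + text[-4:]


def scan_response(body):
    """Return (redacted_body, findings); findings is a list of (kind, detail) tuples."""
    findings = []

    def card_sub(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)        # an order or tracking number, leave it alone
        masked = _mask(m.group(0))
        findings.append(("card", masked))
        return masked

    def ssn_sub(m):
        masked = _mask(m.group(0))
        findings.append(("ssn", masked))
        return masked

    redacted = CARD_RE.sub(card_sub, body)
    redacted = SSN_RE.sub(ssn_sub, redacted)
    if SQL_ERROR_RE.search(redacted):
        # A database error reaching the client is a sign of probing or a successful injection.
        findings.append(("sql-error", "database error text in response"))
    return redacted, findings


if __name__ == "__main__":
    # Constructed response body: one non-card number, one test card number, one SSN.
    sample = "Order 1234 5678 9012 3456 shipped. Card 4111 1111 1111 1111, SSN 123-45-6789."
    print(scan_response(sample))
```

A deployment would normally log the finding and either block the response or replace it, depending on policy; redaction is shown here because it keeps the page usable while still denying the data.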