A Web firewall mainly strengthens protection against Web-specific intrusion methods, such as DDoS, SQL injection, XML injection and XSS. Because these intrusions happen at the application layer rather than the network layer, technically it should be called a Web IPS rather than a Web firewall. It is called a Web firewall because that name is easier for everyone to understand and is the popular name in the industry. Since the focus is on defending against SQL injection, it is also known as an SQL firewall.
Preventing web pages from being tampered with is passive; blocking intrusions is proactive. The IPS/UTM products mentioned above are general-purpose security gateways, and there are also hardware security gateways built specifically for the Web. Domestic examples include Green League's (NSFOCUS's) Web firewall and Kaiping's WIPS (Web IPS); abroad there is Imperva's Web Application Firewall (WAF) technology.
Web firewall products are deployed in-line in front of the Web server. In-line deployment not only demands high hardware performance but must also not disrupt the Web service, so HA and bypass functions are required. They are commonly deployed in coordination with the load balancing, Web cache and similar products that sit in front of Web servers.
The core technology of a Web firewall is intrusion detection, in particular detection of intrusions against Web services. The technology differs greatly between vendors; it cannot be measured by the size of a vendor's signature database, and the main thing is to look at test results. Broadly speaking, there are several approaches:
◆ Proxy service: the proxy approach is itself a security gateway. A session-based, two-way proxy breaks the direct connection between user and server and works with various encryption protocols; it is also the most commonly used technology in Web cache applications. Proxying prevents direct access by intruders, can suppress DDoS attacks, and suppresses unanticipated "special" behaviour. NetContinuum's WAF is representative of this technology.
◆ Feature recognition: identifying the intruder is a prerequisite for defending against him. A feature is the attacker's "fingerprint", such as the shellcode in a buffer overflow, or the always-true expression (1=1) common in SQL injection. Application-layer information has no "standard", but every piece of software and every behaviour has its own unique attributes, and viruses and worms are identified in this way. The trouble is that each type of attack has its own features: there are many of them, they are easily similar to one another, and the probability of false positives is correspondingly high. Although the number of malicious-code features is currently growing exponentially and the security community talks of phasing this technology out, there is as yet no particularly good alternative for identifying application-layer attacks.
◆ Algorithm identification: because feature recognition has shortcomings, people look for new approaches. Attack types are classified and the features of each class are modelled, so that matching is no longer a comparison of individual features. Algorithm identification is similar to pattern recognition, but it depends strongly on the attack method: SQL injection, DDoS, XSS and so on each need a corresponding recognition algorithm. Algorithmic recognition is based on semantic understanding rather than "longitudinal" recognition.
◆ Pattern matching: this is the "old" technology from IDS. Attack behaviour is combined into a certain pattern; once a pattern is matched, the traffic can be determined to be intrusion behaviour. Of course, defining the model takes deep expertise, and every vendor keeps its own as a secret "patent". Protocol-level patterns are simple, being defined according to the rules of the standard protocol; behaviour-level patterns are more complicated.
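As an added example that is not part of the original article and not any vendor's code, the following Python sketch shows the three detection styles above side by side on one parsed request: literal signatures (feature recognition), a structural score that models the class "SQL tautology" rather than the single string 1=1 (algorithm identification), and checks taken from the HTTP protocol's own rules (the simple protocol mode of pattern matching). The signatures, keyword list, allowed methods, threshold and the two sample requests are illustrative assumptions.

```python
import re

# Added example, not code from the article or any vendor product. The signatures,
# keyword list, allowed methods and threshold below are illustrative assumptions.

# 1) Feature recognition: literal "fingerprints" of known payloads.
SIGNATURES = {
    "sqli_tautology_literal": re.compile(r"\b1\s*=\s*1\b"),
    "sqli_comment_terminator": re.compile(r"--\s*$|/\*"),
    "xss_script_tag": re.compile(r"<\s*script\b", re.IGNORECASE),
}

# 2) Algorithm identification: model the class "SQL tautology" instead of the
#    literal 1=1, so 'a'='a' or 7=7 is caught by the same rule.
SQL_KEYWORDS = {"select", "union", "insert", "update", "delete", "drop",
                "or", "and", "where", "from", "sleep"}
TOKEN_RE = re.compile(r"""\w+|['"=]|[^\w\s]""")

# 3) Pattern matching in "protocol mode": rules taken from the HTTP standard.
ALLOWED_METHODS = {"GET", "POST", "HEAD"}


def signature_hits(value):
    """Names of every signature that matches the parameter value."""
    return [name for name, rx in SIGNATURES.items() if rx.search(value)]


def sql_suspicion_score(value):
    """Structural score: each X = X tautology counts 2, each SQL keyword counts 1."""
    tokens = TOKEN_RE.findall(value)
    operands = [t for t in tokens if t not in ("'", '"')]  # quotes are not operands
    score = 0
    for i in range(1, len(operands) - 1):
        if operands[i] == "=" and operands[i - 1].lower() == operands[i + 1].lower():
            score += 2
    score += sum(1 for t in tokens if t.lower() in SQL_KEYWORDS)
    return score


def protocol_violations(request):
    """Deviations from the protocol itself; needs no knowledge of any attack."""
    problems = []
    if request["method"] not in ALLOWED_METHODS:
        problems.append("unexpected method " + request["method"])
    if "host" not in {k.lower() for k in request["headers"]}:
        problems.append("missing Host header")
    length = request["headers"].get("Content-Length")
    if length is not None and not length.isdigit():
        problems.append("non-numeric Content-Length")
    return problems


def inspect_request(request, score_threshold=3):
    """Run all three techniques; returns (technique, detail) findings, empty if clean."""
    findings = [("pattern", p) for p in protocol_violations(request)]
    for name, value in request["params"].items():
        for sig in signature_hits(value):
            findings.append(("feature", f"{name}: {sig}"))
        score = sql_suspicion_score(value)
        if score >= score_threshold:
            findings.append(("algorithm", f"{name}: sql score {score}"))
    return findings


# Constructed sample requests (not captured traffic).
BENIGN = {"method": "POST", "path": "/login",
          "headers": {"Host": "shop.example", "Content-Length": "27"},
          "params": {"user": "o'brien", "pass": "Correct-Horse-9"}}
TAUTOLOGY = {"method": "POST", "path": "/login",
             "headers": {"Host": "shop.example", "Content-Length": "40"},
             "params": {"user": "admin' OR 'a'='a", "pass": "x"}}

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("tautology", TAUTOLOGY)):
        print(label, inspect_request(req))
```

The benign request is deliberately chosen to contain an apostrophe (o'brien): a literal signature on the quote character alone would produce the false positives the text warns about, while the structural score stays at zero because there is no tautology and no SQL keyword. The tautology request, on the other hand, never contains the literal 1=1 and slips past every signature, but is caught by the class-level rule.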
The biggest challenge for a Web firewall is the recognition rate, and this is not an easy indicator to measure, because not every intruder who slips into the network announces himself. If a web page has been tampered with, for example, you can hardly tell which intruder got in; what you do not know, you cannot count. For known attack methods you can talk about a recognition rate; for unknown attack methods you only find out once the attacker "jumps out".
The development of the “self-learning” function:
Imperva's WAF products provide intrusion prevention and also another protection technology: automatic learning of the Web application's pages. Since no two websites are the same, the characteristics of a site's own pages cannot be defined in advance, so Imperva has the device learn them automatically in a preliminary phase and summarise the characteristics of that site's pages. The specific approach is this:
Over a period of user access, the WAF records the access patterns of commonly used pages: how many input points a page has, what type of content is entered at each, what the usual length is, and so on. After learning, it defines a normal usage mode for the page, and when a later user breaks out of that mode the WAF alerts or blocks according to your predefined policy. For example, an ordinary account-name input should not contain special characters, and XML injection needs a language tag character such as "<"; likewise, if passwords are generally no longer than 20 characters, the code added by an SQL injection is very long and also breaks the page's access pattern.
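As an added example (not Imperva's code or any product's), here is a minimal Python version of the page-profile learning just described: during a learning window it records, per input point of a page, the lengths and character classes seen; afterwards it reports any request that breaks that mode, covering both symptoms named above (a markup character in an account field, a password far longer than the learned length). The field names, the constructed training requests, the character-class table and the 1.5x length margin are assumptions for illustration.

```python
import string

# Added example, not Imperva's or any vendor's code. Field names, training data,
# character classes and the length margin are illustrative assumptions.

# Character classes an input value is summarised into during learning.
CHARACTER_CLASSES = {
    "alpha": set(string.ascii_letters),
    "digit": set(string.digits),
    "space": {" "},
    "punct": set(".-_@"),      # punctuation common in ordinary account names
    "markup": set("<>&'\""),   # tag and quote characters, e.g. the "<" of XML injection
}


def classify(ch):
    """Map one character to its class; anything unlisted is 'other'."""
    for name, members in CHARACTER_CLASSES.items():
        if ch in members:
            return name
    return "other"


class PageProfile:
    """Per-field profile of one page: max length and character classes seen
    during the learning window, then enforced as the page's normal mode."""

    def __init__(self, length_margin=1.5):
        self.margin = length_margin
        self.fields = {}        # field name -> {"max_len": int, "classes": set}
        self.learning = True

    def observe(self, params):
        """Learning phase: widen the profile with one observed request."""
        if not self.learning:
            raise RuntimeError("profile is locked; learning has finished")
        for name, value in params.items():
            f = self.fields.setdefault(name, {"max_len": 0, "classes": set()})
            f["max_len"] = max(f["max_len"], len(value))
            f["classes"].update(classify(c) for c in value)

    def finish_learning(self):
        self.learning = False

    def check(self, params):
        """Enforcement phase: list every way the request breaks the learned mode."""
        deviations = []
        for name, value in params.items():
            f = self.fields.get(name)
            if f is None:
                deviations.append(f"{name}: input point never seen during learning")
                continue
            limit = int(f["max_len"] * self.margin)
            if len(value) > limit:
                deviations.append(f"{name}: length {len(value)} exceeds learned limit {limit}")
            unseen = {classify(c) for c in value} - f["classes"]
            if unseen:
                deviations.append(f"{name}: unseen character class(es) {sorted(unseen)}")
        return deviations


def build_login_profile():
    """Constructed learning window for a hypothetical /login page (not real traffic):
    account names are letters, digits and a little punctuation; passwords stay at
    14 characters or fewer, so the learned limit becomes 21."""
    profile = PageProfile()
    for request in (
        {"account": "alice", "password": "hunter2hunter2"},
        {"account": "bob.smith", "password": "Tr0ub4dor"},
        {"account": "carol_9", "password": "c0rrect-horse"},
    ):
        profile.observe(request)
    profile.finish_learning()
    return profile


if __name__ == "__main__":
    login = build_login_profile()
    # A later request that breaks the mode: a markup character in the account
    # and a very long password, the two symptoms described in the text.
    print(login.check({"account": "dave<", "password": "x' UNION SELECT name, pw FROM users --"}))
```

The profile is only as good as its learning window: an unusually long or quote-bearing legitimate value seen during learning widens the mode for everyone, and a field never exercised during learning is reported as unknown rather than silently accepted, which is the trade-off between false positives and coverage that the text's discussion of recognition rate points at.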
Web self-learning technology starts from the specifics of the Web service itself: anything outside my routine is an anomaly, and this is also a kind of intrusion detection technology. Compared with a simple Web firewall, which only issues "orders" to the intruder, it also establishes internal "rules" for the house itself; this two-way control is obviously better than one-way.
After Citrix acquired Teros, its application firewall derived user behaviour patterns for Web services by analysing two-way traffic and established several user behaviour models. Once you match a certain model, your behaviour is measured against that model's behaviour, and any "deviant" attempt is blocked immediately. This adaptive learning engine is somewhat similar to Imperva's Web self-learning, but one focuses on learning web page features and the other on learning the rules of user access.
From a security perspective, the combination of self-learning technology and intrusion prevention is an ideal choice.
The future of the Web firewall:
There is a view that, because the load balancing and Web acceleration devices in front of the Web server are indispensable, and the Web server group's egress is a single path, the Web firewall's function may merge into these devices. This development trend is similar to the evolution of the gateway UTM from separate FW, IPS, AV, VPN and other devices: UTM is a collection of these gateways.
But I have a different view: UTM is deployed at the network's external connection point, generally the Internet exit, where it provides network security isolation; the bandwidth there is expensive, so users with large bandwidth are very limited. The Web server group, by contrast, is connected to the network's main switch to provide application processing capability; the parameters required are usually the number of concurrent users and the number of online users, the servers generally have Gigabit interfaces, and current switches can achieve switching capacities of dozens of TB. A multi-function security product on such a high-traffic link must also perform application-layer detection, the hardware pressure on the product is huge, and products that achieve "line-rate" throughput are expensive, so the idea of merging the Web firewall remains open to discussion.