Eight techniques for firewall implementation

xiaoxiao 2021-03-06

Article Source: CCID

Technical World: What is application security? Application security means protecting networked applications and the information they handle, such as credit card numbers, confidential data and user files. Why is it so hard to protect these applications from malicious attacks? The weakest link is that the network firewall lets attackers in through port 80 (used mainly for HTTP) and port 443 (used for SSL). So how can a firewall discover and block these attacks? The eight application security techniques are summarized below.

Deep packet processing

Deep packet processing, sometimes called deep packet inspection or semantic inspection, correlates multiple packets into a data stream and keeps state for the whole stream while looking for abnormal behavior. It must analyze, inspect and reassemble application traffic at high speed so that the application sees no added delay. Each of the techniques below represents a different level of deep packet processing.

TCP / IP termination

An application layer attack spans many packets and often many requests, that is, several data streams. To find attack behavior, the traffic analysis system must be able to inspect the packets and requests across the user's entire session with the application. At a minimum, this requires terminating the transport layer protocol and looking for malicious patterns across the whole data stream.

SSL termination

Today almost all security-sensitive applications use HTTPS to keep communication confidential. But an SSL stream is encrypted end to end, so it is opaque to passive sensors such as intrusion detection system (IDS) products. To block malicious traffic, the application firewall must terminate SSL and decrypt the stream so that it can inspect the traffic in clear text. This is the minimum requirement for protecting application traffic. If your security policy does not allow sensitive information to cross the network unencrypted, you also need a solution that re-encrypts the traffic before it is sent on to the web server.

URL filter

Once the application traffic is in clear text, the URL portion of the HTTP request must be inspected for signs of a malicious attack, such as suspicious Unicode encoding. Signature-based URL filtering simply looks for matches against a periodically updated list of patterns and filters out URLs associated with known attacks such as Code Red and Nimda; this is far from enough. A solution must check not only the URL but also the rest of the request, and taking the application's response into account greatly improves the accuracy of attack detection. URL filtering is an important operation and blocks the usual script-kiddie attacks, but it is weak against most application layer vulnerabilities.
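The URL filtering stage described above, as an added Python example that is not part of this article or of any firewall product: the URL is percent-decoded until it stops changing (so double encoding cannot hide a pattern), byte sequences that are not valid UTF-8 (the overlong "Unicode" encodings the text alludes to) are rejected outright, and the canonical form is matched against a signature list. The signature patterns and sample URLs are constructed for illustration; a real product loads a periodically updated feed.

```python
import re
from urllib.parse import unquote

# Constructed signature set standing in for a vendor's updated feed.
SIGNATURES = {
    "directory traversal": re.compile(r"(?:^|/)\.\.(?:/|$)"),
    "ida overflow (Code Red style)": re.compile(r"\.ida\?", re.IGNORECASE),
    "shell invocation (Nimda style)": re.compile(r"/(?:cmd|root)\.exe", re.IGNORECASE),
}


def normalize_url(raw_url: str) -> str:
    """Percent-decode until the URL stops changing (catches double encoding),
    rejecting byte sequences that are not valid UTF-8. Overlong encodings such
    as %c0%af, which some servers once decoded as '/', fail here because the
    strict UTF-8 decoder refuses them. Backslashes and repeated slashes are then
    collapsed so that every signature sees one canonical form."""
    current = raw_url
    for _ in range(3):  # bounded: no need to chase unbounded nesting
        decoded = unquote(current, errors="strict")  # raises UnicodeDecodeError
        if decoded == current:
            break
        current = decoded
    current = current.replace("\\", "/")
    return re.sub(r"/{2,}", "/", current)


def check_url(raw_url: str):
    """Return (allowed, reason). Malformed encodings are blocked outright;
    otherwise the normalized URL is matched against every signature."""
    try:
        url = normalize_url(raw_url)
    except UnicodeDecodeError:
        return False, "invalid percent-encoding (possible overlong Unicode)"
    for name, pattern in SIGNATURES.items():
        if pattern.search(url):
            return False, name
    return True, "no signature matched"


if __name__ == "__main__":
    # Constructed sample URLs as an application firewall might see them.
    for sample in ["/index.html",
                   "/scripts/..%c0%af../winnt/system32/cmd.exe",
                   "/default.ida?NNNNNNNNNNNNNNNN",
                   "/%252e%252e/etc/passwd"]:
        print(sample, "->", check_url(sample))
```

Decoding before matching is the whole point: a signature applied to the raw request line never sees `%252e%252e/` as `../`. Note that the filter still knows nothing about the application, which is exactly the weakness the text describes.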

Request analysis

Comprehensive request analysis is more effective than URL filtering alone, and prevents cross-site scripting and other vulnerabilities at the web server layer. It takes URL filtering one step further: it makes sure the request is well formed and complies with the HTTP specification, and that each part of the request stays within reasonable size limits. This is very effective against buffer overflow attacks. However, request analysis is still a stateless technique: it can only examine the current request. As we know, remembering previous behavior makes the analysis far more meaningful and gives deeper protection.
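A stateless request analyzer of the kind the paragraph describes, as an added Python example that is not part of this article or of any product. It parses one raw HTTP/1.x request, checks the request line, headers and body against the specification (method, version, Host header, header syntax, duplicate headers, Content-Length consistency) and against size limits, and returns every violation it finds. The limits, method list and sample requests are constructed assumptions.

```python
import re

# Constructed limits; a deployment tunes these per application.
LIMITS = {
    "request_line": 2048,   # bytes in "METHOD target HTTP/x.y"
    "header_name": 64,
    "header_value": 4096,
    "header_count": 50,
    "body": 1024 * 1024,
}
ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(1\.[01])$")
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")  # header field-name per RFC 7230


def analyze_request(raw: bytes) -> list:
    """Stateless check of a single HTTP/1.x request. Returns the list of
    violations found (an empty list means the request is accepted). Every
    check looks only at this request, which is the limitation the text notes."""
    violations = []
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["request head not terminated by an empty line"]
    try:
        lines = [line.decode("ascii") for line in head.split(b"\r\n")]
    except UnicodeDecodeError:
        return ["non-ASCII bytes in request head"]
    request_line, header_lines = lines[0], lines[1:]

    # Request line: size, shape, method and target form.
    if len(request_line) > LIMITS["request_line"]:
        violations.append("request line exceeds size limit")
    match = REQUEST_LINE.match(request_line)
    version = None
    if match is None:
        violations.append("request line is not 'METHOD target HTTP/1.x'")
    else:
        method, target, version = match.groups()
        if method not in ALLOWED_METHODS:
            violations.append(f"method {method} not permitted")
        if not target.startswith("/"):
            violations.append("request target must be in origin form")

    # Headers: count, syntax, duplicates and size.
    if len(header_lines) > LIMITS["header_count"]:
        violations.append("too many header lines")
    headers = {}
    for line in header_lines:
        name, colon, value = line.partition(":")
        if not colon or not TOKEN.match(name):
            violations.append(f"malformed header line {line[:40]!r}")
            continue
        value = value.strip()
        if len(name) > LIMITS["header_name"] or len(value) > LIMITS["header_value"]:
            violations.append(f"header {name} exceeds size limit")
        if name.lower() in headers:
            violations.append(f"duplicate header {name}")
        headers[name.lower()] = value
    if version == "1.1" and "host" not in headers:
        violations.append("HTTP/1.1 request without Host header")

    # Body: the declared length must be numeric, bounded and truthful.
    if "content-length" in headers:
        declared = headers["content-length"]
        if not declared.isdigit():
            violations.append("Content-Length is not a non-negative integer")
        elif int(declared) > LIMITS["body"]:
            violations.append("declared body exceeds size limit")
        elif int(declared) != len(body):
            violations.append("Content-Length does not match body length")
    elif body:
        violations.append("body present without Content-Length")
    return violations


# Constructed sample requests.
SAMPLE_OK = b"GET /index.html HTTP/1.1\r\nHost: shop.example\r\n\r\n"
SAMPLE_OVERSIZED = b"GET /" + b"A" * 5000 + b" HTTP/1.1\r\nHost: shop.example\r\n\r\n"
SAMPLE_BAD_LENGTH = (b"POST /login HTTP/1.1\r\nHost: shop.example\r\n"
                     b"Content-Length: abc\r\n\r\n")

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_OVERSIZED, SAMPLE_BAD_LENGTH):
        print(sample[:40], "->", analyze_request(sample) or "accepted")
```

The size limit on the request line is what stops the oversized-URL class of buffer overflow the text mentions; the duplicate-header and Content-Length checks catch requests that two parsers might read differently.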

User session tracking

The next, more advanced technique is user session tracking. This is the most basic element of stateful inspection of application traffic: tracking the user's session and correlating the behavior of a single user. It is usually implemented with a session cookie or with URL rewriting. Once the requests of a single user are tracked, very strict checks can be applied to the cookie, which effectively defends against session hijacking and cookie poisoning. Effective session tracking not only tracks cookies created by the application firewall but also digitally signs the cookies generated by the application, so that they cannot be tampered with. This requires tracking the response to each request and extracting the cookie information from it.

Response pattern matching

Response pattern matching provides more comprehensive protection: it checks not only the requests to the web server but also the web server's responses. It prevents web site defacement, or more precisely prevents a defaced page from being served to users. Matching patterns in the response is the counterpart of URL filtering on the request side. Response pattern matching works at three levels. Anti-defacement is performed by the application firewall, which digitally signs the site's static content; if it finds that content has changed after leaving the web server, the firewall replaces the defaced page with the original content. To handle sensitive information leakage, the application firewall monitors responses for patterns that may indicate a server problem, such as a long Java exception trace. If such a pattern is found, the firewall removes it from the response or simply blocks the response.

The "stop-and-go words" solution looks for predefined general patterns that must, or must not, appear in the responses the application generates. For example, you can require every page served by the application to carry a copyright notice.
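The response-side processing from the last three sections (user session tracking, response pattern matching and stop-and-go words) as one added Python example that is not part of this article or of any product. On the way out the firewall signs the application's session cookie with an HMAC and inspects the body at the three levels the text names: a signed static page that has changed is replaced with the original, a leaked Java exception trace is cut out, and a forbidden or missing required pattern blocks the page. On the way in the cookie's signature is verified, so a tampered cookie never reaches the application. The key, cookie name, static page, patterns and sample responses are constructed assumptions.

```python
import base64
import hashlib
import hmac
import re

KEY = b"constructed-firewall-key-not-for-production"
SESSION_COOKIE = "JSESSIONID"  # assumption: the application's session cookie name


def _tag(value: str) -> str:
    """HMAC-SHA256 tag, base64url without padding, so it fits in a cookie value."""
    digest = hmac.new(KEY, value.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def sign_set_cookie(set_cookie: str) -> str:
    """Session tracking, outbound: sign the application's session cookie."""
    name, _, rest = set_cookie.partition("=")
    if name.strip() != SESSION_COOKIE:
        return set_cookie
    value, semicolon, attributes = rest.partition(";")
    return f"{name}={value}.{_tag(value)}{semicolon}{attributes}"


def verify_cookie(cookie_header: str):
    """Session tracking, inbound: returns (ok, original value) or (False, reason).
    A request without a session cookie is a new visitor and passes."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name != SESSION_COOKIE:
            continue
        original, dot, tag = value.rpartition(".")
        if not dot:
            return False, "session cookie carries no signature"
        if not hmac.compare_digest(tag, _tag(original)):
            return False, "session cookie signature mismatch"
        return True, original
    return True, None


# Level 1: static content signed when the site is published (constructed page).
ORIGINALS = {"/index.html": b"<html><body><h1>Welcome</h1>"
                            b"<p>&copy; 2021 Example Corp</p></body></html>"}
STATIC_SIGNATURES = {p: hmac.new(KEY, b, hashlib.sha256).hexdigest() for p, b in ORIGINALS.items()}
# Level 2: patterns that betray a server problem (constructed: Java exception and stack frame).
LEAK_PATTERNS = [re.compile(rb"java\.lang\.\w+(?:Exception|Error)[^\n<]*"),
                 re.compile(rb"\tat [\w.$]+\(\w+\.java:\d+\)")]
# Level 3: stop-and-go words (constructed): copyright notice required, internal marker forbidden.
REQUIRED = [re.compile(rb"&copy; 2021 Example Corp")]
FORBIDDEN = [re.compile(rb"INTERNAL USE ONLY")]


def inspect_response(path: str, body: bytes):
    """Return (action, body, reason); action is 'pass', 'replace', 'redact' or 'block'."""
    if path in STATIC_SIGNATURES:  # level 1: anti-defacement
        seen = hmac.new(KEY, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(seen, STATIC_SIGNATURES[path]):
            return "replace", ORIGINALS[path], "static content changed after publication"
    action, reasons = "pass", []
    for pattern in LEAK_PATTERNS:  # level 2: cut leaked details out of the page
        if pattern.search(body):
            body = pattern.sub(b"[removed by application firewall]", body)
            action, reasons = "redact", reasons + [f"removed {pattern.pattern.decode()!r}"]
    for pattern in FORBIDDEN:  # level 3: stop words
        if pattern.search(body):
            return "block", b"", f"forbidden pattern {pattern.pattern.decode()!r}"
    for pattern in REQUIRED:  # level 3: go words
        if not pattern.search(body):
            return "block", b"", f"required pattern {pattern.pattern.decode()!r} missing"
    return action, body, "; ".join(reasons) or "ok"


def filter_response(path: str, body: bytes, set_cookie: str = ""):
    """One response through both stages: cookie signing, then body inspection."""
    signed = sign_set_cookie(set_cookie) if set_cookie else ""
    return signed, inspect_response(path, body)


# Constructed response body that leaks a stack trace.
LEAKY = (b"<html><body><p>&copy; 2021 Example Corp</p><pre>"
         b"java.lang.NullPointerException: cart is null\n"
         b"\tat com.example.shop.Checkout.total(Checkout.java:42)\n</pre></body></html>")

if __name__ == "__main__":
    cookie, result = filter_response("/checkout", LEAKY, "JSESSIONID=abc123; Path=/; HttpOnly")
    print(cookie)
    print(result)
    print(verify_cookie("JSESSIONID=" + cookie.split(";")[0].split("=", 1)[1]))
    print(inspect_response("/index.html", b"<html><body><h1>Owned</h1></body></html>")[0])
```

The signature is verified with a constant-time comparison, and the application never sees the tag, only its own original value. Replacing a defaced page requires the firewall to keep a copy of the signed static content, which is why this level only covers static pages.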

Behavior modeling

Behavior modeling, sometimes called the positive security model or "white list" security, is the only protection mechanism that can defend against the hardest class of application vulnerability: the zero-day vulnerability. A zero-day vulnerability is one for which no attack has yet been written or that is "still unknown". The only way to handle such attacks is to allow only behavior known to be good and prohibit everything else. This requires modeling the application's behavior, which in turn requires a thorough analysis of every response to every request to the application, in order to identify the behavioral elements on each page, such as form fields, buttons and hyperlinks. Analysis at this level can uncover malicious form-field and hidden-form-field manipulation, while also enforcing very strict control over which URLs users are allowed to reach. Behavior modeling is the only technique that can effectively deal with all 16 classes of application vulnerability.

Behavior modeling is a good concept, but its effectiveness is often limited by its strictness. Some situations, such as heavy use of JavaScript or an application that deliberately deviates from the model, can cause behavior modeling to make mistakes, producing false positives that refuse legitimate access to the application. Behavior modeling therefore needs some degree of human intervention to improve the accuracy of the security model. Automatic behavior prediction, also described as automatic behavior generation, is strictly speaking not a traffic inspection technique but a meta-inspection technique: it analyzes traffic, builds the behavior model, and through various correlation techniques generates a set of rules applied to the behavior model to increase accuracy. The advantage of behavior modeling is that it configures itself automatically after a short learning period.
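A minimal behavior model of the kind described above, as an added Python example that is not part of this article or of any product. During learning it parses the application's own responses to record the links it offers, the forms it serves, each form's fields and the values of hidden fields. During enforcement a request is allowed only if its URL was offered to the user, its method matches the form, every submitted field belongs to the form, and every hidden field still carries the value the application set. The sample page and the requests checked against it are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit


class BehaviorModel:
    """White list learned from the application's own pages: which URLs it has
    offered to the user, which forms exist, which fields each form has, and the
    values of its hidden fields."""

    def __init__(self):
        self.urls = set()
        self.forms = {}  # path -> {"method": str, "fields": {name: hidden value or None}}

    def learn(self, html: str):
        _ModelBuilder(self).feed(html)

    def allow_url(self, href: str):
        self.urls.add(urlsplit(href).path)

    def allow_form(self, action: str, method: str):
        path = urlsplit(action).path
        self.urls.add(path)
        return self.forms.setdefault(path, {"method": method, "fields": {}})

    def check(self, method: str, target: str, body: str = ""):
        """Return (allowed, reason) for an incoming request."""
        path, _, query = target.partition("?")
        if path not in self.urls:
            return False, f"{path} was never offered to the user"
        form = self.forms.get(path)
        if form is None:
            return (True, "ok") if method == "GET" else (False, f"{method} to a non-form URL")
        if method != form["method"]:
            return False, f"form {path} expects {form['method']}, got {method}"
        submitted = parse_qs(body if method == "POST" else query, keep_blank_values=True)
        for name, values in submitted.items():
            if name not in form["fields"]:
                return False, f"unexpected field {name}"
            expected = form["fields"][name]
            if expected is not None and values != [expected]:
                return False, f"hidden field {name} manipulated"
        return True, "ok"


class _ModelBuilder(HTMLParser):
    """Extracts links, forms and fields from one application response."""

    def __init__(self, model: BehaviorModel):
        super().__init__()
        self.model = model
        self.form = None

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "a" and attr.get("href"):
            self.model.allow_url(attr["href"])
        elif tag == "form":
            self.form = self.model.allow_form(attr.get("action") or "",
                                              (attr.get("method") or "get").upper())
        elif tag in ("input", "select", "textarea") and self.form is not None and attr.get("name"):
            hidden = (attr.get("type") or "").lower() == "hidden"
            self.form["fields"][attr["name"]] = attr.get("value") if hidden else None

    def handle_endtag(self, tag):
        if tag == "form":
            self.form = None


# Constructed sample page standing in for a response captured during learning.
SAMPLE_PAGE = """<html><body>
<a href="/catalog">Catalog</a> <a href="/help?topic=orders">Help</a>
<form action="/checkout" method="post">
  <input type="hidden" name="item" value="SKU-100">
  <input type="hidden" name="price" value="49.99">
  <input type="text" name="qty">
  <input type="submit" value="Buy">
</form>
</body></html>"""


def build_sample_model() -> BehaviorModel:
    model = BehaviorModel()
    model.learn(SAMPLE_PAGE)
    return model


if __name__ == "__main__":
    model = build_sample_model()
    print(model.check("GET", "/catalog"))
    print(model.check("POST", "/checkout", "item=SKU-100&price=49.99&qty=2"))
    print(model.check("POST", "/checkout", "item=SKU-100&price=0.01&qty=2"))
    print(model.check("GET", "/admin"))
```

The false-positive problem the text describes is visible here: a link or form that the page builds with JavaScript never passes through the HTML parser, so a legitimate user who follows it is refused. That is why the model needs a learning period and human review before it is enforced.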

Protecting port 80 is one of the most important and most difficult challenges facing security personnel. Fortunately, innovative solutions to this problem exist and are constantly improving. If you integrate an application firewall that can block all 16 classes of application vulnerability into a layered security infrastructure, you can solve the application security problem.

Please credit the original address when reposting: https://www.9cbs.com/read-71380.html
