Cyber Security-WAF

What is WAF?

WAF is the abbreviation of Web Application Firewall, also known as a website application-level intrusion prevention system. A WAF is an overall web security protection product that integrates web protection, web page protection, load balancing and application delivery.

A WAF is deployed in front of the web server, in-line on the traffic path. It therefore needs not only high hardware performance but also must never take the web service down, so high availability (HA) and bypass functions are mandatory, and it must coordinate with load balancers, web caches and the other products commonly deployed in front of web servers. Note the trade-off built into bypass: a WAF that fails open keeps the site reachable, but a WAF outage then silently removes all protection, so bypass events must be monitored and alerted on.

WAF main technology

The core technology of a WAF is intrusion detection, specifically detection of attacks against web services. Common implementations include proxy service, feature (signature) recognition, algorithmic recognition and pattern matching.

Proxy service

The proxy method is itself a kind of security gateway. A session-based bidirectional proxy breaks the direct connection between the user and the server, and it can handle the various encrypted protocols: to inspect HTTPS the proxy terminates TLS itself, which means it holds the site's certificate and private key and must be protected accordingly. Proxying is also the technology most commonly used by web caches. It effectively keeps intruders from reaching the server directly, dampens DDoS attacks and suppresses unexpected "special" behaviour.

Feature recognition

Identifying the intruder is the prerequisite for protecting against it. A feature is the attacker's "fingerprint": the shellcode in a buffer overflow, or the always-true expression (1=1) common in SQL injection. There is no "standard" for application data, but every piece of software and every behaviour has its own unique attributes; viruses and worms are identified the same way. The trouble is that every attack has its own features and there are a great many of them, so the chance of false positives is likewise high, and a payload that is encoded or obfuscated differently from the recorded fingerprint is missed. Although the number of malicious-code features grows exponentially and parts of the security community have argued for abandoning this technique, there is still no particularly good alternative for recognising application-layer attacks.

Algorithm identification

Because feature recognition has these shortcomings, people looked for new methods. Attacks are categorised by type and the features of each type are generalised into a pattern, so detection is no longer a comparison against individual features. Algorithmic recognition is somewhat similar to pattern recognition but is highly dependent on the attack method: SQL injection, DDoS, XSS and so on each need their own recognition algorithm. Algorithmic recognition aims at semantic understanding of the input rather than recognition by its "appearance".

Pattern matching

This is the "old" technology from IDS: attack behaviour is summarised into a pattern, and a request that matches the pattern is judged to be an intrusion. Protocol patterns are simple, since they are defined from the steps of the standard protocol; behaviour patterns are more complex.
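The difference between feature recognition and algorithmic recognition described above is easiest to see side by side. The following is an added example, not code from the original page: a handful of constructed regex signatures next to a small SQL lexer that looks at the shape of a parameter value rather than its spelling. The rule set, the lexer, and the sample inputs are all constructed for this illustration; a production engine such as libinjection or the OWASP Core Rule Set is far larger.

```python
"""Feature (signature) recognition versus algorithmic (semantic) recognition
of SQL injection. Added illustration; not code from the original page.
The signatures, the lexer and the sample inputs are constructed."""
import re
from urllib.parse import unquote_plus

# --- Feature recognition: fixed "fingerprints" of known payloads ----------
SIGNATURES = {
    "sqli_tautology": re.compile(r"\b(?:or|and)\s+(['\"]?)(\w+)\1\s*=\s*\1\2\1", re.I),
    "sqli_union":     re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I),
    "xss_script_tag": re.compile(r"<\s*script\b", re.I),
}


def signature_match(value):
    """Names of every signature that fires on the URL-decoded value."""
    decoded = unquote_plus(value)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


# --- Algorithmic recognition: lex the value as SQL and inspect its shape ---
TOKEN_RE = re.compile(r"""
    (?P<str>'(?:[^']|'')*'|"(?:[^"]|"")*")    # complete string literal
  | (?P<comment>/\*.*?\*/|--.*|\#.*)          # SQL comments (act as whitespace)
  | (?P<num>\d+(?:\.\d+)?)
  | (?P<word>[A-Za-z_]\w*)
  | (?P<cmp><>|[=<>!]=?)
  | (?P<quote>['"])                           # quote that closes the app's own literal
  | (?P<punct>[();,+\-*/])
  | (?P<ws>\s+)
  | (?P<other>.)
""", re.X | re.S)
SQL_BOOL = {"or", "and"}
OPERAND = {"str", "num", "word"}


def lex(text):
    """Tokenise SQL-ish text, dropping whitespace."""
    return [(m.lastgroup, m.group()) for m in TOKEN_RE.finditer(text)
            if m.lastgroup != "ws"]


def _has_predicate(tokens):
    """True for <bool-keyword> <operand> <comparison> <operand>, or UNION ...
    SELECT, after removing comments and stray quotes as a SQL parser would."""
    t = [(k, v) for k, v in tokens if k not in ("comment", "quote")]
    words = {v.lower() for k, v in t if k == "word"}
    if {"union", "select"} <= words:
        return True
    for i in range(len(t) - 3):
        k, v = t[i]
        if (k == "word" and v.lower() in SQL_BOOL and t[i + 1][0] in OPERAND
                and t[i + 2][0] == "cmp" and t[i + 3][0] in OPERAND):
            return True
    return False


def semantic_sqli(value):
    """Try the value bare and as the tail of a single- or double-quoted
    literal, since the WAF cannot know how the application embeds it."""
    decoded = unquote_plus(value)
    for q in ("", "'", '"'):
        tokens = lex(q + decoded + q)
        if _has_predicate(tokens):
            return True
        # A quote that ends the app's literal followed by a comment discards
        # the rest of the real query (the admin'-- pattern).
        kinds = [k for k, _ in tokens]
        if ("quote" in kinds and "comment" in kinds
                and kinds.index("quote") < kinds.index("comment")):
            return True
    return False


if __name__ == "__main__":
    # Constructed inputs: two benign values, then payloads with growing obfuscation.
    for sample in ["rock and roll", "O'Reilly", "1 or 1=1", "1 or 2>1",
                   "' or '1'='1", "admin'--", "'/**/OR/**/1=1"]:
        print(f"{sample!r:22} signatures={signature_match(sample)} "
              f"semantic={semantic_sqli(sample)}")
```

The signature catches the textbook `1 or 1=1` but misses `1 or 2>1`, the quote-delimited `' or '1'='1` and the comment-padded `'/**/OR/**/1=1`, because its regex encodes one spelling; the lexer flags all of them because each still has the structure of a SQL predicate or a quote-then-comment. Neither approach is free of false positives: a search string such as `x=x or y=y` trips both, which is exactly the recognition-rate problem the text goes on to discuss.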

The biggest challenge

The biggest challenge for a WAF is its recognition rate, which is not an easy indicator to measure, because not every intruder who gets into a website makes noise. For example, when a page has been trojaned (a drive-by download planted in the page), it is hard to tell which request got in, and such cases naturally cannot be counted. For known attack methods one can talk about a recognition rate; for unknown methods one has to wait until the attacker "jumps out".

WAF classification

WAFs can be divided into hardware WAFs, software WAFs and cloud WAFs.

Hardware WAF

Usually deployed in-line in front of the web server to detect and block abnormal traffic. Proxy technology takes over the external traffic and parses each request, which is then matched against the attack rules in the security rule base; a request that matches a rule is classified as abnormal and blocked.

Software WAF

Usually deployed on the server that needs protecting. Requests are detected and blocked either by listening on the port (a local reverse proxy in front of the service) or by extending the web container (a server module or application middleware).

Cloud WAF

A cloud WAF, also called the cloud model of web application firewall, lets users protect a website without installing software or deploying hardware in their own network. Its main implementation is DNS-based: protection is switched on by handing over the domain's resolution so that the name points at the provider's nodes. The user's request first reaches the cloud node for inspection; an abnormal request is intercepted, otherwise the request is forwarded to the real server. Because the real server keeps its own public address, it must be configured to accept traffic only from the provider's address ranges; otherwise an attacker who learns the origin IP simply bypasses the cloud WAF.

WAF effect

The role of a WAF mainly comprises web protection and prevention of web information leakage, as follows:

Web protection

1. Network layer: DDoS attacks, SYN flood, ACK flood, HTTP/HTTPS flood (CC attack), slow attacks;

2. Application layer: URL black and white lists, HTTP protocol conformance (including special character filtering, request method, and content transfer method, for example multipart/form-data, text/xml, application/x-www-form-urlencoded);

3. Injection attacks (form and URL parameters, POST and GET): SQL injection defence, LDAP injection defence, command injection protection (OS commands, webshells, etc.), XPath injection, XML/JSON injection, and XSS attacks (form and URL parameters, POST and GET), currently divided into three types: stored (the most harmful and widespread), reflected, and DOM-based XSS;

4. Directory traversal (path traversal);

5. Form data validation and protection against form tampering and injection (validation of bank card numbers, data, dates, etc.);

6. Authentication management and session hijacking (cookie encryption: protection against session hijacking, including cookie timeouts);

7. Content filtering (chiefly of uploaded content in POST forms and GET parameters; the main application is forums);

8. Web server vulnerability concealment (hiding the Apache version, hiding the site's technology);

9. Crawler protection (based on source IP, periodically judging the number of visits, with a whitelist of exempted crawlers);

10. CSRF (cross-site request forgery), which the WAF can address with a token scheme;

11. Tamper protection (including hotlink protection): the WAF periodically crawls the server's pages and compares them with a reference copy; if tampering is found, clients are served the WAF's copy of the page;

12. Web server vulnerability scanning (simulate attacks, determine defects, and automatically configure the corresponding rules);

13. Cache acceleration (optimisation of static pages, PDFs, images and so on, which requires periodic mirroring);

14. Error code filtering (error pages let an attacker probe the service and its directory structure);

15. Site conversion (URL rewriting);

16. Attack lockout (on detecting an attack, lock out the user);

17. Anti-virus checks;

18. Encrypted transmission (HTTP to HTTPS conversion, that is, client-to-WAF traffic uses HTTPS while WAF-to-server traffic uses HTTP; the plaintext hop is only acceptable on a network segment the WAF and server share and nobody else can observe);

19. URL ACL (URLs matched against access rules).
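Several of the request-side items above (protocol conformance, path traversal, crawler rate limiting, CSRF tokens) can be shown working together in the "extend the web container" form of a software WAF. The following is an added example, not code from the page or from any product it describes: a WSGI middleware that runs those checks before the application sees the request. Every policy value (allowed methods and content types, the crawler allowlist, the rate limit, the CSRF key) and the choice of an X-CSRF-Token header are assumptions made for the example.

```python
"""Request-side WAF checks packaged as a WSGI middleware: the "extend the
web container" form of a software WAF. In a hardware or cloud WAF the same
checks run in the reverse proxy in front of the server. Added example, not
code from the page; every policy value and the X-CSRF-Token header are
assumptions."""
import hashlib
import hmac
import time
from collections import defaultdict, deque
from urllib.parse import unquote

ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_CONTENT_TYPES = {"application/x-www-form-urlencoded",
                         "multipart/form-data", "text/xml", "application/json"}
CRAWLER_ALLOWLIST = {"203.0.113.10"}           # constructed "known good" bot
RATE_LIMIT, RATE_WINDOW = 20, 60.0             # requests per source IP per window
CSRF_KEY = b"constructed-demo-key"             # assumption: shared with the app
_hits = defaultdict(deque)                     # per-IP request timestamps


def protocol_check(method, content_type, path):
    """HTTP protocol-conformance rules: method, body encoding, odd characters."""
    if method not in ALLOWED_METHODS:
        return "method not allowed"
    if method == "POST":
        media = content_type.split(";", 1)[0].strip().lower()
        if media not in ALLOWED_CONTENT_TYPES:
            return "content-type not allowed"
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in path):
        return "control character in path"
    return None


def traversal_check(path):
    """Directory traversal: decode twice (catches %252e%252e), treat backslash
    as a separator, then refuse any '..' segment."""
    decoded = unquote(unquote(path)).replace("\\", "/")
    return "path traversal" if ".." in decoded.split("/") else None


def csrf_token(session_id):
    """Token bound to the session cookie (double-submit pattern); the
    application embeds it in every form and the client echoes it back."""
    return hmac.new(CSRF_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_check(method, session_id, submitted):
    if method != "POST":
        return None
    if not session_id or not submitted:
        return "csrf token missing"
    if not hmac.compare_digest(csrf_token(session_id), submitted):
        return "csrf token mismatch"
    return None


def rate_check(src_ip, now=None):
    """Crawler protection: sliding-window count per source IP; allow-listed
    crawlers are exempt. `now` is injectable so the logic can be tested."""
    if src_ip in CRAWLER_ALLOWLIST:
        return None
    now = time.monotonic() if now is None else now
    window = _hits[src_ip]
    while window and now - window[0] > RATE_WINDOW:
        window.popleft()
    window.append(now)
    return "rate limit exceeded" if len(window) > RATE_LIMIT else None


def inspect(environ):
    """Run the checks in order and return the first block reason, or None."""
    method = environ.get("REQUEST_METHOD", "GET")
    path = environ.get("PATH_INFO", "/")
    cookies = dict(c.strip().split("=", 1)
                   for c in environ.get("HTTP_COOKIE", "").split(";") if "=" in c)
    return (protocol_check(method, environ.get("CONTENT_TYPE", ""), path)
            or traversal_check(path)
            or csrf_check(method, cookies.get("session"), environ.get("HTTP_X_CSRF_TOKEN"))
            or rate_check(environ.get("REMOTE_ADDR", "")))


def waf_middleware(app):
    """Wrap any WSGI app; blocked requests never reach it."""
    def wrapped(environ, start_response):
        reason = inspect(environ)
        if reason:
            body = ("blocked: " + reason).encode()
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        return app(environ, start_response)
    return wrapped


def _upstream(environ, start_response):
    """Stand-in for the protected application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello from the application"]


def handle(environ):
    """Drive the wrapped app with a constructed WSGI environ; returns (status, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
    body = b"".join(waf_middleware(_upstream)(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    print(handle({"REQUEST_METHOD": "GET", "PATH_INFO": "/images/..%2f..%2fetc/passwd",
                  "REMOTE_ADDR": "198.51.100.5"}))
```

The order of the checks matters: the cheap protocol and path rules run first so that malformed requests never reach the HMAC or the rate-limit state, and the rate limiter is last so that blocked requests do not consume a visitor's quota. In a real deployment the session and CSRF secrets would come from configuration and the hit table from shared storage, since a multi-process server would otherwise keep one window per worker.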

Prevent Web Information Leakage

Bank card numbers (credit and debit cards), social security numbers, driver's licence numbers and the like are masked so they are not displayed in full.

Sensitive word filtering: keywords in web content (politically sensitive words, technical keywords, etc.).

Prevention of file leakage (Word, PDF and other document types stored on the web server, and their keywords).
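The leakage controls in this section, together with items 8 (hiding the server version) and 14 (error code filtering) from the protection list, all act on the response rather than the request. The following is an added example, not code from the page: a response filter that strips fingerprinting headers, replaces error pages with one generic page, refuses document types served from outside a published download area, and masks Luhn-valid card numbers and configured keywords in the body. The header names, the /downloads/ prefix, the keyword list and the sample responses are constructed assumptions.

```python
"""Response-side WAF controls: strip server fingerprints, replace error
pages that would let a scanner map the site, block document types served
outside the published area, and mask card numbers and sensitive words in
the body. Added example, not code from the page; the policy lists, the
/downloads/ prefix and the sample responses are constructed."""
import re

FINGERPRINT_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}
DOCUMENT_TYPES = {"application/pdf", "application/msword",
                  "application/vnd.openxmlformats-officedocument.wordprocessingml.document"}
PUBLISHED_PREFIX = "/downloads/"                      # assumed public download area
SENSITIVE_WORDS = ["db_password", "internal-only"]    # constructed keyword list
GENERIC_ERROR = b"<html><body>The request could not be completed.</body></html>"
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")      # 13-19 digits, optional separators


def luhn_ok(digits):
    """Luhn checksum, so order numbers and timestamps are not masked."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pans(text):
    """Replace every Luhn-valid card number, keeping only the last four digits."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group())
        return "*" * (len(digits) - 4) + digits[-4:] if luhn_ok(digits) else m.group()
    return PAN_RE.sub(repl, text)


def get_header(headers, name):
    return next((v for k, v in headers if k.lower() == name.lower()), "")


def set_header(headers, name, value):
    return [(k, v) for k, v in headers if k.lower() != name.lower()] + [(name, value)]


def filter_response(path, status, headers, body):
    """Return (status, headers, body) as the client should see them."""
    headers = [(k, v) for k, v in headers if k.lower() not in FINGERPRINT_HEADERS]
    ctype = get_header(headers, "Content-Type").split(";", 1)[0].strip().lower()
    if ctype in DOCUMENT_TYPES and not path.startswith(PUBLISHED_PREFIX):
        status = "403 Forbidden"            # document served outside the published area
    code = int(status.split()[0])
    if code >= 400:
        # One generic page for every error: a probe can no longer tell a
        # denied directory from a missing one, nor read a stack trace.
        status = "404 Not Found" if code == 403 else status
        body, ctype = GENERIC_ERROR, "text/html"
        headers = set_header(headers, "Content-Type", "text/html")
    if ctype.startswith("text/") or ctype == "application/json":
        text = mask_pans(body.decode("utf-8", "replace"))
        for word in SENSITIVE_WORDS:
            text = re.sub(re.escape(word), "[redacted]", text, flags=re.I)
        body = text.encode("utf-8")
    headers = set_header(headers, "Content-Length", str(len(body)))
    return status, headers, body


if __name__ == "__main__":
    # Constructed upstream response that leaks a version banner and a card number.
    print(filter_response("/account", "200 OK",
                          [("Server", "Apache/2.4.49"), ("Content-Type", "text/html")],
                          b"<p>Card 4111 1111 1111 1111, order 1234 5678 9012 3456</p>"))
```

Masking only Luhn-valid numbers is what keeps the filter usable: a sixteen-digit order reference or a timestamp stays readable, while a real card number loses all but its last four digits. Collapsing 403 into 404 is a policy choice that trades a small amount of operator convenience for denying scanners the difference between "exists but protected" and "does not exist".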


Origin www.cnblogs.com/cappuccino-jay/p/12698093.html