Web Application Firewall (WAF): concepts and features. An introduction to network defense systems

One, Background of the WAF

With the wide adoption of the B/S (browser/server) architecture, web applications have become richer in function, which means they hold more valuable information. Web applications have therefore become hackers' main target (the fifth layer, the application layer). A traditional firewall works only at the third layer (the network layer): it cannot parse the details of the HTTP application layer, and its filtering rules are too rigid to give a web application adequate defense in depth. Hence the WAF was born.

WAF (Web Application Firewall) represents a class of emerging information-security technology. A WAF is a product that provides protection specifically for web applications by enforcing a set of security policies for HTTP and HTTPS. In its early form the WAF was a rule-based protective device: rule-based protection can supply a variety of security rules for web applications, the WAF vendor maintains the rule base and updates it in real time, and users who follow these rules obtain comprehensive protection for their applications.


  
Two, Types of WAF

1. Hardware WAF
   (NSFOCUS Web Application Firewall, Imperva)
2. Software WAF
   (ngx_lua_waf, ModSecurity, Science and Technology Pavilion, Hengxin, Fortinet, Iridium Fast Information)
3. Code-embedded WAF
   (OneRASP abroad, Baidu's OpenRASP)
4. Cloud WAF
   (Alibaba Cloud Shield, etc.)


           
Three, Basic functions of a WAF

1. Protocol anomaly detection

   A web application firewall performs anomaly detection on HTTP requests and rejects requests that do not conform to the HTTP standard. It can also allow only some HTTP protocol options through, which reduces the scope for attack.
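The check described above, as an added example that is not part of the original article: a strict HTTP/1.x request-head validator of the kind a WAF's protocol-anomaly stage runs before forwarding a request. It rejects malformed request lines, methods outside a small allow-list, non-token header names, control characters in header values, a missing Host header on HTTP/1.1, and conflicting framing headers. The method allow-list, the size limits and the two sample requests are assumptions made for illustration, not any product's rules.

```python
"""Added example, not from the original article: a strict HTTP/1.x request-head
check of the kind a WAF's protocol-anomaly stage performs before a request is
forwarded. The method allow-list, size limits and sample requests are
assumptions made for illustration, not any product's rules."""
import re
from typing import List

ALLOWED_METHODS = {"GET", "POST", "HEAD"}   # narrow the protocol surface on purpose
MAX_URI_LEN = 2048
MAX_HEADER_COUNT = 64
MAX_HEADER_VALUE_LEN = 4096
# header names must be RFC 7230 tokens; request line is METHOD SP target SP HTTP/1.x
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
REQUEST_LINE_RE = re.compile(r"^([A-Z]+) (\S+) HTTP/(1\.0|1\.1)$")


def check_request(raw: bytes) -> List[str]:
    """Return the list of anomalies found in the request head; an empty list
    means the request conforms to the strict profile and may be forwarded."""
    reasons: List[str] = []
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return ["non-ASCII bytes in request head"]
    if "\r\n\r\n" not in text:
        return ["missing end-of-headers marker"]
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")

    m = REQUEST_LINE_RE.match(lines[0])
    if not m:
        return ["malformed request line"]
    method, target, version = m.groups()
    if method not in ALLOWED_METHODS:
        reasons.append(f"method not allowed: {method}")
    if len(target) > MAX_URI_LEN:
        reasons.append("request target too long")
    if not (target.startswith("/") or target == "*"):
        reasons.append("request target is not origin-form")

    headers = lines[1:]
    if len(headers) > MAX_HEADER_COUNT:
        reasons.append("too many headers")
    seen = {}   # lower-cased name -> list of values, used to spot duplicates
    for h in headers:
        if ":" not in h:
            reasons.append(f"header line without colon: {h[:20]!r}")
            continue
        name, value = h.split(":", 1)
        if not TOKEN_RE.match(name):
            reasons.append(f"invalid header name: {name!r}")
        if len(value) > MAX_HEADER_VALUE_LEN or any(
                ord(c) < 0x20 and c != "\t" for c in value):
            reasons.append(f"oversized or control characters in header {name!r}")
        seen.setdefault(name.lower(), []).append(value.strip())

    if version == "1.1" and "host" not in seen:
        reasons.append("missing Host header in HTTP/1.1 request")
    lengths = seen.get("content-length", [])
    if len(set(lengths)) > 1:
        reasons.append("conflicting Content-Length headers")
    if lengths and not lengths[0].isdigit():
        reasons.append("non-numeric Content-Length")
    if lengths and "transfer-encoding" in seen:
        reasons.append("both Content-Length and Transfer-Encoding present")
    return reasons


# constructed sample requests
GOOD = (b"GET /index.html HTTP/1.1\r\nHost: shop.example\r\n"
        b"User-Agent: demo\r\nAccept: text/html\r\n\r\n")
BAD = (b"TRACE /index.html HTTP/1.1\r\nHost: shop.example\r\n"
       b"X-Odd\x01Name: 1\r\nContent-Length: 5\r\nContent-Length: 7\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("good", GOOD), ("bad", BAD)):
        print(label, check_request(req) or "conforms")
```

The validator returns every reason rather than the first one, so the log module can record the full picture of a non-conforming request; the allow-list of methods is the "only some protocol options" narrowing that the section describes.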

2. Enhanced input validation

   Enhanced input validation effectively prevents web page tampering, information disclosure, Trojan implantation and other malicious network intrusions, thereby reducing the likelihood that the web server is attacked.

3. Rule-based protection and anomaly-based protection

   Rule-based protection can provide a variety of security rules for web applications; the WAF vendor maintains the rule base and updates it from time to time, and users can apply these rules to every aspect of detection. Some products can instead build a model from legitimate application data and use it as the basis for judging abnormal application data.

4. State management

   A WAF can determine whether a user is visiting for the first time, redirect the request to the default login page and log the event. By tracking a user's entire sequence of operations, attacks become easier to identify. State management can also detect unusual events (such as login failures) and take action when a limit is reached.


Four, Advanced features of a WAF

URL-level / page-level policy
   A WAF can apply a virtual patch to a vulnerable URL or page without modifying the source code.

Proactive access control
   A WAF can proactively identify and thwart attacks. Like today's intelligent AI, it can take the initiative to find security threats and defend against them, rather than being limited to passive protection by rules and policies.

CC attack protection
   This kind of attack is hard to discover and hard to defend against. The WAF has to identify it, filter and cleanse the malicious requests, and return only the normal traffic to the origin server. The most common form is the advanced DDoS attack, the CC attack. In defense, the site is also placed behind DNS so that the origin IP is replaced and hidden, and the WAF's fingerprinting architecture filters and cleanses all access requests, returning the normal requests to the clients.
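A per-client state tracker, added here as an example and not part of the original article, that covers two of the sections above: the state-management function (first-visit detection and a login-failure limit that is acted on when reached) and the CC-attack protection (a sliding-window request-rate limit per client). It also shows how the client is identified when the WAF sits behind a proxy tier: the X-Forwarded-For header is trusted only when the direct peer is a known proxy. The windows, thresholds, proxy addresses and simulated traffic are assumptions made for illustration.

```python
"""Added example, not from the original article: a per-client state tracker
covering first-visit detection plus login-failure limits (state management)
and request-rate limits against flood-style (CC) traffic. Windows, thresholds,
the trusted-proxy handling and the simulated traffic are assumptions."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, FrozenSet, Optional


@dataclass
class ClientState:
    first_seen: float
    requests: Deque[float] = field(default_factory=deque)        # timestamps in rate window
    login_failures: Deque[float] = field(default_factory=deque)  # timestamps in failure window
    blocked_until: float = 0.0


class StateManager:
    def __init__(self, rate_limit: int = 100, rate_window: float = 10.0,
                 fail_limit: int = 5, fail_window: float = 300.0,
                 block_seconds: float = 600.0) -> None:
        self.rate_limit, self.rate_window = rate_limit, rate_window
        self.fail_limit, self.fail_window = fail_limit, fail_window
        self.block_seconds = block_seconds
        self.clients: Dict[str, ClientState] = {}

    @staticmethod
    def client_id(peer_ip: str, xff: Optional[str],
                  trusted_proxies: FrozenSet[str]) -> str:
        """Trust X-Forwarded-For only when the direct peer is a known proxy
        (a CDN or cloud-WAF tier in front of us); otherwise the header is
        client-controlled and the peer address is the only reliable key."""
        if xff and peer_ip in trusted_proxies:
            return xff.split(",")[0].strip()
        return peer_ip

    @staticmethod
    def _prune(q: Deque[float], now: float, window: float) -> None:
        while q and now - q[0] > window:
            q.popleft()

    def on_request(self, cid: str, now: float) -> str:
        """Return 'first_visit', 'allow' or 'block' for one request."""
        st = self.clients.get(cid)
        first = st is None
        if first:
            st = self.clients[cid] = ClientState(first_seen=now)
        if now < st.blocked_until:
            return "block"
        self._prune(st.requests, now, self.rate_window)
        st.requests.append(now)
        if len(st.requests) > self.rate_limit:   # sliding-window rate limit exceeded
            st.blocked_until = now + self.block_seconds
            return "block"
        return "first_visit" if first else "allow"

    def on_login_failure(self, cid: str, now: float) -> bool:
        """Record a failed login; True means the limit was reached and the
        client has been placed on the temporary block list."""
        st = self.clients.setdefault(cid, ClientState(first_seen=now))
        self._prune(st.login_failures, now, self.fail_window)
        st.login_failures.append(now)
        if len(st.login_failures) >= self.fail_limit:
            st.blocked_until = now + self.block_seconds
            return True
        return False


def simulate() -> Dict[str, object]:
    """Constructed traffic: a normal browser, a flood from one address and a
    repeated login failure. Returns what each pattern produced."""
    sm = StateManager(rate_limit=20, rate_window=1.0, fail_limit=3)
    out: Dict[str, object] = {}
    normal = [sm.on_request("198.51.100.10", float(t)) for t in range(10)]   # 1 req/s
    out["normal"] = (normal[0], normal.count("allow"))
    flood = [sm.on_request("203.0.113.7", 100.0 + i / 100) for i in range(50)]  # 50 in 0.5 s
    out["flood_blocked"] = flood.count("block")
    hits = [sm.on_login_failure("192.0.2.5", 200.0 + i) for i in range(3)]
    out["login"] = (hits, sm.on_request("192.0.2.5", 204.0))
    return out


if __name__ == "__main__":
    print(simulate())
```

The deques hold only timestamps inside the window, so memory per client is bounded by the rate limit; the trusted-proxy rule matters in the DNS-fronted deployment the section describes, where the origin otherwise sees only the WAF tier's addresses and would rate-limit the WAF itself.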

Other protection techniques
   A WAF also has security-enhancement functions that address the problems caused by web programmers trusting input data too much: for example sensitive-word filtering, anti-evasion intrusion-prevention techniques, response monitoring and information-leakage protection.

Five, WAF framework design

Rules module (parse / match)
   IP allow/deny list configuration, URL deny list configuration and other rule-based protection policies. Low false-positive and false-negative rates.

Action module
   Has an observer mode and an immediate-interception mode.

Log module
   The log module is very important. If the volume of log data is large, big-data technology must be used to process the security logs. The log part can be split out into a standalone security product separate from the WAF, used together with Kafka, Filebeat and Storm.

Error-handling module
   If error handling is to print errors, set an upper limit on the resources that error handling may consume.

Configuration module
   As the saying goes, "three parts technology, seven parts management": a WAF must be configured properly to achieve its effect. The default configuration covers boundary handling, log granularity and protocol analysis.

Protocol analysis module
   The output of protocol parsing is the object on which the rules module's detection operates next, so parsing granularity directly affects the WAF's protective effect. For a WAF that lives as a module inside the web server, and for the cloud WAF model, parsing generally depends on the web server's own parsing capability.

Six, How a WAF works

A WAF is deployed inline, in front of the web server, where it inspects and identifies HTTP-based communication. It is usually deployed in front of the web server together with other common products such as load balancers and web caches.

Common website vulnerability attacks such as SQL injection, XML injection and XSS can be detected with a signature library. Because it targets application-layer rather than network-layer intrusions, from a technical point of view it should be called a web IPS. Its focus is protection against SQL injection.

In more complex scenarios, the HTTP data is parsed into different fields, and the features of each field together with other dimensions are judged against the rule base; the result of that judgment decides whether the request is intercepted or released. Regular expressions are used to judge the legality of the parsed data and to build whitelists and blacklists, and finally access control is applied. Access control covers the corresponding concrete operations: blocking, recording, alarming, releasing and so on.
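The flow just described, wired together from the modules of section Five, as an added example that is not part of the original article: protocol analysis splits the request into decoded fields; a rules module holds IP allow/deny lists, a URL deny list, two regex signatures and one virtual patch of the kind section Four mentions (a hypothetical /export endpoint whose "file" parameter is confined until the application is fixed); an action module decides between observer mode (alert only) and interception mode; and a log module records every decision as a JSON line ready for Filebeat or Kafka. All rules, addresses, paths and sample requests are constructed for illustration and are not any vendor's rule base.

```python
"""Added example, not from the original article: a toy WAF built from the
modules the article lists (protocol analysis, rules, action, log). Rules,
addresses, paths and sample requests are constructed for illustration."""
import json
import re
from dataclasses import dataclass
from typing import Callable, Dict, List
from urllib.parse import parse_qs, unquote, urlsplit


@dataclass
class Request:
    client_ip: str
    method: str
    url: str
    body: str = ""


@dataclass
class Parsed:
    client_ip: str
    method: str
    path: str
    args: Dict[str, List[str]]   # query and form fields, percent-decoded


def protocol_analysis(req: Request) -> Parsed:
    """Split the request into the fields the rules inspect. The decoding done
    here sets the detection granularity: rules see decoded parameter values."""
    parts = urlsplit(req.url)
    args = parse_qs(parts.query, keep_blank_values=True)
    if req.method == "POST":
        for k, v in parse_qs(req.body, keep_blank_values=True).items():
            args.setdefault(k, []).extend(v)
    return Parsed(req.client_ip, req.method, unquote(parts.path), args)


@dataclass
class Rule:
    rule_id: str
    description: str
    severity: str
    matches: Callable[[Parsed], bool]


# constructed rule base
IP_DENY = {"203.0.113.66"}
IP_ALLOW = {"198.51.100.1"}                      # e.g. an internal monitoring host
URL_DENY = {"/admin/backup", "/.git/config"}
SQLI_SIG = re.compile(r"(?i)(\bunion\b\s+\bselect\b|'\s*or\s+\d+\s*=\s*\d+|--\s*$)")
XSS_SIG = re.compile(r"(?i)<\s*script\b|javascript:|\bon\w+\s*=")
SEVERITY_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}


def _any_arg(p: Parsed, rx: "re.Pattern") -> bool:
    return any(rx.search(v) for vs in p.args.values() for v in vs)


RULES = [
    Rule("1001", "client IP on deny list", "high", lambda p: p.client_ip in IP_DENY),
    Rule("1002", "URL on deny list", "high", lambda p: p.path in URL_DENY),
    Rule("2001", "SQL injection signature in parameter", "high",
         lambda p: _any_arg(p, SQLI_SIG)),
    Rule("2002", "XSS signature in parameter", "medium", lambda p: _any_arg(p, XSS_SIG)),
    # virtual patch: until the (hypothetical) /export handler is fixed, its
    # "file" parameter must stay a bare file name without path characters
    Rule("3001", "virtual patch: path characters in /export file parameter", "high",
         lambda p: p.path == "/export"
         and any(re.search(r"[/\\]|\.\.", v) for v in p.args.get("file", []))),
]


class Waf:
    def __init__(self, mode: str = "intercept") -> None:
        if mode not in ("observe", "intercept"):
            raise ValueError("mode must be 'observe' or 'intercept'")
        self.mode = mode
        self.log: List[str] = []   # JSON lines; a real deployment ships these via Filebeat/Kafka

    def handle(self, req: Request) -> str:
        """Return 'pass', 'alert' (observe mode) or 'block' (intercept mode)."""
        p = protocol_analysis(req)
        hits = [] if p.client_ip in IP_ALLOW else [r for r in RULES if r.matches(p)]
        if not hits:
            action = "pass"
        else:
            action = "block" if self.mode == "intercept" else "alert"
        self.log.append(json.dumps({
            "client_ip": req.client_ip, "method": req.method, "url": req.url,
            "rules": [r.rule_id for r in hits],
            "severity": max((r.severity for r in hits),
                            key=SEVERITY_ORDER.__getitem__, default="none"),
            "action": action}, sort_keys=True))
        return action


# constructed sample traffic
SAMPLES = [
    Request("192.0.2.10", "GET", "/search?q=laptop"),
    Request("192.0.2.11", "GET", "/search?q=%27+or+1%3D1+--"),          # encoded payload
    Request("203.0.113.66", "GET", "/"),
    Request("192.0.2.12", "POST", "/comment", body="text=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
    Request("192.0.2.13", "GET", "/export?file=..%2F..%2Fsecret.ini"),
    Request("198.51.100.1", "GET", "/admin/backup"),                    # allow-listed monitor
]


def run(mode: str) -> List[str]:
    waf = Waf(mode)
    return [waf.handle(r) for r in SAMPLES]


if __name__ == "__main__":
    for mode in ("intercept", "observe"):
        print(mode, run(mode))
```

Two design points worth noting: the allow list is checked before every other rule, so an allow-listed source skips all signatures and the list must stay short and trusted; and observer mode produces exactly the same log lines as interception mode, which is what makes it usable for tuning a rule base (and measuring its false-positive rate) before switching to blocking.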

A rule-based WAF has false negatives and needs vendor maintenance, but it has few false positives and is easy to use. A WAF based on misuse detection has a high miss rate but also a high false-positive rate; customers do not trust it very much and have to review its logs frequently. A good WAF typically uses both strategies together.

Imperva's WAF products, while providing intrusion prevention, have the device automatically pre-learn the characteristics of the business. This WAF machine learning is in fact an application of misuse-detection technology.
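The learning side of the combination, as an added example that is not part of the original article or of any vendor's product: a small positive-security model of the kind section Three ("modeled on legitimate application data") and the Imperva pre-learning paragraph describe. It profiles each (path, parameter) pair from constructed legitimate traffic (widest character class seen, longest value seen) and then reports how later requests deviate. The probes are chosen to show both halves of the trade-off the text states: a value with no attack signature at all is still flagged because it is the wrong shape for that parameter, while a perfectly legitimate non-ASCII search term is flagged too, which is the false-positive cost. Training data, character classes and the length slack are assumptions.

```python
"""Added example, not from the original article: a small positive-security
(learning) model that profiles each (path, parameter) pair from legitimate
traffic and reports deviations. Training data, character classes and the
length slack are constructed assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit

# character classes from narrowest to widest; a value's class is the first that matches
CLASSES = [("digits", re.compile(r"^\d+$")),
           ("alnum", re.compile(r"^[A-Za-z0-9_-]+$")),
           ("text", re.compile(r"^[A-Za-z0-9 .,_-]+$")),
           ("any", re.compile(r".*", re.S))]
RANK = {name: i for i, (name, _) in enumerate(CLASSES)}


def char_class(value: str) -> str:
    for name, rx in CLASSES:
        if rx.match(value):
            return name
    return "any"


@dataclass
class ParamProfile:
    max_len: int = 0
    rank: int = 0          # widest character class seen during learning


class AnomalyModel:
    def __init__(self, slack: float = 1.5) -> None:
        self.slack = slack  # tolerated growth over the learned maximum length
        self.profiles: Dict[Tuple[str, str], ParamProfile] = defaultdict(ParamProfile)
        self.known_paths: set = set()

    def learn(self, url: str) -> None:
        """Update the profile from one request known to be legitimate."""
        parts = urlsplit(url)
        self.known_paths.add(parts.path)
        for k, vs in parse_qs(parts.query, keep_blank_values=True).items():
            prof = self.profiles[(parts.path, k)]
            for v in vs:
                prof.max_len = max(prof.max_len, len(v))
                prof.rank = max(prof.rank, RANK[char_class(v)])

    def score(self, url: str) -> List[str]:
        """Return the deviations from learned traffic; empty means 'looks normal'."""
        parts = urlsplit(url)
        if parts.path not in self.known_paths:
            return [f"unknown path {parts.path}"]
        out: List[str] = []
        for k, vs in parse_qs(parts.query, keep_blank_values=True).items():
            prof = self.profiles.get((parts.path, k))
            if prof is None:
                out.append(f"unknown parameter {k}")
                continue
            for v in vs:
                if len(v) > prof.max_len * self.slack:
                    out.append(f"{k}: length {len(v)} exceeds learned {prof.max_len}")
                cls = char_class(v)
                if RANK[cls] > prof.rank:
                    out.append(f"{k}: character class {cls} not seen in training")
        return out


# constructed legitimate traffic used for learning
TRAINING = ["/product?id=1042", "/product?id=77", "/product?id=31337",
            "/search?q=red+shoes", "/search?q=winter+coat", "/search?q=usb-c+cable"]

# constructed probes: what a signature rule set would and would not notice
PROBES = {
    "normal": "/product?id=2048",
    "type_drift": "/product?id=1042abc",        # no attack signature, but not an id
    "long": "/product?id=" + "9" * 40,
    "new_param": "/search?q=red+shoes&debug=1",
    "new_path": "/orders",
    "legit_unicode": "/search?q=caf%C3%A9",     # legitimate, yet flagged: the false-positive side
}


def evaluate() -> Dict[str, List[str]]:
    model = AnomalyModel()
    for url in TRAINING:
        model.learn(url)
    return {name: model.score(url) for name, url in PROBES.items()}


if __name__ == "__main__":
    for name, deviations in evaluate().items():
        print(f"{name:14s} {deviations or 'normal'}")
```

In practice the learning phase has to run long enough to see the application's full legitimate vocabulary (the "legit_unicode" probe would stop being flagged once a non-ASCII search term appeared in training), which is exactly why the text says this approach needs frequent log review and is best paired with a signature rule base rather than used alone.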

Seven, Advantages and disadvantages of each WAF type

Rules are dead and people are alive: there will always be unknown bypass methods through which an intrusion can succeed.

Hardware WAF first:
   Advantages:
   1. Low maintenance cost. A hardware WAF is simple to deploy, plug and play. It upgrades itself automatically over the network, and updates are fast and automatic.
   2. A hardware WAF is easy to extend: if performance is insufficient, chain another unit inline at the switch.
   3. A hardware WAF has a large protection range: because it sits inline below the switch, it can protect every host on that switch.

   Disadvantages:
   1. There is a chance of bypass. Once the device can be bypassed, the whole site may be bypassed.
   2. Expensive; because of the high cost, only administrative units buy it. And because it is procured, the staff who take over the equipment are usually not security personnel: they configure it at random and put it online as long as the service is not affected.
   3. Without multiple devices, the performance of a single unit is insufficient for high concurrency. Some hardware firewalls even release all traffic when faced with high concurrency; think how terrible that is.

Then the software WAF:
   Advantages:
   1. Free: there is a huge number of open-source products such as OpenWAF, and commercial products have free editions, such as the famous Safedog.
   2. Powerful: everything from the front-end UI to each function module can be customized through secondary development.
   3. Easy to manage: the software's management functions can be adjusted, strengthening the management side.

   Disadvantages:
   1. High maintenance cost. The functions are too rough; almost every feature needs secondary development before it meets expectations. One must keep an eye on the latest vulnerabilities and push patches to the WAF in time.
   2. Consumes server performance. The larger the traffic, the more performance the WAF consumes. Some WAFs with poor algorithms add 20-30% to the processor load.
   3. There is a chance of bypass: the more finely each rule of a software WAF is customized, the harder it is to balance false negatives against false positives (blocking legitimate traffic), and parsing that is refined too far is easily deceived and bypassed.

Code-embedded WAF (RASP):
   Advantages:
   1. Very low false positives, because a code-embedded WAF detects misuse of resources, which gives a low false-alarm rate.
   2. Low maintenance cost, no updates needed. However cleverly intruders disguise themselves, their goal is always the same: to reach sensitive resources.
   3. Confidentiality: this WAF is not networked and does not analyze users' sensitive browser data or capture network traffic. Most importantly, it can identify and block accurately, giving very good protection.

   Disadvantages:
   1. Difficult to deploy: each code base needs its own WAF. Different languages have different characteristics and large configuration differences, so it is hard to roll out widely.
   2. Consumes server performance. The technology is still at the frontier and lacks good design patterns, though it can still be used.
   3. Small protection range: an intruder may break in through another application and then plant a backdoor, which the RASP cannot perceive at all.

Cloud WAF:
   Advantages:
   1. Easy to deploy
   2. Low maintenance
   3. Powerful

   Disadvantages:
   1. Risk of bypass: hackers can bypass DNS resolution and reach the server by its IP directly.
   2. Low availability: a DNS or WAF problem makes the site inaccessible, and only the cloud platform can fix it.
   3. Poor confidentiality: data hosted in the cloud is easily leaked.
            

Eight, How to judge whether a WAF is good

1. Detection engine
2. Functional testing
3. Performance under overload (no security policy configured)
4. Performance under load (with a security policy configured)
5. User response time and latency
6. Stability and reliability
7. Management and configuration
8. Concurrent session management (conditions)
9. Persistence

Nine, Competitiveness of commercial WAF products

WAF support library (threat-detection library)
   Precisely discovers compromised hosts inside the network, helping the security team locate the threat quickly and accurately. It uses a massive data base together with internal network traffic and logs to determine whether hackers are on the intranet. Detection methods include Trojan feature analysis, protocol analysis and DGA detection based on deep-learning algorithms.

WAF rule maintenance (domestic and foreign underground-market intelligence)
   Even when a vulnerability has not yet been disclosed, high-level security vendors have their own attack-and-defense laboratories that dig out vulnerabilities and then disclose them internally. Vendors with an industry background have informants planted inside the underground circle, synchronize the information to the product development department quickly, and push patches faster.

Ten, Summary

Security must reach 100 points; even 99 points is unsafe. A single WAF product cannot meet the security needs of a complex business; a WAF product only plays a mitigating role, and "solving it once and for all" is wishful thinking. As Brother Dao said, this is Internet security: with a crowd of people researching network security, things become unsafe. Achieving security for the whole system in practical work cannot rely on security researchers alone; everyone must reach a consensus so that the security system is stable. Security is everyone's need.


 


Origin blog.csdn.net/ai_64/article/details/100865631