Understanding the Web Application Firewall
As CIO of a third-party online payment company, Dave has had his hands full with a series of recent security incidents. Although the company has deployed a firewall, an intrusion detection system and other security equipment at its network perimeter, a few months ago its Web site and payment server were hit by a denial-of-service attack that paralysed the business. Before the denial-of-service attack had even been dealt with, Dave received a staff report that Google had flagged the company portal as containing malicious software.

Dave's Web security troubles are a microcosm of what many IT managers face. As computing and business resources are increasingly concentrated in data centres, the Web has become the universal platform carrying more and more core business. Rich Web resources, high efficiency and new ways of working come at a price: an organisation's assets are exposed to more and more threats. Web security problems are no longer unusual. The following incidents are recorded in the WHID project of the international security organisation WASC:

May 26, 2009: a photo management Web site channel of the French mobile operator Orange France had a SQL injection vulnerability; hackers exploited it to obtain 245,000 customer records (including e-mail addresses, names and plaintext passwords).

January 26, 2009: two important U.S. military servers were penetrated by Turkish hackers and their pages were defaced; the hackers used SQL injection attacks.

January 26, 2009: the Web site of the Indian Embassy in Spain was injected with malicious code (an iFrame attack).

Web Application Security Protection Solutions

Web application security problems are essentially software quality problems. But compared with traditional software, Web applications have their own characteristics:

Web applications are often unique to one organisation, so their vulnerabilities are not publicly known and signatures for known vulnerabilities are of little use against them; they change frequently to meet business objectives, which makes an orderly development cycle hard to maintain; they must account for complex interaction scenarios between the client and server sides, and many developers do not understand the business processes well; and Web development is often regarded as simpler work, so less experienced developers are assigned to it.

Ideally, Web application security would follow secure coding principles throughout the software development life cycle, with appropriate security measures at every stage. The reality for most Web sites is different: many Web applications were developed early and, for historical reasons, have varying levels of security. For applications already in production, their customised nature means no generic patch is available, and reworking the code costs too much or takes too long. In this situation a professional Web security tool is a reasonable choice.

The Web application firewall (hereafter WAF) is such a professional tool. It provides a security control for operations and maintenance: real-time protection of Web applications based on two-way analysis of HTTP/HTTPS traffic. Compared with a traditional firewall or IPS device, the most significant differences of WAF technology are:

Understanding of the HTTP protocol: complete parsing of HTTP, including headers, parameters and payloads; support for various HTTP encodings (such as chunked encoding and request/response compression); strict HTTP protocol validation; HTML restrictions; support for a variety of character-set encodings; and response filtering.

Application-layer rules: Web applications are usually custom-built, so traditional rules for known vulnerabilities are often not effective enough. A WAF provides rules specific to the application layer and can detect disguised variants of attacks, for example attacks mixed into SSL-encrypted traffic.

Positive security model (white list): only known valid input is allowed through, giving the Web application an external input validation mechanism that is more reliable.

Session protection: the biggest flaw of the HTTP protocol is the lack of a reliable session management mechanism. A WAF fills this gap and protects against session-based attacks such as cookie tampering and session hijacking.

How to Select a WAF

Not every "box" that provides Web server protection is a WAF. A WAF protection system that truly meets requirements should have two dimensions:

Vertical: defense in depth. By establishing vertical structural layers such as protocol and information flow, it builds effective defensive measures at each layer to stop attacks and raise alerts.

Horizontal: meet compliance requirements; mitigate various types of security threats (at the network level, the Web infrastructure level and the Web application level); reduce service response time, significantly improving the end-user experience; and optimise resources and improve the agility of business application systems.
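As an added example (not code from this article or from any WAF product), a minimal Python sketch of three of the WAF capabilities described above: reassembling a chunked transfer-encoded body before inspection, a positive (white list) model for request parameters, and an HMAC-signed cookie so that tampering is detectable. The parameter schema and the cookie key are hypothetical values constructed for the example.

```python
import hashlib, hmac, re
from urllib.parse import parse_qsl
# Positive security model (whitelist): each accepted parameter is declared with
# a pattern; unknown names or non-matching values are rejected. The schema and
# key are hypothetical values constructed for this example.
ALLOWED_PARAMS = {"user": re.compile(r"^[a-z0-9_]{1,32}$"),
                  "page": re.compile(r"^[0-9]{1,4}$")}
COOKIE_KEY = b"example-only-secret"

def decode_chunked(body: bytes) -> bytes:
    """Reassemble a chunked transfer-encoded body so rules see the real payload."""
    out, pos = b"", 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)  # chunk size; extensions ignored
        if size == 0:
            return out
        out += body[end + 2:end + 2 + size]
        pos = end + 2 + size + 2  # skip chunk data and its trailing CRLF

def validate_params(raw: str) -> list:
    """Return whitelist violations for a query string (empty list = accepted)."""
    problems = []
    for name, value in parse_qsl(raw, keep_blank_values=True):
        pattern = ALLOWED_PARAMS.get(name)
        if pattern is None:
            problems.append(f"unknown parameter {name!r}")
        elif not pattern.match(value):
            problems.append(f"parameter {name!r} has invalid value {value!r}")
    return problems

def sign_cookie(value: str) -> str:
    """Append an HMAC tag so client-side tampering with the cookie is detectable."""
    tag = hmac.new(COOKIE_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"

def verify_cookie(cookie: str):
    """Return the cookie's value if its tag verifies, otherwise None."""
    value, _, tag = cookie.rpartition(".")
    expected = hmac.new(COOKIE_KEY, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(tag, expected) else None

def inspect_request(headers: dict, body: bytes, cookie: str) -> list:
    """Run all three checks on one request and return every violation found."""
    if headers.get("Transfer-Encoding", "").lower() == "chunked":
        body = decode_chunked(body)
    problems = validate_params(body.decode("utf-8", "replace"))
    if verify_cookie(cookie) is None:
        problems.append("session cookie unsigned or tampered")
    return problems
```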