Eight techniques for using firewalls to block application attacks

Are you determined to invest serious effort in application security? After all, information such as financial transactions, credit card numbers, confidential data and user files is too important to a company to leave unprotected. But these applications are large and complex, and the hardest part is that they are exposed to direct attack through the network firewall on port 80 (mainly used for HTTP) and port 443 (used for SSL). This is where the application firewall comes in. The eight techniques an application firewall uses to discover and block application attacks are as follows.

Deep packet processing

Deep packet processing is sometimes referred to as deep packet inspection or semantic inspection. It means correlating multiple data packets into a data stream and looking for anomalous behavior that indicates an attack, while maintaining the state of the entire stream. Deep packet processing requires analyzing, detecting and reassembling application traffic at very high speed so that it does not introduce delay for the application. Each technique below represents a different level of deep packet processing.

TCP / IP termination

Application layer attacks involve multiple data packets and often multiple requests, i.e. different data streams. For a traffic analysis system to be effective, it must be able to examine packets and requests across the entire session in which the user interacts with the application in order to look for attacks. At the very least, it needs to be able to terminate the transport layer protocol and look for malicious patterns in the entire data stream rather than in a single packet.

SSL termination

Today, almost all security-sensitive applications use HTTPS to ensure the confidentiality of communications. However, the SSL data stream is encrypted end to end and is therefore opaque to passive detectors such as intrusion detection system (IDS) products. To block malicious traffic, the application firewall must terminate SSL and decrypt the data stream so that it can inspect the traffic in clear text. This is the minimum requirement for protecting application traffic. If your security policy does not allow sensitive information to travel over the network unencrypted, the solution will need to re-encrypt the traffic before it is sent to the Web server.

URL filtering

Once the application traffic is in clear text, the URL portion of the HTTP request must be inspected for signs of malicious attacks, such as suspicious Unicode encoding. With a signature-based scheme for URL filtering, it is not enough to simply match regularly updated signatures and filter out URLs associated with known attacks such as Code Red and Nimda. This requires a solution that checks not only the URL but also the rest of the request. In fact, if the application's response is also taken into account, the accuracy of attack detection can be greatly improved. Although URL filtering is an important operation that can stop the usual script-type attacks, it cannot defend against most application layer vulnerabilities.

Request analysis

Comprehensive request analysis is more effective than URL filtering alone; it can prevent cross-site scripting and other vulnerabilities in the Web server layer. Comprehensive request analysis takes URL filtering one step further: it ensures that the request is well formed and adheres to the standard HTTP specifications, and that the individual parts of the request stay within reasonable size limits. This technique is very effective at preventing buffer overflow attacks. However, request analysis is still a stateless technique: it can only examine the current request. As we know, remembering previous actions yields a much more meaningful analysis and, at the same time, deeper protection.
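As an added example (not code from the original article), a minimal stateless request analysis in Python that checks the structure and size limits the paragraph describes; the limits and the allowed method list are assumptions to be tuned per application:

```python
# Added example (not from the original article): a stateless request
# analysis checking that a raw HTTP/1.x request is well formed and that
# its parts stay within size limits. Limits and methods are assumptions.
import re

MAX_URL_LEN = 2048
MAX_HEADER_LEN = 8192
MAX_HEADERS = 64
ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(1\.[01])$")
HEADER_LINE = re.compile(r"^([A-Za-z0-9!#$%&'*+.^_|~-]+):[ \t]*(.*?)[ \t]*$")


def analyze_request(raw: bytes) -> list:
    """Return the list of violations; an empty list means the request passes."""
    violations = []
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["no end of headers (CRLF CRLF) found"]
    lines = head.decode("iso-8859-1").split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return ["malformed request line: %r" % lines[0][:40]]
    method, target, _version = m.groups()
    if method not in ALLOWED_METHODS:
        violations.append("method not allowed: " + method)
    if len(target) > MAX_URL_LEN:
        violations.append("URL too long: %d bytes" % len(target))
    if len(lines) - 1 > MAX_HEADERS:
        violations.append("too many headers: %d" % (len(lines) - 1))
    headers = {}
    for line in lines[1:]:
        h = HEADER_LINE.match(line)
        if not h:
            violations.append("malformed header: %r" % line[:40])
            continue
        if len(line) > MAX_HEADER_LEN:
            violations.append("header too long: " + h.group(1))
        headers[h.group(1).lower()] = h.group(2)
    if "host" not in headers:
        violations.append("missing Host header")
    declared = headers.get("content-length")
    if declared is not None and (not declared.isdigit() or int(declared) != len(body)):
        violations.append("Content-Length does not match body")
    return violations
```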

User session tracking

The next, more advanced technique is user session tracking. This is the most basic form of stateful inspection of application traffic: tracking user sessions and correlating the behavior of individual users. This function is usually implemented with session information blocks (cookies) or through URL rewriting. Once an individual user's requests are being tracked, extremely strict checks can be performed on these information blocks, which effectively prevents session-hijacking and cookie-poisoning vulnerabilities. Effective session tracking can not only track the information blocks created by the application firewall but also digitally sign the information blocks generated by the application, protecting them from tampering. This requires the ability to track the response to each request and extract the information block data from it.
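An added example (not from the original article) of the signing step described above, in Python: the firewall appends an HMAC to the cookie the application sets and rejects any later request whose cookie no longer verifies; the key and cookie names are assumed:

```python
# Added example (not from the original article): the application firewall
# appends an HMAC to the session cookie the application sets, and verifies
# it on the next request so a tampered cookie never reaches the application.
# The key and cookie names are constructed for the example.
import base64
import hashlib
import hmac

FIREWALL_KEY = b"example-firewall-key-rotate-me"   # assumed secret held by the firewall


def _mac(name: str, value: str) -> str:
    """MAC over name and value, so a signature cannot be moved between cookies."""
    digest = hmac.new(FIREWALL_KEY, (name + "=" + value).encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def sign_set_cookie(set_cookie: str) -> str:
    """Rewrite an application Set-Cookie header value so the cookie carries a MAC."""
    pair, sep, attrs = set_cookie.partition(";")
    name, _, value = pair.strip().partition("=")
    return "%s=%s.%s%s%s" % (name, value, _mac(name, value), sep, attrs)


def verify_cookie_header(cookie_header: str):
    """Return {name: original value} if every cookie verifies, else None (block)."""
    cookies = {}
    for item in cookie_header.split(";"):
        if not item.strip():
            continue
        name, _, signed = item.strip().partition("=")
        value, dot, mac = signed.rpartition(".")   # the MAC itself contains no '.'
        if not dot or not hmac.compare_digest(mac.encode(), _mac(name, value).encode()):
            return None                             # missing or wrong MAC
        cookies[name] = value
    return cookies
```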

Response pattern matching

Response pattern matching provides more comprehensive protection for the application: it inspects not only the requests submitted to the Web server but also the responses the Web server generates. It is extremely effective at preventing website defacement, or more precisely, at preventing a defaced site from being served to visitors. Matching patterns in the response is the counterpart of URL filtering on the request side. There are three levels of response pattern matching. Anti-defacement work is performed by the application firewall, which digitally signs the static content on the site; if the content is found to have changed after it leaves the Web server, the firewall replaces the damaged page with the original content. To deal with leaks of sensitive information, the application firewall monitors the response for patterns that may indicate a problem on the server, such as a long Java exception trace. If such a pattern is found, the firewall removes it from the response or simply blocks the response.

Solutions using "stop" and "go" words look for predefined general patterns that must, or must not, appear in the response generated by the application. For example, you can require that every page served by the application carry a copyright notice.
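An added example (not from the original article) of the three response-matching levels, in Python; a stored hash of the known-good page stands in for the digital signature, and the page, the leak patterns and the stop/go words are constructed for the example:

```python
# Added example (not from the original article): the three levels of
# response inspection described above, applied to a response body.
# The original page, leak patterns and stop/go words are constructed;
# a real deployment loads them from the site's content and policy.
import hashlib
import hmac
import re

# Level 1: known-good static content recorded when the site is deployed.
ORIGINALS = {
    "/index.html": b"<html><body>Welcome. (c) 2024 Example Corp</body></html>",
}
# Level 2: patterns that reveal server internals, e.g. a Java stack trace.
LEAK_PATTERNS = [
    re.compile(rb"java\.lang\.\w+Exception[^\r\n]*"),
    re.compile(rb"^[ \t]*at [\w$.]+\([\w.]+:\d+\)[^\r\n]*", re.M),
]
# Level 3: "stop" words that must never appear, "go" words that must.
STOP_WORDS = [re.compile(rb"DEBUG MODE")]
GO_WORDS = [re.compile(rb"\(c\) \d{4} Example Corp")]


def _digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def inspect_response(path: str, body: bytes, originals=ORIGINALS):
    """Return (action, body_to_send): action is pass, restore, scrub or block."""
    if path in originals and not hmac.compare_digest(
            _digest(body), _digest(originals[path])):
        return "restore", originals[path]      # defaced: serve the known-good copy
    scrubbed = body
    for pattern in LEAK_PATTERNS:
        scrubbed = pattern.sub(b"[removed]", scrubbed)
    if scrubbed != body:
        return "scrub", scrubbed               # strip the exception detail
    for pattern in STOP_WORDS:
        if pattern.search(body):
            return "block", b""
    for pattern in GO_WORDS:
        if not pattern.search(body):
            return "block", b""                # required notice missing
    return "pass", body
```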

Behavior modeling

Behavior modeling is sometimes referred to as a positive security model or "white list" security. It is the only protection mechanism that can defend against the most difficult application vulnerabilities: zero-day vulnerabilities, i.e. undocumented or "unknown" attacks. The only way to deal with this type of attack is to allow only behavior known to be good and prohibit everything else. This technique requires modeling the application's behavior, which in turn requires a comprehensive analysis of every response to every request submitted to the application, with the goal of identifying the behavioral elements on each page, such as form fields, buttons and hypertext links. This level of analysis can discover malicious form fields and hidden-form-field manipulation vulnerabilities, while at the same time exercising extremely strict control over which URLs users are allowed to access. Behavior modeling is the only technique that can effectively deal with all 16 application vulnerabilities. Behavior modeling is a good concept, but its efficacy is often limited by its own strictness.
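An added example (not from the original article) of behavior modeling in Python: it learns the links and form fields a served page offers, then rejects a request for a URL the page never offered or a form submission with an unexpected field or an altered hidden field. The sample page is constructed.

```python
# Added example (not from the original article): learn a positive model
# from a page the application served, then check the user's next request
# against it. The sample page used in testing is constructed.
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit


class PageModel(HTMLParser):
    """Collects the links and form fields a page actually offers the user."""

    def __init__(self):
        super().__init__()
        self.links = set()
        self.forms = {}      # form action path -> {field: hidden value or None}
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.add(urlsplit(a["href"]).path)
        elif tag == "form":
            self._form = self.forms.setdefault(urlsplit(a.get("action") or "").path, {})
        elif tag == "input" and self._form is not None and a.get("name"):
            hidden = (a.get("type") or "text").lower() == "hidden"
            self._form[a["name"]] = a.get("value") if hidden else None

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def learn(html: str) -> PageModel:
    model = PageModel()
    model.feed(html)
    return model


def check_request(model, method, target, form_data=""):
    """Return violations of the learned model; an empty list means allowed."""
    path = urlsplit(target).path
    if method == "GET":
        return [] if path in model.links else ["URL not offered: " + path]
    if path not in model.forms:
        return ["form action not offered: " + path]
    expected = model.forms[path]
    submitted = {k: v[0] for k, v in parse_qs(form_data, keep_blank_values=True).items()}
    problems = ["unexpected field: " + k for k in submitted if k not in expected]
    problems += ["missing field: " + k for k in expected if k not in submitted]
    problems += ["hidden field tampered: " + k for k, v in expected.items()
                 if v is not None and k in submitted and submitted[k] != v]
    return problems
```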

Certain situations, such as heavy use of JavaScript or deliberate deviations from the application's behavioral model, can lead to an incorrect behavior model, producing false positives and denying legitimate users access to the application. For behavior modeling to work, a certain degree of human intervention is needed to improve the accuracy of the security model. Automatic behavior prediction, also called automatic rule generation or application learning, is strictly speaking not a traffic inspection technique but a meta-inspection technique: it analyzes traffic, builds a behavior model and, with the help of various correlation techniques, generates a set of rules that is applied to the behavior model to improve its accuracy. The advantage of behavior modeling is that it can be configured automatically after a short period of learning the application.

Protecting port 80 is one of the most significant and important challenges facing security personnel. Fortunately, innovative solutions to this problem have emerged and are constantly being improved. If an application firewall capable of blocking the 16 types of application vulnerabilities is integrated into a layered security infrastructure, the problem of application security can be solved.
