
Web Application Firewall


Web Application Firewall - Securing Web Applications

Lê Văn Khoa
HCM Communications Solutions Department
System Integration Center

In September 2008, the OWASP NYC APPSEC 2008 conference brought together more than 50 of the world's leading security experts to present topics on securing applications, such as:
- Analysis of the threat of database attacks via the web (Ofer Shezaf)
- The OWASP Google Hacking project (Christian Heinrich)
- Directions for Web application security (Joe White)
- HTTP Bot research (Andre M. DiMino)
All of the issues presented at the conference revolved around defending against attacks that originate from the Internet and that conventional firewall methods and devices do not have (or are not equipped with) the means to block, such as SQL injection, cross-site scripting, and so on.

[Figure: Threats in the Internet environment]


Joe White, an expert at Cyber | LockSmith, observed that security solutions for Web applications will become a development trend in the coming years in both areas: hardware appliances and software.
1. The urgent need for web applications
As everyone knows, protecting network systems is usually entrusted to traditional firewall devices. The firewall performs this monitoring based on the source and destination IP addresses combined with the ports of the data flows running through the network.

[Figure: Operating model of a traditional firewall]
The figure above clearly shows a major problem with the system: the Web connection traffic (using the HTTP protocol) flows from outside to inside and reaches the database without the firewall inspecting its content. Looking more closely at how a traditional firewall works, we see that these devices operate mainly at the first 4 layers of the OSI model, while most applications built on the network live in the top 3 layers. This is why the firewall cannot control the content of connections from the Web into the database.



[Figure: The OSI model]

2. The Web Application Firewall (WAF) solution
A WAF is a comprehensive and powerful security solution for Web applications. It provides a line of defense against activities such as hacking and the exploitation of vulnerabilities and protocols. In addition, a WAF alerts you to application flaws that hackers could exploit to steal information, cause a denial of service, or deface your website.
The main purposes of a WAF are:
- An extension or filter for the web server that establishes policies for users' HTTP connections.
- Protect the system against common attacks such as Cross-site Scripting (XSS) and SQL Injection.
- Inspect the content of Web accesses that use the HTTP protocol at the application layer.
- Analyze requests and raise an alert as soon as any suspicious activity occurs on the system.
- Increase visibility into website traffic.
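As an added example (not from the original article or from any of the vendors it lists), the following Python script contrasts the two inspection levels discussed in sections 1 and 2: the decision a traditional layer 3/4 firewall makes from the port alone, and an application-layer check that parses the HTTP request and applies the WAF purposes listed above (inspect content, detect XSS and SQL injection, raise an alert, record what an operator needs to see). The sample requests, the signature patterns and the function names are constructed for this illustration and are far simpler than a real WAF rule set.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample requests, as they would arrive on TCP port 80.
BENIGN_REQUEST = (
    "GET /search?q=red+shoes&page=1 HTTP/1.1\r\n"
    "Host: shop.example\r\n\r\n"
)
MALICIOUS_REQUEST = (
    "GET /search?q=%27+OR+1%3D1--&page=1 HTTP/1.1\r\n"
    "Host: shop.example\r\n\r\n"
)


def l4_filter(dst_port: int, allowed_ports=(80, 443)) -> str:
    """Decision a traditional (layer 3/4) firewall makes: it sees only the
    port, so any HTTP request to a published web port is allowed."""
    return "ALLOW" if dst_port in allowed_ports else "DENY"


# Illustrative application-layer signatures for the two attack classes the
# article names (constructed; real rule sets are much larger).
SIGNATURES = {
    "sqli": re.compile(r"(?i)'\s*(or|and)\b|\bunion\s+select\b|--\s*$"),
    "xss": re.compile(r"(?i)<\s*script|javascript:|\bon\w+\s*="),
}


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path, headers and decoded
    query/body parameters: the layer-7 view a WAF works on."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ")
    headers = dict(line.split(": ", 1) for line in lines[1:] if ": " in line)
    url = urlsplit(target)
    params = parse_qsl(url.query, keep_blank_values=True)
    if body and headers.get("Content-Type", "").startswith("application/x-www-form-urlencoded"):
        params += parse_qsl(body, keep_blank_values=True)
    return {"method": method, "path": url.path, "headers": headers, "params": params}


def l7_inspect(raw: str) -> list:
    """WAF-style inspection: every decoded parameter is checked against the
    signatures; each hit becomes an alert record carrying the fields an
    operator needs for visibility (method, path, parameter, offending value)."""
    req = parse_request(raw)
    alerts = []
    for name, value in req["params"]:
        for attack, pattern in SIGNATURES.items():
            if pattern.search(value):
                alerts.append({"attack": attack, "method": req["method"],
                               "path": req["path"], "param": name, "value": value})
    return alerts


def waf_decision(raw: str) -> str:
    """Block when any parameter matched; otherwise forward to the web server."""
    return "BLOCK" if l7_inspect(raw) else "ALLOW"


if __name__ == "__main__":
    for raw in (BENIGN_REQUEST, MALICIOUS_REQUEST):
        print("L4:", l4_filter(80), "| L7:", waf_decision(raw), l7_inspect(raw))
```

Both requests get the same layer-4 verdict (ALLOW, because they arrive on port 80); only the layer-7 inspection distinguishes them, and it is the alert record, not the block itself, that gives the operations team the visibility the article keeps returning to.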

Pioneers in this field include products from the following well-known security vendors:
- Citrix Application Firewall - Citrix (www.citrix.com)
- SecureSphere - Imperva (www.imperva.com)
- Application Security Manager - F5 (www.f5.com)
- Web Application Controller - Barracuda (www.barracudanetworks.com)
- Application Security Solutions (www.applicure.com)
- DenyAll Security Solutions (http://pci.denyall.com)
Trends in applying WAF solutions:
- You cannot protect what you cannot see.
- You need better insight into the traffic of each application.
- This is always the component that the security operations team understands least.
- The WAF monitors and detects attacks from users that aim to damage the system.
- The WAF provides better visibility into the security events in the system.
- From a complete WAF product, you can expect the WAF to be updated with vulnerabilities in real time by your web application security tool, so that it can proactively block newly discovered attacks.
- A difficult part here is that you need the help of the people on the security operations team in order to deploy the WAF successfully in the business environment.


[Figure: WAF deployment model]


3. Hidden risks of WAFs
The WAF project was launched in 2008, more than 2 years ago as of this writing (see the website www.webappsecroadmap.com), and many products have since appeared that fully meet the needs a WAF is expected to address.
At the same time, the global Internet is growing at a breakneck pace, bringing with it many hidden risks that WAF researchers have not yet found a way to block thoroughly and comprehensively. A survey summarizing the risks occurring in the Internet environment shows the following results:

[Figure: Table assessing the types of Website attacks]
In 2009, Positive Technologies, a leading Russian security organization, conducted a quality test of WAF solutions. Using the two techniques SQL Injection and Cross-site Scripting, the research team successfully tested the following methods of bypassing WAFs:
- SQL Injection (Normalization, HTTP Parameter Pollution (HPP), Blind, Signature Bypass): using the parameters passed into the SQL query functions whose results are returned, with the aim of giving the attacker unauthorized access to data.




[Figure: HTTP Parameter Pollution (HPP)]

- Cross-site Scripting (HTTP Parameter Pollution (HPP), Blind, Signature Bypass): the attack is carried out through the responses to user requests when the user interacts with the system via interactive code written in JavaScript.


[Figure: Cross-site Scripting over HTTP]

- Path Traversal, Local/Remote File Inclusion: a technique of passing variables through the browser in order to execute unauthorized code that attacks the system.







[Figure: Path Traversal, Local/Remote File Inclusion]
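As an added example (not from the original article or from the Positive Technologies test it cites), the following Python code shows from the defender's side why the normalization and parameter-pollution bypasses listed above succeed against signature matching performed on the raw request, and how two standard WAF measures close those gaps: canonicalizing each value (decoding percent-encoding until it stops changing, folding case, collapsing whitespace) and inspecting the merged value of duplicated parameters, because some backends concatenate duplicates. The sample query strings, the single signature and the function names are constructed for this illustration.

```python
import re
from urllib.parse import parse_qsl, unquote

# One illustrative SQL injection signature (constructed); real rule sets have many.
SQLI = re.compile(r"\bunion\s+select\b|'\s*or\s+\S+\s*=\s*\S+")

# Constructed query strings. The first hides the quote and "=" behind
# percent-encoding and mixed case; the second splits the same text across two
# parameters of one name (HTTP Parameter Pollution), so that no single value
# matches but the concatenated value the backend builds does.
ENCODED_QUERY = "q=%27+oR+1%3D1"
HPP_QUERY = "q=1%27+OR+1%3D&q=1"


def canonical(value: str, max_rounds: int = 3) -> str:
    """Reduce a parameter value to the form the backend will actually see:
    decode percent-encoding until it stops changing (bounded, so nested
    encoding cannot loop forever), fold case and collapse whitespace."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return re.sub(r"\s+", " ", value.lower())


def raw_match(query: str) -> bool:
    """Signature applied to the raw, still-encoded query string."""
    return bool(SQLI.search(query.lower()))


def per_param_match(query: str) -> bool:
    """Each parameter value decoded and canonicalized, but checked on its own."""
    return any(SQLI.search(canonical(v))
               for _, v in parse_qsl(query, keep_blank_values=True))


def merged_params(query: str) -> dict:
    """Join duplicate parameter names the way a concatenating backend does,
    so the inspector sees the same value the application will."""
    merged = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        merged[name] = value if name not in merged else merged[name] + "," + value
    return merged


def normalized_match(query: str) -> bool:
    """Canonicalize and inspect both the individual and the merged values."""
    values = [v for _, v in parse_qsl(query, keep_blank_values=True)]
    values += merged_params(query).values()
    return any(SQLI.search(canonical(v)) for v in values)


if __name__ == "__main__":
    for q in (ENCODED_QUERY, HPP_QUERY):
        print(q, "raw:", raw_match(q), "per-param:", per_param_match(q),
              "normalized:", normalized_match(q))
```

The general lesson is that the signature is not the weak point; the gap is between what the WAF matches against and what the application eventually parses. Decoding and merging bring the two views together, and bounding the decode loop keeps the normalizer itself from becoming a denial-of-service target.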


4. General assessment of WAFs
Applying a WAF solution requires a long deployment process, and the Internet environment itself always carries many risks: attacks on services, malware, spam, and so on. Today, along with the demands of social development, e-commerce services bring many conveniences: online shopping, stock trading, hotel and flight booking, and more. But this also creates good opportunities for malicious actors (hackers) to look for ways to attack and harvest information.
The WAF solution meets today's need to secure web applications, but service providers also need to know how to combine it with traditional firewall solutions in order to deliver a complete solution for the whole system; this is precisely the job that system integrators must do.
Notes:
The two attack types SQL Injection and Cross-Site Scripting account for a very high proportion of attacks on systems across the global Internet.
Cross-Site Scripting (XSS) is one of the most common attack techniques today, and it is also one of the most important security issues for web developers and web users alike. Any website that lets users post content without strictly checking for dangerous code may harbor XSS flaws.
SQL injection is a technique of inserting illegitimate SQL code that exploits a security vulnerability in an application's database layer. This vulnerability can appear when the application has no code that checks for escape characters embedded in the SQL query, when input is not clearly typed, or when a programmer's SQL syntax error allows foreign code to be processed unintentionally. It is an example of the risk that arises when one programming or scripting language is embedded inside another. An SQL injection attack is also understood as the illegitimate injection of SQL code fragments.
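As an added example (not part of the original article), the following Python code places the vulnerable form of each of the two flaws described in these notes beside its fix: a query built by splicing the input into the SQL text beside one that binds the input as a parameter, and a page fragment that echoes user content verbatim beside one that HTML-escapes it. The in-memory SQLite table, the sample inputs and the function names are constructed for this illustration.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table with two users."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user")])
    return db


def find_user_vulnerable(db: sqlite3.Connection, name: str) -> list:
    """Input is spliced into the SQL text, so a quote in the input ends the
    string literal and the rest is parsed as SQL: the embedded-language risk
    the note describes."""
    return db.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def find_user_safe(db: sqlite3.Connection, name: str) -> list:
    """The statement is fixed; the driver passes the input as a bound value,
    so it can only ever be compared as data, never parsed as SQL."""
    return db.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


def render_comment_vulnerable(text: str) -> str:
    """User content copied into the page verbatim: any markup in it becomes
    part of the page (stored or reflected XSS)."""
    return f"<p>{text}</p>"


def render_comment_safe(text: str) -> str:
    """Escaping turns <, >, &, and quotes into entities; the browser displays
    the text instead of interpreting it."""
    return f"<p>{html.escape(text, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # constructed input that is not a user name
    print("vulnerable:", find_user_vulnerable(db, probe))  # every row comes back
    print("safe:      ", find_user_safe(db, probe))        # no rows
    print(render_comment_safe("<script>alert(1)</script>"))
```

A WAF in front of the application can catch the probe string, but the fix that removes the flaw is the parameterized query and the output escaping; the article's closing point that a WAF must be combined with other measures applies here too.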
