The evolution of Web Application Firewalls: from network firewalls to cloud-based protection systems with machine learning

In our previous material on cloud topics, we described how to protect IT resources in a public cloud and why traditional antiviruses are not suitable for this purpose. In this post we continue the cloud-security theme and talk about the evolution of the WAF and which option is better to choose: hardware, software or cloud.


What is a WAF

More than 75% of hacker attacks target vulnerabilities in web applications and websites: such attacks are usually invisible to the information-security infrastructure and to information-security teams. Attacks on web applications also carry the risk of leaking or hijacking user accounts and personal data, passwords, and credit card numbers. In addition, vulnerabilities in a website serve as an entry point for attackers into the corporate network.

A Web Application Firewall (WAF) is a protective screen that blocks attacks on web applications: SQL injection, cross-site scripting, remote code execution, brute force and authorization bypass, including attacks that exploit zero-day vulnerabilities. Application firewalls provide protection by inspecting web page content, including HTML, DHTML and CSS, and filtering potentially malicious HTTP/HTTPS requests.

What were the first solutions?

The first attempts to create a Web Application Firewall were made in the early 90s. At least three engineers are known to have worked in this area. The first is computer-science professor Gene Spafford of Purdue University. He described the architecture of a proxy application firewall and published it in 1991 in the book "Practical UNIX Security".

The second and third were security specialists William Cheswick and Marcus Ranum from Bell Labs. They created one of the first commercial application firewall prototypes. It was distributed by DEC; the product was released under the name SEAL (Secure External Access Link).

But SEAL was not a complete WAF solution. It was a classic network firewall with advanced functionality: the ability to block attacks on FTP and RSH. For this reason, the first WAF solution is today considered to be the product of Perfecto Technologies (later Sanctum). In 1999 it introduced the AppShield system. At that time Perfecto Technologies was developing information-security solutions for e-commerce, and online stores became the target audience for its new product. AppShield was able to analyze HTTP requests and block attacks based on dynamic information-security policies.

Almost simultaneously with AppShield (in 2002), the first open-source WAF appeared: ModSecurity. It was created with the aim of popularizing WAF technologies and is still maintained by the IT community (here is its repository on GitHub). ModSecurity blocks attacks on applications based on regular expressions (signatures), that is, tools for checking requests against patterns, using the OWASP Core Rule Set.

As a result, the developers achieved their goal: new WAF solutions began to appear on the market, including ones built on top of ModSecurity.

Three generations are already history

It is customary to distinguish three generations of WAF systems, which have evolved along with the development of technology.

First generation. Works with regular expressions (or grammars). ModSecurity belongs here. The system vendor studies the types of attacks on applications and builds patterns that describe legitimate and potentially malicious requests. The WAF checks these lists and decides what to do in a particular case: block the traffic or not.

An example of regex-based detection is the already mentioned open-source Core Rule Set project. Another example is Naxsi, which is also open source. Regex-based systems have several drawbacks; in particular, when a new vulnerability is discovered, the administrator has to create additional rules manually. In a large IT infrastructure there may be several thousand rules. Managing that many regular expressions is difficult, not to mention that evaluating them can degrade network performance.

Regular expressions also have a fairly high false-positive rate. The linguist Noam Chomsky proposed classifying grammars into four conditional levels. According to this classification, regular expressions can only describe firewall rules that allow no deviation from the pattern. This means that attackers can "trick" a first-generation WAF. One way to do this is to add special characters to the request that do not affect the logic of the malicious data but break the signature rule.


Second generation. To get around the performance and accuracy problems of WAFs, second-generation application firewalls were developed. They contain parsers responsible for recognizing strictly defined types of data (for HTML, JS, etc.). These parsers work with special tokens that describe the queries (for example, variable, string, unknown, number). Potentially malicious token sequences are placed on a separate list, which the WAF checks regularly. This approach was first shown at the Black Hat 2012 conference in the form of the C/C++ library libinjection, which detects SQL injections.

Compared to first-generation WAFs, specialized parsers can be faster. However, they did not solve the problem of manually reconfiguring the system when new malicious attacks appear.


Third generation. The evolution of third-generation detection logic consists in applying machine-learning methods that make it possible to bring the detection grammar as close as possible to the real SQL/HTML/JS grammar of the protected systems. This detection logic is able to adapt a Turing machine to cover recursively enumerable grammars. Moreover, the task of building an adaptable Turing machine was previously unsolvable, until the first studies on neural Turing machines were published.

Machine learning provides a unique ability to adapt any grammar to cover any type of attack without manually creating signature lists, as first-generation detection requires, and without developing new tokenizers/parsers for new attack types such as Memcached, Redis, Cassandra or SSRF injections, as the second-generation methodology requires.

Combining all three generations of detection logic, we can draw a new diagram in which third-generation detection is represented by the red outline (Fig. 3). This generation includes one of the solutions that we use in the cloud together with Onsek, the developer of the Wallarm API platform for adaptive protection of web applications.

The detection logic now uses the application's feedback to tune itself. In machine learning, this feedback loop is called "reinforcement". Usually there are one or more types of such reinforcement:

  • Analysis of the application's response behavior (passive)
  • Scanner/fuzzer (active)
  • Report files / interception procedures / traps (post factum)
  • Manual (defined by the administrator)

As a result, third-generation detection logic also addresses the critical issue of accuracy. It is now possible not only to avoid false positives and false negatives, but also to detect legitimate true positives, such as the use of SQL commands in a control panel, the loading of a website template, AJAX requests related to JavaScript errors, and so on.


Next, we consider the technological capabilities of the various WAF options.

Hardware, software or cloud: what to choose?

One option for implementing application firewalls is the hardware approach. Such systems are specialized computing devices that the company installs locally in its data center. In this case, however, you have to buy your own equipment and pay integrators to set it up and debug it (if the company does not have its own IT department). At the same time, any equipment eventually becomes obsolete and unusable, so customers are forced to budget for hardware upgrades.

Another option for deploying a WAF is a software implementation. The solution is installed as an add-on to some other software (for example, ModSecurity is configured on top of Apache) and runs on the same server. As a rule, such solutions can be deployed both on a physical server and in the cloud. Their disadvantage is limited scalability and vendor support.

The third option is to deploy a WAF from the cloud. Such solutions are provided by cloud providers as a subscription service. The company does not need to purchase and configure specialized hardware; these tasks fall on the shoulders of the service provider. An important point is that a modern cloud WAF does not require migrating resources to the provider's platform. The site can be deployed anywhere, even on premises.

We explain below why companies are now increasingly looking towards cloud WAFs.

What a WAF can do in the cloud

In terms of technological capabilities:

  • The provider is responsible for updates. The WAF is provided by subscription, so the service provider keeps track of updates and licenses. Updates concern not only software but also hardware. The provider expands and maintains the server fleet. It is also responsible for load balancing and redundancy. If a WAF server fails, traffic is immediately redirected to another machine. Sensible traffic distribution avoids situations where the firewall fails open, that is, cannot cope with the load and stops filtering requests.
  • Virtual patching. Virtual patches restrict access to compromised parts of the application until the developer closes the vulnerability. As a result, the cloud provider's customer can calmly wait until the vendor of the affected software publishes official patches. Doing this as quickly as possible is a top priority for the software vendor. For example, on the Wallarm platform a separate software module is responsible for virtual patching. The administrator can add custom regular expressions to block malicious requests. The system also makes it possible to mark certain requests with a "Confidential" flag. Their parameters are then masked and are never transmitted outside the firewall's working area.
  • Perimeter discovery and vulnerability scanner. This allows the network boundaries of the IT infrastructure to be determined independently using data from DNS queries and the WHOIS protocol. The WAF then automatically analyzes the services running inside the perimeter (performs port scanning). The firewall is able to detect all common classes of vulnerabilities (SQLi, XSS, XXE, etc.) and to identify software misconfigurations, for example unauthorized access to Git and BitBucket repositories and anonymous calls to Elasticsearch, Redis and MongoDB.
  • Attacks are tracked with cloud resources. As a rule, cloud providers have large amounts of computing power. This makes it possible to analyze threats with high accuracy and speed. A cluster of filter nodes is deployed in the cloud, through which all traffic passes. These nodes block attacks on web applications and send statistics to the Analytics Center. It uses machine-learning algorithms to update the blocking rules for all protected applications. The implementation of such a scheme is shown in Fig. 4. Security rules tuned in this way minimize the number of false alarms.


Now a little about the features of cloud WAFs from the organizational and management perspective:

  • Switch to OpEx. In the case of a cloud WAF, the implementation cost is zero, since all hardware and licenses have already been paid for by the provider; the service is paid for by subscription.
  • Various tariff plans. A cloud service user can quickly enable or disable additional options. Services are managed from a single control panel, which is itself secured. It is accessed over HTTPS, and two-factor authentication based on the TOTP (Time-based One-Time Password Algorithm) protocol is available.
  • Connection via DNS. You can change the DNS records yourself and reconfigure the network routing. There is no need to hire and train in-house specialists for these tasks. As a rule, the provider's technical support can help with the setup.

WAF technologies have evolved from simple firewalls with manual rules to complex protection systems with machine-learning algorithms. Application firewalls now offer a wide range of features that were hard to implement in the 90s. In many ways, the emergence of new functionality became possible thanks to cloud technologies. WAF solutions and their components continue to evolve, like other areas of information security.

The text was prepared by Alexander Karpuzikov, information-security product development manager at the cloud provider #CloudMTS.

Source: www.habr.com
