The evolution of the Web Application Firewall: from firewalls to cloud-based protection systems with machine learning

In our previous articles on cloud topics we discussed how to protect IT resources in a public cloud and why a traditional antivirus is not well suited to the task. In this post we continue the cloud security theme and look at how the WAF has evolved and which deployment option is the better choice: hardware, software or cloud.


What a WAF is

More than 75% of attacks target vulnerabilities in web applications and websites, and such attacks usually go unnoticed by the conventional security infrastructure and the security team. Vulnerabilities in web applications also carry the risk of compromise and theft of user accounts and personal data, passwords and payment card numbers. In addition, a vulnerable website serves as an entry point for attackers into the corporate network.

A Web Application Firewall (WAF) is a protective layer that blocks attacks on web applications: SQL injection, cross-site scripting, remote code execution, brute force and authorization bypass. That includes some attacks on zero-day vulnerabilities, to the extent that the request still resembles a known attack class. Application firewalls provide protection by inspecting the content of web pages, including HTML, DHTML and CSS, and by filtering potentially malicious HTTP/HTTPS requests.

What were the first solutions?

The first attempts to build a Web Application Firewall date back to the early 1990s. Three engineers are known to have worked in this area. The first was Gene Spafford, professor of computer science at Purdue University. He described the architecture of a proxy application firewall and published it in 1991 in the book "Practical UNIX Security" (co-authored with Simson Garfinkel).

The second and third were the security experts William Cheswick of Bell Labs and Marcus Ranum, then at Digital Equipment Corporation (DEC). They built one of the first application firewall prototypes, which DEC shipped as a product under the name SEAL (Secure External Access Link).

But SEAL was not a full-fledged WAF. It was an advanced network firewall whose distinguishing capability was blocking attacks on FTP and RSH. For that reason the first WAF is today considered to be the product of Perfecto Technologies (later Sanctum), which introduced the AppShield system in 1999. At the time Perfecto Technologies was developing security products for e-commerce, and online stores became the target audience for its new product. AppShield could analyse HTTP requests and blocked attacks on the basis of a strict security policy.

Not long after AppShield, in 2002, the first open-source WAF appeared: ModSecurity. It was created to popularise WAF technology and is still maintained by the community (the repository is on GitHub). ModSecurity blocks attacks on applications using a standard set of regular expressions (signatures), that is, patterns against which requests are checked: the OWASP Core Rule Set.

As a result, the developers achieved their goal: new WAF solutions began to appear on the market, including ones built on top of ModSecurity.

Three generations that have already become history

It is customary to distinguish three generations of WAF systems, which have evolved together with the underlying technology.

First generation. Works with regular expressions (or grammars). ModSecurity belongs here. The system vendor studies the types of attacks on applications and writes patterns that describe legitimate and potentially malicious requests. The WAF checks requests against these lists and decides what to do in each case: block the traffic or let it through.

An example of detection based on regular expressions is the already mentioned open-source Core Rule Set project. Another is Naxsi, which is also open source. Systems built on regular expressions have a number of drawbacks; in particular, when a new vulnerability is discovered the administrator has to write additional rules by hand. In a large IT infrastructure there may be thousands of rules. Managing so many regular expressions is hard, not to mention that evaluating all of them can degrade network performance.

Regular expressions also have a fairly high false-positive rate. The well-known linguist Noam Chomsky proposed a classification of grammars in which he divided them into four levels of complexity. According to this classification, regular expressions can only describe firewall rules that tolerate no deviation from the pattern. This means that attackers can easily "fool" a first-generation WAF. One way to do so is to add special characters to the request that do not change the logic of the malicious payload but break the signature rule.


Second generation. To get around the performance and accuracy problems of first-generation WAFs, second-generation application firewalls were developed. They contain parsers responsible for detecting specific classes of attack (on HTML, JS and so on). These parsers work with tokens that describe the structure of a query (for example: variable, string, unknown, number). Potentially malicious token sequences are kept in a separate list, which the WAF consults. This approach was first presented at the Black Hat 2012 conference in the form of the C library libinjection, which detects SQL injection.

Compared with first-generation WAFs, specialised parsers can be faster. However, they did not solve the problem of reconfiguring the system when a new kind of attack appears.
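
The two detection styles side by side, as an added example that is not code from the article, ModSecurity, the Core Rule Set or libinjection: a first-generation regular-expression signature and a deliberately simplified second-generation tokenizer that matches token-class fingerprints in the spirit of libinjection. The signature, the keyword list, the token classes and the deny-list of fingerprints are all constructed for the demo, and the quote-context handling that libinjection performs is left out.

```python
import re

# Added illustration (not the article's, CRS's or libinjection's code).

# ---- Generation 1: a regular-expression signature ------------------------
# Hypothetical signature for a UNION-based injection (constructed, not a CRS rule).
UNION_SELECT_RE = re.compile(r"union\s+(?:all\s+)?select", re.IGNORECASE)


def gen1_detect(value: str) -> bool:
    """Raw text match: fast, but it only hits what the pattern literally spells out."""
    return UNION_SELECT_RE.search(value) is not None


# ---- Generation 2: tokenize, then look the fingerprint up ----------------
# Token classes: k = SQL keyword, v = bareword (column/variable name),
# s = string literal, n = number, o = operator/punctuation, c = comment.
KEYWORDS = {"select", "union", "all", "from", "where", "or", "and", "insert", "drop"}

TOKEN_RE = re.compile(
    r"""
    (?P<c>/\*.*?\*/|--[^\n]*|\#[^\n]*)         # comments: /* */, -- and #
    |(?P<s>'[^']*(?:'|$)|"[^"]*(?:"|$))         # string literal (unterminated runs to end)
    |(?P<n>\b\d+(?:\.\d+)?\b)                   # number
    |(?P<w>\b[A-Za-z_][A-Za-z0-9_]*\b)          # keyword or bareword
    |(?P<o>[^\s\w])                             # any other single character
    """,
    re.VERBOSE | re.DOTALL,
)


def tokenize(value: str) -> list:
    """Return (class, text) pairs. Comments are dropped, so inserting /**/ or other
    comment syntax between keywords no longer changes the result."""
    tokens = []
    for m in TOKEN_RE.finditer(value):
        kind = m.lastgroup
        text = m.group(kind)
        if kind == "c":
            continue
        if kind == "w":
            kind = "k" if text.lower() in KEYWORDS else "v"
        tokens.append((kind, text))
    return tokens


def fingerprint(value: str) -> str:
    """The sequence of token classes, e.g. "1 UNION SELECT 1" -> "nkkn"."""
    return "".join(kind for kind, _ in tokenize(value))


# Constructed deny-list of fingerprints (libinjection ships its own list of
# several thousand; these few are enough for the demo, numeric context only).
BAD_FINGERPRINTS = {
    "nkkn",   # 1 UNION SELECT 1
    "nkkkn",  # 1 UNION ALL SELECT 1
    "nknon",  # 1 OR 1=1
}


def gen2_detect(value: str) -> bool:
    """Structural match: flag the value if its fingerprint contains a known-bad sequence."""
    fp = fingerprint(value)
    return any(bad in fp for bad in BAD_FINGERPRINTS)


def classify(value: str) -> dict:
    """Run both detectors on one parameter value."""
    return {"gen1": gen1_detect(value), "gen2": gen2_detect(value), "fp": fingerprint(value)}


if __name__ == "__main__":
    # Constructed parameter values: a plain injection, the same one with an inline
    # comment instead of whitespace, and a benign value containing a quote.
    for sample in ("1 UNION SELECT 1", "1 UNION/**/SELECT 1", "1/**/OR/**/1=1", "O'Brien"):
        print(repr(sample), classify(sample))
```

The inline-comment variant defeats the signature because `\s+` requires whitespace between the keywords, yet its token sequence is identical to the plain injection, which is exactly the case the second generation was designed for. A real engine must also try the value inside a single- and double-quoted context (`' OR '1'='1`), which this demo skips.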


Third generation. The step forward in third-generation detection logic is the use of machine learning methods that bring the detection grammar as close as possible to the real SQL/HTML/JS grammars of the protected systems. This detection logic makes it possible to fit a Turing machine that covers recursively enumerable grammars. The task of building a trainable Turing machine remained unsolved until the first work on neural Turing machines was published.

Machine learning provides the unique ability to adapt any grammar to cover any type of attack without writing signature lists by hand, as first-generation detection requires, and without developing new tokenizers and parsers for new attack classes such as Memcached, Redis, Cassandra and SSRF injection, as the second-generation approach requires.

Combining all three generations of detection logic, we can draw a new diagram in which third-generation detection is marked by the red outline (Figure 3). This generation includes one of the solutions we use in our cloud together with Onsec, the developer of the Wallarm platform for protecting web applications and APIs.

The detection logic now uses feedback from the application to tune itself. In machine learning this feedback loop is called "reinforcement". Usually one or more of the following kinds of reinforcement are present:

  • Analysis of the application's response behaviour (passive)
  • Scanner/fuzzer (active)
  • Log files / interceptor procedures / honeypots (post-factum)
  • Manual (defined by the administrator)

As a result, third-generation detection logic also addresses the important question of accuracy. It is now possible not only to reduce false positives and false negatives, but also to correctly classify as legitimate those requests that look like attacks, such as SQL statements submitted through a control panel, loading of web page templates, AJAX requests carrying JavaScript error text, and so on.
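
A sketch of how two of the reinforcement sources listed above (passive analysis of the application's response, and a manual verdict from the administrator) can adjust a detection so that the control-panel case stops being a false positive. This is an added example, not Wallarm's module or any vendor's code; the prior, the decay factors, the database error patterns and the sample traffic are constructed for the demo.

```python
import re

# Added illustration of the feedback loop (not Wallarm's or any vendor's code).

# Passive evidence that an injection attempt actually reached the database:
# a server error, or a database error message in the response body.
DB_ERROR_RE = re.compile(
    r"(you have an error in your sql syntax|unterminated quoted string|ora-\d{5}|syntax error at or near)",
    re.IGNORECASE,
)


class FeedbackTuner:
    """Confidence, per (path, parameter, fingerprint), that a detection is a real attack.

    Every suspicious request starts from the same prior. Passive feedback (what the
    application answered, available in monitoring mode where the request was let
    through) moves the confidence; a manual verdict from the administrator pins it,
    which is how a control panel that legitimately accepts SQL stays unblocked.
    """

    def __init__(self, prior: float = 0.6, threshold: float = 0.5):
        self.prior = prior
        self.threshold = threshold
        self.scores = {}   # key -> confidence in (0, 1)
        self.pinned = {}   # key -> verdict fixed by the administrator

    @staticmethod
    def key(path: str, param: str, fingerprint: str) -> tuple:
        return (path, param, fingerprint)

    def passive_feedback(self, path, param, fingerprint, status: int, body: str) -> float:
        """Update confidence from the application's response and return the new value."""
        k = self.key(path, param, fingerprint)
        score = self.scores.get(k, self.prior)
        if status >= 500 or DB_ERROR_RE.search(body or ""):
            score += (1.0 - score) * 0.5   # strong confirmation: move halfway to certainty
        elif 200 <= status < 300:
            score *= 0.9                   # one more normal answer: slightly less suspicious
        self.scores[k] = score
        return score

    def manual_feedback(self, path, param, fingerprint, is_attack: bool) -> None:
        """Administrator verdict; overrides whatever the automatic loop computed."""
        self.pinned[self.key(path, param, fingerprint)] = is_attack

    def should_block(self, path, param, fingerprint) -> bool:
        k = self.key(path, param, fingerprint)
        if k in self.pinned:
            return self.pinned[k]
        return self.scores.get(k, self.prior) >= self.threshold


def demo() -> dict:
    """Constructed traffic: the same SQL-looking fingerprint hits a public search
    endpoint and a control panel that legitimately runs SQL."""
    t = FeedbackTuner()
    fp = "nknon"  # e.g. the token-class fingerprint of "1 OR 1=1"
    # Public endpoint: the backend failed with a database error -> confidence rises.
    t.passive_feedback("/search", "q", fp, 500, "You have an error in your SQL syntax")
    # Control panel: two normal responses -> confidence decays below the threshold.
    t.passive_feedback("/admin/sql", "query", fp, 200, "<table>...</table>")
    t.passive_feedback("/admin/sql", "query", fp, 200, "<table>...</table>")
    # The administrator confirms the panel is legitimate; the verdict is now pinned.
    t.manual_feedback("/admin/sql", "query", fp, is_attack=False)
    return {
        "search_blocked": t.should_block("/search", "q", fp),
        "admin_blocked": t.should_block("/admin/sql", "query", fp),
        "search_score": t.scores[("/search", "q", fp)],
        "admin_score": t.scores[("/admin/sql", "query", fp)],
    }


if __name__ == "__main__":
    print(demo())
```

Note that the passive channel only exists when the request was allowed through (monitoring mode or a sampled copy of traffic); once the WAF blocks, there is no application response to learn from, which is why the manual and post-factum channels remain necessary.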


Next we look at the technical capabilities of the different WAF deployment options.

Hardware, software or cloud: which should you choose?

One option for deploying an application firewall is a hardware solution. Such systems are specialised computing appliances that a company installs locally in its own data centre. In this case you have to buy the equipment yourself and pay integrators to set it up and tune it (if the company has no IT department of its own). At the same time, any equipment eventually becomes obsolete and unusable, so customers are forced to budget for hardware upgrades.

Another option is to deploy the WAF as software. The solution is installed as an add-on to other software (for example, ModSecurity is configured on top of Apache) and runs on the same server. As a rule, such solutions can be deployed both on a physical server and in the cloud. Their drawbacks are limited scalability and limited vendor support.

The third option is to deploy the WAF from the cloud. Such solutions are offered by cloud providers as a subscription service. The company does not need to buy and configure specialised hardware; those tasks fall to the service provider. An important point is that a modern cloud WAF does not require moving resources to the provider's platform. The site can be hosted anywhere, even on-premises.

Below we explain why people are increasingly turning to cloud WAFs.

What a WAF can do in the cloud

In terms of technical capabilities:

  • The provider is responsible for updates. The WAF is delivered by subscription, so the service provider keeps updates and licences current. The updates concern not only the software but also the hardware: the provider upgrades and maintains the server fleet. It is also responsible for load balancing and redundancy. If a WAF server fails, traffic is immediately redirected to another machine. Sensible traffic distribution avoids the situation where the firewall enters fail-open mode, that is, cannot cope with the load and stops filtering requests.
  • Virtual patching. A virtual patch restricts access to the vulnerable parts of the application until the developer closes the vulnerability. The cloud provider's customer can therefore wait calmly until the vendor of the affected software releases an official patch; releasing it as quickly as possible remains the software vendor's job. For example, in the Wallarm platform a separate software module is responsible for virtual patching. The administrator can add regular expressions that block malicious requests. The system also makes it possible to mark certain requests with a "Sensitive data" flag: their parameters are then masked and are under no circumstances transmitted outside the firewall's working area.
  • Built-in perimeter and vulnerability scanner. This lets you determine the network boundaries of the IT infrastructure on your own, using data from DNS queries and the WHOIS protocol. The WAF then automatically examines the services running inside the perimeter (it performs port scanning). The firewall can detect all common vulnerability classes (SQLi, XSS, XXE and so on) and identify software misconfigurations, for example unauthorised access to Git and Bitbucket repositories and unauthenticated access to Elasticsearch, Redis and MongoDB.
  • Attacks are analysed with cloud resources. As a rule, cloud providers have large amounts of computing power, which allows threats to be analysed with high precision and speed. A cluster of filter nodes through which all traffic passes is deployed in the cloud. These nodes block attacks on web applications and send statistics to the Analytics Center, which uses machine learning algorithms to update the blocking rules for all protected applications. The implementation of this scheme is shown in Fig. 4. Rules tuned in this way reduce the number of false alarms.
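
The virtual-patching and "Sensitive data" ideas from the list above, as an added example in the form of a small filter-node function. This is not Wallarm's virtual patching module or any vendor's code: the endpoints, the flaw being shielded (a hypothetical path traversal in the `file` parameter of `/api/export`), the legacy `/old-admin` interface, the sensitive parameter names and the request samples are all constructed for the demo.

```python
import re
from urllib.parse import parse_qsl, unquote

# Added illustration (not Wallarm's module or any vendor's code).

# A virtual patch: a location, optionally a parameter, and a pattern that must not
# reach the still-unfixed code. vp-001 shields a hypothetical path traversal in the
# "file" parameter of /api/export; vp-002 fences off a hypothetical legacy admin
# interface entirely until it is removed. Both endpoints are made up for the demo.
VIRTUAL_PATCHES = [
    {"id": "vp-001", "path": re.compile(r"^/api/export$"), "param": "file",
     "pattern": re.compile(r"(^|/)\.\.(/|$)")},
    {"id": "vp-002", "path": re.compile(r"^/old-admin(/|$)"), "param": None, "pattern": None},
]

# Parameters flagged as sensitive: their values are masked in every event record
# that leaves the filter node for log storage or the analytics back end.
SENSITIVE_PARAMS = {"password", "card_number", "cvv", "token"}
MASK = "[masked]"


def canonical(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so that a
    double-encoded payload such as %252e%252e is matched in decoded form."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def mask_params(params):
    """Return the parameter list with sensitive values replaced by a placeholder."""
    return [(name, MASK if name.lower() in SENSITIVE_PARAMS else value) for name, value in params]


def evaluate(method: str, path: str, query: str = "", form: str = "") -> dict:
    """Decide pass/block for one request and build the event record that would be
    exported; the exported record never contains raw sensitive values."""
    params = parse_qsl(query, keep_blank_values=True) + parse_qsl(form, keep_blank_values=True)
    decision = {"action": "pass", "patch": None}
    for patch in VIRTUAL_PATCHES:
        if not patch["path"].search(path):
            continue
        if patch["param"] is None:                      # whole location fenced off
            decision = {"action": "block", "patch": patch["id"]}
            break
        for name, value in params:                      # only the named parameter
            if name == patch["param"] and patch["pattern"].search(canonical(value)):
                decision = {"action": "block", "patch": patch["id"]}
                break
        if decision["action"] == "block":
            break
    decision["event"] = {"method": method, "path": path, "params": mask_params(params)}
    return decision


if __name__ == "__main__":
    # Constructed requests: traversal, double-encoded traversal, a normal export,
    # the fenced-off legacy path, and a login whose password must never be exported.
    print(evaluate("GET", "/api/export", "file=..%2F..%2Fetc%2Fpasswd"))
    print(evaluate("GET", "/api/export", "file=%252e%252e%2Fetc%2Fpasswd"))
    print(evaluate("GET", "/api/export", "file=report.csv"))
    print(evaluate("GET", "/old-admin/users"))
    print(evaluate("POST", "/login", form="user=bob&password=hunter2"))
```

Two details matter in practice: the pattern is applied to the canonical (fully decoded) value, because a patch that inspects only the raw string is bypassed by double encoding, and masking happens before the event is serialised, so the analytics side never sees the raw credential regardless of the decision.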


Now a few words about the organisational and management side of cloud WAFs:

  • Shift to OpEx. With a cloud WAF the deployment cost is zero, since all hardware and licences have already been paid for by the provider; the service is paid for by subscription.
  • Different tariff plans. The cloud service user can quickly enable or disable additional options. Functions are managed from a single control panel, which is itself protected: it is accessed over HTTPS, and there is two-factor authentication based on the TOTP (Time-based One-Time Password) algorithm.
  • Connection via DNS. You can change the DNS records yourself and configure network routing. There is no need to hire and train separate specialists for these tasks; as a rule, the provider's technical support can help with the configuration.

WAF technology has evolved from simple firewalls with rule-of-thumb rules to complex protection systems with machine learning algorithms. Application firewalls now offer a wide range of capabilities that were hard to implement in the 1990s. In many ways this new functionality was made possible by cloud technology. WAF solutions and their components keep evolving, just like every other area of information security.

This material was prepared by Alexander Karpuzikov, information security product manager at the cloud provider #CloudMTS.

Source: www.habr.com
