The evolution of the Web Application Firewall: from firewalls to cloud-based protection systems with machine learning

In our previous post on cloud topics, we talked about how to protect IT resources in a public cloud and why traditional antivirus is not entirely suitable for that purpose. In this post we continue the cloud security theme and talk about the evolution of the WAF and which option is better to choose: hardware, software or cloud.

What a WAF is

More than 75% of attacks target vulnerabilities in web applications and websites, and such attacks often go unnoticed by the information security infrastructure and the security team. Vulnerabilities in web applications carry the risk of compromise: account takeover and theft of personal data, passwords and credit card numbers. Beyond that, a vulnerability in a website serves as the attacker's entry point into the corporate network.

A Web Application Firewall (WAF) is a protective screen that blocks attacks on web applications: SQL injection, cross-site scripting, remote code execution, brute force and authorization bypass. This includes attacks that exploit zero-day vulnerabilities, with one caveat a practitioner should keep in mind: a WAF stops a zero-day exploit only to the extent that the exploit traffic matches its generic attack patterns or deviates from the application's normal behaviour; it does not remove the vulnerability itself. Application firewalls provide protection by inspecting HTTP/HTTPS requests and the returned page content (HTML, DHTML, CSS) and filtering out malicious requests.

What were the first solutions?

The first attempts to build a Web Application Firewall date back to the early 1990s. At least three engineers are known to have worked in this area. The first was Gene Spafford, a professor of computer science at Purdue University. He described the architecture of a proxy application firewall and published it in 1991 in the book Practical UNIX Security.

The second and third were information security specialists William Cheswick of Bell Labs and Marcus Ranum of DEC. They built one of the first prototypes of an application firewall, which DEC brought to market under the name SEAL (Screening External Access Link).

SEAL, however, was not a full-fledged WAF. It was a classic network firewall with extended functionality: the ability to block attacks on FTP and RSH. For this reason the first WAF is today considered to be the product of Perfecto Technologies (later Sanctum). In 1999 the company introduced AppShield. At that time Perfecto Technologies was developing information security solutions for e-commerce, so online stores became the target audience for its new product. AppShield could analyze HTTP requests and blocked attacks based on dynamic security policies.

Not long after AppShield, in 2002, the first open source WAF appeared: ModSecurity. It was created to popularize WAF technology and is still maintained by the community (the repository is on GitHub). ModSecurity blocks attacks on applications using a standard set of regular expressions (signatures), that is, pattern-based checks of requests: the OWASP Core Rule Set.

In the end the developers achieved their goal: new WAF solutions began to appear on the market, including ones built on top of ModSecurity.

Three generations, already history

It is customary to distinguish three generations of WAF systems, which evolved as the technology matured.

First generation. It works with regular expressions (or grammars). ModSecurity belongs here. The vendor studies the types of attacks on applications and produces patterns describing legitimate and potentially malicious requests. The WAF checks these lists and decides what to do in each case: block the traffic or not.

An example of regex-based detection is the open source Core Rule Set already mentioned. Another example is Naxsi, also open source. Systems built on regular expressions have several drawbacks. In particular, when a new vulnerability is discovered the administrator has to write additional rules by hand. For a large IT infrastructure there may be several thousand rules. Managing that many regular expressions is hard in itself, not to mention that evaluating them can degrade network performance.

Regular expressions also have a high false-positive rate. The well-known linguist Noam Chomsky proposed a classification of formal grammars into four classes of increasing complexity. In this hierarchy regular expressions sit at the lowest level, so they can only express firewall rules that tolerate no deviation from the pattern. This means attackers can "fool" a first-generation WAF. One way is to add special characters to the request that do not interfere with how the malicious data is interpreted, but break the signature's pattern.

Second generation. To avoid the performance and accuracy problems of first-generation WAFs, second-generation firewalls were built. They contain parsers responsible for recognising strictly defined attack classes (in HTML, JS, and so on). These parsers work with special tokens describing a query (for example: variable, string, unknown, number). Potentially malicious token sequences are placed in a separate list, which the WAF regularly checks against. The approach was first shown at the Black Hat 2012 conference in the form of the libinjection C/C++ library, which detects SQL injection.

Compared with first-generation WAFs, the specialised parsers can be faster. However, they did not solve the difficulty of manually reconfiguring the system when a new malicious attack appears.
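To make the first two generations concrete, here is an added Python illustration (not code from the article, from ModSecurity, or from libinjection) that runs a first-generation regex signature and a libinjection-style tokenizer over the same constructed parameter values. Everything in it is hypothetical: the two signatures, the keyword list and the five fingerprints stand in for rule sets that in practice contain thousands of entries, and the tokenizer imitates the libinjection idea (lex the value, fingerprint the first five tokens, compare with a blacklist) without being its real implementation.

```python
"""First- vs second-generation WAF detection logic on one parameter.

Added illustration, not code from the article, from ModSecurity, or from
libinjection. The signatures, the keyword list and the fingerprint
blacklist are hypothetical and deliberately tiny.
"""
import re
from urllib.parse import parse_qsl

# ---- Generation 1: regular-expression signatures ---------------------------
GEN1_SIGNATURES = [
    re.compile(r"\bunion\s+select\b", re.IGNORECASE),
    re.compile(r"\bor\s+1\s*=\s*1\b", re.IGNORECASE),
]


def gen1_detect(value: str) -> bool:
    """Blocked only if a signature matches the raw text literally."""
    return any(sig.search(value) for sig in GEN1_SIGNATURES)


# ---- Generation 2: tokenizer plus fingerprint ------------------------------
SQL_KEYWORDS = {
    "select", "union", "all", "from", "where", "or", "and", "insert",
    "update", "delete", "drop", "order", "by", "having", "limit", "sleep",
}

TOKEN_RE = re.compile(r"""
    (?P<comment>/\*.*?\*/|--[^\n]*|\#[^\n]*)
  | (?P<string>'(?:[^'\\]|\\.)*'?|"(?:[^"\\]|\\.)*"?)
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<op><=|>=|<>|!=|\|\||&&|[=<>+\-*/%])
  | (?P<punct>[(),;])
  | (?P<space>\s+)
  | (?P<other>.)
""", re.VERBOSE | re.DOTALL)

CLASS_CHAR = {"keyword": "k", "name": "n", "number": "1", "string": "s",
              "op": "o", "other": "?"}


def tokenize(sql: str) -> list:
    """Lex a value into (class, text) pairs. Comments and whitespace are
    dropped, which is exactly what defeats the UNION/**/SELECT evasion."""
    tokens = []
    for m in TOKEN_RE.finditer(sql):
        kind, text = m.lastgroup, m.group()
        if kind in ("comment", "space"):
            continue
        if kind == "word":
            kind = "keyword" if text.lower() in SQL_KEYWORDS else "name"
        tokens.append((kind, text))
    return tokens


def fingerprint(sql: str, max_tokens: int = 5) -> str:
    """Class string of the first tokens, e.g. '1kkn,' for 1 UNION SELECT a,b."""
    return "".join(text if kind == "punct" else CLASS_CHAR[kind]
                   for kind, text in tokenize(sql)[:max_tokens])


# Hypothetical blacklist; a real one has thousands of curated entries.
GEN2_BLACKLIST = {
    "1kkn,",  # 1 UNION SELECT a,b ...
    "1kkkn",  # 1 UNION ALL SELECT a ...
    "1kk1",   # 1 UNION SELECT 1 ...
    "1k1o1",  # 1 OR 1=1
    "sksos",  # ' OR '1'='1  as seen from inside an open quoted string
}


def gen2_detect(value: str) -> bool:
    """Try the value as-is and as if it closed an open ' or " string,
    so injections that start by breaking out of a quote are also covered."""
    return any(fingerprint(prefix + value) in GEN2_BLACKLIST
               for prefix in ("", "'", '"'))


def inspect(query_string: str) -> dict:
    """Run both generations over every parameter of a query string."""
    params = parse_qsl(query_string, keep_blank_values=True)
    return {"gen1": any(gen1_detect(v) for _, v in params),
            "gen2": any(gen2_detect(v) for _, v in params)}


# Constructed sample requests, not captured traffic.
SAMPLES = {
    "legit_search": "id=42&q=red shoes",
    "plain_sqli": "id=1 UNION SELECT user,password FROM users",
    "evasion_comment": "id=1 UNION/**/SELECT user,password FROM users",
    "evasion_all": "id=1 UNION ALL SELECT user,password FROM users",
    "quoted_tautology": "user=' OR '1'='1",
}

if __name__ == "__main__":
    for name, qs in SAMPLES.items():
        print(f"{name:18} {inspect(qs)}")
```

The regex misses `UNION/**/SELECT` and `UNION ALL SELECT` because `\s+` demands whitespace between exactly those two words; that is the "special characters" evasion described above. The tokenizer drops the comment and classifies `ALL` as a keyword, so both variants collapse to fingerprints already on the list. The same run also shows the second generation's limit: a fingerprint that is not yet on the list, such as the one produced by a new attack class, is still missed until someone adds it by hand, and exact matching is what keeps a search for "select all products from catalog" from being blocked.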

Third generation. The change in detection concept in the third generation lies in using machine learning methods that make it possible to bring the detection grammar as close as possible to the real SQL/HTML/JS grammar of the protected systems. This detection logic is able to adapt a Turing machine to cover recursively enumerable grammars. Moreover, the task of building an adaptable Turing machine had been considered unsolvable until the first studies on neural Turing machines were published.

Machine learning provides the unique ability to adapt to any grammar so as to cover any attack class without manually building signature lists, as first-generation detection required, and without developing new tokenizers and parsers for new attack types such as Memcached, Redis, Cassandra and SSRF injections, as the second-generation approach required.

Combining all three generations of detection logic, we can draw a new diagram in which the third generation is represented by the red frame (Figure 3). This generation includes one of the solutions we use in our cloud, together with Onsek, the developer of Wallarm, an adaptive protection platform for web applications and APIs.

The detection logic now uses feedback from the application to tune itself. In machine learning this feedback loop is called "reinforcement". Usually one or more of the following kinds of reinforcement are present:

  • Analysis of the application's response behaviour (passive)
  • Scanner/fuzzer (active)
  • Report files / interceptor procedures / traps (after the fact)
  • Manual (defined by the administrator)

As a result, third-generation detection logic also has to deal with an important accuracy issue. It is no longer only about avoiding false negatives and false positives, but also about recognising legitimate true positives: for example, the use of SQL commands in a control panel, the upload of a web page template, or AJAX requests related to JavaScript errors.

Next we will look at the technical capabilities of the different WAF deployment options.

Hardware, software or cloud: what to choose?

One deployment option for an application firewall is a hardware solution. These are dedicated computing appliances that the company installs in its own data centre. In that case, however, you have to buy the equipment yourself and pay integrators to configure and tune it (if the company has no IT department of its own). At the same time, any equipment becomes obsolete and unusable over time, so customers are forced to budget for hardware upgrades.

Another WAF deployment option is a software implementation. The solution is installed as an add-on to some other software (for example, ModSecurity is configured on top of Apache) and runs on the same server. As a rule, such solutions can be deployed both on a physical server and in the cloud. Their drawbacks are limited scalability and dependence on vendor support.

The third option is a cloud WAF. Such solutions are offered by cloud providers as a subscription service. The company does not need to buy and configure special hardware; those tasks fall on the service provider. An important point is that a modern cloud WAF does not require moving resources onto the provider's platform. The site can be deployed anywhere, even on premises.

Below we explain in more detail why people are now increasingly looking at cloud WAFs.

What a WAF can do in the cloud

In terms of technical capabilities:

  • The provider is responsible for updates. The WAF is delivered by subscription, so the service provider keeps track of updates and license compliance. Updates concern not only software but also hardware: the provider upgrades and maintains the server fleet. It is also responsible for load balancing and redundancy. If a WAF server fails, traffic is immediately redirected to another machine. Sensible traffic distribution avoids situations where the firewall goes into fail-open mode, that is, can no longer cope with the load and stops filtering requests.
  • Virtual patching. Virtual patches restrict access to vulnerable parts of the application until the developer closes the vulnerability. As a result, the cloud provider's customer can calmly wait until the vendor of the software in question publishes official patches; releasing them as quickly as possible is the software vendor's priority. For example, on the Wallarm platform a separate software module is responsible for virtual patching. The administrator can add custom regular expressions to block malicious requests. The system also makes it possible to mark certain requests with a "Sensitive data" flag: their parameters are then masked and are under no circumstances passed outside the firewall's working area.
  • Built-in perimeter and vulnerability scanner. This lets you independently determine the network perimeter of the IT infrastructure using data from DNS queries and the WHOIS protocol. The WAF then automatically analyses the services running inside the perimeter (it performs a port scan). The firewall can detect all common vulnerability classes (SQLi, XSS, XXE, and so on) and identify software misconfigurations, for example unauthorized access to Git and BitBucket repositories and unauthenticated calls to Elasticsearch, Redis and MongoDB.
  • Attacks are monitored with cloud resources. As a rule, cloud providers have large amounts of computing power, which allows threats to be analysed with high accuracy and speed. A cluster of filter nodes is deployed in the cloud, through which all traffic passes. These nodes block attacks on web applications and send statistics to the Analytics Center, which uses machine learning algorithms to update the blocking rules for all protected applications. The implementation of such a scheme is shown in Fig. 4. Such tailored security rules reduce the number of false alarms.
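As an added illustration of the virtual patching and "Sensitive data" ideas in the list above, not code from the article or from Wallarm, here is a small Python filter function of the kind a filter node could run. The endpoint /api/export, its ?report= parameter, the traversal rule and the sensitive parameter names are assumptions made for the example.

```python
"""Virtual patching and sensitive-parameter masking at the filter node.

Added example, not the article's or any vendor's code. The rule format,
the hypothetical endpoint /api/export with its vulnerable ?report=
parameter and the parameter names are assumptions made for illustration.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlsplit


@dataclass
class VirtualPatch:
    """Operator-written rule that shields one endpoint until it is fixed."""
    path: str            # request path the rule applies to
    param: str           # parameter known to reach vulnerable code
    deny: re.Pattern     # values matching this are rejected
    note: str            # what the patch covers, for the audit log


@dataclass
class Decision:
    blocked: bool
    reason: str
    log_params: dict = field(default_factory=dict)  # safe to ship to analytics


# Hypothetical: /api/export builds a file path from ?report= and is open
# to path traversal until the developers ship a real fix.
PATCHES = [
    VirtualPatch(
        path="/api/export",
        param="report",
        # literal "..", a path separator, or a still-encoded ".." left by
        # double encoding (parse_qsl decodes exactly one layer)
        deny=re.compile(r"\.\.|[/\\]|%2e%2e", re.IGNORECASE),
        note="path traversal via report parameter",
    ),
]

# Parameters flagged as sensitive data: their values never leave the
# filter node, so they are masked before anything is logged or exported.
SENSITIVE_PARAMS = {"password", "card_number", "cvv", "token"}


def enforce(url: str) -> Decision:
    """Apply virtual patches to one request and return a loggable decision."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    safe_log = {k: "***" if k.lower() in SENSITIVE_PARAMS else v
                for k, v in params.items()}
    for patch in PATCHES:
        if parts.path != patch.path or patch.param not in params:
            continue
        if patch.deny.search(params[patch.param]):
            return Decision(True, f"virtual patch: {patch.note}", safe_log)
    return Decision(False, "allowed", safe_log)


if __name__ == "__main__":
    for u in ("https://shop.example/api/export?report=monthly",
              "https://shop.example/api/export?report=../../etc/passwd",
              "https://shop.example/login?user=alice&password=hunter2"):
        print(u, "->", enforce(u))
```

The rule is deliberately narrow (one path, one parameter), which is what distinguishes a virtual patch from a generic signature: it buys time for a known bug without touching the rest of the application. The `%2e%2e` alternative covers double-encoded input because parse_qsl, like most servers, removes only one layer of URL encoding. Masking happens before the decision object leaves the function, so neither the log nor any analytics export ever sees the password value.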

Now a little about the features of cloud WAFs from the organizational and management side:

  • Shift to OpEx. With a cloud WAF the capital expenditure is zero, since all the hardware and licenses are paid for by the provider; the service is paid for by subscription.
  • Different tariff plans. The user of the cloud service can quickly enable or disable additional options. Functions are managed through a single control panel, which is itself protected: it is accessed over HTTPS, and two-factor authentication based on the TOTP (Time-based One-Time Password) algorithm is available.
  • Connection via DNS. Onboarding comes down to changing DNS records and adjusting network routing, which the customer can do without hiring or training dedicated specialists; as a rule, the provider's technical support helps with the setup.

WAF technology has evolved from simple firewalls with rudimentary rules to complex protection systems with machine learning algorithms. Application firewalls now offer a wide range of features that would have been hard to implement in the 1990s. In many ways the emergence of this new functionality is due to cloud technologies. WAF solutions and their components continue to evolve, like every other area of information security.

Text prepared by Alexander Karpuzikov, information security product development manager at the cloud provider #CloudMTS.

Source: www.habr.com
