Firewall technology has been developing for many years, so why do network attacks still keep appearing one after another? Is it a flaw in the technology, or progress in attack techniques? Why is an application firewall needed?......
| ID | Category | Description |
|---|---|---|
| A7 | Improper Error Handling | Error conditions that occur during normal operation are not handled properly. If an attacker can cause errors to occur that the web application does not handle, they can gain detailed system information, deny service, cause security mechanisms to fail, or crash the server. |
| A8 | Insecure Storage | Web applications frequently use cryptographic functions to protect information and credentials. These functions and the code to integrate them have proven difficult to code properly, frequently resulting in weak protection. |
| A9 | Denial of Service | Attackers can consume web application resources to a point where other legitimate users can no longer access or use the application. Attackers can also lock users out of their accounts or even cause the entire application to fail. |
| A10 | Insecure Configuration Management | Having a strong server configuration standard is critical to a secure web application. These servers have many configuration options that affect security and are not secure out of the box. |
Industry-standard application firewalls generally use positive security technology to protect applications. Positive security means building a positive rule set, that is, a description of which behaviours and accesses are legitimate. Each piece of received application data (the application data reassembled from the network protocol, not the packet headers) is checked against these rules. Because only known-normal data is allowed through, this approach can defend against all unknown attacks.

The table below compares the features of application firewall technology with those of traditional security products:
| Attack category |
|---|
| Unvalidated Input |
| Broken Access Control |
| Broken Authentication and Session Management |
| Cross Site Scripting (XSS) Flaws |
| Buffer Overflows |
| Injection Flaws |
| Improper Error Handling |
| Insecure Storage |
| Denial of Service |
| Insecure Configuration Management |
| Unknown Attacks |
Application firewall technology is an important complement to the existing network security architecture; it does not replace traditional firewalls, intrusion detection systems and other security devices. Traditional security devices block attackers' frontal intrusions and focus on attack protection at the network layer, while an application firewall focuses on content inspection and security defence at the application layer. Together with traditional security devices it forms a comprehensive and effective protection system.
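The positive security model described above, as an added example that is not part of the original article or of any product it describes: a toy allowlist engine that declares which requests are legitimate per endpoint and rejects everything else. The endpoint names, rule schema and sample requests are all constructed for illustration.

```python
"""Positive-security-model (allowlist) check on application-layer data.

Only the decoded application data is inspected: request method, path,
query string and form body. Transport-level headers play no part in the
decision, matching the positive model the article describes.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Positive rule set (constructed): only what is described here is allowed.
# Per endpoint: the permitted methods and, per parameter, a regex that the
# whole decoded value must match. Anything undeclared is rejected.
RULES = {
    "/login": {
        "methods": {"POST"},
        "params": {
            "user": re.compile(r"[A-Za-z0-9_.]{1,32}\Z"),
            "pass": re.compile(r"[^\x00-\x1f]{8,64}\Z"),
        },
    },
    "/article": {
        "methods": {"GET"},
        "params": {"id": re.compile(r"[0-9]{1,9}\Z")},
    },
}


def check_request(method, target, body=""):
    """Return (allowed, reason) for one decoded HTTP request."""
    parts = urlsplit(target)
    rule = RULES.get(parts.path)
    if rule is None:
        return False, "unknown endpoint %s" % parts.path
    if method not in rule["methods"]:
        return False, "method %s not allowed on %s" % (method, parts.path)
    # Merge query and body parameters; blank values are kept so they are checked too.
    params = parse_qs(parts.query, keep_blank_values=True)
    for name, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(name, []).extend(values)
    for name, values in params.items():
        pattern = rule["params"].get(name)
        if pattern is None:
            return False, "parameter %s not in rule set" % name
        if not all(pattern.match(v) for v in values):
            return False, "parameter %s has unexpected form" % name
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample traffic: one legitimate request, two outside the rules.
    for req in [("GET", "/article?id=42", ""), ("GET", "/article?id=4two", ""),
                ("POST", "/login", "user=alice&pass=correct-horse&debug=1")]:
        print(req[0], req[1], check_request(*req))
```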