使用 保护信息资源 网络应用程序防火墙外文翻译资料

 2022-08-10 04:08

SECURING INFORMATION RESOURCES USING

WEB APPLICATION FIREWALLS

Petr A. BARANOV

Associate Professor, Department of Innovations and Business in IT, National Research University Higher School of Economics

Address: 20, Myasnitskaya Street, Moscow, 101000, Russian Federation E-mail: pbaranov@hse.ru

Eldar R. BEYBUTOV

MSc Program Student, Faculty of Business and Management,

National Research University Higher School of Economics

Address: 20, Myasnitskaya Street, Moscow, 101000, Russian Federation

E-mail: eldar.beybutov@gmail.com

This paper provides an overview of core technologies implemented by comparably new products on the information security market – web application firewalls. Web applications are a very widely-used and convenient way of presenting remote users with access to corporate information resources. They can, however, become single point of failure rendering all the information infrastructure inaccessible to legitimate clients. To prevent malicious access attempts to endpoint information resources and, intermediately, to web servers, a new class of information security solutions has been created.

Web application firewalls function at the highest, seventh layer of the ISO/OSI model and serve as a controlling tunnel for all the traffic heading to and from a companyrsquo;s web application server(s). To ensure decent levels of traffic monitoring and intrusion prevention, web application firewalls are equipped with various mechanisms of data exchange session laquo;normalityraquo; control. These mechanisms include protocol check routines, machine learning techniques, traffic signature analysis and more dedicated means, such as denial of service, XSS injection and CRRF attack prevention. The ability to research and add user rules to be processed along with vendor-provided ones is important, since every company has its own security policy and, therefore, the web application firewall should provide security engineers with ways to tweak its rules to reflect the security policy more precisely.

This research is based on broad practical experience of integrating web application firewalls into the security landscape of various organizations, their administration and customization. We illustrate our research into available filtering mechanisms and their implementations with exemplary product features by market leaders.

Key words: information security, web application firewall, application server protection.

Citation: Baranov P.A., Beybutov E.R. (2015) Securing information resources using web application firewalls. Business Informatics, no. 4 (34), pp. 71–78. DOI: 10.17323/1998-0663.2015.4.71.78.

Introduction

N

owadays, many companies and businesses have an information security policy which assumes remote access to their information resources (calculation powers, cloud services, data storage). By saying laquo;remote accessraquo;, we mean access over the Internet. This could be made through letting all Internet users gain certain types of access to resources or through letting only identified corporate users remotely use the companyrsquo;s resources. Direct access to information resources is both inconvenient for users and comparably insecure because of the lack of a single access point which hinders security policy implementation. The solution is well-known and it is called Application Servers, or application-layer intermediate nodes. External users gain access to these nodes using the regular web browser, interact with unified interface and put queries to it. These queries are afterwards translated by the Application Server into more specific queries to internal information resources and, after getting a response from these resources, the Application Server transforms them into an easy-to-understand view and shows it to the external user in his/her web browser. The scheme is transparent and, once all components are installed and set up, has predictable and controllable technical support expenses. Information security breaches often lead to increased technical support expenses. In these terms, to gain control over technical support funds the company management must be sure that the security level of the single access point – the web application – is high enough to prevent malicious attempts at access and use of company data from getting through the Application Server to the data hosting infrastructure. There are national [1, 2], industry branch [3, 4] and corporate [5, 6] standards of writing secure web applications. Application development in accordance with these standards is a labor-intensive, expensive and hard-to-scale procedure. It does not guarantee safety of the result if software developed by a third party is applied. Information security officers need a versatile and configurable tool to control traffic flowing through the web application server and it must be able to prevent data endpoints and the application server itself from receiving and processing maliciously crafted traffic and queries.

Web application firewalls present a solution for the problem described. There are numerous vendors offering a variety of products who claim their products have all the mechanisms needed to provide security on top of standard web application rules. Speaking of Web application firewalls (WAF), people often become confused because of the different associations they have in mind on what features such a specific tool should contain. Even key functions of WAF are sometimes misunderstood. In this research, we would like to introduce a WAFrsquo;s typical functionality and the defense mechanisms that are essential for WAF in the modern state of the industry. The research is based on pr

剩余内容已隐藏,支付完成后下载完整资料


目录

一、英文文献一 1

SECURING INFORMATION RESOURCES USING WEB APPLICATION FIREWALLS 1

Petr A. BARANOV 1

Eldar R. BEYBUTOV 1

Introduction 1

1. Protocol check 2

2. Signature analysis 3

3. Machine learning 3

4. Injection nd XSS protection 4

5. User-defined rules of detecting illegitimate queries 4

6. laquo;Denial of serviceraquo; attack prevention 5

7. Integration of the information security landscape 5

Conclusion 6

References 6

二、英文文献二 8

International Journal of Computer Science and Mobile Computing 8

ISSN 2320–088X 8

WEB APPLICATION 8

I. INTRODUCTION 8

II. WEB APPLICATION FIREWALL 9

III. WORKING OF WEB APPLICATION FIREWALL 10

IV. WEB APPLICATION ATTACK 11

B. Sql Injection Attack 12

C. Path traversal 12

D. Cross Site scripting 12

V. PREVENTION OF WEB ATTACK BY DOTDEFENDER 12

A. Preventing Denial of Service Attacks 12

B. Preventing SQL Injection Attacks 13

VI. BENEFITS OF DOTDEFENDER 14

VII. CONCLUSION 14

ACKNOWLEDGEMENT 14

REFERENCES 14

三、英文文献三 15

Securing Web Applications against Structured Query Language Injection Attacks using a Hybrid Approach: Input Filtering and Web Application Firewall 15

ABSTRACT 15

Keywords 15

1. INTRODUCTION 15

2. LITERATURE REVIEW 15

2.1 SQL Injection Concepts and Definition 15

2.2 Types of SQLIA 17

2.2.1 Tautologies 17

2.2.2 Illegal/Logically Incorrect Queries 17

2.2.3 Union Query 17

2.2.4 Piggy-Backed Queries 18

2.2.5 Stored Procedures 18

2.2.6 Inference 18

2.2.7 Blind SQL injection 18

2.2.8 Second order SQL injection 19

2.3 SQL Injection Counter Measures. 19

2.3.1 Amnesia 19

2.3.2 SQLrand Scheme 19

2.3.3 SQL DOM Scheme 19

2.3.4 SQLIA Prevention Using Stored Procedures 20

2.3.5 Parse Tree Validation Approach 20

2.3.6 Dynamic Candidate Evaluations Approach 20

2.3.7 Ali et al.rsquo;s Scheme 20

2.3.8 SQLCHECKER Approach 20

2.3.9 Detecting Intrusions in Web Databases (DIWeDa) Approach 21

2.3.10 Manual Approaches 21

2.3.11 Automated Approaches 21

2.3.12 Parameterized statements 21

2.3.13 Escaping 21

2.3.14 Pattern check 22

2.3.15 SecuBat: A Web Vulnerability Scanner 22

2.3.16 Automatic Revised Tool for Anti-Malicious Injection 22

2.3.17 Eliminating SQL Injection Attacks - A Transparent Defense Mechanism 22

2.3.18 Defending Against Injection Attacks through Context-Sensitive String Evaluation 23

2.3.19 D-WAV: A Web Application Vulnerabilities Detection Tool using Characteristics of Web Forms 23

2.3.20 X-LOG Authentication Technique to Prevent SQL Injection Attacks 23

2.3.21 Swaddler: An Approach for the Anomaly based Detection of State Violations in Web Applications 23

2.3.23 Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Injection 24

2.3.24 SMask: Preventing Injection Attacks in Web Applications by Approximating Automatic Data/Code Separation 24

2.3.25 Automated Protection of PHP Applications against SQL-injection Attacks 24

2.3.26 Using Automated Fix Generation to Secure SQL Statements 24

2.3.27 Web application Firewall 24

2.3.29 URL Validation/Filtering Approach 25

2.4 Critiques of past approaches of preventing SQL injection attacks 26

2.4.1 Overview of shortcomings of some of the existing approaches for mitigation of SQL injection attacks 26

<a

剩余内容已隐藏,支付完成后下载完整资料</a


资料编号:[238329],资料为PDF文档或Word文档,PDF文档可免费转换为Word

原文和译文剩余内容已隐藏,您需要先支付 20元 才能查看原文和译文全部内容!立即支付

以上是毕业论文外文翻译,课题毕业论文、任务书、文献综述、开题报告、程序设计、图纸设计等资料可联系客服协助查找。