KR100958250B1 - Method for Securiting Web Server and Web Firewall Therefor - Google Patents

Abstract

The present invention relates to a method for securing a web server and a web firewall for the same, comprising: a first step of distinguishing a receive packet from a send packet and a send packet for checking only an area in which hacking occurs; A second step of handing over packets divided into a ReceiveFirewall and a SendFirewall to apply a different security policy, a third step of inspecting the packet by an applied security policy, and proof in the case of hacking A fourth step is to record the log to leave the data. According to the present invention, by providing a web server security method and a web firewall for reducing the occurrence of duplicate checks to avoid excessive security options, there is an effect of preventing the slowdown of web services and at the same time provide a strong security options. .

Web, application, firewall, hack, log

Description

Method for Securiting Web Server and Web Firewall Therefor}

The present invention relates to a method for securing a web server and a web firewall therefor, and more particularly, to a method and system for securing a web server using a web firewall.

In the Web of the Web 1.0 era, the server only displayed the information on the screen. In the Web of the Web 2.0 era, the Web has evolved into a model that allows users to produce and consume information.

Web 2.0 provides various services by developing web applications based on technologies such as JavaScript, Extensible Markup Language (XML), and Relay Spam Stopper (RSS) so that users can use various contents. However, vulnerabilities arise in interactive web pages for user-centered environment construction, and hacking cases for gaining intellectual property or financial gains using these vulnerabilities are increasing.

Users have difficulty finding vulnerabilities on the server, such as cross-site scripting or malicious code that occurs when they upload their data to web applications as scripts or specific code. In addition to the existing vulnerabilities in Web 1.0, Web 2.0 vulnerabilities are occurring.

About Web Vulnerabilities Open Web Application Project (OWASP) released 10 web application security vulnerabilities in 2004 and 2007 to improve the security of web application services. .

Recently developed web applications are developed in consideration of security in the development stage, but there are many security vulnerabilities of web applications that provide existing web services developed without considering vulnerabilities.

A typical network consists of network equipment between users and web servers providing services and intrusion detection systems for security. Here, the intrusion detection system includes an intrusion detection system (IDS) and an intrusion prevention system (IPS).

Hacking targets of the most prevalent web applications attack vulnerabilities by bypassing areas detected by existing security devices. This attack is possible because different security devices have different layers of inspection. Network firewalls block all ports except the ones they use, or block specific IPs. Since IDS and IPS examine and block the attack patterns of the IP layer and the TCP layer, security vulnerabilities in the lower layer of TCP / IP, that is, the application layer 110 and the presentation layer 120, as shown in FIG. This happens.

Web application vulnerabilities are well known by OWASP TOP 10, published by OWASP. Figure 2 shows the OWASP TOP 10 released by OWASP, cross-site scripting vulnerabilities, injection vulnerabilities, malicious file execution vulnerabilities, insecure direct object reference vulnerabilities, cross-site request tampering vulnerabilities, information leakage and improper error handling vulnerabilities, Indicates weak authentication and session management vulnerabilities, unstable cryptographic storage vulnerabilities, unstable communication vulnerabilities, and URL access notification failure vulnerabilities. In addition to these vulnerabilities, there are various web application vulnerabilities.

Meanwhile, a web application firewall is installed in response to a vulnerability of the web application. The web application firewall is classified into a network base and a web server base according to the installation location. A typical network-based web server is a gateway type web application firewall. Gateway type web application firewall is located at the front of web server based on H / W device to protect web application regardless of web server and operating system type, but excessive filtering causes traffic increase, thus reducing server's ability Occurs. Web server-based application firewall is installed as a plug-in of the web server based on the application programming interface (API) provided by the web server. Therefore, it is fast, compatible with web servers and operating systems, easy to install, while difficult to apply various security policies, and is dependent on web servers and operating systems.

Disclosure of Invention The present invention has been made to solve the above problems, and an object thereof is to provide a web server security method and a web firewall for reducing the occurrence of duplicate checks by avoiding excessive security options.

Another object of the present invention is to provide a web firewall to which a filter of an NDIS intermediate driver is applied.

In order to achieve the above object, the present invention is constructed as an intermediate driver of a network driver interface specification (NDIS) driver model, and includes a receive packet and a transmit packet flowing into the intermediate driver. SendPacket) provides a web firewall for web server security, characterized by recording logs to apply the security policy and classify intrusions as evidence.

The present invention provides a first step of distinguishing a ReceivePacket and a SendPacket to examine only an area where hacking occurs, and a ReceiveFirewall to apply a different security policy to each of the divided packets. And a second step of handing over packets divided into SendFirewall, a third step of inspecting the packet according to an applied security policy, and a fourth step of recording a log to leave evidence in case of hacking. It provides a web server security method comprising the.

As described above, according to the present invention, a web server security method and a web firewall for reducing duplication checking are avoided by avoiding excessive security options, thereby preventing a slowdown of web services and at the same time providing a strong security option. It is effective to provide.

In addition, by applying the filter of the NDIS Intermediate Driver earlier than the web server-specific filter like IIS and Apache, the disadvantage of the dedicated server can be solved. It reduces the burden of moving the web server, and if several web servers are operated by an institution such as a university, the web firewall according to the present invention is installed in the area exiting from the LAN to the WAN. It has the effect of building a system.

Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings. In the following description of the present invention, a detailed description of known functions and configurations incorporated herein will be omitted when it may make the subject matter of the present invention rather unclear.

In the present invention, FOW (Firewall Of Web) means a web application firewall.

There are two models of web firewalls: positive security model and negative security model. Two types of web firewalls can be implemented using two models. Two types of implementations that implement only the positive security model and the negative security model separately, and a mixture of the two models.

The positive security model allows only what is defined as safe and rejects all others. Negative security model is a security model that denies only what is defined as dangerous and allows all others. It checks only web traffic that passes positive security model and performs abnormal pattern intrusion detection.

On the other hand, the types that need to be verified for security policies include data types (strings, integers, and reals) and whether they allow duplicates.

In the present invention, a security policy for input value verification, session management, system command execution, inappropriate environment setting, and inappropriate error handling is configured based on the verification types in Table 1.

Security policies and logging to detect and defend against intrusions over the Web can slow system performance. Therefore, the security policy should accurately extract the part that needs to be scanned and apply the security policy only to the corresponding area to reduce the performance degradation as much as possible.

Example

3 is a block diagram showing a schematic configuration inside a web firewall according to a preferred embodiment of the present invention.

Referring to FIG. 3, the web firewall 300 according to the present invention is constructed as an intermediate driver of a network driver interface specification (NDIS) driver model, and receives a packet flowing into the intermediate driver. After applying the security policy by dividing the SendPacket and the SendPacket, the log is recorded to make intrusion evidence as evidence.

The web firewall 300 according to the present invention clearly distinguishes between a receiving packet and a sending packet in order to inspect only an area where hacking occurs, and advances an area such as a method, a URL, a version, and a cookie. Packet splitting unit 310 for splitting, packet forwarding unit 320 for delivering a packet divided into a receiving firewall (ReceiveFirewall) and a sending firewall (SendFirewall) in order to apply a different security policy to each divided packet, the applied security policy A packet inspection unit 330 for inspecting packets by a packet, a log recording unit 340 for recording a log to leave evidence in case of hacking, and an access restriction unit 350 for transmitting a page for restricting access in response to the hacking; It is configured to include.

The web firewall 300 according to the present invention sets a security policy using an Extensible Markup Language (XML) file, and applies it by reloading the driver when the security policy is reset. If the service is blocked by the strong security policy even if the service request is normal, the security policy will be logged in order to apply the security policy to the web service provider's environment.

In addition, the web firewall 300 is implemented in the form of a driver and provides only an interface for an editor for setting an XML file and a viewer for viewing logs at a glance.

4 is a flowchart illustrating a method of filtering a received packet according to a preferred embodiment of the present invention.

Referring to FIG. 4, a packet that is requested when a web connection from a client to a server is attempted is filtered to a TCP / HTTP packet among packets coming into an intermediate driver through a miniport in a network information center (NIC). Only filter on.

First, an incoming packet is received from the miniport via the PtReceivePacket () function (S410).

Subsequently, FowPacketFilter () function which analyzes the packet and analyzes the web attack pattern is called (S420) to determine whether the received packet is hacked (S430), and if the received packet is hacked, the packet is not stacked in the queue immediately Release (S432).

If the packet received in step S430 is not hacked, PtQueueReceivePacket () function is called to stack the packet in the queue (S440).

Subsequently, the packets accumulated in the queue are transmitted to the server. At this time, in order to transmit the packets accumulated in the queue area to the server side, the queue is full of packets or the packet status is checked and transmitted. In the former case, the queue can be counted and determined. In the latter case, the PtQueueReceivePacket function is used by the PtReceivePacket () function. By calling NDIS_GET_PACKET_STATUS () function before calling () function, it is determined that the packet should be sent immediately when the status value is STATUS_RESOURCES.

Finally, by using the NdisMIndicateReceivePacket () function to pass the address and the accumulated number of packets to the queue (S450), it is delivered to the server through a higher protocol driver (Protocol Driver).

5 is a flowchart illustrating a method of filtering a transmission packet according to a preferred embodiment of the present invention.

Referring to FIG. 5, in general, IIS is run on Windows and Apache is run on a Linux server to a server. In such a server, a packet enters a protocol driver of NDIS to respond to a client's request.

The protocol driver transmits the received packet back to the intermediate driver, which is transmitted through the MPSendPacket () function of the intermediate driver (S510). The received packet is controlled by copying the packet in the same way as the filtering method of the received packet. In order to filter the packet and determine the hacking, the FowPacketFilter () function is applied (S520).

Subsequently, it is determined whether the received packet is hacked through the FowPacketFilter () function (S530). If the received packet is hacked, the packet is released immediately without being transmitted to the client (S532).

If the packet received in step S530 is not hacked, the NdisSend () function is normally called and transmitted to the lower miniport driver (S540). At this time, the miniport driver transmits to the client through the NIC.

6 is a flowchart illustrating a method for determining whether to hack a transmission / reception packet according to a preferred embodiment of the present invention.

Referring to FIG. 6, the FowPacketFilter () function, which is a function called in two processes of filtering a transmission / reception packet, analyzes each header of a packet and determines whether to block or transmit an attack pattern according to a security policy. Function.

Structures for the Ethernet, IP, TCP, and HTTP headers are allocated in advance, and the Ethernet header is analyzed through the GetEthernetHeader () function (S610), and then the IP header is analyzed through the GetIPHeader () function (S620).

Subsequently, if the protocol area of the IP header is TCP, the TCP header is analyzed through the GetTCPHeader () function (S630). If the port of the TCP header is HTTP, the data is obtained through the GetTcpData () function (S640).

In step S640, if the destination port number is HTTP, if the destination port number is HTTP, it is determined as an HTTP packet requested to the server side, the HTTP request header is analyzed through the GetReceiveHttpHeader () function (S650), and the FowReceiveFirewall () function is called (S650). . If the transmission port number is HTTP, the server determines that the packet is sent to the client, analyzes the HTTP response header through the GetSendHttpHeader () function (S652), and calls the FowSendFirewall () function (S654).

Finally, the attack pattern is analyzed according to a predetermined security policy through each called function (S670), and whether or not a hack is determined (S680).

If the packet is not hacked at step S680, the result is returned as false (S690).

If the packet is hacked in step S680, the InterceptSendPacket () function is called to transmit the page to the client (S682), after which the result is returned to True (S684).

7 is a flowchart illustrating a method for determining whether to hack an HTTP header unit according to the present invention.

Referring to FIG. 7, the FowReceiveFirewall () function is a core function for flowing into the core of the web firewall 300. The received HTTP data accurately extracts the method, URL, version, cookie, content, and post data and applies the security policy for that part. In this case, the performance of the web firewall 300 depends on how robust the security policy is applied.

In the header of HTTP, request methods such as GET, HEAD, and POST are first scanned to check whether they are request packets. In case of the request packet, the scan is started using the security policy, and the pattern is analyzed through each scan function (method, version, content, cookie, and URL) (S710, S720, S730, S740, S750) to determine whether the hack is present (S760). If the packet is hacked, the result is returned as true (S770). Each scan function analyzes patterns by several security policies, and considers whether or not to block a specific attack in consideration of a preset security policy. This is because the web applications and web servers of the servers are different for each company, company, and individual with each server, and the web server may not work properly if certain attacks are prevented. .

In addition, if the packet is not hacked in step S760, the result is returned as a false (S762).

The configuration of system functions for checking in accordance with the security policy in the web firewall 300 is shown in Table 2.

Referring to Table 2, first, the scan method (ScanMethod) analyzes the allowed method.

Secondly, ScanVersion checks the allowed version and the length of the version.

Thirdly, ScanContents classifies the types of content so that when a cookie is scanned, a policy according to the data type is applied and the length of the content is checked.

Fourth, to check cookies, it checks the input value that the user is blowing and encodes SQL Injection, DirectoryTraversal, HighbitShellcode, and XSS. In some cases, post data may be checked.

Fifth, the URL part is divided into address and query parts to check all input values such as length, unauthorized path access, DirectoryTraversal, SQL Injection, and HighbitShellcode to block all attacks that can enter the URL.

If a hack is detected by the specified security policy, it logs a log of how the hacking pattern worked and returns TRUE to indicate that the hacking pattern was found.

8 is a flowchart illustrating a security policy setting method using XML according to the present invention.

Referring to FIG. 8, an XML file is used to set a security policy. There are two ways to apply security policy settings to FOW driver.

First, when the FOW driver is loaded and when the XML document is modified (S812, S814). First, when the FOW driver loads an XML file containing information for each security setting, the handle of the XML setting file is obtained (S820), parsed (S830), and a value is assigned to the corresponding setting structure (S840). It is a process that must go through at first. After that, if the XML setting file is called by the FOW application and modified, the modified XML is set by deactivating and reactivating the installed FOW driver to reload the modified file.

9 is a flowchart showing a log recording method according to the present invention.

Referring to FIG. 9, when looking at recent types of hacking, hacking through the web that is easy to access takes a large part. As money-related things, such as internet banking and shopping, quickly enter the Internet, many people find and use the web because of its ease of use. In addition, a lot of security transactions occur on the web because a lot of money transactions and intellectual property are connected. There was a case where a parent game company had a page tampered with by a hacker and threatened to demand money. The evidence is needed to investigate the damage caused by these illegal acts. In the future, log files are created in areas not accessible from outside for legal evidence, and the date, IP, and attack type are continuously recorded through the file handle.

When the driver is initialized, a thread for log recording is generated (S910), and the corresponding routine is designated (S920). If the hacking during the security policy is checked, the contents of the logs to be recorded are stacked in the queue (S922), and an event to record to the thread is sent (S924).

Subsequently, it is determined whether or not to record the event (S930), and when the event is recorded, the thread receiving the event generates a file handle (S940), records a log (S950), and then records the file for the next recording. Close the handle (S960).

If the driver is removed in step S930, the thread is terminated through an event to terminate the thread (S932).

Log record records the date and time of the intrusion attempt as shown in Table 3 and records the sending and receiving IP. In addition, in order to determine in which part the hacking is made, the location of occurrence and the corresponding data are recorded, and a record of attempted intrusion and which part is blocked by the security setting.

Table 4 shows the results of testing the web application firewall FOW according to the present invention and responding to the OWASP TOP 10 vulnerabilities. The results obtained are as follows.

The foregoing description is merely illustrative of the technical idea of the present invention, and various changes and modifications may be made by those skilled in the art without departing from the essential characteristics of the present invention. Therefore, the embodiments disclosed in the present invention are not intended to limit the technical idea of the present invention but to describe the present invention, and the scope of the technical idea of the present invention is not limited by these embodiments. The protection scope of the present invention should be interpreted by the following claims, and all technical ideas within the equivalent scope should be interpreted as being included in the scope of the present invention.

1 is a view showing an OSI seven-layer model,

2 is a view showing the OWASP TOP 10 released by OWASP,

3 is a block diagram showing a schematic configuration inside a web firewall according to a preferred embodiment of the present invention;

4 is a flowchart illustrating a method of filtering a received packet according to a preferred embodiment of the present invention;

5 is a flowchart illustrating a method of filtering a transmission packet according to a preferred embodiment of the present invention;

6 is a flowchart illustrating a method for determining whether to hack a transmission / reception packet according to an embodiment of the present invention;

7 is a flowchart illustrating a method for determining whether to hack an HTTP header unit according to the present invention;

8 is a flowchart illustrating a security policy setting method using XML according to the present invention;

9 is a flowchart showing a log recording method according to the present invention.

<Description of Symbols for Main Parts of Drawings>

310: packet separation unit 320: packet delivery unit

330: packet inspection unit 340: log recording unit

350: access restriction

Claims (12)

It is built as an Intermediate Driver of NDIS (Network Driver Interface Specification) driver model, intrudes after applying Security Policy by distinguishing Receive Packet and SendPacket flowing into the Intermediate Driver. Web firewall for the security of the web server, characterized in that to record a log to make a record as evidence, The web firewall, A packet separation unit for distinguishing between a receiving packet and a sending packet to check only an area where hacking occurs, A packet forwarding unit that forwards the packet by dividing it into a Receive Firewall and a SendFirewall to apply a different security policy to each classified packet; A packet inspecting unit inspecting the packet according to an applied security policy; Log recorder that logs to leave evidence in case of hacking Web firewall for the web server security, comprising a. delete The method of claim 1, The web firewall, Restriction section that sends a page to the client that restricts access in response to hacking Web firewall for the web server security, characterized in that it further comprises. The method of claim 1, The web firewall sets the security policy using an extensible markup language (XML) file and reloads and applies the driver when the security policy is reset. The method of claim 1, And the security policy indicates input value verification, session management, system command execution, improper environment setting and improper error handling based on data type and redundancy allowance. A first step of distinguishing a ReceivePacket and a SendPacket to inspect only an area where hacking occurs; A second step of dividing the packet into a Receive Firewall and a SendFirewall to apply a different security policy to each classified packet; Inspecting the packet according to an applied security policy; Fourth step to record logs to leave evidence in case of hacking Web server security method comprising a. The method of claim 6, The fifth step of sending a page to the client that restricts access in response to the hacking Web server security method characterized in that it further comprises. The method of claim 6, And analyzing, at the third step, each header of the packet and inspecting an attack pattern according to a security policy to determine whether to block or transmit the packet. The method of claim 8, Web server security method characterized by analyzing the pattern through the scan method (Method, Version, Contents, Cookie, and URL), and determine the presence of hacking. The method of claim 6, And the security policy indicates input value verification, session management, system command execution, improper environment setting, and improper error handling based on data type and redundancy allowance. The method of claim 6 or 10, The security policy is set by obtaining a handle of an XML setting file when the driver is loaded, parsing it, and assigning a value to a corresponding setting structure. The method of claim 6, In the fourth step, when a driver is initialized, a thread for writing a log is created, and if the hacking is performed during the security policy check, the contents of the log to be recorded are stored in a queue, and an instruction to record to the thread is received. And a file handle is created by a thread to record the log.

Images