WIPS A Practical Intrusion Prevention System for Web Applications

Abstract

近來Web應用的蓬勃發展，衍生出許多Web應用安全的問題。國際產業研究公司Gartner Group也提到在所有攻擊事件中，有百分之七十五是發生在應用層(OSI Application Iayer)，並且四分之三的商業網站是有漏洞的，但是傳統的網路安全設備（例如入侵偵測系統以及防火牆）並不能有效的防止應用層的攻擊。有鑑於此，本論文延伸有限狀態機 (finite state machine)的原理及整合stateful session檢測機制，提出Web入侵防禦系統(WIPS)來解決Web應用所造成的安全問題。Web入侵防禦系統並結合正面表述(positive approach)與負面表述(negative approach)的優點防止Web攻擊的產生。本系統已完成設計且將其系統實現在Intel網路處理器搭配MontaVista Linux的開發平台上，透過功能性與效能性的實際量測可以證明Web入侵防禦系統可以有效且快速的阻擋Web攻擊，建立一個高安全性的Web應用環境來保障企業以及合法使用者的財產安全。

Web application portal with the single sign on (SSO) feature provides an integrated E-Business solution such that web application becomes an essential building block for business operations. Gartner Group report indicates that 75% of malicious attacks targeting the application layer and three out of four business Web sites are vulnerable to Applicationlevel attacks. Therefore, the traditional security devices (such as firewall and intrusion detection system) are not able to protect web-based applications any more. Implementing a solid web application security protection shield is top-of-mind of security researchers. Extending the finite state machine theory and coupling with stateful session inspection, we propose Web Intrusion Prevention System (WIPS) to solve web application security issues listed in the OWASP Top Ten project. WIPS works as the last defense line to separate web browsers and web servers by examining network traffic, maintaining every session’s state information and allowing only specific web behaviors defined by web finite state machine to pass through. With embedded Snort capability, WIPS also provides negative security models to resist the lower layer attacks. A WIPS prototype has been implemented on Intel Network Processor (IXP425) running with MontaVista Linux. In our study, the functionality and performance has been assessed to show WIPS providing a key answer for advancing the state-of-the-art in web application security in a realistic environment.