Application Firewall Design
Web Application Firewall, Layer-7 Firewall

Mr. Neo Chen (netkiller), 陈景峰(BG7NYT)

Xishan Meidi, Minzhi Subdistrict, Longhua New District, Shenzhen, Guangdong, China
518109
+86 13113668890
+86 755 29812080
<netkiller@msn.com>

Copyright 2011, 2012 http://netkiller.github.com

$Id: appfirewall.xml 491 2012-11-14 10:09:53Z netkiller $

Abstract

Protects web URLs and implements access control.

Below is a summary of the experience I have accumulated over many years, organized into a document for reference:

Contents

  1. Function description
    1.1. Access control list (ACL)
    1.2. User authentication
    1.3. Elements
  2. Usage
    2.1. Embedded use
    2.2. URL proxy
    2.3. Proxy mode
  3. URL proxy implementation
  4. Example

1. Function description

  1. Counter
  2. Policy
  3. Access control
  4. User authentication

1.1. Access control list (ACL)

  1. Blacklist
  2. Whitelist

1.2. User authentication

  1. AAA
  2. LDAP
  3. MySQL

1.3. Elements

  1. IP address, port number
  2. URL (GET)
  3. POST
  4. Cookie
  5. HTTP Header
  6. Protocol (HTTP, JSON, AJAX, SOAP, XML-RPC, ...)

2. Usage

2.1. Embedded use

Used as an SDK/API.

2.2. URL proxy

http://app.mydomain.com/firewall/login

login: http://login.mydomain.com/

Based on the login keyword, the URL is redirected to the designated protected URL.

2.3. Proxy mode

3. URL proxy implementation

http://app.mydomain.com/firewall/login

 

login: http://login.mydomain.com/
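The keyword-to-URL mapping described in sections 2.2 and 3 can be implemented as below. This is an added example, not code from the original page or from the Netkiller project; the mapping table, the /firewall/ prefix, and the function names resolveProxyTarget() and dispatch() are assumptions. Only keywords present in the table are ever redirected to, so an attacker cannot use the proxy as an open redirect by supplying an arbitrary keyword.

```php
<?php
// Added example (not from the original page): resolve /firewall/<keyword>
// to a protected backend URL via an explicit, fixed mapping table.

// Hypothetical mapping table; the "login" entry is the one the page shows.
$protected = [
    'login' => 'http://login.mydomain.com/',
];

// Returns the protected URL for a request path, or null when the path
// does not carry a known keyword (callers should then refuse, not guess).
function resolveProxyTarget(string $path, array $map, string $prefix = '/firewall/'): ?string
{
    $p = parse_url($path, PHP_URL_PATH);
    if (!is_string($p) || strncmp($p, $prefix, strlen($prefix)) !== 0) {
        return null;                                 // not under the proxy prefix
    }
    $rest      = substr($p, strlen($prefix));
    $parts     = explode('/', $rest, 2);             // keyword, then forwarded remainder
    $keyword   = $parts[0];
    $remainder = $parts[1] ?? '';

    // Keyword must be a plain token and must exist in the table.
    if (!preg_match('/^[a-z0-9_-]+$/', $keyword) || !isset($map[$keyword])) {
        return null;
    }
    // Refuse dot-segments so the remainder cannot climb out of the backend path.
    if (strpos($remainder, '..') !== false) {
        return null;
    }
    $target = $map[$keyword] . $remainder;
    $query  = parse_url($path, PHP_URL_QUERY);
    if (is_string($query) && $query !== '') {
        $target .= '?' . $query;                     // forward the query string unchanged
    }
    return $target;
}

// Dispatcher for a web request: 302 to the protected URL, 404 otherwise.
function dispatch(string $requestUri, array $map): void
{
    $target = resolveProxyTarget($requestUri, $map);
    if ($target === null) {
        http_response_code(404);
        echo "unknown application\n";
        return;
    }
    header('Location: ' . $target, true, 302);
}

// Constructed sample requests for a command-line run.
foreach (['/firewall/login', '/firewall/login/reset?x=1', '/firewall/admin', '/other'] as $uri) {
    $t = resolveProxyTarget($uri, $protected);
    printf("%-28s -> %s\n", $uri, $t ?? '(no match)');
}
```

In a web context you would call dispatch($_SERVER['REQUEST_URI'], $protected) from the /firewall/ handler; the command-line loop at the end only exercises the resolver with constructed paths.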
		

4. Example

<?php
/*
* =====================================
* Website: http://netkiller.github.com
* Author: neo <netkiller@msn.com>
* Email: netkiller@msn.com
* =====================================
*/
class ApplicationFirewall{

	protected $name;
	protected $status = false;
	protected $policy;
	protected $chain = array();	// request array currently being inspected ($_GET, $_POST, $_COOKIE or $_SERVER)
	protected $rule;
	protected $match = false;
	private $debug = false;

	public function __construct() {
		$this->name 	= "ApplicationFirewall";
	}

	public function __destruct() {
		//print "Destroying " . $this->name . "\n";
	}

	public function enable(){
		$this->status = true;
	}
	public function disable(){
		$this->status = false;
	}

	// Source selectors: each loads one request array into the chain and
	// returns $this for chaining. When the firewall is disabled they return
	// false, so rules must not be chained after disable().
	public function get(){
		if($this->status){
			$this->chain 	= $_GET;
			return($this);
		}else{
			return($this->status);
		}
	}

	public function post(){
		if($this->status){
			$this->chain 	= $_POST;	// the original listing loaded $_GET here by mistake
			return($this);
		}else{
			return($this->status);
		}
	}

	public function cookie() {
		if($this->status){
			$this->chain = $_COOKIE;
			return($this);
		}else{
			return($this->status);
		}
	}

	public function server(){
		if($this->status){
			$this->chain = $_SERVER;
			return($this);
		}else{
			return($this->status);
		}
	}

	// Match succeeds only when $key exists in the current chain and its
	// value is identical to $value. A strict comparison is used because PHP's
	// loose == treats numeric strings numerically ('1e3' == '1000' is true).
	public function match($key, $value){
		if($this->debug) print_r($this->chain);
		$this->match = false;
		if(array_key_exists($key, $this->chain)){	// key first, then array
			if($this->chain[$key] === $value){
				$this->match = true;
			}
		}
		return($this);
	}
	public function policy($p){
		$this->policy = $p;
	}
	// Counter is a stub: it does not load a chain or count anything yet.
	public function counter($tm, $cnt){
		return($this);
	}
	// allow()/deny() run the supplied callback when the last rule matched,
	// then clear the chain. Both currently behave the same; the callback
	// decides what "allow" or "deny" means.
	public function allow($fun = null){
		if($this->status && $this->match){
			if($fun && is_callable($fun)){
				$fun();
			}
		}
		$this->destroy();
		return($this->status);
	}
	public function deny($fun = null){
		if($this->status && $this->match){
			if($fun && is_callable($fun)){
				$fun();
			}
		}
		$this->destroy();
		return($this->status);
	}
	public function debug($tmp){
		$this->debug = $tmp;
	}
	// Exact match on the client address; guarded so that a disabled
	// firewall does not try to call match() on false.
	public function ip($ipaddr){
		if(!$this->status) return($this->status);
		return $this->server()->match('REMOTE_ADDR', $ipaddr);
	}
	public function destroy(){
		$this->chain = array();
		$this->match = false;
	}
}

#include_once('applicationfirewall.php');
$fw = new ApplicationFirewall();

$fw->debug(true);
$fw->debug(false);
$fw->enable();
//$fw->disable();
function test(){
	echo 'OK';
}
function allow(){
	echo 'allow';
}
function deny(){
	echo 'deny';
}
//$fw->policy('blacklist');

$fw->ip('192.168.3.17')->allow('allow');
$fw->ip('192.168.3.17')->deny('deny');

// counter() is a stub and loads no chain, so this rule never matches.
$fw->counter('1m',5)->match('id','1000')->deny('test');

/*
$fw->ip('172.16.0.0/24')->allow();
$fw->ip('172.16.0.0','255.255.255.0')->allow();

$fw->header(array('User-Agent' => 'MSIE5'))->deny()
*/
$fw->get()->match('id','1000')->deny('test');
$fw->get()->match('name','chen')->allow('test');
//$fw->get()->match(array('id' => '1000'))->deny();
/*
$fw->post()->data(array('action'=>'/login.php'))->allow()
$fw->cookie()->data(array('userid'=>'test'))->deny()
*/
$fw->server()->match('HTTP_REFERER', 'http://www.mydomain.com/index.html')->allow('test');
$fw->server()->match('REQUEST_METHOD', 'GET')->deny('test');

$fw->disable();
//$fw->destroy();
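The usage above leaves two pieces of the design as comments or stubs: the network rule ip('172.16.0.0/24') and the rate rule counter('1m', 5). The following is an added example, not part of the page's ApplicationFirewall class or the Netkiller project, showing one way to implement both as standalone helpers; ipInCidr(), WindowCounter, its in-memory storage and the constructed request sequence are assumptions. The counter uses a fixed time window keyed by client; a production deployment would keep the buckets in shared storage (APCu, Redis or similar) so that every PHP worker sees the same counts.

```php
<?php
// Added example (not part of the page's class): CIDR matching and a
// fixed-window request counter for the ACL and counter features.

// True when $ip lies inside $cidr ("172.16.0.0/24") or equals a plain host
// rule ("192.168.3.17"). Malformed input never matches.
function ipInCidr(string $ip, string $cidr): bool
{
    if (strpos($cidr, '/') === false) {
        return $ip === $cidr;
    }
    [$net, $bits] = explode('/', $cidr, 2);
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    $bits    = (int) $bits;
    if ($ipLong === false || $netLong === false || $bits < 0 || $bits > 32) {
        return false;
    }
    // Build the network mask; the & 0xFFFFFFFF keeps it to 32 bits on 64-bit PHP.
    $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

// Counts hits per key inside a fixed window and reports when a limit is exceeded.
final class WindowCounter
{
    private array $buckets = [];   // key => [windowStart, count]  (in-memory only)

    // Parse '30s', '1m', '2h' into seconds.
    public static function parseWindow(string $spec): int
    {
        if (!preg_match('/^(\d+)([smh])$/', $spec, $m)) {
            throw new InvalidArgumentException("bad window: $spec");
        }
        $unit = ['s' => 1, 'm' => 60, 'h' => 3600][$m[2]];
        return (int) $m[1] * $unit;
    }

    // Records one hit for $key and returns true once $limit is exceeded
    // within the current window. $now is injectable for deterministic runs.
    public function hit(string $key, string $window, int $limit, ?int $now = null): bool
    {
        $now   = $now ?? time();
        $size  = self::parseWindow($window);
        $start = $now - ($now % $size);          // boundary of the current window
        [$ws, $n] = $this->buckets[$key] ?? [$start, 0];
        if ($ws !== $start) {                    // a new window began: reset the count
            $ws = $start;
            $n  = 0;
        }
        $n++;
        $this->buckets[$key] = [$ws, $n];
        return $n > $limit;
    }
}

// Constructed sample: six requests from one client within a single minute,
// checked against the page's counter('1m', 5) rule.
$counter = new WindowCounter();
$client  = '192.168.3.17';
$base    = 1700000000;                           // fixed clock so the run is reproducible
for ($i = 1; $i <= 6; $i++) {
    $over = $counter->hit($client, '1m', 5, $base + $i);
    echo "request $i from $client: ", $over ? "deny (rate limit)\n" : "allow\n";
}

// Constructed sample: two clients tested against the commented-out network rule.
foreach (['172.16.0.9', '172.16.1.9'] as $addr) {
    echo $addr, ' in 172.16.0.0/24: ', ipInCidr($addr, '172.16.0.0/24') ? "yes\n" : "no\n";
}
```

To wire these into the page's class, ip() would call ipInCidr($_SERVER['REMOTE_ADDR'], $ipaddr) instead of an exact string comparison, and counter() would call WindowCounter::hit() with the client address as the key and set $this->match when the limit is exceeded.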
Time: 2024-08-06 18:55:13