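Huazhong University of Science and Technology, Master's Thesis
Research and Implementation of Address Space Mapping Technology in Application-Layer Firewalls
Name: 林园 (Lin Yuan)
Degree applied for: Master
Major: Computer System Architecture
Supervisor: 张爱华 (Zhang Aihua)
20060401

Abstract

Web services are currently the most widespread and important Internet application, and methods and techniques for attacking them keep emerging.
A large number of attacks now concentrate on the higher application layer in order to bypass network-layer detection devices.
Detecting and blocking attacks from the application layer is therefore of great practical significance and value.
Application-level Web security concerns defects inherent in the Web application code itself.
One solution is to place an application-layer firewall in front of the existing enterprise intranet.
Most current application-layer firewall solutions are based on a reverse proxy, which is the implementation framework and foundation of the application-layer firewall.
The reverse proxy provides a single access point to the enterprise intranet, and a client request must use a globally valid URL address to reach the reverse proxy.
The structure of an enterprise intranet is very complex, and its web pages or services usually use embedded URLs to link to one another.
These links are generally relative.
Current reverse proxy technology does not take the embedded URL problem into account.
However, many embedded URLs now use absolute addresses. These are based on the address space of the internal servers and cannot be accessed directly.
Address space mapping is a new technique within the reverse proxy. It sits at the front end of the reverse proxy and, before a web page is forwarded to the client, independently and centrally applies a set of policy rules to convert the URLs embedded in the page, mapping them into the address space of the reverse proxy. Only then can client requests reach the internal servers through the reverse proxy, and attackers are prevented from bypassing the detection of the application-layer firewall.
Based on the reverse proxy configuration of the Apache platform, the address space mapping scheme for the application-layer firewall is implemented as an Apache module. Several key techniques are involved: HTML parsing implemented on the finite-state machine principle, which detects embedded URLs so that the necessary modifications can be made; a "remote proxy" solution proposed for the complex script code in dynamic web pages; and a configured VPN access method that solves the problem of modifying URLs and cookies.
Functional and performance tests of the module show that it achieves the expected goals efficiently.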
Keywords: application-layer firewall, reverse proxy, address space mapping

ABSTRACT

Web services are the most widespread and important Internet application, and new means of attacking them emerge constantly. Many attacks now focus on the application layer in order to get past the general detection devices of the network layer. The detection and prevention of attacks from the application layer is of practical value. Application-level Web security refers to vulnerabilities inherent in the code of a Web application itself. One solution is to put a Web application firewall (WAF) in front of the enterprise intranet. Most WAFs nowadays are based on Reverse Proxy technology, which is the framework and basis of a WAF implementation. The Reverse Proxy provides a single access entry to the intranet, and it can be reached only by a URL address that is valid in the global range. The structure of the enterprise intranet is very complex; it uses embedded URLs to build connections between its web pages or services. Most of these links are relative. Present Reverse Proxies do not take embedded URLs into account. But many websites actually have absolute URLs, which are based on the address space of the internal server and cannot be accessed. Address Space Mapping is a new technique embedded in the Reverse Proxy. It is placed at the front end of the Reverse Proxy and uses certain policy rules to transform the embedded URLs in a web page independently and centrally, mapping them into the address space of the Reverse Proxy. Only in this way can a client request go through the Reverse Proxy and then reach the intranet, while malicious users cannot bypass the detection of the WAF. The Address Space Mapping scheme is developed in the WAF as an Apache module based on Apache's reverse proxy configuration. There are several key techniques: realizing HTML parsing using the theory of finite-state automata to detect embedded URLs and perform the necessary transformation; processing complex script code in dynamic web pages using an "auto robot"; and solving the transformation of URLs and cookies by configuring the VPN access method. The related tests of the function and performance of the technique show that the module can attain the expected goal efficiently.

Key words: Web Application Firewall, Reverse Proxy, Address Space Mapping

Declaration of Originality

I hereby declare that the submitted degree
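An added sketch of the mapping step the abstract describes (not code from the thesis or its Apache module): a finite-state scan that finds URL-bearing attributes and maps absolute internal URLs into the reverse proxy's address space. The hostnames, the mapping table and the attribute set are constructed assumptions, and attributes are assumed to be written as name=value with no whitespace around the equals sign.

```python
MAPPING = {  # constructed sample (not from the thesis): internal origin -> proxy prefix
    "http://app1.corp.internal": "https://www.example.com/app1",
    "http://10.0.0.5:8080": "https://www.example.com/hr",
}
URL_ATTRS = {"href", "src", "action"}

def map_url(url):
    """Map an absolute internal URL into the proxy's address space."""
    for internal, public in MAPPING.items():
        # Full-origin match, so http://app1.corp.internal.example.net is left alone.
        if url == internal or url.startswith(internal + "/"):
            return public + url[len(internal):]
    return url  # relative and external URLs pass through unchanged

def rewrite_html(html):
    """Finite-state scan over the page: TEXT -> TAG -> EQ -> VALUE."""
    out, state, name, value, quote = [], "TEXT", "", "", ""
    for ch in html:
        if state == "EQ":  # first character after '=' opens the value
            state, value = "VALUE", ""
            quote = ch if ch in "\"'" else ""
            if quote:  # unquoted values fall through: ch is already value text
                out.append(ch)
                continue
        if state == "TEXT":
            out.append(ch)
            if ch == "<":
                state, name = "TAG", ""
        elif state == "TAG":
            out.append(ch)
            if ch == ">":
                state = "TEXT"
            elif ch == "=":
                state = "EQ"
            elif ch.isspace() or ch == "/":
                name = ""  # tag name or previous attribute ended
            else:
                name += ch.lower()
        else:  # VALUE: ends at the closing quote, or at space/'>' if unquoted
            done = (ch == quote) if quote else (ch.isspace() or ch == ">")
            if not done:
                value += ch
                continue
            out.append(map_url(value) if name in URL_ATTRS else value)
            out.append(ch)
            state, name = ("TEXT" if ch == ">" else "TAG"), ""
    if state == "VALUE":
        out.append(value)  # truncated input: emit what was collected
    return "".join(out)
```

Because the scanner tracks quoting state, a `>` inside a quoted attribute value does not end the tag early, which is where pattern-based rewriting tends to miss or corrupt links.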