Various tools are used to achieve Deep Security virtual patching. It includes:
- Web Application Firewall (WAF)
- Intrusion Prevention System (IPS)
- Web server plugin
- Application layer filter
The following features need to be considered while selecting a tool for Virtual Patching solutions:
- The virtual patching tool must be able to inspect every element in the HTTP request separately (like headers, parameters, uploaded files, etc.).
- It must have anti-evasion capabilities, like character encoding
- Instead of depending only on signatures, the tool must be capable of implementing robust security rules for complex logic.
The WAF provides the most sustainable solution for virtual patching. WAF works well in securing your websites and applications.
Robust HTTP and HTML Parsing
To analyze the input stream, an HTTP and HTML parser is required in the tool. The parser must be capable to recognize certain protocol features including content-encoding (multipart/form-data encoding or chunked encoding), request and response compression, and XML payload.
Also, the parser should be supple as the environment is protected as many headers and protocol elements are not used as stated in RFC requirements. For instance, Apache allows any sequence of white-space between the method and the URI in the HTTP request line but the RFC requires a single space between them. A stricter parsing may be acceptable in the tool because if IDS/IPS systems that fail to prevent evasion in a proxy deployment can be easily evaded by attackers.
HTTP stream will be split up into logical entities like headers, parameters, and uploaded files for further inspection by the tool, based on the parsed information. Every element will be inspected individually for its length and count. It would never consider for its content. Besides, the tool divides the network stream when keep-alive HTTP connections are used to unique requests and replies, and correctly match requests and replies.
HTTP and HTML protocols permit the same information to be displayed in different ways. The signature based detection of attacks should inspect the attack vector in any form it may be in. Offenders elude detection systems using a less familiar presentation of the attack vector. Before inspection the tool should transform the request to a normalized form to prevent evasion
The tools should be capable to selectively make use of normalization functions for different input fields for every inspection carried out. For instance, the tools must be capable to normalize an HTML form field that accepts path names as input.
Rules instead of Signatures
Virtual patches must capable to implement complex logic. Instead of signatures, it requires more robust security rules language to define the tests.
For instance, the some features are given below:
- Selectable anti-evasion transformation functions – every rule can perform a certain transformation function.
- Operators and logical expressions – can check an input field for attributes like its size or character distribution.
- Control structures – the control structures such as conditional execution enable the tool to perform various rules based on the transaction content.
See the below links: