WEB Application Security Solution Test Report

--- By jiang.jx at 2017-08-11

WEB应用安全解决方案.docx

Link: https://share.weiyun.com/068b05467040d4d2a479f46e7a23c614  Password: sa4bwk

Topology:

Test steps:

Start the virtual machine instances of the test environment.

LLB (link load balancing) function test

Step

Action

Verify that the LLB configuration on NSVPX-91 is correct:

===================================================

> show lb vserver lb_vsrv_llb

lb_vsrv_llb (0.0.0.0:0) - ANY Type: ADDRESS

State: UP

Last state change was at Wed Feb 28 13:53:13 2018

Time since last state change: 0 days, 00:21:39.620

Effective State: UP

Client Idle Timeout: 120 sec

Down state flush: ENABLED

Disable Primary Vserver On Down : DISABLED

Appflow logging: ENABLED

No. of Bound Services :  3 (Total)      2 (Active)

Configured Method: ROUNDROBIN  BackupMethod: NONE

Mode: IP

Persistence: DESTIP      Persistence Mask: 255.255.255.255    Persistence v6MaskLength: 128     Persistence Timeout: 2 min

Connection Failover: DISABLED

L2Conn: OFF

Skip Persistency: None

Listen Policy: NONE

IcmpResponse: PASSIVE

RHIstate: PASSIVE

New Service Startup Request Rate: 0 PER_SECOND, Increment Interval: 0

Mac mode Retain Vlan: DISABLED

DBS_LB: DISABLED

Process Local: DISABLED

Traffic Domain: 0

TROFS Persistence honored: ENABLED

Retain Connections on Cluster: NO

1) svc_isp_outside_vmnat_one (192.168.195.2: 0) - ANY State: UP Weight: 1

2) svc_isp_outside_vmbridge_one (192.168.1.1: 0) - ANY State: DOWN Weight: 1

3) svc_isp_outside_vmbridge_two (10.0.100.1: 0) - ANY State: UP  Weight: 1

Done

> show lb route

Network          Netmask          Traffic Domain  VIP                  Flags

-------          -------          --------------  ---                  -----

1)    0.0.0.0          0.0.0.0          0               lb_vsrv_llb          UP

Done

===================================================

On the Win2008R2AD machine, run tracert.exe against the host behind www.bing.com to see which link the path takes:

===================================================

PS C:\Users\adpadmin> TRACERT.EXE www.bing.com

通过最多 30 个跃点跟踪

到 cn-0001.cn-msedge.net [202.89.233.101] 的路由:

1    <1 毫秒   <1 毫秒   <1 毫秒 192.168.185.91

2     1 ms    <1 毫秒    1 ms  OPENWRT [10.0.100.1]

3     4 ms     5 ms     6 ms  163.125.48.1

4     7 ms     6 ms     8 ms  120.80.165.233

5     7 ms     *        *     221.4.0.125

6     *        *        *     请求超时。

7     *        *        *     请求超时。

8    40 ms    40 ms    39 ms  123.126.8.250

9     *        *        *     请求超时。

10    41 ms    42 ms    43 ms  61.148.60.134

11     *        *        *     请求超时。

12     *        *        *     请求超时。

13     *        *        *     请求超时。

14     *        *        *     请求超时。

15    40 ms    40 ms    41 ms  202.89.233.101

跟踪完成。

===================================================

On NSVPX-91, disable the 10.0.100.1/24 link:

===================================================

> disable service svc_isp_outside_vmbridge_two

Done

> show lb vserver lb_vsrv_llb

lb_vsrv_llb (0.0.0.0:0) - ANY Type: ADDRESS

State: UP

Last state change was at Wed Feb 28 13:53:39 2018

Time since last state change: 0 days, 00:43:44.400

Effective State: UP

Client Idle Timeout: 120 sec

Down state flush: ENABLED

Disable Primary Vserver On Down : DISABLED

Appflow logging: ENABLED

No. of Bound Services :  3 (Total)      1 (Active)

Configured Method: ROUNDROBIN  BackupMethod: NONE

Mode: IP

Persistence: DESTIP      Persistence Mask: 255.255.255.255    Persistence v6MaskLength: 128     Persistence Timeout: 2 min

Connection Failover: DISABLED

L2Conn: OFF

Skip Persistency: None

Listen Policy: NONE

IcmpResponse: PASSIVE

RHIstate: PASSIVE

New Service Startup Request Rate: 0 PER_SECOND, Increment Interval: 0

Mac mode Retain Vlan: DISABLED

DBS_LB: DISABLED

Process Local: DISABLED

Traffic Domain: 0

TROFS Persistence honored: ENABLED

Retain Connections on Cluster: NO

1) svc_isp_outside_vmnat_one (192.168.195.2: 0) - ANY State: UP Weight: 1

2) svc_isp_outside_vmbridge_one (192.168.1.1: 0) - ANY State: DOWN Weight: 1

3) svc_isp_outside_vmbridge_two (10.0.100.1: 0) - ANY State: OUT OF SERVICE       Weight: 1

Done

===================================================

On the Win2008R2AD machine, run tracert.exe against the host behind www.bing.com again to see which link the path takes now:

===================================================

PS C:\Users\adpadmin> TRACERT.EXE www.bing.com

通过最多 30 个跃点跟踪

到 cn-0001.cn-msedge.net [202.89.233.100] 的路由:

1    <1 毫秒   <1 毫秒   <1 毫秒 192.168.185.91

2    <1 毫秒   <1 毫秒   <1 毫秒 192.168.195.2

3     *        *        *     请求超时。

4     *        *        *     请求超时。

5     *        *        *     请求超时。

6     *        *        *     请求超时。

7     *        *        *     请求超时。

8     *        *        *     请求超时。

9     *        *        *     请求超时。

10     *        *        *     请求超时。

11     *        *        *     请求超时。

12     *        *        *     请求超时。

13     *        *        *     请求超时。

14     *        *        *     请求超时。

15     *        *        *     请求超时。

16    42 ms   153 ms    42 ms  202.89.233.100

跟踪完成。

===================================================

On NSVPX-91, restore the 10.0.100.1/24 link:

===================================================

> enable service svc_isp_outside_vmbridge_two

Done

> show lb vserver lb_vsrv_llb

lb_vsrv_llb (0.0.0.0:0) - ANY Type: ADDRESS

State: UP

Last state change was at Wed Feb 28 13:54:09 2018

Time since last state change: 0 days, 00:51:41.140

Effective State: UP

Client Idle Timeout: 120 sec

Down state flush: ENABLED

Disable Primary Vserver On Down : DISABLED

Appflow logging: ENABLED

No. of Bound Services :  3 (Total)      2 (Active)

Configured Method: ROUNDROBIN  BackupMethod: NONE

Mode: IP

Persistence: DESTIP      Persistence Mask: 255.255.255.255    Persistence v6MaskLength: 128     Persistence Timeout: 2 min

Connection Failover: DISABLED

L2Conn: OFF

Skip Persistency: None

Listen Policy: NONE

IcmpResponse: PASSIVE

RHIstate: PASSIVE

New Service Startup Request Rate: 0 PER_SECOND, Increment Interval: 0

Mac mode Retain Vlan: DISABLED

DBS_LB: DISABLED

Process Local: DISABLED

Traffic Domain: 0

TROFS Persistence honored: ENABLED

Retain Connections on Cluster: NO

1) svc_isp_outside_vmnat_one (192.168.195.2: 0) - ANY State: UP Weight: 1

2) svc_isp_outside_vmbridge_one (192.168.1.1: 0) - ANY State: DOWN Weight: 1

3) svc_isp_outside_vmbridge_two (10.0.100.1: 0) - ANY State: UP  Weight: 1

Done

===================================================

On the Win2008R2AD machine, run tracert.exe against the host behind www.bing.com once more to confirm the path has moved back:

===================================================

PS C:\Users\adpadmin> TRACERT.EXE www.bing.com

通过最多 30 个跃点跟踪

到 cn-0001.cn-msedge.net [202.89.233.101] 的路由:

1    <1 毫秒   <1 毫秒   <1 毫秒 192.168.185.91

2     1 ms     1 ms     1 ms  OPENWRT [10.0.100.1]

3    22 ms    47 ms     3 ms  163.125.48.1

4     6 ms     7 ms     7 ms  120.80.165.233

5     *        9 ms     *     221.4.0.125

6    46 ms    42 ms    44 ms  219.158.15.37

7     *        *        *     请求超时。

8    41 ms    40 ms    40 ms  123.126.8.250

9     *        *        *     请求超时。

10    40 ms    40 ms    41 ms  61.148.60.134

11     *        *        *     请求超时。

12     *        *        *     请求超时。

13     *        *        *     请求超时。

14     *        *        *     请求超时。

15    40 ms    40 ms    42 ms  202.89.233.101

跟踪完成。

===================================================

Conclusion: the NSVPX-91 virtual machine instance switches links automatically, keeping packets on a working link at all times and steering them away from the failed link.
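As an added verification helper (not part of the original report), the Python below parses the bound-service list from the "show lb vserver" output and the second hop of the tracert output shown above, then checks that the egress hop belongs to a service still in State: UP. The embedded excerpts are constructed from the report's outputs (tracert messages rendered in English here); the function names are my own.

```python
import re

# Constructed excerpt modelled on "show lb vserver lb_vsrv_llb" after
# "disable service svc_isp_outside_vmbridge_two" (not verbatim report output).
SHOW_LB = """\
No. of Bound Services :  3 (Total)      1 (Active)
1) svc_isp_outside_vmnat_one (192.168.195.2: 0) - ANY State: UP Weight: 1
2) svc_isp_outside_vmbridge_one (192.168.1.1: 0) - ANY State: DOWN Weight: 1
3) svc_isp_outside_vmbridge_two (10.0.100.1: 0) - ANY State: OUT OF SERVICE       Weight: 1
"""
# Constructed tracert excerpt: traffic now leaves via the remaining UP link.
TRACERT_OK = """\
  1    <1 ms    <1 ms    <1 ms  192.168.185.91
  2    <1 ms    <1 ms    <1 ms  192.168.195.2
  3     *        *        *     Request timed out.
"""
# Constructed counter-example: traffic still leaving via the disabled link.
TRACERT_BAD = """\
  1    <1 ms    <1 ms    <1 ms  192.168.185.91
  2     1 ms     1 ms     1 ms  OPENWRT [10.0.100.1]
"""

# One bound-service line: "N) name (ip: port) - PROTO State: <state> Weight: N"
SERVICE_RE = re.compile(
    r"^\s*\d+\)\s+(?P<name>\S+)\s+\((?P<ip>[\d.]+):\s*\d+\)\s+-\s+\S+\s+"
    r"State:\s+(?P<state>[A-Z ]+?)\s+Weight:", re.M)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_services(show_lb_output):
    """Return {service name: (ip, state)} for every service bound to the vserver."""
    return {m["name"]: (m["ip"], m["state"]) for m in SERVICE_RE.finditer(show_lb_output)}


def active_links(services):
    """IPs of the services the LLB vserver may actually route through (State: UP)."""
    return {ip for ip, state in services.values() if state == "UP"}


def next_hop(tracert_output, hop=2):
    """IP of the given hop (hop 2 is the ISP link behind the NetScaler here), or None."""
    for line in tracert_output.splitlines():
        fields = line.split()
        if fields and fields[0] == str(hop):
            ips = IPV4_RE.findall(line)  # also handles "OPENWRT [10.0.100.1]"
            return ips[-1] if ips else None
    return None


def failover_ok(show_lb_output, tracert_output):
    """True when the observed egress hop is one of the UP services, i.e. the LLB
    steered traffic away from every DOWN / OUT OF SERVICE link."""
    hop = next_hop(tracert_output)
    return hop is not None and hop in active_links(parse_services(show_lb_output))
```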

End of verification

Unified Gateway (UG) function test

Step

Action

Verify on NSVPX-91 that the UG is configured correctly:

===================================================

> show cs vserver myUnifiedGateway

myUnifiedGateway (10.0.100.111:443) - SSL     Type: CONTENT

State: UP

Last state change was at Wed Feb 28 13:54:36 2018

Time since last state change: 0 days, 01:31:49.120

Client Idle Timeout: 180 sec

Down state flush: ENABLED

Disable Primary Vserver On Down : DISABLED

Appflow logging: ENABLED

State Update: DISABLED

Default: Content Precedence: RULE

Vserver IP and Port insertion: OFF

L2Conn: OFF Case Sensitivity: ON

Authentication: OFF

401 Based Authentication: OFF

Push: DISABLED    Push VServer:

Push Label Rule: none

Listen Policy: NONE

IcmpResponse: PASSIVE

RHIstate:  PASSIVE

Traffic Domain: 0

1)    AppFlow Policy Name: _vpn_myUnifiedGateway_Transparent_apfw_pol       Priority: 255

GotoPriority Expression: END

1)    Content-Switching Policy: UG_CSPOL_myUnifiedGateway     Priority: 63000       Hits: 24

Done

> show vpn vserver UG_VPN_myUnifiedGateway

UG_VPN_myUnifiedGateway (0.0.0.0:0) - SSL   Type: CONTENT

State: UP  ARP:DISABLED

Down state flush: ENABLED

Loginonce: ON

Disable Primary Vserver On Down : DISABLED

HTTP profile name: nshttp_default_strict_validation

Appflow logging: ENABLED

Authentication : ON

Device Certificate Check: OFF

CGInfra Homepage Redirect : ENABLED

Current AAA Sessions: 0

Total Connected Users: 0

Icaonlylicense : OFF     IcaProxySessionMigration : OFF

DoubleHop : DISABLED       Dtls : ON L2Conn: OFF

Max Login Attempts: 0 Failed Login Timeout 0

Fully qualified domain name: UG_VPN_myUnifiedGateway

Listen Policy: NONE

IcmpResponse: PASSIVE

RHIstate:  PASSIVE

Traffic Domain: 0

1)    AppFlow Policy Name: _UG_VPN_myUnifiedGateway_Transparent_apfw_pol       Priority: 255

GotoPriority Expression: END

Flowtype: REQUEST

1)    Cache Policy Name: _cacheTCVPNStaticObjects      Priority: 10

GotoPriority Expression: END

Flowtype: REQUEST

2)    Cache Policy Name: _cacheOCVPNStaticObjects     Priority: 20

GotoPriority Expression: END

Flowtype: REQUEST

3)    Cache Policy Name: _cacheVPNStaticObjects  Priority: 30

GotoPriority Expression: END

Flowtype: REQUEST

4)    Cache Policy Name: _mayNoCacheReq     Priority: 40

GotoPriority Expression: END

Flowtype: REQUEST

5)    Cache Policy Name: _cacheWFStaticObjects    Priority: 10

GotoPriority Expression: END

Flowtype: RESPONSE

6)    Cache Policy Name: _noCacheRest    Priority: 20

GotoPriority Expression: END

Flowtype: RESPONSE

1)           VPN Session Policy Name: UG_VPN_SPol_10.0.100.111  Type: Advanced        Priority: 58000      GotoPriorityExpression: NEXT

1)    Url: bing

2)    Url: baidu

3)    Url: webgoat

1)    VPN Application: Intranet

1)           Primary ldap authentication policy name: 192.168.185.191_LDAP_pol       Priority: 60

1)           Primary local authentication policy name: NS_GATEWAY_DEFAULT_LOCAL_POL      Priority: 64000

1)    Intranet IP: 192.168.185.161 netmask: 255.255.255.224

1)    VPN PortalTheme: X1

1)    Eula : Security Message

Done

===================================================

On Win7MSP, open the Unified Gateway site:

Enter the username and password, accept the EULA, log in, and choose clientless access:

Browse intranet sites via clientless access:

On an iPhone, connect to the UG with the Citrix VPN app:

The UG can be reached in two ways: network access over SSL VPN, and browser-based clientless access.

In MPSVPX-95, the collected UG statistics can be seen:

End of verification

Secure Web Gateway (SWG) function test

Step

Action

Verify on NSVPX-91 that the SWG is configured correctly:

===================================================

> show cs vserver mySWG_Transparent

mySWG_Transparent (*:*) - PROXY    Type: CONTENT

State: UP[Certkey not bound]

Last state change was at Wed Feb 28 13:54:29 2018

Time since last state change: 0 days, 01:30:06.330  ARP:DISABLED

Client Idle Timeout: 180 sec

Down state flush: ENABLED

Disable Primary Vserver On Down : DISABLED

Appflow logging: ENABLED

State Update: DISABLED

Default: Content Precedence: RULE

L2Conn: OFF Case Sensitivity: ON

Authentication: OFF

401 Based Authentication: OFF

Listen Policy: NONE

IcmpResponse: PASSIVE

RHIstate:  PASSIVE

Traffic Domain: 0

1)    AppFlow Policy Name: _swg_mySWG_Transparent_apfw_pol Priority: 11

GotoPriority Expression: END

Done

===================================================

On the Win2008R2AD machine, browse the Internet to generate traffic:

On MPSVPX-95, verify the traffic audited through the secure web gateway:

End of verification

Seamlessly integrated file-stream antivirus gateway function test

Step

Action

Verify that the seamlessly integrated file-stream antivirus gateway configuration on NSVPX-91 is correct:

===================================================

> show cs vserver cs_vsrv_uploadfile

cs_vsrv_uploadfile (192.168.195.112:80) - HTTP      Type: CONTENT

State: UP

Last state change was at Wed Feb 28 13:57:11 2018

Time since last state change: 0 days, 02:38:10.190

Client Idle Timeout: 180 sec

Down state flush: ENABLED

Disable Primary Vserver On Down : DISABLED

Appflow logging: ENABLED

Port Rewrite : DISABLED

State Update: DISABLED

Default: Content Precedence: RULE

Vserver IP and Port insertion: OFF

L2Conn: OFF Case Sensitivity: ON

Authentication: OFF

401 Based Authentication: OFF

Push: DISABLED    Push VServer:

Push Label Rule: none

Listen Policy: NONE

IcmpResponse: PASSIVE

RHIstate:  PASSIVE

Traffic Domain: 0

1)    Responder Policy Name: ICAPRequest      Priority: 100

GotoPriority Expression: END

1)    Content-Switching Policy: cs_pol_uploadfile    Target LB: lb_vsrv_test       Priority: 100   Hits: 0

Done

> show responder policy ICAPRequest

Name: ICAPRequest

Rule: HTTP.REQ.HEADER("Content-Type").CONTAINS("multipart/form-data") && sys.HTTP_CALLOUT(http_callout_squid)

Responder Action: ICAPError

UndefAction: Use Global

LogAction: Use Global

Hits: 0

Undef Hits: 0

Policy is bound to following CS VSERVERS

1)    Bound to: REQ VSERVER cs_vsrv_uploadfile

Priority: 100

GotoPriorityExpression: END

Done

===================================================

Upload a clean file:

Upload a virus file:

Check whether the policy was hit:

Check the logs of the file-stream antivirus server:

End of verification

Application Firewall function test

Step

Action

Verify that the Application Firewall configuration on NSVPX-91 is correct:

===================================================

> show lb vserver lb_vsrv_webgoat

lb_vsrv_webgoat (192.168.195.101:443) - SSL   Type: ADDRESS

State: UP

Last state change was at Wed Feb 28 15:51:14 2018

Time since last state change: 0 days, 01:00:34.860

Effective State: UP

Client Idle Timeout: 180 sec

Down state flush: ENABLED

Disable Primary Vserver On Down : DISABLED

Appflow logging: ENABLED

No. of Bound Services :  1 (Total)      1 (Active)

Configured Method: SOURCEIPHASH BackupMethod: ROUNDROBIN

Network mask: 255.255.255.255

Mode: IP

Persistence: SOURCEIP Persistence Mask: 255.255.255.255    Persistence Timeout: 2 min

Vserver IP and Port insertion: OFF

Push: DISABLED    Push VServer:

Push Multi Clients: NO

Push Label Rule: none

L2Conn: OFF

Skip Persistency: None

Listen Policy: NONE

IcmpResponse: PASSIVE

RHIstate: PASSIVE

New Service Startup Request Rate: 0 PER_SECOND, Increment Interval: 0

Mac mode Retain Vlan: DISABLED

DBS_LB: DISABLED

Process Local: DISABLED

Traffic Domain: 0

TROFS Persistence honored: ENABLED

Retain Connections on Cluster: NO

1) svc_webgoat (192.168.185.73: 8080) - HTTP State: UP       Weight: 1

1)    Rewrite Policy Name: rw_pol_sendtowebgoat  Priority: 101

GotoPriority Expression: NEXT

Flowtype: REQUEST

1)    AppFlow Policy Name: lb_vsrv_webgoat_Transparent_apfw_pol    Priority: 255

GotoPriority Expression: END

1)    Policy : appfw_pf_webgoat Priority:100     GotoPriority Expression: NEXT

Done

===================================================

End of verification
