Various tools are used to achieve Deep Security virtual patching. It includes:
The following features need to be considered while selecting a tool for Virtual Patching solutions:
The WAF provides the most sustainable solution for virtual patching. WAF works well in securing your websites and applications.
Robust HTTP and HTML Parsing
To analyze the input stream, an HTTP and HTML parser is required in the tool. The parser must be capable to recognize certain protocol features including content-encoding (multipart/form-data encoding or chunked encoding), request and response compression, and XML payload.
Also, the parser should be supple as the environment is protected as many headers and protocol elements are not used as stated in RFC requirements. For instance, Apache allows any sequence of white-space between the method and the URI in the HTTP request line but the RFC requires a single space between them. A stricter parsing may be acceptable in the tool because if IDS/IPS systems that fail to prevent evasion in a proxy deployment can be easily evaded by attackers.
Protocol Analysis
HTTP stream will be split up into logical entities like headers, parameters, and uploaded files for further inspection by the tool, based on the parsed information. Every element will be inspected individually for its length and count. It would never consider for its content. Besides, the tool divides the network stream when keep-alive HTTP connections are used to unique requests and replies, and correctly match requests and replies.
Anti-Evasion Capabilities
HTTP and HTML protocols permit the same information to be displayed in different ways. The signature based detection of attacks should inspect the attack vector in any form it may be in. Offenders elude detection systems using a less familiar presentation of the attack vector. Before inspection the tool should transform the request to a normalized form to prevent evasion
The tools should be capable to selectively make use of normalization functions for different input fields for every inspection carried out. For instance, the tools must be capable to normalize an HTML form field that accepts path names as input.
Rules instead of Signatures
Virtual patches must capable to implement complex logic. Instead of signatures, it requires more robust security rules language to define the tests.
For instance, the some features are given below:
See the below links:
Virtual Patching
Advantages of Virtual Patching
Virtual Patching: Definition