Situational Awareness Solution for Government Websites


I. Background

According to the 37th China Internet Development Statistics Report published by the China Internet Network Information Center (CNNIC), the number of Chinese websites keeps growing rapidly and the number of Chinese web pages has exceeded 200 billion for the first time. However, the security protection capabilities of the web remain weak. From 2013 to 2015, the Cyberspace Administration of China monitored and investigated the websites of prefectures, cities and counties with the domain name across the country. It found that 76% of government websites have security risks, and some websites have weak control over their sites. With the rapid development of the Internet, prefecture-level governments are paying more attention to network security.

II. Solution overview

H3C SecCenter CSAP-WEB focuses on the characteristics of hacker attacks and on compliance with the corresponding national policies. It provides customers with active website security monitoring and detection in the form of cloud SaaS, using technologies such as web crawling, sandboxing, and vulnerability scanning to actively safeguard website security and monitor website vulnerabilities. It also provides professional suggestions to reduce security risks and 24/7 monitoring to ensure continuity. When an unexpected attack occurs, it responds to and handles the attack in a timely manner, enabling the construction of a complete website security system. It monitors a wide range of websites using automation technologies, which reduces labor costs. With all-round monitoring through unified indicators, it provides a technical basis and key indicators for unified supervision.

III. Solution features

Availability monitoring

* HTTP monitoring: Initiates an HTTP request to the URL of the monitored website and calculates the actual time required to open the website from the monitoring node.

* DNS monitoring: The web monitoring center sends the DNS request packet for the monitored website's domain name to a designated DNS server, and determines whether the website's domain name resolution service is available based on the calculated DNS response time, the domain name resolution result, and the preset threshold.

* PING monitoring: The web monitoring center sends an ICMP request packet to the monitored website and calculates the actual response time of the ICMP response packet.

Compliance monitoring

* Remote web change monitoring service: Uses content matching algorithms and a preset sensitivity to reduce the false alarm rate.

* Remote sensitive information monitoring service: Detects sensitive information on the monitored website.

* Remote malicious URL monitoring service: Detects malicious links such as hidden web links and bridge (doorway) pages.
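A worked illustration of the change monitoring and hidden-link detection described in the two items above, added here as an example and not part of H3C's product: volatile fields (a visit counter, a timestamp) are masked before a similarity ratio is compared against a sensitivity threshold, and anchors hidden with CSS are reported separately. The page snapshots, the hostname and the volatile-field patterns are constructed for illustration.

```python
import difflib
import re

# Constructed snapshots of one page (not real site content): the stored baseline,
# a later crawl where only volatile fields changed, and a crawl after tampering.
BASELINE_HTML = (
    "<html><head><title>City Portal</title></head>\n"
    "<body><h1>Notices</h1><p>Office hours 9:00-17:00.</p>\n"
    "<p>Visits today: 1042</p><p>Updated: 2024-01-01 09:00:00</p></body></html>"
)
BENIGN_HTML = BASELINE_HTML.replace("1042", "1187").replace(
    "2024-01-01 09:00:00", "2024-01-02 08:30:15")
TAMPERED_HTML = BENIGN_HTML.replace(
    "<p>Office hours 9:00-17:00.</p>",
    "<p>All services are suspended. Contact the hotline now.</p>"
    '<a href="http://shop.example/deal" style="display:none">cheap goods</a>')

# Regions that legitimately change between crawls are masked so they do not raise false alarms.
VOLATILE = [
    (re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"), "<TIMESTAMP>"),
    (re.compile(r"Visits today: \d+"), "Visits today: <COUNTER>"),
]
# CSS that hides an anchor from visitors while crawlers still index it (a hidden link).
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0\b", re.I)

def extract_text(html):
    """Reduce markup to visible text, then mask volatile fields."""
    text = re.sub(r"<(script|style)\b.*?</\1>", " ", html, flags=re.S | re.I)
    text = re.sub(r"<[^>]+>", " ", text)
    text = re.sub(r"\s+", " ", text).strip()
    for pattern, placeholder in VOLATILE:
        text = pattern.sub(placeholder, text)
    return text

def find_hidden_links(html):
    """Return hrefs of anchors styled to be invisible to humans."""
    links = []
    for attrs in re.findall(r"<a\b([^>]*)>", html, flags=re.I):
        if HIDDEN_STYLE.search(attrs):
            href = re.search(r"""href\s*=\s*["']([^"']*)""", attrs, flags=re.I)
            links.append(href.group(1) if href else "<no href>")
    return links

def evaluate(baseline_html, current_html, sensitivity=0.9):
    """sensitivity = minimum similarity tolerated; higher means alarms on smaller edits."""
    ratio = difflib.SequenceMatcher(None, extract_text(baseline_html),
                                    extract_text(current_html)).ratio()
    hidden = find_hidden_links(current_html)
    return {"similarity": round(ratio, 3), "text_changed": ratio < sensitivity,
            "hidden_links": hidden, "alarm": ratio < sensitivity or bool(hidden)}
```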

Security monitoring

* Web vulnerability scanning and detection service: Analyzes the website structure and vulnerabilities, and obtains the website's vulnerability status and repair suggestions in a timely manner.

* Host system vulnerability scanning and detection service: Obtains the host IP address and scans and detects vulnerabilities of the host, network devices, operating systems, databases, and application systems.

* Phishing detection service: Uses domain name matching and fuzzy matching to determine whether a website is a phishing website.

* Trojan detection service: Determines whether a web page has been implanted with a Trojan (a drive-by download) based on sandbox detection and static rule matching detection.

* Weak password check and detection service: Performs scheduled remote automatic scanning of websites to identify website accounts with weak usernames and passwords.

* Webshell detection service: Provides plug-ins for local scanning of files, including common script files such as ASP, PHP, ASPX, JSP, and Perl.

Diverse ecological support

* Supports distributed deployment to meet the deployment requirements of multiple scenarios.

* Provides standard interfaces, enabling third-party vendors to access the security logs.

Operating mode

Distributed deployment: supports up to 32 web-based management engines.

Independent deployment: supports the monitoring of up to 150 sites.

Web monitoring

Supports the detection of SQL injection, cross-site scripting (XSS), middleware system vulnerabilities, CSRF, and malicious file upload via shell scripts, on independent domain names, dynamic web pages, and static web pages.

Content monitoring

Supports real-time detection of tampering, hidden links, and sensitive information.

Availability monitoring

Supports the use of HTTP, DNS, and PING to check website availability.

Audit and alarm

Supports internal operation audit, a third-party log server interface, and alarm reporting via SMS and email.

Report management

Supports the export of monitoring reports in different formats, such as Excel, Word, HTML, and PDF.

System management

Supports online/offline signature database upgrade, interface enabling/disabling, and centralized management and unified monitoring.