Thursday, July 2, 2009
Comparative Product Review: Six Web Application Firewalls
by Sandra Kay Miller
Issue: Mar 2008
Original article: http://searchsecurity.techtarget.com/magazineFeature/0,296894,sid14_gci1303838_idx1,00.html
No longer can security managers focus only on perimeter and host security. The application has become the prime target for hackers. We review six leading Web application firewalls that help deliver your critical apps securely.
Consider how much information gets plugged into databases through applications and then regurgitated in queries, reports and content. We live in a world of HTTP and HTTPS, where everything has been ported to Web-based interfaces and consoles. Traditional network firewalls operating lower on the stack have no way of identifying malicious requests traversing TCP ports 80 and 443 to online shopping sites, Web mail or business portals such as online banking and account services.
Add PCI-DSS requirements for application security, and it's easy to see why Web application firewalls, once considered niche technology, are gaining traction in corporate data centers. They prevent attacks that network firewalls, IDS/IPS and antivirus filters cannot by limiting suspect access through combinations of behavioral analysis and policy controls.
In a head-to-head review, Information Security examined six application firewall appliances, all of which delivered centralized management, enterprise reporting and comprehensive protection for applications: Barracuda Networks' Web Application Gateway (formerly NetContinuum); Bee Ware's iSentry; Breach Security's WebDefend; Citrix's Application Firewall; F5 Networks' Big-IP 8800 Application Security Manager; and Imperva's SecureSphere Web Application Firewall.
Each product was graded on ease of installation and configuration; administration; depth of security policy control; monitoring, alerting, auditing and reporting; and overall security effectiveness.
About this Review
Barracuda Networks Web Application Gateway NC1100
Bee Ware iSentry IS200
Breach Security WebDefend
Citrix Application Firewall
F5 Networks Big-IP 8800 Application Security Manager
Imperva SecureSphere Web Application Firewall
Information Security deployed six application firewall appliances from Barracuda Networks, Bee Ware, Breach Security, Citrix, F5 Networks and Imperva.
Each product was installed in our test lab between a network firewall and in front of or alongside the application servers (see "Inside The Lab," below), which included an Apache Web server and Microsoft Internet Information Server, each hosting a variety of applications including Web mail, an online forum and a Web site with shopping cart capabilities.
Client machines subjected to attack included systems running Microsoft XP SP2 with Internet Explorer and Linux (Debian 3.1) with Mozilla Firefox. We focused on common attacks against applications including buffer overflows, cookie tampering, SQL injection, session hijacking, cross-site scripting (XSS), cross-site request forgeries (CSRF), forms tampering, remote code execution, malicious code (Internet worms), denial of service, brute force login and forceful browsing.
Additionally, we configured application-side security features, such as Web site cloaking, and attempted to gain network and application configuration via nefarious reconnaissance practices such as identifying operating systems and Web server details through HTTP header data and scanning utilities like Nmap.
Breach's WebDefend was deployed in an out-of-line mode next to our Web servers using a span port.
--Sandra Kay Miller
Inside the lab
All application firewall appliances were deployed as reverse proxies (except for Breach Security's, which was attached to a span port) on a network between a traditional stateful inspection firewall and a variety of applications servers, including Microsoft IIS and Apache Web servers, Microsoft SQL, e-commerce applications with credit card transaction capability and an online forum. Browsers included Internet Explorer, Firefox, Netscape and Opera.
Installation and Configuration
All the products we tested were 1U or 2U rack-mounted devices built on hardened appliances. Our first step was to gauge the ease with which each product could be installed and configured. Although each appliance supported a variety of deployment configurations (bridge, router, inline, out-of-line), we set up each as a reverse proxy, except Breach Security's WebDefend, which is designed to operate in a non-linear environment.
Imperva and Breach were easiest to set up and configure. Thanks to their intuitive design and wizards, each took approximately an hour to get running.
Using the Site Manager through Breach's console, we could easily verify that the domains, IP addresses and ports were correct. It even identifies the type of server on which the application is hosted (e.g., IIS). Through the logical tree structure, it's easy to locate and add sites.
At the Core - Installation and Configuration
The good news: Imperva and Breach are easiest to set up and configure, thanks to their intuitive design and wizards, though Imperva requires a little more manual intervention.
The bad news: Barracuda is somewhat complex, and setup is time-consuming, requiring a lot of manual configuration.
Imperva required more manual intervention for the configuration of our servers, Web sites, services and applications. It presented a logical tree structure similar to that of Breach, but lacked the useful at-a-glance verification and instead spread the information among four different tabs. Nonetheless, these were minor points and we found it overall to be on a par with Breach in this category.
Bee Ware's initial installation was similar to our other test subjects, and the configuration wizard stepped us through assigning the basics such as host name, date and time, network interfaces and assigning the destination IP address for our target back-end server. The documentation showed some rough translation issues from the original French, but the configuration wizard led us through a fairly straightforward setup.
F5's Application Security Manager (ASM) is a part of its BIG-IP port-based multilayer switch built on F5's proprietary TMOS platform, which is designed for traffic management, acceleration and load balancing. After a fairly painless installation onto our network, the configuration required us to spend the better portion of a day understanding how the ASM module integrated with the other modules, such as the Local Traffic Manager.
While all of this first appeared extremely complex, F5 features a clean and informative interface coupled with outstanding documentation and technical support. The complexity was offset by the rich load balancing and traffic management features necessary for delivering application security in big pipe environments.
At the Core - Administration
The good news: Imperva offers highly granular features for delegating administration and assigning rights and permissions, with a comprehensive, easy-to-use interface.
The bad news: Citrix's interface is intuitive and well-designed, but the options are limited, which may not suit some organizations' requirements.
Citrix required a lot of manual entry, but offered a clean Windows-based configuration utility. It wasn't as time consuming as Barracuda's Web Firewall's setup or as complex as F5, which required extensive understanding about network traffic management prior to setting up the security features.
Barracuda is somewhat complex and took a long time to set up. Even though we used Barracuda's Web application wizard, an extensive amount of manual security configuration was required to effectively protect our test applications against our attacks. Since Barracuda boasts of its ability to be set up in a production environment without causing disruption, we initially deployed the box in passive mode, producing logs that identified actions that would have been taken if it was in active response mode--for example, blocking traffic from an IP that was performing a brute force login, forceful browsing or bot activity. This allowed us to effectively tune the appliance prior to switching to active mode--a real plus for security managers without the time or resources to first deploy in a mirrored test environment.
Consider This
WEB APPLICATION FIREWALLS have additional features, such as those related to traffic management, including SSL acceleration, caches, compression, load balancing and high availability. The growing adoption of high bandwidth technologies requires that solutions are capable of delivering security without latency. Other factors that may influence your purchase decision are regulatory compliance features and out-of-the box policies and signatures to get you started without a lot of customization.
Administration
Ongoing maintenance and tuning plays a significant role in the continuing effectiveness of these devices, which cover numerous complex technologies and security issues. And, the pervasiveness of Web-based applications presents management challenges that make delegated administration an important factor.
Imperva offers the most granular administrative rights delegation and greatest ease of assigning rights and permissions. An expandable tree allowed us to instantly view administrative groups under which individuals are listed. Rights and permissions can be set globally, per group or per individual through a comprehensive list of available resources and applications. We could quickly set view/edit privileges. Individuals can be assigned to multiple groups as well, giving them different levels of access.
At the Core - Security Policy Control
The good news: We especially like BreachMarks tagging. F5 features a good policy toolset, particularly for adaptive learning, and Imperva has an array of out-of-the-box policies and attack signatures.
The bad news: Bee Ware's policy creation is time consuming, poorly organized and difficult to navigate.
F5's comprehensive set of administrative tools supports its traffic management and load balancing capabilities, and the application security module. It helps tame the overwhelming task of administration by compartmentalizing objects such as virtual servers, URLs and databases for easier, more flexible delegation.
Similarly, Barracuda groups applications and resources into role-based administration silos to facilitate delegation. Navigation throughout the extensive feature set was relatively easy, despite complexity second only to F5. Roles define the user's permissions for command groups (meaning what type of actions) and are accessible for a particular site, so administrative duties can be delegated in a large or distributed environment.
Bee Ware keeps things simple by breaking down administrative tasks into two basic groups--administrators and webmasters. Administrators have access to global configurations and can create, disable or delete services and policies. Webmasters only have configuration rights to the services and policies for which they have been assigned permission. This provides the autonomy needed for different groups to make changes to their HTTP-based content as well as the overall security and oversight to prevent damage to active content pages.
Citrix's administrative capabilities are basic, but well-managed through a simple and intuitive management GUI. We were able to quickly add users for administrative purposes, but our options were limited to either an application administrator or an application guest, whose account could view, but not modify, configuration settings. We felt this was essentially useless.
At the Core - Monitoring, Alerting, Auditing and Reporting
The good news: Imperva provides a wealth of easy-to-access information, and a virtual cornucopia of reports generated through robust filtering.
The bad news: Bee Ware is just fair across the board here: no SMS or email alerts, limited monitoring and weak reporting.
Breach breaks out administrative tasks into two groups as well--system administrators with access to everything, and site administrators who only have rights to sites assigned to them. Additionally, Breach includes two view-only accounts--a Super Viewer who can see everything and a Viewer with read-only access to sites to which they are assigned.
Assigning sites was effortless, as all active sites are displayed in one window and could be assigned with a mouse click.
Security Policy Control
The real power behind these products lies in their ability to let organizations control access to dynamic applications. Unlike traditional network firewalls that simply permit or deny packets based upon policy, application firewalls must deliver more sophisticated control at the application layer through a variety of contextual rule sets and behavioral analysis.
All of the products included some sort of learning function, either the automatic learning of URLs or learning behavior and traffic patterns. Another significant policy designation was the firewall's ability to operate in a transparent mode, which allowed us to fine-tune actions prior to initializing full security measures, such as blocking and redirecting.
Breach provided the most predefined policy set out of the box, covering known attacks against popular applications such as IIS, Apache and SQL. We are skeptical that its controls have the robustness to be effective against unknown attacks.
The console isn't as complex or icon-driven as the other products, but is laid out in a way that let us drill down through our applications and review and set policies. Best of all, it provided one of the best visual interfaces along with information about security events.
We were particularly engaged by the use of Breach-Marks--regular expressions or custom strings used to identify sensitive information, such as credit card numbers.
The first order of business with Citrix was switching from bypass mode to operating mode--basically turning on the firewall. From the same page, we were able to choose whether to include failover protection in our security policy, assign session timeout thresholds and toggle between two diverse degrees of overall security--Enterprise, which included full filtering and blocking, or Express, with basic Web server policies.
Once traffic began passing through the appliance, we had to determine whether to enable failover protection. Initializing this option was difficult, as it required an in-depth understanding of whether or not pages containing Web forms used JavaScript or GET calls.
Citrix's Adaptive Learning mode examines traffic to determine what is normal and then builds recommendations that let users apply, edit and apply, skip or ignore. Unfortunately, when a recommendation is ignored, the firewall will no longer view that particular action as a threat when encountered. We would have preferred to see a threshold set for the skip option to allow change to meet new zero-day exploits and adaptive malware.
F5's policy management is quite flexible. Initially, the wizard walked us through each aspect rule definition. F5 also supports an assortment of adaptive learning tools to assist with policy generation. We found the Learning Manager and its counterpart, the Traffic Learning Screen, to be the most helpful in determining policy. Each time we created a potential violation, such as forceful browsing or multiple failed login attempts, the Learning Manager made suggestions as to how to adapt our security policy.
F5 offers the ability to create security policy templates to facilitate large-scale deployments.
At the Core - Overall Security Effectiveness
The good news: Imperva is the closest thing to a silver bullet for application security, based on its combination of adaptive learning and other techniques.
The bad news: Citrix delivers good security against attacks, but we would like to see traffic logging for comparison while it is run in passive mode.
Between Barracuda's policy wizard and the dynamic application profiling, we were able to create security policies specific to the traffic generated during our testing. However, it's easy to see how in a high-traffic environment, the constant tweaking would be bothersome and ultimately create a security risk from multiple changes.
Barracuda's passive mode is very good at displaying what results would be if policies were actively enforced. While the other products displayed what was taking place on the network, they didn't offer the extensive understanding of the ramifications of the security policy had it been active.
While Bee Ware's security policies provided adequate protection against our assortment of attacks, setting up policies proved to be difficult. The appliance utilizes blacklists, dynamic whitelists and behavioral analysis, but the logic required to institute rules and patterns is time-consuming and disorganized. Policy creation was spread across a series of tabs. We would have liked to be able to create policies from a centralized location using drop-down menus and tables.
Imperva delivered an impressive set of predefined attack signatures. Custom signatures can be easily created through a simple menu system that includes a wide variety of metadata choices (Web, stream, SQL). The easy-to-navigate interface allowed us to peruse policies through a variety of filters listed in a hierarchical tree on the left side of the policies page.
Monitoring, Alerting, Auditing, & Reporting
All the products we examined had features specific to aid compliance auditing and reporting. Security managers want detailed information about malicious activities on their network--the who, what, why, where, when and how details. Auditing and reporting features can make or break a product's chances of ending up at the top of the short list.
Imperva sports a highly configurable real-time interface, in which we were able to monitor all our applications, alerts, events, connections and the overall health of our systems at a glance under the Monitoring tab.
A separate and equally functional tab offers more than 100 types of reports from which to choose--from a list or using Imperva's robust filtering capabilities.
The Admin tab put everything neatly at our fingertips. With a mouse click we could access users, sessions and, most important, the Application Defense Center--a catch-all for updates and information on signatures, policies, protocols, reports, etc.
Breach also offers an assortment of useful reports, many of which are obviously focused on PCI compliance reporting. Monitoring our shopping cart application, it took only minutes to compile detailed reports about how credit card information was transmitted through specific Web pages.
The Event Viewer offers nine filtering options to drill down on an incredible amount of information, as well as the ability to create customized filters.
Citrix provided adequate monitoring, alerting and logging capabilities. Monitoring is accessed via a dashboard icon on the main interface, as are reports and logs. There are two basic types of logs: The firewall log provides information about security-related events, and the audit log records all activities you select when you configure the box.
Compared to Imperva, the Citrix dashboard is plain and uninformative. We were disappointed by the weak reporting features, which offered only four types of administrative reports--an Executive Summary, a Security Summary, a Configuration Summary and an Inspection Report, which listed the attacks.
In addition to Web Application logs, Barracuda provides syslogs, network firewall logs and Web firewall logs, each with its own page under the Logs tab on the dashboard. Overall, the logging displays were visually confining and dull. Reporting capabilities were as disappointing as those offered by Citrix, limited to alerts, diagnostics and error reports. They lacked the rich level of detail and customization found in Imperva and Breach.
F5 delivers excellent monitoring, alerting, historical and forensic capabilities, but the reporting tools are only mediocre Executive, Events, Security and Attack reports, despite the phenomenal amount of information gleaned through the multiple types of monitors that continuously track HTTP, HTTPS, TCP, FTP and other network protocols.
Bee Ware's monitoring capabilities were limited to real-time application activity and security logs, which are viewed via the administrative interface or exported as syslog log files. Alerting was limited to SNMP traps and syslog messages. Security administrators require instant notification through a variety of methods, such as SMS and email, the moment a critical event occurs.
Bee Ware only offered two basic types of logs--security and access. Each provides a table of events and each event could be clicked on for additional information. We found the logs to be more helpful than the reports for which they provided the data. Reports were limited and poorly designed in their graphical display.
Overall Security Effectiveness
The Web has opened a multitude of new avenues for hackers to exploit Internet protocols and the applications that utilize them. The core functionality of all the products delivered comprehensive security for HTTP, HTTPS and FTP applications and XML services. In our test rig, all the products delivered a core set of security features, most notably Web site cloaking, protection against common Web vulnerabilities and exploits, and data protection.
Our battery of attacks included but was not limited to SQL injections, buffer overflows, cookie tampering, forms tampering, session hijacking, cross-site scripting, remote code execution, malicious code (Internet worms), denial of service, brute force logins and forced browsing. We launched a Java-based Web crawler in an effort to fingerprint the applications and hosted sites behind the product under testing. Additionally, we purposely set up insecure pages that provided access to restricted data (credit card numbers, fake, of course) and attempted to gain access. Each product performed satisfactorily, and all are worthy of enterprise installations.
Given the massive amount of information stored in databases that are touched by Web-facing applications, we found that Imperva's application and database security provided the closest thing to a silver bullet security managers could institute. Using a combination of whitelists, blacklists and adaptive learning ("Dynamic Profiling Technology"), the device examined traffic and behavioral patterns of applications and databases to differentiate between valid traffic patterns and our attacks.
Barracuda uses a combination of Web ACLs, positive and negative security models and Dynamic Application Profiling to identify acceptable traffic. The included signatures for the negative model blocked all the common attacks (SQL, buffer overflow, tampering, etc.), while the positive model locked down all traffic unless defined through the powerful ACLs. We set a variety of ACLs that delivered superior security for our test sites.
Similarly, F5 employs both a positive security model, and a negative model for common attacks, with heuristic analysis of all traffic through the Adaptive Learning and Tuning engine. We credited the strong positive security model for initially blocking some of our legitimate traffic and returned to the transparent mode until we had established a traffic baseline through F5's automated policy builder. Our second attempt at enabling blocking resulted in flawless operation, with all attacks stopped while allowing permitted traffic to proceed.
The granular traffic movement controls allowed us to limit access to applications through customized traffic flow policies.
We started our Citrix testing in bypass mode; while we understood the validity of not filtering in this state, we would have liked to be able to at least log traffic for a comparison once the device was switched to operating mode. Our initial testing was met with a number of false positives, requiring us to disable Adaptive Learning and do some manual tuning.
Adaptive Learning made suggestions that we could accept, deny or customize. We found this especially helpful whenever any changes were made to our applications, such as the addition of new sites or pages within sites, especially those containing vulnerable aspects such as forms, logins and dynamic links. All our malicious attacks were blocked in operating mode.
Bee Ware more than held its own under testing against common attacks and exploits such as SQL injection, buffer overflows, XSS and Microsoft and Unix vulnerabilities. Additionally, the behavioral analysis-based security engine offered enough automation of policy creation to make it attractive to smaller IT shops. Bee Ware's learning capabilities quickly identified new sites and pages added within our applications. However, until a new URL has been learned or manually added, it was rejected, leading initially to legitimate sites being blocked.
Breach uses dynamic application profiling combined with inbound and outbound traffic analysis to mitigate threats. Breach also identified imperfections in Web pages, such as miscoded URLs, images and objects that can create vulnerabilities, such as returning error pages displaying identifying information about the Web server or application.
We started our testing in learning mode with the option to automatically switch to protect mode once enough traffic has been analyzed. We were pleased to see a change without any false positives once the device initiated an active posture.
There's no doubt that Breach is an excellent solution for PCI compliance. Focusing on security aspects specific to credit card transactions, from masking account numbers to robust SSL protection, we were pleased with the overall performance of the appliance. When we tagged our test data simulating credit card information with BreachMarks, our exploitable shopping cart application lit up our alerts. At first, we allowed the private information to traverse the firewall to verify Breach's claims that it provides detailed records about any compromised information. This lets companies verify exactly what records have been illegally accessed.
Meeting The New Threats
All of the appliances we reviewed provide effective application layer protection; all scored well against the diverse attacks we threw at them. But we found significant enough differences depending on your organization's requirements. Imperva presented the strongest all-around offering, followed closely by Breach Security. Both were strong across the board. F5 and Barracuda Networks are strong choices, faltering only in their monitoring, alerting and reporting categories.
The scope of our testing was limited to a single appliance placed in front of a couple of Web servers. However, when working with these products it becomes apparent that they were designed to protect clusters of servers, if not entire server farms hosting Web-facing applications. Though network management features weren't part of our evaluation criteria, these may be important factors in your choice of an application firewall appliance.
Application firewalls represent next-generation digital security. As these technologies mature, and working in conjunction with traditional network firewalls, IDS/IPS and malware scanners, it is hoped they will reduce the threats faced by an increasingly Web application-driven society.
Monday, September 15, 2008
Mid-Autumn Festival at Shui'an, part 1
Haven't been here in a long time; quite a few buildings have gone up by the entrance, and the road has been widened.
There isn't much water in the river; I wonder whether it will get better later on.
The garden landscaping is really quite nice, heh.
Around buildings 8 and 9 the garden has no scenery to speak of; according to the sales office, the remaining landscaping will be done along with the phase-two development, and phase two doesn't start until next year, though they have already begun laying foundations...
Wednesday, September 10, 2008
Web-based real-time event notification solutions
First, a word about the term Comet. It was coined by Alex Russell (project lead of the Dojo Toolkit), who used "Comet" for "server push" techniques that rely on long-lived HTTP connections and require no browser plug-in.
1. HTTP pull
In this traditional approach, the client checks the server for the latest data at a user-definable interval. The polling frequency must be high enough to guarantee data accuracy, but a high frequency may cause redundant checks and therefore heavy network traffic; on the other hand, a low frequency means missed updates. Ideally the polling interval should equal the rate at which the server's state changes. A common implementation uses the `<meta http-equiv="refresh" content="5" />` tag; fetching periodically with XMLHttpRequest is of course another option.
2. HTTP streaming (push)
HTTP streaming takes two forms:
* Page Stream: an uninterrupted HTTP response for the page (HTTP 1.1 Keep-Alive).
A hidden frame (iframe) is embedded in the HTML page and its SRC attribute is set to a request for a long-lived connection, so the server can feed data to the client continuously.
* Service Stream: a server data stream inside an XMLHttpRequest connection.
The client normally calls its callback to process the data when the XMLHttpRequest readyState is 4 (transfer finished); at readyState 4 the transfer is over and the connection is closed. Mozilla Firefox supports Streaming AJAX: at readyState 3 (data still being transferred) the client can already read data, so it can read and process what the server returns without closing the connection. IE cannot read the server's data at readyState 3, so IE currently does not support Streaming AJAX.
Note: requesting a long-lived connection via Page Stream (iframe) has an obvious drawback: in IE and Mozilla Firefox the progress bar shows the page as still loading, and IE's icon at the top keeps spinning to indicate loading in progress. Google's engineers solved the loading indicator problem in IE with an ActiveX control called "htmlfile" and used the approach in Gmail and Gtalk. Alex Russell describes the method in the article "What else is burried down in the depth's of Google's amazing JavaScript?". The comet-iframe.tar.gz provided by the Zeitoun site wraps a JavaScript comet object based on iframe and htmlfile, supports IE and Mozilla Firefox, and can serve as a reference. (http://alex.dojotoolkit.org/?p=538)
3. Long polling
Also called asynchronous polling, this approach is a hybrid of pure server push and client pull. It is based on the Bayeux protocol (http://svn.xantus.org/shortbus/trunk/bayeux/bayeux.html), which follows a topic-based publish/subscribe model. After subscribing to a channel, the connection between client and server is held open for a predefined period (45 seconds by default). If no event occurs on the server before the timeout, the server asks the client to reconnect asynchronously. If an event occurs, the server sends the data to the client, and the client then reconnects.
1. The server blocks the request and returns only when there is data to deliver or the timeout expires.
2. The client's JavaScript response handler, after processing the server's data, issues a new request to re-establish the connection.
3. While the client is processing the received data and re-establishing the connection, new data may arrive at the server; it is buffered on the server until the client reconnects, and the client then fetches all pending messages at once.
4. Flash XMLSocket (push)
This solution rests on two foundations:
1. The Flash player is installed and provides the XMLSocket class (Flash 7.0.14 or later).
2. Tight integration between JavaScript and Flash: JavaScript can directly call interfaces exposed by the Flash program.
Concretely: a Flash program that uses the XMLSocket class is embedded in the HTML page. JavaScript communicates with the server-side socket through the socket interface exposed by that Flash program. After receiving data from the server in XML format, JavaScript can easily control what the HTML page displays.
For how to build the Flash program bridging JavaScript and Flash XMLSocket, and how to call the Flash interfaces from JavaScript, see the Socket Demo and SocketJS provided by the AFLAX (Asynchronous Flash and XML) project (http://www.aflax.org/, which offers powerful Flash and JavaScript libraries and many examples).
The tight coupling of JavaScript and Flash greatly strengthens the client's processing capability. Since Flash player 7.0.19, the restriction that an XMLSocket port must be greater than 1023 has been lifted. The Flash XMLSocket solution is also supported on Linux. Its drawbacks are:
1. The client must have the Flash player installed;
2. Because XMLSocket has no HTTP tunnelling, the XMLSocket class cannot traverse firewalls automatically;
3. Because it uses a socket interface, a communication port must be configured, and firewalls and proxy servers may restrict non-HTTP ports;
4. XML must be used as the message format, which increases data overhead.
This solution is widely used in web chat rooms and online interactive games.
5. Java Applet (push)
Similar to the Flash XMLSocket approach. Rarely used nowadays, most likely because of missing support on mobile terminals such as phones.
Summary and recommendations:
If we want high data coherence and high network performance, we should choose push. However, push brings scalability problems: server application CPU usage is 7 times that of pull. According to the TUD test results (http://swerl.tudelft.nl/twiki/pub/Main/TechnicalReports/TUD-SERG-2007-016.pdf), server performance saturates at 350-500 users. For larger numbers of users the server must maintain a large number of concurrent long-lived connections; in such settings the server side needs load balancing and clustering, or improvements to how it handles long-lived connections.
With pull, achieving full data coherence together with high network performance is hard. If the pull interval is longer than the data update interval, some data is lost; if it is shorter, network performance suffers. Pull is only just right when the pull interval equals the update interval, but to hit that target we must know the exact update interval in advance, and update intervals are rarely static and predictable. This makes pull useful only when data is published according to some specific pattern.
Use separate HTTP connections for control messages and data messages
With long-lived connections there is a very common scenario: the client page needs to close while the server is still blocked reading data, and the client must promptly tell the server to close the data connection. On receiving the close request the server must first wake from its blocking read, then release the resources allocated to that client, and then close the connection. So in the design, the client's control requests and data requests must use different HTTP connections, so that control requests are never blocked.
In implementation, with an iframe-stream long connection the client page needs two iframes: a control frame for sending control requests to the server, which get a quick response and are not blocked, and a display frame for issuing the long-lived connection request. With AJAX-based long polling, the client can asynchronously issue an XMLHttpRequest to tell the server to close the data connection.
Keep "heartbeat" messages between client and server
Maintaining a long-lived connection between browser and server introduces some uncertainty: because data transfer is sporadic, the client does not know when the server will have data to send. The server must make sure that when the client is no longer running, the resources allocated to it are released, to prevent memory leaks. So a mechanism is needed for both sides to know the other is still working normally. In implementation:
1. The server sets a time limit on its blocking read; when it expires, the blocking read returns and the server sends the client a heartbeat message saying no new data has arrived. If the client has already closed, writing to the channel raises an exception, and the server promptly releases the resources allocated to that client.
2. If the client uses AJAX-based long polling: after the server returns data and closes the connection, if no further request from the client arrives within a certain time limit, the server assumes the client is no longer working and releases the resources allocated to and maintained for it.
3. When the server hits an exception while processing, it must send an error message to notify the client, and at the same time release resources and close the connection.
[Appendix] Open source project resources
Cometd (http://cometd.com/): Comet framework sponsored by the Dojo foundation.
Orbited (http://orbited.org/): scalable distributed Comet server (implemented in Python)
Pushlets (http://www.pushlets.com/): an open source framework that lets server-side Java objects push events to browser-side JavaScript, Java applets or Flash applications
Jetty (http://jetty.mortbay.org/): Servlet server implemented in Java
Pushup (http://pushup.causology.net/): Comet server (implemented in C++)
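As an added illustration (not from the original article) of the long-polling exchange, the separate control connection, and the heartbeat and idle-cleanup rules described above, here is a toy in-process server in Python. `LongPollServer`, `poll`, `disconnect` and `reap_idle` are hypothetical names, and the short timeouts and chat messages in `demo` are constructed for the walkthrough.

```python
import threading
import time


class _Client:
    """Per-client state the server must release once the client goes away."""
    def __init__(self):
        self.queue = []                       # messages buffered between polls
        self.cond = threading.Condition()     # wakes a blocked long-poll
        self.closed = False                   # set by a control request
        self.last_seen = time.monotonic()     # for idle-client reaping


class LongPollServer:
    """Toy Bayeux-style long-polling hub (hypothetical, for illustration only)."""
    def __init__(self, poll_timeout=45.0, idle_limit=90.0):
        self.poll_timeout = poll_timeout  # blocking-read limit; Bayeux default is 45 s
        self.idle_limit = idle_limit      # silence after which a client is assumed dead
        self._clients = {}
        self._lock = threading.Lock()

    def subscribe(self, client_id):
        with self._lock:
            self._clients[client_id] = _Client()

    def publish(self, message):
        """Fan a message out; a client between requests gets it in its next batch."""
        with self._lock:
            targets = list(self._clients.values())
        for c in targets:
            with c.cond:
                c.queue.append(message)
                c.cond.notify()

    def poll(self, client_id):
        """Handle one long-poll (data) request: block until data, close or timeout."""
        with self._lock:
            c = self._clients.get(client_id)
        if c is None:
            return {"type": "error", "data": []}
        with c.cond:
            c.last_seen = time.monotonic()
            deadline = c.last_seen + self.poll_timeout
            while not c.queue and not c.closed:
                remaining = deadline - time.monotonic()
                if remaining <= 0:
                    # Nothing arrived: answer with a heartbeat so the client reconnects.
                    return {"type": "heartbeat", "data": []}
                c.cond.wait(remaining)
            if c.closed:
                return {"type": "closed", "data": []}
            batch, c.queue = c.queue, []
            c.last_seen = time.monotonic()
            return {"type": "data", "data": batch}

    def disconnect(self, client_id):
        """Control request on its own connection: wake the pending poll, free resources."""
        with self._lock:
            c = self._clients.pop(client_id, None)
        if c is None:
            return False
        with c.cond:
            c.closed = True
            c.cond.notify_all()
        return True

    def reap_idle(self, now=None):
        """Release clients that have not re-polled within idle_limit."""
        now = time.monotonic() if now is None else now
        with self._lock:
            idle = [cid for cid, c in self._clients.items()
                    if now - c.last_seen > self.idle_limit]
        for cid in idle:
            self.disconnect(cid)
        return idle


def demo():
    """Walk through the three behaviours with short timeouts; returns the replies."""
    server = LongPollServer(poll_timeout=0.2, idle_limit=1.0)
    server.subscribe("browser-1")
    # Two messages published while the client is still "reconnecting" (constructed
    # sample data): the next poll returns both in a single batch.
    server.publish({"channel": "/chat", "text": "hello"})
    server.publish({"channel": "/chat", "text": "world"})
    batch = server.poll("browser-1")
    # No data within poll_timeout: the server answers with a heartbeat.
    heartbeat = server.poll("browser-1")
    # Page closes while a poll is blocked: the control request arrives on a
    # separate connection (here, from a separate thread) and wakes it.
    replies = []
    worker = threading.Thread(target=lambda: replies.append(server.poll("browser-1")))
    worker.start()
    time.sleep(0.05)
    server.disconnect("browser-1")
    worker.join()
    # A client that never comes back is reaped once idle_limit has passed.
    server.subscribe("browser-2")
    reaped = server.reap_idle(now=time.monotonic() + 5.0)
    return batch, heartbeat, replies[0], reaped
```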
Monday, September 8, 2008
Scale of unlocked "large and small non-tradable" shares, 2006-2009
Total unlocked in 2007: 1282.399612
Total unlocked in 2008: 1420.892109
Total unlocked in 2009: 6918.273039
The simplest demonstration of how the large and small non-tradable holders devour investors! (repost)
After the public shares are issued and listed, Company A's total assets are: 50 (the large non-tradable holder) + 500 (public shares) = 550 yuan, so net assets per share become 550/100 = 5.5 yuan.
See it now? The 50 shares the large holder bought at 1 yuan each jumped in asset value from 50 yuan to 275 yuan (50 shares times 5.5). Devouring, isn't it?
In year two Company A does a rights issue, 2 new shares for every 10 held. The large holder waives its rights (it always does; devouring, isn't it) yet still votes for the public shareholders to subscribe, at 10 yuan per rights share. The public holds 50 shares; 2 for 10 means 10 rights shares at 10 yuan each, so the public must put up 100 yuan. Total share capital becomes 110 shares.
After the rights issue Company A's assets grow by 100 yuan: 550 + 100 = 650, and net assets per share become 650/110 shares = 5.91 yuan.
See it now? The 50 shares the large holder bought at 1 yuan each rose again in asset value, from 50 yuan to 295 yuan (50 shares times 5.91). Devouring, isn't it? And the large holder put in not one more cent, while the public shareholders put in another 100 yuan (rights issue).
In year three Company A pays a dividend of 10 bonus shares for every 10 held. This time the large holder does not waive the bonus shares; it takes them all. After the bonus issue the large holder goes from 50 shares to 100, and the public from 60 shares to 120. Total share capital becomes 220 shares, and net assets per share become 650/220 = 2.95 yuan.
In year four Company A raises money again with a rights issue of 3 for every 10 shares; the large holder waives again (as always), at 10 yuan per rights share. The public now holds 120 shares; 3 for 10 means 36 rights shares at 10 yuan each, so the public must contribute another 360 yuan. After the issue the public holds 120 + 36 = 156 shares and total share capital is 220 + 36 = 256 shares,
and total assets become 650 + 360 = 1010 yuan. Net assets per share become 1010/256 = 3.94 yuan.
See it now? The 50 shares the large holder bought at 1 yuan each became 100 shares after the bonus issue, and their asset value rose again from the original 50 yuan to 394 yuan (100 shares times 3.94). Devouring, isn't it? And again the large holder put in not one more cent, while the public put in another 360 yuan (rights issue).
In year five Company A pays a dividend, and a generous one: 0.5 yuan in cash per share. The large holder receives 50 yuan in dividends (100 shares times 0.5). The public shareholders receive 78 yuan (156 shares times 0.5). From subscription through the rights issues the public has put in 500 + 100 + 360 = 960 yuan.
See it now? Over 5 years the 960 yuan we put in earned a "huge return" of 78 yuan. The 50 yuan the large holder put in earned an "even huger return" of 50 yuan over 5 years. The large holder has recovered its principal, while we have recovered less than a tenth of ours.
Well then, an even greater policy decision arrives: the split-share structure reform. The consideration is 2.5 shares for every 10 public shares, so 156 shares receive 39 shares of consideration; that is, the large holder hands 39 of its 100 shares to the public shareholders in exchange for the right to trade freely. The large holder now holds 100 - 39 = 61 shares and the public 156 + 39 = 195 shares. Because the large and small non-tradable shares can now trade, the market cannot absorb the supply and the price plunges, all the way down to net asset value per share: 3.94 yuan. If the large holder sells at net asset value of 3.94 yuan it gets 61 shares times 3.94 = 240 yuan in cash; adding the earlier 50 yuan dividend, the large holder has received 290 yuan, an investment return of 290 divided by 50 = 5.8 times. If the public shareholders also sell at net asset value they recover 195 shares times 3.94 = 768 yuan, plus 78 yuan in dividends, 846 yuan. In other words, after 5 years the 960 yuan we put in is still a loss, while the large holder gained 5.8 times its capital. Devouring? A devouring China, and the predators scrambling for gain.
This is a simple example; in reality many companies do more than two rights issues, sucking the tradable shareholders dry to the marrow. And today China's large and small non-tradable holders are not reducing their holdings at net asset value per share but dumping at market price. A disaster too awful to watch!
Lately the whole world is discussing a major financial scandal, and unfortunately its protagonist is China [repost]
Recently Liu Mengxiong, a Hong Kong member of the CPPCC National Committee and financial expert, wrote the article "I Beat the Drum and Cry Out for the People", published as full-page pieces in three Hong Kong media outlets, causing a shock and drawing attention from all quarters. Liu sternly questioned the decision-makers at China's fiscal and financial regulators: "Where did you prodigals get the nerve to take the nation's and the people's money to buy an astronomical 376.3 billion US dollars of bonds of the American 'two housing' companies? Now the 'two housing' companies are essentially bankrupt; how will you answer to the whole nation? Was there any shady dealing behind such an outrageous decision? The National People's Congress should immediately organise a special investigation team to get to the bottom of it and hold people accountable!"
It was like detonating a bomb in a crowded street, provoking a strong reaction across society, especially in financial and economic circles. Yet it stayed within high-level economic circles; the mainland's mainstream print media kept silent and avoided it entirely, and websites deleted comment posts en masse. The details are as follows:
Amid the subprime crisis, the two American mortgage agencies Freddie Mac and Fannie Mae are on the verge of collapse and bankruptcy, and topping the list of foreign creditors of these "two housing" companies is, of all countries, China, holding a total of 376.3 billion US dollars of their bonds, about 21% of China's total foreign exchange reserves. International economic circles call it an unthinkable major scandal.
National data show that since 2004 China's holdings of US bonds have grown at high speed, tripling astonishingly from 2004 to 2007 to reach 922 billion US dollars. Between 2006 and last year, 2007, alone, China's holdings of US bonds grew 66%. On the eve of the US subprime crisis baring its teeth, China still single-mindedly kept increasing its US bond holdings in huge amounts. Who exactly holds the power to dispose of China's enormous foreign exchange reserves so recklessly, buying US bonds as madly as if demented?
India, likewise a large Asian nation, also has considerable foreign exchange reserves, yet its holdings of the US "two housing" bonds amount to only 23 million US dollars; they made a token gesture, whereas China's 376.3 billion is sixteen thousand times India's, almost three trillion Hong Kong dollars. Putting that into the US "two housing" companies is utterly inconceivable!
The internationally recognised principle for investing foreign exchange reserves is safety first and diversification, yet China's fiscal authorities put more than twenty percent of the reserves into the US "two housing" companies, which amounts to putting most of the eggs in one basket. During the Asian financial crisis, property markets in Hong Kong and Southeast Asia collapsed, producing "negative equity" that hurt owners and banks alike, showing that mortgages themselves carry great risk and the bonds derived from them are even more dangerous.
Not concentrating everything in one basket is elementary common sense in financial investment. The principles for investing foreign exchange reserves are safety first, prudence above all, diversified weighting and a varied structure. Yet those lovable, powerful, prodigal officials of the State Administration of Foreign Exchange, the Ministry of Finance and the People's Bank of China all hold master's and doctoral degrees!
On that point alone, what face do Chinese people have to mock India? We call them "A-San" (number three), while we are about to become "A-Da" (number one). Who exactly harmed China into taking such a loss, no, such a heavy blow, and becoming the laughing stock of the world!
I have never thought much of the grand galas and opening ceremonies with their singing and dancing; things staged at great expense for others to watch, are they worth so much face-saving to make them unprecedented spectacles? Seeing clearly one's own weaknesses and dangers, and repairing early the fatal vulnerabilities an adversary could seize on, matters more than anything!
In my view, the exposure of this financial scandal inflicts a blow on China's economy so heavy, and on national confidence and morale so great, that it can practically cancel out a large share of the halo of achievements we have trumpeted ourselves. This is by no means an ordinary problem, nor even a serious mistake! The concept of "mistake" does not apply; it should be called outright a "killing blow"! Behind it must be serious dereliction of duty, of the nature of strategic espionage!
What have China's economists been doing? The policies adopted under the influence of the lofty theories of those so-called mainstream economists ultimately benefited whom, and left whom in deep straits? Those economic experts who "advocated wildly courting foreign strategic investors at home and letting them reap huge profits from cheaply sold original bank shares, and pushing hard abroad to list China's quality large enterprises or state monopolies overseas, generously paying out dividends ten times the capital raised": what exactly are they doing, and what is their background and real identity?
In recent years foreign interest groups have been very active in China, using many methods: some, well versed in Chinese conditions, skilfully use all kinds of connections and find every way to approach leaders at all levels for commercial lobbying, influencing relevant decisions to pave the way for their business; some provide generous research funding to the research institutes and scholars of relevant ministries so that they use their so-called research results and influence to seek gain for, and beat the drum for, foreign multinational groups, exerting influence on the decisions and legislation of relevant Chinese departments. Thus quite a few of China's economic experts and economic officials, relying on bribes from profiteering groups and on foreign groups' funding for their research reports, are carefully packaged and deliberately built up through domestic and overseas media, given all kinds of platforms, and raised in fame and reputation, thereby becoming China's domestic industry elite with powerful voices, beating the drum for domestic and foreign interest groups and acting as brokers and compradors; over the years they have indeed genuinely influenced industry and even national economic decision-making.
I have long believed that such strange and secretive phenomena and behaviour in the national economic sphere in recent years are by no means merely a matter of greedy experts and derelict officials on the surface; they must be the successful work of strategic espionage, carefully planned and tirelessly pursued by foreign rivals and hostile forces. Today this earth-shaking US bond scandal has only strengthened my judgement.