BẢO MẬT MẠNG LƯỚI HƯỚNG ỨNG DỤNG VÀ NGƯỜI DÙNG

Hoang Tran – Solution Consultant

hoang.tran@f5.com

Agenda

• Các mối hiểm họa và tấn công

• Chiến lược phòng thủ

• Tổng kết

Mỗi doanh nghiệp đều có những lỗ hổng an ninh

“8 out of 10 websites vulnerable to attack”

- WhiteHat “security report ”

“97% of websites at immediate risk of being hacked due to vulnerabilities! 69% of vulnerabilities are client side-attacks”

- Web Application Security Consortium

“75 percent of hacks happen at the application.”

- Gartner “Security at the Application Level”

“64 percent of developers are not confident in their ability to write secure applications.”

- Microsoft Developer Research

Tình trạng các mối đe dọa

“It is no secret that attackers are moving up the stack

and targeting the application layer. Why don’t our

defenses follow suit?”-Verizon 2011 Data Breach Report

““As in previous years, Verizon has found that most cyberattacks were

avoidable if network managers followed best practices for information security.

Verizon said that 96% of attacks were “not highly difficult,” and 97% of attacks

were avoidable through “simple or intermediate controls.”-Verizon 2012 Data Breach Report

Tổng quan một số tấn công lớp 7Attack

(L7)

Slowloris XerXes DoS LOIC/

HOIC

Slow POST

HTTP

(RUDY)

#RefRef

DoS

Apache Killer SSL BEAST SSL THC

DoS

Active

(Since)

Jun 2009 Feb 2010 Nov 2010 Nov 2010 Jul 2011 Aug 2011 Sep 2011 Oct 2011

Threat

/Flaw

HTTP Get

Request,

Partial

Header

Flood TCP (8

times increase,

48 threads)

TCP/UDP/

HTTP Get

floods

HTTP web

form field,

Slow 1byte

send

Exploit SQLi

for recursive

SQL ops

Overlapping

HTTP ranges

SSL/TLS 1.0

“plain text“

attack

Aggressive

SSL secure

renegotiation

within single

TCP

Impact Attack can be launched remotely, Denial of Services (DOS),

Resource Exhaustion, tools and script publicly available

IBM Xforce threat report 2011

Quản lí bảo mật một cách hiệu quả?

Vấn đề lớn nhất: Chính chúng ta!

ENTERPRISE

DATA CENTER

DATA CENTER/ PRIVATE

CLOUD

CUSTOMER

HACKER

PARTNERS, SUPPLIERS

INTERNET

DATA CENTER

CLOUD

ENTERPRISE

HEADQUARTERS

ENTERPRISE REMOTE

OFFICE

MOBILE

USER

BYOD: Multiple devices

Partner | Vendor access

Application diversity

The cloud

Customer access

Global access

Remote access

Ai là người chịu trách nhiệm cho việc bảo mật?

Trước khi tìm kiếm các giảipháp ứng dụng nâng cao…

Is it that EASY ??

Security Evasion using Encoding:

Basic SQL Injection via URI parameter:

' or 1=1 or '

Encoded version:

%27%20%6f%72%20%31%3d%31%20%6f%72%20%27

Evasion using Inline Comments:

'/*comment*/ or/*comment*/ 1=1/*comment*/ or/*comment*/ '

Encoded, commented version:

%27%2f%2a%63%6f%6d%6d%65%6e%74%2a%2f%20%6f%72%2f%2a%63%6f%6d%6d%65%6e%74%2a%2f%20%31%3d%31%2f%2a%63%6f%6d%6d%65%6e%74%2a%2f%20%6f%72%2f%2a%63%6f%6d%6d%65%6e%74%2a%2f%20%27

UTM

/NGFW

Mô hình bảo mật trung tâm dữ liệu truyền thống bị phá vỡ

Internet

Network DDoS

Web/Email Access

Management

Firewall

(“Front-end”)Firewall

(“Back-end”)

DNS Attacks

Application DDoS

Appl Access

Management

Load Balancer

Appl Servers

User Directory

Thiểu tính bảo mật do triển k hai quá nhiềuthiết bị khác nhau FW, NGFW/UTM, AV,

IDS/IPS

(PHÒNG THỦ KHÔNG HIỆU QUẢ))

IPS

Massive Botnet

DDoS

Thiếu tầm nhìn

(MẤT KHẢ NĂNG HIỂU NGỮ CẢNH)

Thu thập các thông tin rời rạc từcác thiết bị khác nhau

(KHẢ NANG* MỞ RỘNG KÉM)

Load Balancer

Web ServersDNS Servers

DMZ

Email Servers

Proxy

CHIẾN LƯỢC PHÒNG THỦ

Hướng người dùng và ngữ cảnh

• Tích hợp với quản lí truy cập Web

• Bảo vệ chứng thực web

• Bảo vệ khỏi tấn công Brute Force và khai thác dữ liệu

Chiến lược để đạt được sự thông minh

Defense

In-Breadth

(Context)

L2-L4

Protocol

Visibility

Defense

Thru Diversity

Attacker

Bảo Mật Mạng Lưới Hướng Ngữ CảnhSuy nghĩ về kiến trúc bảo mật

IPv4, IPv6, TCP,

UDP, HTTP

L2-L7

Protocol

Visibility

IPv4, IPv6, TCP,

UDP, HTTP, SSL,

SIP, DNS, SMTP,

FTP, Diameter, and

RADIUS

Defense

In-Depth (Control)

• Hardened (Default

Deny) Platform,

• Multi-stack Architected

OS

• Purpose built HW for

High Performance

• Stateful failover

redundancy

Application Protocol

Cust Online Tx Srv HTTPS

Application Protocol

Cust Online Tx Srv HTTPS

Self Help Portal HTTP

Application Protocol

Cust Online Tx Srv HTTPS

Self Help Portal HTTP

Exchg Outlook SMTP

Application Protocol

Cust Online Tx Srv HTTPS

Self Help Portal HTTP

Exchg Outlook SMTP

VOIP SIP

Application Protocol

Cust Online Tx Srv HTTPS

Self Help Portal HTTP

Exchg Outlook SMTP

VOIP SIP

VDI - ICA/PCoIP TCP/UDP

UNIFIED SECURITY LAYERPerform at unprecedented speed, scale as needed, and

support thousands of users easily and cost-effectively.

Weak link: Disjointed Security

False sense of security by deploying various FW,AV,

IDS/IPS

(INEFFECTIVE DEFENCE FRONT)

Lack sophistication & visibility

(LOSE REAL TIME CONTEXT) Mismatched collection of

nonintegrated defences

(POOR ECONOMIC OF SCALE)

KIẾN TRÚC BẢO MẬT HỢP NHẤT

complexity to manage,

maintain and high cost

who, where, what?

Running

different

platforms

Holistic Security

Policy-driven Services

ENFORCERBROKER

Full Proxy

Service fluent

Orchestration

User Identity

Location

Application

Server State

Network Condition

Secure Access Mgmt

Application Security

Perimeter Defence

BẢO MẬT MẠNG LƯỚI HƯỚNG NGỮ CẢNH

BROKER

Full Proxy

Service fluent Orchestration

Holistic Security

Policy-driven Services

ENFORCER

(DEFENSE IN BREADTH)

(Prepare + Prevent)

(DEFENSE IN DEPTH)

(Protect + Project)

More to add on to Dynamic Security Strategy

Security

Lifecycle

Risk

Factor

Content

Context

Control

(Broker)

Control(Enforcer)

TỔNG KẾT

Management/

Policy Decision

Path

Data Path

USER APPGeo

Location

Device

TypeSecurity

Posture

to make more Intelligent Traffic Decisions...

24

ScalableElasticExtensibleIntelligentSecure

L3-L7

Services Fabric

L3-L7

Services Fabric

L3-L7

Services Fabric

App-Centric FireWalling

App Level DoS Protection

Web App Protection

App & User Access Mgt

Physical Cloud Hybrid

Whenever you find yourself on the side of the majority, it is time to pause and reflect. – Mark Twain

Thank You Start with the End in Mind & Sharpen Your Saw