Agenda
• Threats and attacks
• Defense strategy
• Summary
Every enterprise has security vulnerabilities
“8 out of 10 websites vulnerable to attack”
- WhiteHat “security report”
“97% of websites at immediate risk of being hacked due to vulnerabilities! 69% of vulnerabilities are client-side attacks”
- Web Application Security Consortium
“75 percent of hacks happen at the application.”
- Gartner “Security at the Application Level”
“64 percent of developers are not confident in their ability to write secure applications.”
- Microsoft Developer Research
The threat landscape
“It is no secret that attackers are moving up the stack and targeting the application layer. Why don’t our defenses follow suit?” - Verizon 2011 Data Breach Report
“As in previous years, Verizon has found that most cyberattacks were avoidable if network managers followed best practices for information security. Verizon said that 96% of attacks were ‘not highly difficult,’ and 97% of attacks were avoidable through ‘simple or intermediate controls.’” - Verizon 2012 Data Breach Report
Overview of some layer-7 attacks
Attack (L7) | Active since | Threat / flaw
Slowloris | Jun 2009 | HTTP GET request with partial header
XerXes DoS | Feb 2010 | TCP flood (8 times increase, 48 threads)
LOIC/HOIC | Nov 2010 | TCP/UDP/HTTP GET floods
Slow POST HTTP (RUDY) | Nov 2010 | HTTP web form field, slow 1-byte send
#RefRef DoS | Jul 2011 | Exploits SQLi for recursive SQL operations
Apache Killer | Aug 2011 | Overlapping HTTP ranges
SSL BEAST | Sep 2011 | SSL/TLS 1.0 “plain text” attack
SSL THC DoS | Oct 2011 | Aggressive SSL secure renegotiation within a single TCP connection
Impact (all of the above): the attack can be launched remotely, causes denial of service (DoS) and resource exhaustion, and tools and scripts are publicly available.
Source: IBM X-Force threat report 2011
Managing security effectively?
The biggest problem: ourselves!
[Diagram: the enterprise data center / private cloud, enterprise headquarters and remote office, mobile users, customers, partners and suppliers, and the hacker, all reached through the Internet and the cloud]
• BYOD: multiple devices
• Partner / vendor access
• Application diversity
• The cloud
• Customer access
• Global access
• Remote access
Who is responsible for security?
Before looking for advanced application solutions…
Is it that EASY ??
Security Evasion using Encoding:
Basic SQL Injection via URI parameter:
' or 1=1 or '
Encoded version:
%27%20%6f%72%20%31%3d%31%20%6f%72%20%27
Evasion using Inline Comments:
'/*comment*/ or/*comment*/ 1=1/*comment*/ or/*comment*/ '
Encoded, commented version:
%27%2f%2a%63%6f%6d%6d%65%6e%74%2a%2f%20%6f%72%2f%2a%63%6f%6d%6d%65%6e%74%2a%2f%20%31%3d%31%2f%2a%63%6f%6d%6d%65%6e%74%2a%2f%20%6f%72%2f%2a%63%6f%6d%6d%65%6e%74%2a%2f%20%27
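The evasion shown above is exactly what a canonicalising filter exists to defeat. As an added example (not from these slides or from any vendor product), the Python below runs one tautology signature twice over the slide's own payloads: once against the raw parameter, where only the plain form matches, and once after percent-decoding and comment stripping, where every variant matches. The bounded decode loop and the double-encoded sample are my additions; that sample is constructed.

```python
import re
from urllib.parse import unquote

# Signature for the tautology on the slide, as a naive WAF rule would
# express it: the literal tokens "or 1=1" separated by whitespace.
TAUTOLOGY = re.compile(r"\bor\s+1\s*=\s*1\b", re.IGNORECASE)

# The four payloads from the slide, plus one constructed double-encoded
# variant (%25 is an encoded "%", so it only decodes on the second pass).
SAMPLES = {
    "plain": "' or 1=1 or '",
    "url_encoded": "%27%20%6f%72%20%31%3d%31%20%6f%72%20%27",
    "inline_comments": "'/*comment*/ or/*comment*/ 1=1/*comment*/ or/*comment*/ '",
    "encoded_comments": "%27%2f%2a%63%6f%6d%6d%65%6e%74%2a%2f%20%6f%72%2f%2a%63%6f%6d%6d%65%6e%74%2a%2f%20"
                        "%31%3d%31%2f%2a%63%6f%6d%6d%65%6e%74%2a%2f%20"
                        "%6f%72%2f%2a%63%6f%6d%6d%65%6e%74%2a%2f%20%27",
    "double_encoded": "%2527%2520or%25201%253d1%2520or%2520%2527",  # constructed
}


def naive_match(raw: str) -> bool:
    """Match the signature against the parameter exactly as received."""
    return bool(TAUTOLOGY.search(raw))


def normalize(raw: str, max_rounds: int = 3) -> str:
    """Canonicalise before inspection: percent-decode until stable (bounded,
    so double encoding is unwrapped but a pathological value cannot spin),
    replace /* ... */ inline comments with a space, collapse whitespace."""
    text = raw
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.DOTALL)
    return re.sub(r"\s+", " ", text).strip()


def normalized_match(raw: str) -> bool:
    """Match the same signature, but against the canonical form."""
    return bool(TAUTOLOGY.search(normalize(raw)))


def evaluate(samples=SAMPLES):
    """Return {name: (raw_hit, normalized_hit)} for each sample."""
    return {n: (naive_match(v), normalized_match(v)) for n, v in samples.items()}


if __name__ == "__main__":
    for name, (raw_hit, canon_hit) in evaluate().items():
        print(f"{name:17s} raw-match={raw_hit!s:5s} after-normalize={canon_hit}")
```

Only the plain payload trips the raw check; after normalisation all five reduce to the same string and are caught by the same rule.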
The traditional data center security model is broken
[Diagram: Internet -> front-end firewall (UTM/NGFW, IPS) -> DMZ (load balancer, proxy, web servers, DNS servers, email servers) -> back-end firewall -> load balancer -> application servers and user directory; network DDoS, DNS attacks, massive botnet DDoS and application DDoS hit the front end, with separate web/email access management and application access management points]
• Lack of security due to deploying too many different devices (FW, NGFW/UTM, AV, IDS/IPS) (INEFFECTIVE DEFENSE)
• Lack of visibility (LOSS OF CONTEXT AWARENESS)
• Disjointed information collected from different devices (POOR SCALABILITY)
DEFENSE STRATEGY
User- and context-oriented
• Integrate with web access management
• Protect web authentication
• Protect against brute-force attacks and data harvesting
Strategy for achieving intelligence
[Diagram: Defense In-Breadth (Context) with L2-L4 protocol visibility, and Defense Thru Diversity, facing the attacker]
Context-Aware Network Security: thinking about security architecture
[Diagram comparing protocol visibility: L2-L4 visibility covers IPv4, IPv6, TCP, UDP, HTTP; L2-L7 visibility covers IPv4, IPv6, TCP, UDP, HTTP, SSL, SIP, DNS, SMTP, FTP, Diameter, and RADIUS]
Defense In-Depth (Control)
• Hardened (default deny) platform
• Multi-stack architected OS
• Purpose-built HW for high performance
• Stateful failover redundancy
Application | Protocol
Cust Online Tx Srv | HTTPS
Self Help Portal | HTTP
Exchg Outlook | SMTP
VOIP | SIP
VDI - ICA/PCoIP | TCP/UDP
UNIFIED SECURITY LAYER
Perform at unprecedented speed, scale as needed, and support thousands of users easily and cost-effectively.
Weak link: Disjointed Security
• False sense of security by deploying various FW, AV, IDS/IPS (INEFFECTIVE DEFENCE FRONT)
• Lack of sophistication and visibility (LOSE REAL-TIME CONTEXT)
• Mismatched collection of nonintegrated defences (POOR ECONOMY OF SCALE)
UNIFIED SECURITY ARCHITECTURE
[Diagram: today's setup of different platforms (complexity to manage and maintain, high cost, no answer to "who, where, what?") replaced by a full proxy acting as BROKER (service-fluent orchestration) and ENFORCER (holistic security, policy-driven services), driven by context: user identity, location, application, server state, network condition; covering secure access management, application security and perimeter defence]
CONTEXT-AWARE NETWORK SECURITY
[Diagram: BROKER (full proxy, service-fluent orchestration) provides DEFENSE IN BREADTH (Prepare + Prevent); ENFORCER (holistic security, policy-driven services) provides DEFENSE IN DEPTH (Protect + Project)]
More to add on to Dynamic Security Strategy: security lifecycle, risk factor, content, context, control (Broker), control (Enforcer)
SUMMARY
[Diagram: a management/policy decision path and a data path between USER and APP, using geo location, device type and security posture to make more intelligent traffic decisions...]
Scalable | Elastic | Extensible | Intelligent | Secure
L3-L7 Services Fabric: app-centric firewalling, app-level DoS protection, web app protection, app & user access management; deployed physical, cloud or hybrid
Whenever you find yourself on the side of the majority, it is time to pause and reflect. – Mark Twain
Thank You
Start with the End in Mind & Sharpen Your Saw