
APPLICATION- AND USER-ORIENTED NETWORK SECURITY

Hoang Tran, Solution Consultant, hoang.tran@f5.com

Agenda
- Threats and attacks
- Defense strategy
- Summary

Every enterprise has security vulnerabilities


8 out of 10 websites vulnerable to attack
- WhiteHat security report

97% of websites at immediate risk of being hacked due to vulnerabilities! 69% of vulnerabilities are client-side attacks
- Web Application Security Consortium

75 percent of hacks happen at the application.
- Gartner, Security at the Application Level

64 percent of developers are not confident in their ability to write secure applications.
- Microsoft Developer Research

The state of threats
It is no secret that attackers are moving up the stack and targeting the application layer. Why don't our defenses follow suit?
- Verizon 2011 Data Breach Report

As in previous years, Verizon has found that most cyberattacks were avoidable if network managers followed best practices for information security. Verizon said that 96% of attacks were not highly difficult, and 97% of attacks were avoidable through simple or intermediate controls.
- Verizon 2012 Data Breach Report

Overview of some layer 7 attacks


| Attack (L7)           | Active since | Threat / flaw                                                    |
|-----------------------|--------------|------------------------------------------------------------------|
| Slowloris             | Jun 2009     | HTTP GET request, partial header                                 |
| XerXes DoS            | Feb 2010     | TCP flood (8 times increase, 48 threads)                         |
| LOIC / HOIC           | Nov 2010     | TCP/UDP/HTTP GET floods                                          |
| Slow POST HTTP (RUDY) | Nov 2010     | HTTP web form field, slow 1-byte send                            |
| #RefRef DoS           | Jul 2011     | Exploits SQLi for recursive SQL operations                       |
| Apache Killer         | Aug 2011     | Overlapping HTTP ranges                                          |
| SSL BEAST             | Sep 2011     | SSL/TLS 1.0 plaintext attack                                     |
| SSL THC DoS           | Oct 2011     | Aggressive SSL secure renegotiation within a single TCP connection |

Impact (all of the above): can be launched remotely; denial of service (DoS) through resource exhaustion; tools and scripts publicly available.

Source: IBM X-Force threat report 2011
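Two rows of the table, Slowloris (a header that never completes) and RUDY (a form body trickled in one byte at a time), share the same defensive answer: a front-end proxy should stop waiting for clients whose receive rate stays below a floor once a grace period has passed. The snippet below is an added example written for this page, not F5 code and not from the original deck; the thresholds (GRACE_S, MIN_RATE_BPS, CLIENT_THRESHOLD), the ConnSample fields and the connection table are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Set

# Policy thresholds (assumed values for this example, not from the deck).
GRACE_S = 5.0          # no verdict during a connection's first seconds
MIN_RATE_BPS = 500.0   # minimum acceptable receive rate once past the grace period
CLIENT_THRESHOLD = 2   # slow connections from one client before the client is flagged


@dataclass(frozen=True)
class ConnSample:
    """Snapshot of one open HTTP connection as a front-end proxy would see it."""
    client_ip: str
    header_complete: bool   # True once the blank line ending the request header arrived
    header_bytes: int       # header bytes received so far
    body_bytes: int         # body bytes received so far
    body_expected: int      # declared Content-Length (0 when there is no body)
    elapsed_s: float        # seconds since the connection was accepted


def classify(s: ConnSample) -> str:
    """'slow-header' (Slowloris pattern), 'slow-body' (RUDY pattern) or 'ok'."""
    if s.elapsed_s < GRACE_S:
        return "ok"
    if not s.header_complete:
        # Header still open after the grace period and trickling in below the floor.
        if s.header_bytes / s.elapsed_s < MIN_RATE_BPS:
            return "slow-header"
        return "ok"
    if s.body_bytes < s.body_expected:
        # Header finished, but the declared body is arriving far too slowly.
        if s.body_bytes / s.elapsed_s < MIN_RATE_BPS:
            return "slow-body"
    return "ok"


def slow_clients(samples: Iterable[ConnSample]) -> Set[str]:
    """Clients holding at least CLIENT_THRESHOLD slow connections at the same time."""
    counts = Counter(s.client_ip for s in samples if classify(s) != "ok")
    return {ip for ip, n in counts.items() if n >= CLIENT_THRESHOLD}


# Constructed connection table (documentation-range addresses, not real traffic).
SAMPLES = [
    ConnSample("203.0.113.5", False, 120, 0, 0, 60.0),                # partial header, 2 B/s
    ConnSample("203.0.113.5", False, 95, 0, 0, 58.0),                 # second such connection
    ConnSample("192.0.2.10", True, 400, 0, 0, 0.2),                   # normal GET, just arrived
    ConnSample("198.51.100.7", True, 350, 30, 100_000, 60.0),         # POST body at 0.5 B/s
    ConnSample("192.0.2.11", True, 600, 3_000_000, 5_000_000, 30.0),  # healthy large upload
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.client_ip, classify(s))
    print("flag:", sorted(slow_clients(SAMPLES)))
```

The per-connection verdict alone would also hit a legitimate client on a very poor link, which is why the example only flags a client once several of its connections are slow at the same time; a real policy would also cap open connections per source and per server.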

Managing security effectively?

The biggest problem: ourselves!


[Figure: the enterprise access landscape. Sites: enterprise headquarters, enterprise remote office, enterprise data center, data center / private cloud, internet data center, the cloud. Access paths: mobile users (global access; BYOD: multiple devices), partners and suppliers (partner / vendor access), customers (customer access), remote access; application diversity across the sites; a hacker positioned on the internet.]

Who is responsible for security?

Before looking for advanced application solutions

Is it that EASY?

Security evasion using encoding:

Basic SQL injection via URI parameter:

' or 1=1 or '

URL-encoded version (decodes to the same string):

%27%20%6f%72%20%31%3d%31%20%6f%72%20%27

Evasion using inline comments (the SQL parser treats each /*comment*/ as whitespace):

'/*comment*/ or/*comment*/ 1=1/*comment*/ or/*comment*/ '

URL-encoded, commented version:

%27%2f%2a%63%6f%6d%6d%65%6e%74%2a%2f%20%6f%72%2f%2a%63%6f%6d%6d%65%6e%74%2a%2f%20%31%3d%31%2f%2a%63%6f%6d%6d%65%6e%74%2a%2f%20%6f%72%2f%2a%63%6f%6d%6d%65%6e%74%2a%2f%20%27

A filter that compares the raw parameter against a fixed pattern sees four different strings here; the database sees one.
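The point of the slide is that a signature matched against the raw request is defeated by trivial re-encoding, so a filter has to canonicalize first. The following is an added example written for this page, not F5 code and not from the original deck: it decodes the four forms shown above (plus one double-encoded variant constructed here) to one canonical string and applies a single tautology signature to it. The names normalize, naive_match, normalized_match and audit, and the regular expressions, are assumptions made for this illustration.

```python
import re
from urllib.parse import unquote

# Constructed inputs: the four forms shown on the slide plus one double-encoded
# variant built for this example (not from the original deck).
SAMPLES = {
    "plain": "' or 1=1 or '",
    "encoded": "%27%20%6f%72%20%31%3d%31%20%6f%72%20%27",
    "commented": "'/*comment*/ or/*comment*/ 1=1/*comment*/ or/*comment*/ '",
    "encoded_commented": (
        "%27%2f%2a%63%6f%6d%6d%65%6e%74%2a%2f%20%6f%72%2f%2a%63%6f%6d%6d%65%6e%74%2a%2f"
        "%20%31%3d%31%2f%2a%63%6f%6d%6d%65%6e%74%2a%2f%20%6f%72%2f%2a%63%6f%6d%6d%65%6e%74"
        "%2a%2f%20%27"
    ),
    "double_encoded": "%2527%2520or%25201%253D1%2520or%2520%2527",
}

INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
# Signature for the tautology family on the slide: ' or X=X or '
TAUTOLOGY = re.compile(r"'\s*or\s+(\w+)\s*=\s*\1\s*or\s*'", re.IGNORECASE)


def normalize(value: str, max_rounds: int = 3) -> str:
    """Canonical form of a parameter value for signature matching.

    Percent-decoding is repeated until the value stops changing, bounded by
    max_rounds, so double-encoded input (%2527 -> %27 -> ') is caught without
    risking an unbounded loop. Inline comments are treated as whitespace, then
    whitespace is collapsed and case is folded.
    """
    decoded = value
    for _ in range(max_rounds):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    without_comments = INLINE_COMMENT.sub(" ", decoded)
    return re.sub(r"\s+", " ", without_comments).strip().lower()


def naive_match(value: str) -> bool:
    """Signature applied to the raw value; this is what the encodings defeat."""
    return TAUTOLOGY.search(value) is not None


def normalized_match(value: str) -> bool:
    """The same signature applied after normalization."""
    return TAUTOLOGY.search(normalize(value)) is not None


def audit(samples: dict) -> dict:
    """Per-sample (raw hit, normalized hit) verdicts, showing the gap evasion opens."""
    return {name: (naive_match(v), normalized_match(v)) for name, v in samples.items()}


if __name__ == "__main__":
    for name, (raw_hit, norm_hit) in audit(SAMPLES).items():
        print(f"{name:18} raw={raw_hit!s:5} normalized={norm_hit}")
```

Run as a script it prints that only the plain form hits the raw signature while all five hit after normalization. The decode loop is bounded on purpose: an unbounded "decode until stable" loop is itself a resource-exhaustion target, and a value that is still changing after the last round should be treated as suspicious rather than passed through.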

The traditional data center security model is broken


Weak security because too many different devices are deployed: FW, NGFW/UTM, AV, IDS/IPS
(INEFFECTIVE DEFENSE)

Lack of visibility
(LOSS OF CONTEXT AWARENESS)

Fragmented information collected from many different devices
(POOR SCALABILITY)

[Figure: traditional data center. Internet -> front-end firewall -> DMZ (IPS, UTM/NGFW, load balancer, proxy, DNS servers) -> back-end firewall -> load balancer -> web servers, application servers, email servers, with application access management, web/email access management and the user directory behind them. Threats shown: network DDoS, application DDoS, DNS attacks, massive botnet DDoS.]

DEFENSE STRATEGY

User- and context-oriented

Integrated with web access management

Protection of web authentication

Protection against brute-force attacks and data harvesting

A strategy built on an intelligent foundation

Context-Aware Network Security


Thinking about security architecture

[Figure: defense in breadth (context) set against defense in depth (control). The attacker faces the full protocol surface: IPv4, IPv6, TCP, UDP, HTTP, SSL, SIP, DNS, SMTP, FTP, Diameter, RADIUS. Applications: customer online transaction server, self-help portal, Exchange/Outlook, VoIP, VDI (ICA/PCoIP); their protocols: HTTPS, HTTP, SMTP, SIP, TCP/UDP ("defense through diversity"). Platform: L2-L7 and L2-L4 protocol visibility; hardened (default-deny) platform, multi-stack architected OS, purpose-built hardware for high performance, stateful failover redundancy.]

UNIFIED SECURITY ARCHITECTURE

Weak link: disjointed security
- False sense of security from deploying various FW, AV, IDS/IPS (INEFFECTIVE DEFENCE FRONT)
- Lack of sophistication and visibility (LOSS OF REAL-TIME CONTEXT): who, where, what?
- Mismatched collection of non-integrated defences (POOR ECONOMY OF SCALE): complex to manage and maintain, high cost
- Running different platforms

UNIFIED SECURITY LAYER: perform at unprecedented speed, scale as needed, and support thousands of users easily and cost-effectively.

[Figure: the unified security layer as a full proxy (service fluent, orchestration) acting as BROKER and ENFORCER, delivering holistic, policy-driven security services.]
CONTEXT-AWARE NETWORK SECURITY

[Figure: defense in breadth (prepare + prevent) and defense in depth (protect + project). A full proxy (service fluent, orchestration) acts as BROKER and ENFORCER for holistic, policy-driven security services: secure access management, application security, perimeter defence. Context inputs: user identity, location, application, server state, network condition. Further elements of a dynamic security strategy: context control (broker), security lifecycle, content control, risk factor (enforcer).]
SUMMARY

...to make more intelligent traffic decisions

[Figure: management / policy decision path alongside the data path. USER context: geo location, device type, security posture. APP context: physical, cloud, hybrid. L3-L7 services fabric: app-centric firewalling, app-level DoS protection, web app protection, app and user access management. Attributes: extensible, intelligent, scalable, secure, elastic.]



Whenever you find yourself on the side of the majority, it is time to pause and reflect.
- Mark Twain

Start with the End in Mind & Sharpen Your Saw

Thank You
