A10 Networks Taiwan System Engineer Jack Chien

  • Slides: 44
Data Center Security Threats and Advanced Protection. A10 Networks Taiwan System Engineer Jack Chien, jchien@a10networks.com, August 2016

Network threats hidden in SSL traffic. 67% of Internet traffic will be encrypted by 2016; 50% of attacks will use encryption to bypass controls by 2017; 80% of organizations with firewalls, IPS, or UTM do not decrypt SSL traffic. Sources: Sandvine Internet Phenomena Report; "Security Leaders Must Address Threats From Rising SSL Traffic," 2013

Common vulnerability scanning tools (tool type / tool names)
Network and host vulnerability scanning: • Nessus • OpenVAS • Core Impact • NeXpose • GFI LanGuard • QualysGuard
Website and web application vulnerability scanning: • Burp Suite • Nikto • w3af • Paros proxy • Acunetix • WebInspect
Wireless network vulnerability scanning: • Aircrack • Kismet • NetStumbler • inSSIDer • KisMAC

Vulnerabilities and common attacks (cont.) Layer 2 attacks – attacks that use Layer 2 protocols against a Layer 2 switch or a server. Ex: Address Resolution Protocol (ARP) Spoofing, MAC Flooding.
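The two Layer 2 attacks named on this slide each leave a detectable trace: ARP spoofing changes the MAC advertised for an IP that the network already knows, and MAC flooding makes one switch port source far more distinct MACs than an access port should. The Python below is an added example, not from the presentation or from A10, showing how a monitor could flag both from ARP replies and MAC-learning events; the addresses, port names and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed ARP replies as (sender IP, sender MAC); hypothetical addresses, not captured traffic.
ARP_REPLIES = [
    ("192.0.2.1", "00:11:22:33:44:01"),   # default gateway, first sighting
    ("192.0.2.10", "00:11:22:33:44:10"),  # a workstation
    ("192.0.2.1", "00:11:22:33:44:01"),   # gateway again, binding unchanged
    ("192.0.2.1", "de:ad:be:ef:00:01"),   # gateway IP now advertised with a different MAC
]

# Constructed switch MAC-learning events as (ingress port, source MAC): one port suddenly
# sources 300 distinct MACs, the pattern that exhausts a switch's CAM table.
MAC_LEARNING = [
    ("Gi0/1", "02:00:00:00:%02x:%02x" % (i // 256, i % 256)) for i in range(300)
] + [("Gi0/2", "00:11:22:33:44:10")]


def detect_arp_spoofing(replies, trusted_bindings=None):
    """Flag ARP replies that change an IP-to-MAC binding already learned (or statically trusted)."""
    bindings = dict(trusted_bindings or {})
    alerts = []
    for ip, mac in replies:
        known = bindings.get(ip)
        if known is None:
            bindings[ip] = mac            # first sighting: learn it
        elif known != mac:
            alerts.append({"ip": ip, "expected": known, "seen": mac})
    return alerts


def detect_mac_flooding(events, max_macs_per_port=64):
    """Return ports whose count of distinct source MACs exceeds what an access port should carry."""
    macs_per_port = defaultdict(set)
    for port, mac in events:
        macs_per_port[port].add(mac)
    return {port: len(macs) for port, macs in macs_per_port.items()
            if len(macs) > max_macs_per_port}


if __name__ == "__main__":
    for alert in detect_arp_spoofing(ARP_REPLIES):
        print("ARP binding change:", alert)
    for port, n in detect_mac_flooding(MAC_LEARNING).items():
        print(f"possible MAC flooding on {port}: {n} distinct MACs")
```

Seeding `trusted_bindings` with the gateway's real MAC (static ARP entries or DHCP snooping data) means the very first forged reply is caught instead of being learned; the per-port MAC limit mirrors what switch port-security enforces in hardware.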

Evolution of DDoS attacks: from single-vector to multi-vector. Network-layer attacks: • Fragmentation • SYN floods • Ping floods … Application attacks: • Slowloris • HTTP GET floods • R.U.D.Y. … Amplification attacks: • DNS amplification • NTP amplification • SSDP amplification … Multi-vector attacks: • Simultaneous attacks on all levels • Adaptive strategy

Attackers can then find the weakest point to attack. (Diagram labels: Application, Networking, Bandwidth; Internet Pipe, Routers, Firewall, Server)

Build a secure network foundation to detect and block attacks. (Diagram: Alert – Network Forensics; Alert – DLP; Block – IPS, Firewall, ATP; zones: Sales & Marketing, Finance, Engineering)

But encrypted traffic leaves security devices blind, unable to see attack behaviour. (Diagram: Anomalous Activity, Data Exfiltration – Network Forensics, DLP; Undetected Malware, Successful Attack – IPS, Firewall, ATP; zones: Sales & Marketing, Finance, Engineering)

Infiltration and attacks. Malvertising uses SSL encryption; malware is distributed through social media; malware is delivered through e-mail attachments and instant-messaging apps; DDoS and web application attacks. • Yahoo malvertising attack • Facebook, Twitter, LinkedIn use SSL • Koobface was a multimillion malware campaign that used Facebook • Skype, WhatsApp, Snapchat encrypt IM • Attackers can use SSL to bypass controls or overwhelm servers

DDoS attack type analysis (1). (Diagram: DDoS against Internal LAN, DMZ, DNS, Apps) Source: IDG, 2016

DDoS attack type analysis (2). (Diagram: DDoS against Internal LAN, DMZ, DNS, Apps) Source: IDG, 2016

DDoS attack target analysis. (Diagram: DDoS against Internal LAN, DMZ, DNS, Apps) Source: Akamai Q4 2014

DNS service DDoS attack incident. https://www.teamviewer.com/en/company/press/statement-onservice-outage/ Source: TeamViewer Web Portal (Diagram: DDoS against Internal LAN, DMZ, DNS, Apps)

HTTP service DDoS attack incident.
1. DDoS attack traffic: 300 Mbps / 200K CPS / 2M concurrent sessions.
2. Multi-vector DDoS attacks: a. Network attack (ICMP) b. Amplification attack (UDP) c. Resource attack (TCP) d. Application attack (HTTP Slowloris).
3. Characteristics of the application attack: a. The attacker used a botnet (90% from TW) to open a large number of TCP connections and send HTTP request packets (~1K conns per bot) b. To the firewall these look like normal connection attempts c. Firewall performance degrades and server resources are exhausted.
(Diagram: Internal LAN, DMZ, ADC, Web Apps, Customer Data, Secure from Outside)
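The slide's point is that each bot's connections pass a stateful firewall because individually they are valid TCP sessions; what gives them away is behaviour across connections: hundreds of concurrent sessions from one source, or sessions that never finish sending request headers (Slowloris). The Python below is an added example, not from the presentation or from A10, that models those two signals over a constructed connection table as an ADC or connection-aware front end would see it; the addresses, counts and thresholds are illustrative assumptions.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class Conn:
    """One open TCP connection as seen by an ADC or firewall (constructed, not a real capture)."""
    src_ip: str
    age_s: float            # seconds since the TCP handshake completed
    headers_complete: bool  # has a full HTTP request line plus headers arrived?
    bytes_in: int


def per_source_counts(conns):
    return Counter(c.src_ip for c in conns)


def flag_connection_concentration(conns, max_conns_per_src=200):
    """Sources holding more concurrent connections than a legitimate client plausibly needs."""
    return {ip: n for ip, n in per_source_counts(conns).items() if n > max_conns_per_src}


def flag_slowloris(conns, max_header_wait_s=30.0):
    """Sources with connections still waiting for request headers past the deadline."""
    suspects = Counter()
    for c in conns:
        if not c.headers_complete and c.age_s > max_header_wait_s:
            suspects[c.src_ip] += 1
    return dict(suspects)


def mitigation_plan(conns, max_conns_per_src=200, max_header_wait_s=30.0):
    """Combine both signals into per-source actions a connection-limiting front end could apply."""
    plan = {}
    for ip in flag_slowloris(conns, max_header_wait_s):
        plan[ip] = "close idle connections, enforce header timeout"
    for ip in flag_connection_concentration(conns, max_conns_per_src):
        plan.setdefault(ip, "cap concurrent connections per source")
    return plan


# Constructed connection table: one real browser, one bot holding half-sent headers open,
# one bot issuing a GET flood with well-formed requests.
SAMPLE_CONNS = (
    [Conn("203.0.113.5", 2.0, True, 512) for _ in range(3)]
    + [Conn("198.51.100.7", 120.0, False, 40) for _ in range(500)]
    + [Conn("198.51.100.8", 1.0, True, 300) for _ in range(250)]
)


if __name__ == "__main__":
    for ip, action in mitigation_plan(SAMPLE_CONNS).items():
        print(f"{ip}: {action}")
```

The GET-flood bot is caught only by the concentration check, since every one of its requests is complete and well formed; the Slowloris bot trips both. A real deployment would apply these limits at the point that terminates TCP in front of the servers, where the per-source state is already being kept.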

OWASP Top 10 website security weaknesses
A1 – Injection
A2 – Broken Authentication and Session Management
A3 – Cross Site Scripting (XSS)
A4 – Insecure Direct Object References
A5 – Security Misconfiguration
A6 – Sensitive Data Exposure
A7 – Missing Function Level Access Control
A8 – Cross Site Request Forgery (CSRF)
A9 – Using Components with Known Vulnerabilities
A10 – Unvalidated Redirects and Forwards

DNS Application Firewall (DAF)
Reduces the load from large volumes of abnormal non-DNS packets (~70%). § Allows only legitimate DNS traffic.
Provides higher security for back-end servers. § Isolates malicious traffic for inspection (or rejects it). § Guarantees uptime.
(Diagram: Regular Clients – Perform as Expected; "Zombies" – Malicious and Infected Clients Generating Requests; Invalid Non-DNS Traffic on Port 53; legend: Denied, Surge Protection, Allowed, Standard, Optional, Malicious CPU Usage and Invalid Traffic Redirection)
Advanced features: § DNS Cache § Block not in list domain query § Deny ANY Type DNS Request § Rate Limit § Deny Long Length FQDN § DNS force to TCP
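The feature list above is a sequence of per-query checks: is this even DNS, is the query type ANY, is the name too long, is the domain on the list, has this client exceeded its rate, and should a UDP client be pushed to TCP (a reply with the TC bit set makes a genuine resolver retry over TCP, which a spoofed source cannot do). The Python below is an added example, not from the presentation or from A10's product, implementing that pipeline with a minimal DNS question parser on constructed queries; the thresholds, domain list and the rate-limit window handling are illustrative assumptions.

```python
import struct
from collections import defaultdict

QTYPE_ANY = 255
FLAG_QR, FLAG_TC, FLAG_RD = 0x8000, 0x0200, 0x0100


def parse_query(data):
    """Parse the header and single question of a DNS query; raise ValueError if it is not one."""
    if len(data) < 12:
        raise ValueError("shorter than a DNS header")
    msg_id, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", data[:12])
    if flags & FLAG_QR:
        raise ValueError("QR bit set: a response, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(data):
            raise ValueError("truncated name")
        length = data[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:            # compression pointers do not belong in a query's question name
            raise ValueError("compression pointer in question name")
        if pos + length > len(data):
            raise ValueError("truncated label")
        labels.append(data[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(data):
        raise ValueError("missing QTYPE/QCLASS")
    qtype, qclass = struct.unpack("!HH", data[pos:pos + 4])
    return {"id": msg_id, "name": ".".join(labels).lower(), "qtype": qtype,
            "qclass": qclass, "question_end": pos + 4}


def build_query(name, qtype, msg_id=0x1234):
    """Constructed sample query (QCLASS IN, RD set) used only to feed the policy below."""
    out = struct.pack("!6H", msg_id, FLAG_RD, 1, 0, 0, 0)
    for label in name.split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00" + struct.pack("!HH", qtype, 1)


def truncated_response(data, parsed):
    """Empty reply with TC=1: a real resolver retries over TCP, a spoofed source never does."""
    header = struct.pack("!6H", parsed["id"], FLAG_QR | FLAG_TC | FLAG_RD, 1, 0, 0, 0)
    return header + data[12:parsed["question_end"]]


class DnsPolicy:
    """Per-query decisions modelled on the DAF feature list; thresholds are illustrative."""

    def __init__(self, allowed_suffixes, max_fqdn_len=100, rate_limit=20, tcp_fallback_after=10):
        self.allowed = [s.lower() for s in allowed_suffixes]
        self.max_fqdn_len = max_fqdn_len
        self.rate_limit = rate_limit                  # queries per client per window before denying
        self.tcp_fallback_after = tcp_fallback_after  # UDP queries per window before forcing TCP
        self.seen = defaultdict(int)                  # client -> queries in the current window

    def reset_window(self):
        """The caller runs this from a timer (e.g. every second) to start a new rate-limit window."""
        self.seen.clear()

    def decide(self, client_ip, data, proto="udp"):
        try:
            q = parse_query(data)
        except ValueError as exc:
            return "drop", f"invalid DNS on port 53: {exc}"
        if q["qtype"] == QTYPE_ANY:
            return "deny", "ANY-type query"
        if len(q["name"]) > self.max_fqdn_len:
            return "deny", "FQDN too long"
        if not any(q["name"] == s or q["name"].endswith("." + s) for s in self.allowed):
            return "deny", "domain not in list"
        self.seen[client_ip] += 1
        if self.seen[client_ip] > self.rate_limit:
            return "deny", "rate limit exceeded"
        if proto == "udp" and self.seen[client_ip] > self.tcp_fallback_after:
            return "truncate", "force to TCP"
        return "allow", "ok"
```

The cheap structural checks run first so that the non-DNS junk the slide says makes up most of the hostile volume is dropped before any per-client state is touched; the "truncate" decision is what a front end would answer with `truncated_response`, letting the client prove it can complete a TCP handshake before its query is forwarded.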

High-performance firewall. DDoS Protection; Stateful Firewall, ALG; ADC; Data Center Firewall. (Diagram: Internal LAN, DMZ, Apps; Secure from outside to inside) High security functionality, unmatched performance, outstanding value.

Security Control Gateway Architecture

Network evolution of the traditional enterprise. (Diagram: DMZ Servers/Applications/Business and Internal Servers/Applications/Business, each fronted by its own stack of Anti-Spam, ADC, APT, IPS, Anti-Virus, SSL Decrypt and DOS/DDOS appliances; Tier-2 Firewall, ADC, Firewall, SWG; Internal Users)

Security control gateway. Functions: • Network traffic control – traffic management • SSL – visibility • Firewall load balancing and DDoS – FW, DDoS • Defense integration • ADC integration • Single point of control – simplified management • Highest availability • Improved user experience. (Diagram: DMZ Servers/Applications/Business; Internal Servers/Applications/Business; Security Zone containing IPS, Anti-Virus, APT, SWG, Anti-Spam, SSL Decrypt, DOS/DDOS; Tier-2 Firewall, ADC, Firewall, SWG; Internal Users)