Network Application Security & WAF
Presenter: Steve Xue
Alibaba Cloud Services Portfolio

Monitoring & Security: Cloud Monitor, Anti-DDoS, Cloud Shield, WAF (Web Application Firewall), HSM (Hardware Security Module)
Storage: Block Storage, OSS (Object Storage Service), Archive Storage, NAS (Network Attached Storage), Message Service
Compute: ECS (Elastic Compute Service), Auto Scaling, SLB (Server Load Balancer), Container Service, E-HPC (High Performance Compute), BatchCompute
Network: VPC (Virtual Private Cloud), ExpressConnect, Elastic IP, CDN, HA-IP (High Availability IP)
Database: RDS (Relational Database Service), Oceanbase, Memcache, Table Store, Redis, MongoDB, DMS (Database Management), Analytic DB, DTS (Data Transmission Service), PetaData
Big Data: MaxCompute
DevOps: RAM (Resource Access Management), CLI, API
Applications: Media Transcoding, OpenSearch, Mobile Analytics, Log Service, EDAS (Enterprise Distributed Application Service), Distributed RDS, ROS (Resource Orchestration Service), ONS (Open Notification Service)
Infrastructure: Global IDC regions and available zones
Also listed: KMS (Key Management Service), Performance Testing, EMR
Support Solutions: Technical Support, Professional Services, Training & Certification, Cloud Architects, Pricing Report
Industry solutions: O2O, Storage, Healthcare, Media, Security, Government, Gaming, IoT, Mobile, Web, Finance, Digital Marketing

Security services: Managed Security Service, China Cybersecurity Law Compliance Service, Vulnerability Discovery Service, Key Management Service, Data Encryption Service, Certificate Management Service, WAF, Server Guard, Anti-DDoS
Network Threats

Threat categories: DDoS, Targeted Attacks, Application Hacks
Threats listed: Social Engineering, Reverse Engineering, HTTP Floods, SQL Injection, Bots and Probes, Application Exploits, Reflection & Amplification, Layer 4 and 7 Floods, Slowloris, SSL Abuse

Application Attacks: What to Trust?

OWASP - The Ten Most Critical Web Application Security Risks (OWASP Top 10 - 2013 and OWASP Top 10 - 2017)
Malicious Injection

HTML Injection: the PHP page echoes a query parameter into the response without encoding it.

<?php
// Deliberately vulnerable: untrusted input is written into the page unescaped
$input = $_GET["param"];
echo "<div>" . $input . "</div>";
?>

Expected use: http://www.test.com/test.php?param=option1
Malicious user input: http://www.test.com/test.php?param=<script>alert('xss')</script>

SQL Injection: the form field is concatenated straight into the query text (classic ASP, JScript).

var City;
City = Request.Form("City");
var sql = "select * from OrdersTable where City = '" + City + "'";

Malicious user input: Beijing'; drop table OrdersTable--
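As an added example (not code from the slides), the two cases above reproduced in Python beside their hardened forms. The sample inputs mirror the slide's payloads; the OrdersTable rows and the in-memory SQLite database are constructed for the demo.

```python
# Added example (not code from the slides): the two injection cases above,
# reproduced in Python beside their hardened forms. The sample inputs mirror
# the slide's payloads; the OrdersTable rows are constructed for the demo.
import html
import sqlite3

XSS_INPUT = "<script>alert('xss')</script>"        # constructed, as on the slide
SQLI_INPUT = "Beijing'; drop table OrdersTable--"  # constructed, as on the slide


def render_div_vulnerable(param: str) -> str:
    """Mirrors the PHP echo: the parameter lands in the page verbatim."""
    return "<div>" + param + "</div>"


def render_div_safe(param: str) -> str:
    """Hardened form: HTML-encode untrusted data before placing it in an HTML text node."""
    return "<div>" + html.escape(param, quote=True) + "</div>"


def _fresh_db() -> sqlite3.Connection:
    """In-memory database with a constructed OrdersTable."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE OrdersTable (id INTEGER PRIMARY KEY, City TEXT)")
    conn.executemany("INSERT INTO OrdersTable (City) VALUES (?)",
                     [("Beijing",), ("Shanghai",), ("Hangzhou",)])
    conn.commit()
    return conn


def _table_exists(conn: sqlite3.Connection) -> bool:
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = 'OrdersTable'"
    ).fetchone()
    return row[0] == 1


def query_orders_vulnerable(city: str) -> dict:
    """Mirrors the concatenated ASP query. executescript() runs every statement
    in the string, as a driver that permits stacked queries would, so the
    injected DROP TABLE executes and the trailing quote is hidden by the -- comment."""
    conn = _fresh_db()
    sql = "select * from OrdersTable where City = '" + city + "'"
    conn.executescript(sql)
    return {"sql": sql, "table_exists": _table_exists(conn)}


def query_orders_safe(city: str) -> dict:
    """Hardened form: a parameterised query treats the whole input as one value."""
    conn = _fresh_db()
    rows = conn.execute("select * from OrdersTable where City = ?", (city,)).fetchall()
    return {"rows": len(rows), "table_exists": _table_exists(conn)}


if __name__ == "__main__":
    print(render_div_vulnerable(XSS_INPUT))
    print(render_div_safe(XSS_INPUT))
    print(query_orders_vulnerable(SQLI_INPUT))
    print(query_orders_safe(SQLI_INPUT))
```

Running the block shows the encoded output (`&lt;script&gt;...`) for the XSS case and, for the SQL case, that the table survives only when the input travels as a bound parameter rather than as part of the query text.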
Browser Security
• Same Origin Policy
• Malicious website (Trojan embedded or phishing) blacklist
• Website certification and authentication

Application Layer DoS
• CC Flood
• Slowloris
Application Security

WAF Highlights
A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to HTTP traffic.
• Based on 10 years of R&D experience protecting Alibaba sites
• Helps protect websites and applications against attacks that cause data breaches & downtime
• Protection against OWASP Top 10 threats
• Gartner reports that the main driver of WAF purchases (25-30%) is PCI compliance
Alibaba Cloud Web Application Firewall (WAF) is an application-level security product developed by Alibaba Cloud based on the company's 10 years of experience in defensive and big data security capabilities. Product functions include:
• Accurate Access Block
• Crawler Protection
• Human-machine Identification
• Big Data & Threat Intelligence
• 0-Day Vulnerability Hotfix
• Data Breach Protection
Attack Vectors Addressed by WAF
• SQL injection: Attackers insert malicious SQL code into web requests in an effort to extract data from your database
• Cross-site scripting (XSS): Malicious scripts are injected into otherwise benign and trusted websites
• Scanners and probes: Malicious sources scan and probe Internet-facing web applications for vulnerabilities
• Known attacker origins (IP reputation lists): A number of organizations maintain reputation lists of IP addresses of known attackers
• Bots and scrapers: Some automated clients misrepresent themselves to bypass restrictions
• Application-level exploits
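As an added example (not code from the slides or from the Alibaba Cloud product), a minimal classifier that tags requests according to the vectors above. The reputation list, crawler allowlist, signatures, probe paths and sample requests are all constructed; a production WAF works from far larger rule sets and verifies crawlers through reverse DNS rather than a static allowlist.

```python
# Added example (not code from the slides): a minimal request classifier for
# the attack vectors listed above. The reputation list, crawler allowlist,
# signatures and sample requests are all constructed for the demo.
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import unquote_plus


@dataclass(frozen=True)
class Request:
    src_ip: str
    path: str
    query: str
    user_agent: str


# Known attacker origins (constructed reputation list) and the source ranges
# from which a self-declared search-engine crawler is accepted (constructed).
BAD_IPS = {"198.51.100.7"}
VERIFIED_CRAWLER_NETS = [ipaddress.ip_network("203.0.113.0/24")]
CRAWLER_UA_RE = re.compile(r"googlebot|bingbot", re.I)

# Small signature set, applied after URL-decoding so encoded payloads are seen.
SQLI_RE = re.compile(r"('\s*(or|and)\b|;\s*(drop|alter|delete|insert)\b|union\s+select|--)", re.I)
XSS_RE = re.compile(r"(<\s*script\b|javascript\s*:|\bon[a-z]+\s*=)", re.I)
# Paths legitimate users never request but scanners routinely probe (constructed).
PROBE_PATHS = {"/.env", "/.git/config", "/backup.zip"}


def classify(req: Request) -> list:
    """Return the list of rule tags that match the request (empty = clean)."""
    tags = []
    if req.src_ip in BAD_IPS:
        tags.append("ip-reputation")
    decoded = unquote_plus(req.path + "?" + req.query)
    if SQLI_RE.search(decoded):
        tags.append("sqli")
    if XSS_RE.search(decoded):
        tags.append("xss")
    if req.path in PROBE_PATHS:
        tags.append("probe")
    # Bots misrepresenting themselves: crawler User-Agent from an unverified source
    if CRAWLER_UA_RE.search(req.user_agent):
        ip = ipaddress.ip_address(req.src_ip)
        if not any(ip in net for net in VERIFIED_CRAWLER_NETS):
            tags.append("fake-crawler")
    return tags


def decide(req: Request) -> str:
    return "block" if classify(req) else "allow"


# Constructed sample traffic (documentation address ranges only)
SAMPLE_REQUESTS = [
    Request("192.0.2.10", "/search", "q=laptop", "Mozilla/5.0"),
    Request("192.0.2.11", "/orders", "City=Beijing%27%3B+drop+table+OrdersTable--", "Mozilla/5.0"),
    Request("192.0.2.12", "/test.php", "param=%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E", "Mozilla/5.0"),
    Request("192.0.2.13", "/.env", "", "Mozilla/5.0"),
    Request("198.51.100.7", "/", "", "Mozilla/5.0"),
    Request("192.0.2.14", "/", "", "Mozilla/5.0 (compatible; Googlebot/2.1)"),
    Request("203.0.113.5", "/", "", "Mozilla/5.0 (compatible; Googlebot/2.1)"),
]


def report(requests=SAMPLE_REQUESTS) -> list:
    """One (src_ip, path, decision, tags) tuple per request."""
    return [(r.src_ip, r.path, decide(r), classify(r)) for r in requests]


if __name__ == "__main__":
    for line in report():
        print(line)
```

Only the first and last sample requests are allowed; every other one trips exactly one of the five rule families, which is the behaviour a WAF's per-request log should let an operator confirm.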
WAF Bad Traffic Mitigation
(Diagram: traffic from the Internet, both hackers & bots and legitimate traffic, passes through the WAF before reaching the backend. Mitigation draws on IP reputation, big data intelligence, an enhanced algorithm and expert support.)
Traffic Mitigation Example

Before (DNS A record: booking.com -> 1.1.1.1):
1: Client asks the DNS server "What is booking.com's IP?"
2: DNS server answers "IP is 1.1.1.1"
3: Client accesses 1.1.1.1

After (DNS CNAME record: booking.com -> wafabc.alibabacloud.com; the WAF keeps the record booking.com -> 1.1.1.1 as the origin):
1: Client asks the DNS server "What is booking.com's IP?"
2: DNS server answers with the CNAME wafabc.alibabacloud.com (the WAF node, also labelled wafabc.aliyun.com on the diagram)
3: Client accesses wafabc.alibabacloud.com with the HTTP header "Host: booking.com"
4: WAF forwards the request to 1.1.1.1 based on the Host header

Console Demonstration
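As an added example (not code from the slides), a Python model of the before/after flow: a resolver that follows the CNAME to the WAF, and a WAF that picks the origin from the Host header. The record names and the origin address 1.1.1.1 are from the slide; the WAF node address, its egress range and the origin-side allowlist check are constructed assumptions that the slide does not cover, and nothing here performs a real DNS query.

```python
# Added example (not code from the slides): a model of the before/after flow
# above. The A and CNAME records and the origin address 1.1.1.1 follow the
# slide; the WAF's own address, its egress range and the lookup tables are
# constructed. Nothing here performs a real DNS query.
import ipaddress

WAF_NAME = "wafabc.alibabacloud.com"   # CNAME target named on the slide
WAF_IP = "192.0.2.50"                  # constructed address of the WAF node
ORIGIN_IP = "1.1.1.1"                  # origin address from the slide

# Before: a plain A record. After: a CNAME to the WAF plus the WAF's own A record.
DNS_BEFORE = {"booking.com": ("A", ORIGIN_IP)}
DNS_AFTER = {
    "booking.com": ("CNAME", WAF_NAME),
    WAF_NAME: ("A", WAF_IP),
}

# What the WAF keeps on file per protected domain (the slide's "DNS Record: booking.com 1.1.1.1")
ORIGIN_TABLE = {"booking.com": ORIGIN_IP}

# Source ranges the origin should accept once it sits behind the WAF (constructed)
WAF_EGRESS_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def resolve(zone: dict, name: str, max_hops: int = 8):
    """Steps 1-2: follow CNAME records until an A record; returns (ip, chain)."""
    chain = [name]
    for _ in range(max_hops):
        rtype, target = zone[name]
        if rtype == "A":
            return target, chain
        name = target
        chain.append(name)
    raise ValueError("CNAME chain too long or looping")


def waf_forward(host_header: str):
    """Step 4: the WAF chooses the origin from the HTTP Host header;
    None means the host is not onboarded and the request is dropped."""
    return ORIGIN_TABLE.get(host_header)


def origin_accepts(source_ip: str) -> bool:
    """Origin-side check (assumption, not on the slide): only the WAF's egress
    ranges should be able to reach 1.1.1.1 directly."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in net for net in WAF_EGRESS_NETS)


def client_flow(zone: dict, host: str) -> dict:
    """Steps 1-4 end to end for one client request to `host`."""
    ip, chain = resolve(zone, host)
    via_waf = ip == WAF_IP
    origin = waf_forward(host) if via_waf else ip
    return {"chain": chain, "connects_to": ip, "via_waf": via_waf, "origin": origin}


if __name__ == "__main__":
    print("before:", client_flow(DNS_BEFORE, "booking.com"))
    print("after: ", client_flow(DNS_AFTER, "booking.com"))
```

The origin_accepts check models the follow-up step that the CNAME change alone does not provide: once traffic is meant to arrive through the WAF, the origin should accept connections only from the WAF's ranges, otherwise anything that reaches 1.1.1.1 directly is never inspected.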
Business Sustainability

Industries Suffering With Bad Bots
Industries: Aviation, E-commerce, Real Estate
- Ticket on-hold
- Low attendance rate
- Revenue loss
- Product price crawler
- Product line-up crawler
- Real estate DB crawler
- Competitor business analysis
How Do We Defend Against Bots?
(Diagram: WAF Anti-Bot Protection sits in front of the web server and app server, separating legitimate traffic from bot traffic for browser and mobile app (SDK) clients. Building blocks: IP reputation, bot protection, human-bot identification, expert support.)
The Anti-fraud Architecture
Input: Fintech, E-Commerce, Third-party Payment, Game & Entertainment, Social Network, Other
Threats: Malicious Registration, False Identity, Brute Force, Marketing Cheating, SPAM, Other
Core Technology: Big Data Analysis (mobile phone, email, IP, etc.), Human-machine Identification, Data Modeling and Algorithms
Output: Risk Score, Risk Rank, Risk Report
Anti-bot Case Study
"We need Alibaba Cloud to continue to give us the support and assistance in fixing our issues."
Declan - AirAsia Group CIO

Bot flow: Submit fake user info -> Reserving seats (30 minutes) -> Placed order (without payment)
Some Advice About Security O&M
• Find and Fix
• Defend and Defer
• Secure at the Source
Management (70%), Technology (30%)

Q&A
Training
Cloud Computing: ACT 81001 Technical Essentials, ACT 81002 Technical Operating, ACT 81003 Architecting
Security: ACT 83001 Security
Big Data: ACT 82001 MaxCompute & DataIDE, ACT 82002 E-MapReduce

Certification
Levels: ACA (Associate), ACP (Professional), ACE (Expert) across the Cloud Computing, Security and Big Data tracks; some track/level combinations are marked Coming Soon.
• Expert: Live Streaming Specialist, Fin Tech Specialist, Cloud Security Specialist, Gaming Solution Specialist
• Senior Engineer: Cloud Architect, System Analyst, Data Analyst, Big Data Developer
• Junior Engineer: Cloud Developer, Big Data Engineer, Security Engineer
• Operator / Beginner: Users, Developers interested in Cloud Computing
Introduction to WAF and Network Application Security

 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 

Recently uploaded (20)

Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 

Introduction to WAF and Network Application Security

  • 1. Network Application Security & WAF Presenter: Steve Xue
  • 2.
  • 3. Alibaba Cloud Services Portfolio
      Monitoring & Security: Cloud Monitor, Anti-DDoS, Cloud Shield, WAF (Web Application Firewall), HSM (Hardware Secure Module)
      Storage: Block Storage, OSS (Object Storage Service), Archive Storage, NAS (Network Attached Storage), Message Service
      Compute: ECS (Elastic Compute Service), Auto Scaling, SLB (Server Load Balancer), Container Service, E-HPC (High Performance Compute), BatchCompute
      Infrastructure: Global IDC Regions / Available Zones
      Big Data: MaxCompute
      DevOps: RAM (Resource Access Management), CLI, API
      Applications: Media Transcoding, OpenSearch, Mobile Analytics, Log Service, EDAS (Enterprise Distributed Application Service), Distributed RDS, ROS (Resource Orchestration Service), ONS (Open Notification Service)
      Support: Technical Support, Professional Services, Training & Certification, Cloud Architects, Pricing Report
      Solutions: O2O, Storage, Healthcare, Media, Security, Government, Gaming, IoT, Mobile, Web, Finance, Digital Marketing
      Network: VPC (Virtual Private Cloud), ExpressConnect, Elastic IP, CDN, HA-IP (High Availability IP)
      Database: RDS (Relational Database Service), Oceanbase, Memcache, Table Store, Redis, MongoDB, DMS (Database Management), Analytic DB, DTS (Data Transmission Service), PetaData
      Also listed: KMS (Key Management Service), Performance Testing, EMR
  • 5. Network Threats 3 Social Engineering Reverse Engineering HTTP Floods SQL Injection Bots and Probes Application Exploits Reflection & Amplification Layer 4 and 7 Floods Slowloris SSL Abuse DDoS Targeted Attacks Application Hacks Application Attacks
  • 7. 5 OWASP - The Ten Most Critical Web Application Security Risks OWASP Top 10 - 2013 OWASP Top 10 - 2017 Network Threats
  • 8. 6 Malicious Injection (Network Threats)
      HTML Injection:
        <?php
        $input = $_GET["param"];
        echo "<div>" . $input . "</div>";
        ?>
        Normal request: http://www.test.com/test.php?param="option1"
        User input: http://www.test.com/test.php?param=<script>alert(xss)</script>
      SQL Injection:
        var City;
        City = Request.form("City");
        var sql = "select * from OrdersTable where City = '" + City + "'";
        User input: Beijing'; drop table OrdersTable--
  • 9. 7 Browser Security • Same Origin Policy • Malicious website (Trojan embedded or Phishing) blacklist • Website certification and authentication Network Threats
  • 10. 8 Application Layer DoS • CC Flood • Slowloris Network Threats
  • 11. 9 Application Security WAF Highlights Web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to HTTP traffic. WAF • Based on 10 years of R&D experience protecting Alibaba sites • Helps protect websites and applications against attacks that cause data breaches & downtime • Protection against OWASP Top 10 Threats • Gartner reports that the main driver of WAF purchases (25-30%) is PCI compliance
  • 12. 10 Alibaba Cloud Web Application Firewall (WAF) is an application-level security product developed by Alibaba Cloud based on the company's 10 years of experience in defensive and big data security capabilities. Product functions include: Accurate Access Block, Crawler Protection, Human-machine Identification, Big Data & Threat Intelligence, 0-Day Vulnerability Hotfix, Data Breach Protection. Application Security
  • 13. 11 Attack Vectors Addressed by WAF • SQL injection: Attackers insert malicious SQL code into web requests in an effort to extract data from your database • Cross-site scripting (XSS): Malicious scripts are injected into otherwise benign and trusted websites • Scanners and probes: Malicious sources scan and probe Internet-facing web applications for vulnerabilities • Known attacker origins (IP reputation lists): A number of organizations maintain reputation lists of IP addresses of known attackers • Bots and scrapers: Some automated clients misrepresent themselves to bypass restrictions • Application-level exploits Application Security
  • 14. 12 WAF Bad Traffic Mitigation: Internet (Hackers & Bots, Legitimate Traffic) -> WAF (IP Reputation, Big Data Intelligence, Mitigation, Expert Support, Enhanced Algorithm) -> Backend. Application Security
  • 15. 13 Traffic Mitigation Example (Application Security)
      Before: DNS record booking.com -> 1.1.1.1. 1: Client asks the DNS server "What is the IP?" 2: DNS answers "IP is 1.1.1.1". 3: Client accesses 1.1.1.1 (the server) directly.
      After: DNS CNAME record booking.com -> wafabc.alibabcloud.com, while the WAF keeps the origin record booking.com -> 1.1.1.1. 1: Client asks "What is booking.com's IP?" 2: DNS answers wafabc.alibabcloud.com. 3: Client accesses wafabc.alibabcloud.com with the HTTP header Host: booking.com. 4: The WAF (wafabc.aliyun.com) forwards the request to 1.1.1.1.
  • 17. 15 Business Sustainability: Industries Suffering With Bad Bots
      Aviation: ticket on-hold, low attendance rate, revenue loss
      E-commerce: product price crawler, product line-up crawler
      Real Estate: real estate DB crawler, competitor business analysis
  • 18. 16 How Do We Defend Against Bots? Browser IP Reputation Bot Protection Human-bot Identification Expert Support WAF Anti-Bot Protection Legitimate Traffic Bot Traffic Mobile App SDK Web Server App Server Business Sustainability
  • 19. The Anti-fraud Architecture 17 Anti-Fraud Architecture Fintech E-Commerce Third-party Payment Game & Entertainment Social Network Other Malicious Registration Brute Force Marketing Cheating SPAM Other Big Data Analysis (Mobile phone, Email, IP, etc. ) Human-machine Identification Data Modeling and Algorithms Risk Score Risk Rank Risk Report Input Output False Identity Core Technology Business Sustainability
  • 20. 18 Anti-bot Case Study “We need Alibaba Cloud to continue to give us the support and assistance in fixing our issues.” Declan – AirAsia Group CIO Business Sustainability
  • 21. 19 Anti-bot Case Study Submit Fake User Info Reserving Seats (30 minutes) Placed Order (Without Payment) Business Sustainability
  • 23. 21 Some Advice About Security O&M Find and Fix Defend and Defer Secure at the Source Management (70%) Technology (30%)
  • 25. 23 Training Cloud Computing ACT 81001 Technical Essentials Security Big Data ACT 81002 Technical Operating ACT 83001 Security ACT 82001 Maxcompute & DataIDE ACT 81003 Architecting ACT 82002 E-MapReduce
  • 26. 24 Certification Expert Live Streaming Specialist Fin Tech Specialist Cloud Security Specialist Gaming Solution Specialist Senior Engineer Cloud Architect System Analyst Data Analyst Big Data Developer Junior Engineer Cloud Developer Big Data Engineer Security Engineer Operator Beginner Users Developers interested in Cloud Computing Cloud Computing Security Big Data ACP ACA ACE Expert Professional Associate ✔️ ✔️ Coming Soon ✔️ ✔️ Coming Soon
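The two injection cases on slide 8 (a request parameter echoed into a div, a form field concatenated into a WHERE clause), reworked as an added Python example that is not the presentation's own code: each vulnerable construction sits beside its hardened form, and the slide's own payloads are run through both. Table and column names follow the slide (OrdersTable, City); the rows are constructed sample data.

```python
"""Injection examples from slide 8, reworked as an added Python example (not the
presentation's own code). Both constructions from the slide are shown beside a
hardened form: reflecting a request parameter into HTML, and concatenating a
form field into a SQL WHERE clause. Table and column names follow the slide
(OrdersTable, City); the rows are constructed sample data."""
import html
import sqlite3

# The two payloads are the slide's own "User input" lines.
XSS_PAYLOAD = "<script>alert(xss)</script>"
SQLI_PAYLOAD = "Beijing'; drop table OrdersTable--"


def render_vulnerable(param: str) -> str:
    """Same as the slide's  echo "<div>" . $input . "</div>";  with no encoding,
    so the parameter is handed to the browser as markup."""
    return "<div>" + param + "</div>"


def render_hardened(param: str) -> str:
    """Same template, but the untrusted value is entity-encoded first, so the
    browser renders it as text instead of executing it as a script element."""
    return "<div>" + html.escape(param, quote=True) + "</div>"


def build_query_vulnerable(city: str) -> str:
    """The slide's string-built query: the quote in the input closes the SQL
    literal and the remainder becomes SQL. Built for inspection, never run."""
    return "select * from OrdersTable where City = '" + city + "'"


def make_orders_db() -> sqlite3.Connection:
    """In-memory OrdersTable holding constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table OrdersTable (id integer primary key, City text)")
    conn.executemany("insert into OrdersTable (City) values (?)",
                     [("Beijing",), ("Shanghai",), ("Beijing",)])
    conn.commit()
    return conn


def orders_for_city_hardened(conn: sqlite3.Connection, city: str) -> list:
    """Parameterised query: the driver binds `city` as a value, so quotes and
    semicolons inside it are data, never statement syntax."""
    cur = conn.execute("select id, City from OrdersTable where City = ?", (city,))
    return cur.fetchall()


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    """True if `name` is still in the schema (shows nothing was dropped)."""
    cur = conn.execute(
        "select count(*) from sqlite_master where type = 'table' and name = ?", (name,))
    return cur.fetchone()[0] == 1


if __name__ == "__main__":
    print(render_vulnerable(XSS_PAYLOAD))         # <script> reaches the browser intact
    print(render_hardened(XSS_PAYLOAD))           # &lt;script&gt;... shown as text
    print(build_query_vulnerable(SQLI_PAYLOAD))   # two statements in one string
    db = make_orders_db()
    print(orders_for_city_hardened(db, "Beijing"))      # [(1, 'Beijing'), (3, 'Beijing')]
    print(orders_for_city_hardened(db, SQLI_PAYLOAD))   # [] : treated as a literal city name
    print(table_exists(db, "OrdersTable"))              # True
```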

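Slide 10's application-layer DoS and the Slowloris description in editor's notes 3 and 6 translate into a simple server-side detection, given here as an added example that is not part of the presentation: scan the connection table for sources holding many long-lived connections whose request headers never completed, which is exactly the resource a WAF or reverse proxy in front of the origin is meant to absorb. The Conn records, the 30-second age and 20-connection thresholds and the 256-worker pool are all constructed assumptions.

```python
"""Added example (not from the presentation) for slide 10 and editor's notes 3
and 6: detecting a Slowloris-style application-layer DoS from a web server's
connection table. Slowloris opens many connections, sends a partial request
and trickles extra header lines so the request never completes. The signature
on the server side is therefore many long-lived connections whose request
headers are still incomplete, concentrated on a few sources. The connection
records below are constructed sample data; the thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Conn:
    src_ip: str
    opened_at: float        # seconds on a monotonic clock
    last_byte_at: float     # when the last header byte arrived
    headers_complete: bool  # True once the blank line ending the headers was seen


def slow_header_sources(conns: List[Conn], now: float,
                        min_age: float = 30.0, per_ip_limit: int = 20) -> Dict[str, int]:
    """Return {src_ip: count} for sources holding at least `per_ip_limit`
    connections that have been open for `min_age` seconds or longer without
    completing their request headers. Normal clients finish headers in well
    under a second, so legitimate traffic essentially never trips this."""
    stuck = defaultdict(int)
    for c in conns:
        if not c.headers_complete and now - c.opened_at >= min_age:
            stuck[c.src_ip] += 1
    return {ip: n for ip, n in stuck.items() if n >= per_ip_limit}


def pool_pressure(conns: List[Conn], now: float, max_workers: int,
                  min_age: float = 30.0) -> float:
    """Fraction of the server's connection pool consumed by header-incomplete
    connections older than `min_age`; near 1.0 means new clients are refused."""
    stuck = sum(1 for c in conns
                if not c.headers_complete and now - c.opened_at >= min_age)
    return stuck / max_workers


def build_sample(now: float) -> List[Conn]:
    """Constructed sample: 150 attack connections from one source trickling
    headers for minutes, plus 12 legitimate clients whose headers completed."""
    conns = []
    for i in range(150):
        conns.append(Conn("198.51.100.7", now - 120 - i, now - 5, False))
    for i in range(12):
        conns.append(Conn(f"203.0.113.{i + 1}", now - 0.4, now - 0.3, True))
    # One genuinely slow but harmless client: a single incomplete connection,
    # which stays below the per-source limit and is not flagged.
    conns.append(Conn("192.0.2.9", now - 45, now - 40, False))
    return conns


if __name__ == "__main__":
    t = 10_000.0
    sample = build_sample(t)
    print(slow_header_sources(sample, t))           # {'198.51.100.7': 150}
    print(round(pool_pressure(sample, t, 256), 3))  # 151 stuck of 256 workers -> 0.59
```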
Editor's Notes

  1. Before we talk about Alibaba Cloud Security, I want to talk a little bit about our personal security. After I joined Alibaba as a trainer, my lovely boss Annie told me that we need you to work on the cloud security solution training area. I told her I love this direction, because I am a person who has a serious security problem. Annie was surprised and asked me why. I said, my 2 former employers both promised me to live long enough and now they are all gone; I totally lost my faith in the IT industry! Then Annie said, don't worry, man, Alibaba will last for at least ten decades, trust me! I said how do you know; she said, because Ma Yun said so. So, personal security is all about the trust level you have in the future. The future is unpredictable and keeps changing; all we can do is strengthen our capabilities to deal with the unknown future. That is also the reason we build Alibaba Cloud Security products and solutions. If you are a person running your own business, you need to trust your partners and your loyal customers to boom your business, but at the same time, you should never trust the whole internet environment and should always be careful to prevent any intrusion from unknown hackers or organizations who want to crash your business in one night.
  2. 1> In the previous slide we showed our regions. In each region we have several AZs. Each AZ is a T3+ or T4 data center. 2> We classified our services into several categories, which makes it easier for users to understand. The first three categories are compute, network and storage. Those are the most fundamental parts we provide; almost every customer uses these services. The difference, or we would say the benefit, of using cloud services is flexibility. Firstly, the infrastructure and the services are already deployed in quite a lot of areas, or the areas you want to deploy in can be covered by the cloud regions nearby, so you don't have to spend a lot of time setting up the infrastructure. You can open, release, and scale your cloud infrastructure and services up or down with a simple click, and the operation completes in several minutes. Another benefit for our customers is that they only pay for what they use. Take the ECS service as an example: we have two billing models. One is pay-as-you-go, which is counted by hours. The other is reserved: you can reserve the instance for a month or a year. The unit price of reserved is cheaper than PAYG. 3> We also provide managed database services. We assure 99.95% availability and 99.9999% durability. 4> Log Service works like Splunk. For example, you may have web servers with logs configured to record each connection to your website or apps. Log Service can read and analyze logs in real time. It's easy to tell the health of your system by monitoring the errors, and you can also monitor the PV/UV of your system. The results can be stored in a database as well. 5> EDAS is a distributed computing framework. Compared with the traditional service bus architecture, it adopts a decentralized system architecture: the service provider and invoker are connected directly. It avoids the SPOF risk of the service bus and also improves the efficiency of the system. It embeds an auto-scaling feature and can manage 100K servers.
It also embeds a monitoring system, log analysis system and session management framework. Taobao is using this and it works very well in the 11.11 festival.
  3. SSL's demands on server performance mean that the possible DDoS attacks become more advanced. Slowloris is a type of denial of service attack tool invented by Robert "RSnake" Hansen which allows a single machine to take down another machine's web server with minimal bandwidth and side effects on unrelated services and ports. Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. It accomplishes this by opening connections to the target web server and sending a partial request. Periodically, it will send subsequent HTTP headers, adding to, but never completing, the request. Affected servers will keep these connections open, filling their maximum concurrent connection pool, eventually denying additional connection attempts from clients. Targeted attacks: for example, a Russian hacker group goes after one specific target, using every social and other available channel, gaining insiders' trust or luring people with privileges into clicking on and visiting fake links, to obtain access indirectly; or, using an insider's identity, it launches a further round of lures.
  4. When the server side is not trustworthy, it may want you to click on some page that has a special executable string embedded so that it can gain your client-side information. This accelerated the invention of the protocol, and CAs were also created to provide server-side authentication. When the internet became more and more popular, more and more websites held clients' sensitive information, such as account information. So more hackers are. SSL stands for Secure Sockets Layer and, in short, it's the standard technology for keeping an internet connection secure and safeguarding any sensitive data that is being sent between two systems, preventing criminals from reading and modifying any information transferred, including potential personal details. The two systems can be a server and a client (for example, a shopping website and browser) or server to server (for example, an application with personally identifiable information or with payroll information). It does this by making sure that any data transferred between users and sites, or between two systems, remains impossible to read. It uses encryption algorithms to scramble data in transit, preventing hackers from reading it as it is sent over the connection. This information could be anything sensitive or personal, which can include credit card numbers and other financial information, names and addresses. TLS (Transport Layer Security) is just an updated, more secure version of SSL. We still refer to our security certificates as SSL because it is a more commonly used term, but when you are buying SSL from Symantec you are actually buying the most up-to-date TLS certificates with the option of ECC, RSA or DSA encryption. HTTPS (Hyper Text Transfer Protocol Secure) appears in the URL when a website is secured by an SSL certificate. Target: Sensitive Data, Service Availability. Through: XSS, SQL Injection, CSRF, DDoS, etc.
Heartbleed: https://baike.baidu.com/item/Heartbleed/13580882 On 9 April 2014 the major Heartbleed ("heart bleed") security vulnerability was disclosed. A security-industry professional revealed on Zhihu that he had used this vulnerability to try reading data from a well-known e-commerce site: after 200 reads he obtained more than 40 usernames and 7 passwords, and with those passwords he successfully logged into the site.[2] Heartbleed lets an attacker read data from server memory, including private information such as usernames, passwords and credit card numbers, and has affected a large number of Internet companies.[4] The number of affected servers may run to several hundred thousand. Sites confirmed to be affected include Imgur, OKCupid, Eventbrite and the FBI website, while Google was not affected.[6] On 9 April 2014 GitHub published a list of affected sites, on which many well-known Internet companies appeared, such as Yahoo, Stackoverflow.com, Outbrain.com, OKCupid.com, Steamcommunity.com, Slate.com and Entrepreneur.com; many of them stated that they had already fixed the problem.[10] The OpenSSL "Heartbleed" vulnerability is far more serious than imagined: some users have not considered that many mobile apps also require account logins, and many of those login services are also built on OpenSSL, so users who logged into online banking or shopped online from their phones during this period need to change their passwords once the vulnerability has been patched.
  5. OWASP: The Open Web Application Security Project (OWASP) is an organization that provides impartial, practical and cost-effective information about computer and Internet application security. Its aim is to help individuals, enterprises and institutions discover and use trustworthy software. The OWASP Top 10 - 2017 is based primarily on 40+ data submissions from firms that specialize in application security and an industry survey that was completed by over 500 individuals. This data spans vulnerabilities gathered from hundreds of organizations and over 100,000 real-world applications and APIs. The Top 10 items are selected and prioritized according to this prevalence data, in combination with consensus estimates of exploitability, detectability, and impact. A primary aim of the OWASP Top 10 is to educate developers, designers, architects, managers, and organizations about the consequences of the most common and most important web application security weaknesses. The Top 10 provides basic techniques to protect against these high risk problem areas, and provides guidance on where to go from here.
  6. CC flood story: NSFOCUS's anti-DDoS appliance was called Collapsar, and hackers set out to challenge it, hence "Challenge Collapsar". Slowloris was presented by RSnake in 2009: it sends HTTP requests at an extremely low rate, and the headers of these requests are malformed, so the server keeps holding the resources, believing the HTTP header has not ended yet, until too many resources are tied up concurrently.
  7. Payment card industry (PCI) compliance is adherence to a set of specific security standards that were developed to protect card information during and after a financial transaction. PCI compliance is required by all card brands. There are six main requirements for PCI compliance. A web application firewall (WAF) is an application firewall for HTTP applications. It applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection. Prevent website scraping, crawlers, and bots; mitigate DDoS (HTTP/HTTPS floods). While proxies generally protect clients, WAFs protect servers. A WAF is deployed to protect a specific web application or set of web applications. A WAF can be considered a reverse proxy. WAFs may come in the form of an appliance, server plugin, or filter, and may be customized to an application. The effort to perform this customization can be significant and needs to be maintained as the application is modified.
  8. Alibaba Cloud Web Application Firewall (WAF) is a service based on distributed architecture. It can filter massive malicious accesses in real time to avoid leakage of your website assets, enhance system security and your website's availability. It supports multiple access control modes based on IP, UA, Referer, and URL for users to customize the protection policy.
  9. Cross-site scripting (XSS) attacks refer to a kind of attack that tampers with a webpage using HTML injection to insert malicious scripts, so as to control the user's browser when the user browses the webpage. XSS vulnerabilities may be used for user identity stealing (particularly the administrator identity), behavior hijacking, Trojan insertion and worm spreading, and also phishing.
  10. Big Data & Threat Intelligence: We have analyzed and know the attributes of 4.2 billion IPs worldwide, such as location, owner, whether the address is home/company or IDC/cloud, and whether it is a proxy or crawler. Information on China's 400 million IPs is more accurate thanks to Taobao's address database. Accurate Access Block: The WAF can add more than one million IPs to the blacklist, and it can easily block a client IP that comes from an IDC or cloud. The WAF can also block requests based on URL, cookie, user agent, etc., and a whitelist is available. Crawler Protection: The WAF has a crawler reputation database; it can also identify crawler behavior through behavior analysis and block the IP for some time. Human-bot Identification: The anti-fraud feature in the WAF performs human-bot identification.
  11. The Anti-fraud service is based on Alibaba's big data capability and an industry-leading risk management engine; it addresses the threat of fraud in key business areas such as corporate accounts, activities and transactions, and reduces corporate financial loss.
  12. 1. Change it to a new image for "slide verification"; do not use a customer's real picture.
  13. SOC: security operation center
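The access-control modes listed on slides 12-13 and in editor's notes 8 and 10 (IP blacklist and whitelist, blocking IDC/cloud sources, User-Agent reputation, Referer and URL rules, plus the XSS and SQL-injection signatures from slide 8) are shown below as one minimal rule stage. This is an added example and not Alibaba Cloud WAF code; the policy, the "IDC" range, the signature patterns and the requests are constructed, and the evaluation order (allow list first, then IP reputation, then client and request rules) is an assumption. Note the caveat the allow-list rule carries: an allow-listed source skips the signature checks entirely, so such entries deserve to be few and reviewed.

```python
"""Added example (not Alibaba Cloud's code) for slides 12-13 and editor's notes
8 and 10: a minimal WAF access-control stage that applies IP, User-Agent,
Referer and URL rules to HTTP requests before they reach the backend. The
rules, IP ranges and requests are constructed sample data; the rule order
(allow list, then IP reputation, then client/request rules) is an assumption."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple
from urllib.parse import unquote_plus


@dataclass
class Request:
    src_ip: str
    method: str
    url: str          # path plus query string, as received on the wire
    user_agent: str
    referer: str = ""


@dataclass
class Policy:
    allow_ips: Set[str] = field(default_factory=set)
    deny_ips: Set[str] = field(default_factory=set)          # blacklist; a set scales to millions
    idc_ranges: List[ipaddress.IPv4Network] = field(default_factory=list)
    block_idc: bool = True
    bad_ua: List[re.Pattern] = field(default_factory=list)   # crawler / tool reputation
    required_referer_prefix: Optional[str] = None            # for form-posting paths
    protected_paths: List[str] = field(default_factory=list)


# Illustrative request signatures for the two injection classes on slide 8.
# Real WAF rule sets are far broader; these only show the mechanism.
SIGNATURES = [
    ("xss", re.compile(r"<\s*script\b|javascript:", re.I)),
    ("sqli", re.compile(r"'\s*;\s*(drop|delete|update|insert)\b|\bunion\s+select\b", re.I)),
]


def is_idc_source(ip: str, ranges: List[ipaddress.IPv4Network]) -> bool:
    """True when `ip` falls inside any known data-center / cloud range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def inspect(req: Request, policy: Policy) -> Tuple[str, str]:
    """Return ("allow"|"block", reason). Allow-listed IPs skip every other check,
    which is why allow-list entries must be kept small and reviewed."""
    if req.src_ip in policy.allow_ips:
        return "allow", "ip-allowlist"
    if req.src_ip in policy.deny_ips:
        return "block", "ip-blacklist"
    if policy.block_idc and is_idc_source(req.src_ip, policy.idc_ranges):
        return "block", "idc-or-cloud-source"
    if any(p.search(req.user_agent) for p in policy.bad_ua):
        return "block", "user-agent-reputation"
    path = req.url.split("?", 1)[0]
    if policy.required_referer_prefix and path in policy.protected_paths:
        if not req.referer.startswith(policy.required_referer_prefix):
            return "block", "referer-policy"
    decoded = unquote_plus(req.url)  # match after decoding so %3Cscript%3E is seen as <script>
    for name, pattern in SIGNATURES:
        if pattern.search(decoded):
            return "block", f"signature:{name}"
    return "allow", "clean"


def sample_policy() -> Policy:
    """Constructed policy using documentation address ranges."""
    return Policy(
        allow_ips={"203.0.113.10"},
        deny_ips={"198.51.100.7"},
        idc_ranges=[ipaddress.ip_network("192.0.2.0/24")],  # constructed "IDC" range
        bad_ua=[re.compile(r"python-requests|scrapy|curl", re.I)],
        required_referer_prefix="https://www.test.com/",
        protected_paths=["/order/submit"],
    )


def run_samples() -> List[Tuple[str, str]]:
    """Constructed requests that exercise each rule; returns decisions in order."""
    ua = "Mozilla/5.0"
    reqs = [
        Request("203.0.113.10", "GET", "/test.php?param=<script>alert(xss)</script>", ua),
        Request("198.51.100.7", "GET", "/", ua),
        Request("192.0.2.55", "GET", "/", ua),
        Request("203.0.113.20", "GET", "/catalog", "python-requests/2.31"),
        Request("203.0.113.21", "POST", "/order/submit", ua, referer="https://evil.example/"),
        Request("203.0.113.22", "GET", "/test.php?param=%3Cscript%3Ealert(xss)%3C/script%3E", ua),
        Request("203.0.113.23", "POST", "/order?City=Beijing'%3B+drop+table+OrdersTable--", ua),
        Request("203.0.113.24", "GET", "/test.php?param=option1", ua, referer="https://www.test.com/"),
    ]
    return [inspect(r, sample_policy()) for r in reqs]


if __name__ == "__main__":
    for decision in run_samples():
        print(decision)
```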