[Bkjia.com exclusive article] After the "Saving website O&M manager Zhao Ming" activity, Pang Xiaozhi gave us a solution with the widest protection coverage.
I. Attack background
Late at night, website O&M manager Zhao Ming was at his desk when he received an anonymous phone call. He opened the company's homepage and found that the website had been hacked: the screen showed several blood-red English words, "The edevil is coming, We will be back". The company was forced to suspend website operations. The customer department complained for the ninth time, and the operations director looked gloomy...
II. Security Technology Status Quo Analysis
1. Zhao Ming's current website structure is as follows:
2. Switching Network Security Status
Currently only a single switch sits between the web application server and the database server, so the two cannot be logically isolated. Access control for the database and file servers can be applied through the switch's ACL function, but that control is weak: a switch ACL performs only simple, stateless packet filtering and cannot make decisions based on connection state, so an attacker can bypass it by forging TCP packets. Once the web server is compromised, the database server that carries the company's important business data becomes the next target.
3. Status Quo of Border Network Security
The network topology shows that the web server is exposed directly to the Internet; there is no dedicated DMZ for the web applications and no firewall on the network boundary, so visitors from the external network can reach the company's internal servers. Without a border firewall, context-based (stateful) access control cannot be enforced on traffic between zones of different trust levels, internal machines cannot be hidden behind NAT, and there is no defence against IP/port scans, route spoofing, or DoS/DDoS attacks such as TCP/UDP floods, ICMP floods, and Ping of Death.
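To make the gap described in sections 2 and 3 concrete, the following is an added example (not code from the original article) that models a stateless switch ACL beside a stateful firewall enforcing Internet/DMZ/database segmentation. The addresses (10.0.1.10 for the web server, 10.0.2.20 for the database server, 10.0.3.30 for an update server, 203.0.113.5 for an Internet client), the ports and the policy are constructed for the demonstration.

```python
"""Stateless switch ACL versus stateful firewall for web/database segmentation.

Added example, not code from the original article. Addresses, ports and the
policy are constructed for illustration.
"""
from dataclasses import dataclass

WEB = "10.0.1.10"       # web application server in the DMZ (constructed)
DB = "10.0.2.20"        # database server on the internal segment (constructed)
UPDATE = "10.0.3.30"    # update server the DB host may contact (constructed)
CLIENT = "203.0.113.5"  # an Internet visitor (documentation address)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def stateless_acl(pkt: Packet) -> bool:
    """Switch-style ACL: every decision is made from header fields alone."""
    # Rule 1: the web server may reach the database listener.
    if pkt.src == WEB and pkt.dst == DB and pkt.dport == 3306:
        return True
    # Rule 2: "permit tcp any host DB established" so that replies to
    # connections the DB host opens itself (updates, logging) can return.
    # The switch can only test the ACK flag; it has no record of whether a
    # matching connection actually exists.
    if pkt.dst == DB and pkt.ack and not pkt.syn:
        return True
    # Rule 3: everything else addressed to the database is dropped.
    return False


class StatefulFirewall:
    """Border/segment firewall keeping a connection table (stateful inspection)."""

    # New connections (bare SYN) are allowed for these (src, dst, dport) tuples;
    # a src of None means "any host".
    POLICY = (
        (None, WEB, 80),     # Internet -> DMZ web server
        (None, WEB, 443),
        (WEB, DB, 3306),     # DMZ web server -> internal database only
        (DB, UPDATE, 443),   # database host -> update server
    )

    def __init__(self):
        self.connections = set()   # tracked (src, sport, dst, dport) flows

    def _policy_allows(self, pkt: Packet) -> bool:
        return any(
            (src is None or src == pkt.src) and dst == pkt.dst and dport == pkt.dport
            for src, dst, dport in self.POLICY
        )

    def allow(self, pkt: Packet) -> bool:
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Mid-stream packets pass only if they belong to a tracked connection.
        if flow in self.connections or reverse in self.connections:
            return True
        # A bare SYN is a connection attempt: consult the policy and record it.
        if pkt.syn and not pkt.ack and self._policy_allows(pkt):
            self.connections.add(flow)
            return True
        # Anything else, including an ACK with no matching connection, is dropped.
        return False


def compare_forged_ack() -> dict:
    """Show how the two devices treat a packet that merely sets the ACK flag."""
    stray_ack = Packet(CLIENT, 40000, DB, 3306, ack=True)
    fw = StatefulFirewall()
    return {"stateless_acl": stateless_acl(stray_ack),
            "stateful_firewall": fw.allow(stray_ack)}


if __name__ == "__main__":
    print(compare_forged_ack())  # {'stateless_acl': True, 'stateful_firewall': False}
```

The point the example makes is the one the text raises: the ACL's "established" rule has to trust the ACK flag, while the firewall trusts only its own connection table, so a packet outside any tracked session is dropped regardless of its flags.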
4. Network Security Status at the application layer
No intrusion detection or intrusion prevention system is deployed in the network, so application-layer attacks such as common SQL injection, script attacks, and cookie spoofing cannot be detected, blocked, or alerted on in real time.
5. security status of the Intranet Client
Intranet clients have no endpoint security controls: server passwords are stored carelessly, internal staff abuse P2P file-sharing tools, virus and Trojan infections are widespread, and confidential information leaves the company by e-mail, ultimately resulting in leakage of sensitive company data.
6. Host Security Status
Host security policies are not configured strictly, or only the default configuration is kept, which often leaves intruders a ready "backdoor": weak passwords on common accounts, remote management over plain-text Telnet, excessive folder permissions, default accounts left enabled, and security vulnerabilities caused by missing system patches.
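The host-level weaknesses listed above are the kind a baseline audit should catch mechanically. The following is an added example (not code from the original article) that checks constructed host state for four of them: weak passwords, default accounts still enabled, a clear-text Telnet listener, and a world-writable directory. The account list, listener set and password lists are constructed sample data; a real audit would test password hashes against a wordlist rather than handle clear-text values.

```python
"""Host baseline audit: weak passwords, enabled default accounts, clear-text
Telnet and over-permissive directories.

Added example, not from the original article. All host state below is
constructed sample data.
"""
import os
import stat
import tempfile

# Short constructed lists; production checks use far larger wordlists.
COMMON_PASSWORDS = {"123456", "password", "admin", "admin123", "root", "qwerty"}
DEFAULT_ACCOUNTS = {"guest", "administrator", "test", "sa"}
MIN_PASSWORD_LENGTH = 8


def audit_accounts(accounts):
    """accounts: iterable of dicts with keys name, password, enabled."""
    findings = []
    for acct in accounts:
        name, pw = acct["name"], acct["password"]
        if (pw.lower() in COMMON_PASSWORDS or len(pw) < MIN_PASSWORD_LENGTH
                or pw.lower() == name.lower()):
            findings.append(f"weak password on account {name}")
        if name.lower() in DEFAULT_ACCOUNTS and acct["enabled"]:
            findings.append(f"default account {name} still enabled")
    return findings


def audit_listeners(listeners):
    """listeners: set of (protocol, port) pairs the host accepts connections on."""
    findings = []
    if ("tcp", 23) in listeners:
        # Telnet carries credentials and the whole session in clear text.
        findings.append("telnet (tcp/23) listening: replace with SSH")
    return findings


def audit_permissions(paths):
    """Flag directories that any local user may write to (excessive permissions)."""
    findings = []
    for path in paths:
        mode = os.stat(path).st_mode
        if stat.S_ISDIR(mode) and mode & stat.S_IWOTH:
            findings.append(f"{os.path.basename(path)} is world-writable")
    return findings


def run_demo():
    """Run the three checks over constructed host state and return all findings."""
    accounts = [
        {"name": "admin", "password": "admin123", "enabled": True},
        {"name": "guest", "password": "", "enabled": True},
        {"name": "zhaoming", "password": "Tq7#vLm2pR", "enabled": True},
    ]
    listeners = {("tcp", 22), ("tcp", 23), ("tcp", 80)}
    with tempfile.TemporaryDirectory() as tmp:
        loose = os.path.join(tmp, "wwwroot")
        tight = os.path.join(tmp, "conf")
        os.mkdir(loose)
        os.mkdir(tight)
        os.chmod(loose, 0o777)   # the misconfiguration the audit should catch
        os.chmod(tight, 0o750)
        perm_findings = audit_permissions([loose, tight])
    return audit_accounts(accounts) + audit_listeners(listeners) + perm_findings


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Each check is deliberately independent so the same functions can be pointed at real data: a parsed account export, the output of a socket listing, and the directories under the web root.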
7. Application Security Status
This security incident shows that the website page was tampered with illegally. It is likely that security weaknesses such as SQL injection, XSS, directory traversal, and CRLF injection had already been discovered by the intruders, while no corresponding protective device was in place to defend against the attacks. In addition, host security policies were misconfigured and clients leaked sensitive information. Once the home page had been tampered with, it could not be restored promptly and effectively. Together these factors led to a network security incident in which hackers broke into the company's website.
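Sections 4 and 7 both turn on the absence of application-layer detection for injection attacks. The following is an added example (not code from the original article) of the simplest form such detection takes: signature matching over the URL-decoded request target in web access logs, covering the four attack classes the article names (SQL injection, XSS, directory traversal, CRLF injection). The log lines are constructed in Apache combined format; the signatures are deliberately small and illustrate the idea rather than a production rule set.

```python
"""Signature-based detection of application-layer attacks in web access logs.

Added example, not from the original article. Log lines are constructed;
the small signature set is illustrative only.
"""
import re
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Patterns are applied to the URL-decoded request target.
SIGNATURES = {
    "sqli": re.compile(r"(?i)\bunion\b.+\bselect\b|'\s*or\s+\d+\s*=\s*\d+|;\s*drop\s+table"),
    "xss": re.compile(r"(?i)<script\b|javascript:|onerror\s*=|onload\s*="),
    "traversal": re.compile(r"(?:\.\./|\.\.\\){2,}"),
    "crlf": re.compile(r"[\r\n]"),
}

# Constructed sample log: one benign line, four attack classes, one benign line.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Oct/2023:22:14:01 +0800] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Oct/2023:22:14:09 +0800] "GET /news.asp?id=1%27%20OR%201%3D1-- HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Oct/2023:22:14:15 +0800] "GET /search.asp?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1822 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Oct/2023:22:14:21 +0800] "GET /download.asp?file=%252e%252e%252f%252e%252e%252fweb.config HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Oct/2023:22:14:30 +0800] "GET /redirect.asp?url=%2Fhome%0D%0ASet-Cookie:%20admin%3D1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Oct/2023:22:14:44 +0800] "GET /products.asp?id=42 HTTP/1.1" 200 3310 "-" "Mozilla/5.0"',
]


def normalize(target: str) -> str:
    """Decode twice so single- and double-encoded payloads look the same to the rules."""
    return unquote(unquote(target))


def scan(lines):
    """Return one hit dict per (line, attack class) match, in log order."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue   # malformed line: skip rather than crash the scan
        target = normalize(m["target"])
        for kind, pattern in SIGNATURES.items():
            if pattern.search(target):
                hits.append({"kind": kind, "ip": m["ip"], "target": target})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['kind']:10} {hit['ip']:15} {hit['target']!r}")
```

The double decode in normalize is the detail worth noting: the traversal line is double-encoded and would slip past rules that decode once, which is exactly the kind of evasion a stateless pattern match on the raw request misses.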