Rebuilding the security defense system, starting from where the attacker's footprinting begins

Source: Internet
Author: User
Tags: least privilege


Deploy data leakage protection to limit what attackers can footprint

Footprinting. When thieves decide to rob a bank, they do not walk in and ask for the money (at least the smart ones do not). Instead they take the trouble to collect information about the bank: the route and schedule of the armored truck, the location and coverage of the cameras, the number of tellers, the escape exits, and anything else that helps the job. The same applies to Zhao Ming's adversary. An attacker must collect a great deal of information before a precise, surgical attack can be attempted (the kind that is unlikely to be caught). So the attacker gathers as much as possible about every aspect of the target's security posture and ends up with a unique profile, the target's footprint. Put differently, the attacker can obtain the same kind of structural diagram of Zhao Ming's network that the BKJIA website provided. The footprinting phase typically answers questions such as:

◆ Company Web page?

◆ Related organizations?

◆ Geographical location details?

◆ Phone number, contact list, email address, and detailed personal data?

◆ Major recent events (merger, acquisition, downsizing, rapid growth, etc )?

◆ Privacy/security policies and technical details that reveal which information security mechanisms are in place?

◆ Archived information?

◆ Dissatisfied employees?

◆ Search engines, Usenet, and résumés?

◆ Other information of interest

Take the contact list and e-mail addresses as an example. Most organizations derive usernames and e-mail addresses from a variant of the employee's name (Zhao Ming's username is likely to be "zhaoming", "zhaom" or "zm", and his e-mail address something like zhaoming@company.com). Once a single username or e-mail address from an organization is found, the usernames and addresses of many other users can be inferred quite accurately. A valid username is very useful later, when the attacker tries to obtain access to system resources: it turns guessing the website management account's password into a plain brute-force attack.
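The inference described above, worked out as an added example (this is not code from the original article): a few addresses harvested from public sources are tested against common naming conventions, and the conventions that explain every sample are used to generate candidates for other employees. The names, addresses and domain are constructed for illustration.

```python
"""Username / e-mail inference from footprinting.

Added example (not from the original article): given a few addresses
harvested from public sources, work out which naming convention the
organization uses and generate candidates for other employees. The names,
addresses and domain below are constructed for illustration.
"""
import re
from typing import Callable, Dict, List, Tuple

Name = Tuple[str, str]  # (given name, family name), e.g. ("Ming", "Zhao")

# Conventions commonly seen in practice; each maps (given, family) to a local part.
CONVENTIONS: Dict[str, Callable[[str, str], str]] = {
    "familygiven":  lambda g, f: f + g,            # zhaoming
    "family+g":     lambda g, f: f + g[0],         # zhaom
    "f+g":          lambda g, f: f[0] + g[0],      # zm
    "given.family": lambda g, f: f"{g}.{f}",       # ming.zhao
    "g+family":     lambda g, f: g[0] + f,         # mzhao
    "given_family": lambda g, f: f"{g}_{f}",       # ming_zhao
}

LOCAL_PART_RE = re.compile(r"^([a-z0-9._+-]+)@([a-z0-9.-]+)$")


def _normalize(name: Name) -> Tuple[str, str]:
    g, f = name
    return g.strip().lower(), f.strip().lower()


def infer_conventions(known: List[Tuple[Name, str]]) -> List[str]:
    """Return every convention consistent with ALL observed (name, address) pairs.

    More than one result means the samples are ambiguous and more footprinting
    is needed; an empty list means no known convention explains the samples.
    """
    consistent = []
    for conv, fn in CONVENTIONS.items():
        ok = True
        for name, address in known:
            m = LOCAL_PART_RE.match(address.strip().lower())
            if not m or fn(*_normalize(name)) != m.group(1):
                ok = False
                break
        if ok:
            consistent.append(conv)
    return consistent


def generate_candidates(names: List[Name], domain: str, conventions: List[str]) -> List[str]:
    """Candidate addresses for `names` under each plausible convention, de-duplicated."""
    out: List[str] = []
    for conv in conventions:
        fn = CONVENTIONS[conv]
        for name in names:
            addr = f"{fn(*_normalize(name))}@{domain.lower()}"
            if addr not in out:
                out.append(addr)
    return out


# Constructed sample: two addresses found on the company website and in a mailing-list archive.
OBSERVED = [
    (("Ming", "Zhao"), "zhaoming@company.com"),
    (("Lei", "Li"), "lilei@company.com"),
]
# Constructed names taken from an "about us" page and a press release.
OTHER_STAFF = [("Hua", "Wang"), ("Fang", "Chen")]

if __name__ == "__main__":
    convs = infer_conventions(OBSERVED)
    print("consistent conventions:", convs)
    print("candidates:", generate_candidates(OTHER_STAFF, "company.com", convs))
```

The defensive reading of this is the point of the section: every address published on a website, in a mailing-list archive or in a press release narrows the attacker's candidate list, so publishing role addresses (info@, press@) instead of personal ones, and rate-limiting or locking out logins, are what actually blunt the brute-force attack that follows.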

So how can Zhao Ming stop operations staff and ordinary internal users from disclosing private information and serving it up to attackers as footprinting material? He needs technical or management measures that prevent specified data or information assets from being exported, intentionally or accidentally, in a way that violates security policy. On the management side, Zhao Ming can rely mostly on training to improve users' judgement about what they post on the Internet; on the technical side, data leakage prevention (DLP) products provide the enforcement.

An analysis of Zhao Ming's network and application structure shows that sensitive data is usually stored on the file server and that ordinary users access it from their own terminals. The printers, removable storage devices, cameras, modems and wireless networks around the user are all potential channels of local data leakage, which Zhao Ming can control by deploying a host-based DLP agent on user terminals. Communication between end users and the Internet, especially the most common channels of e-mail, FTP, HTTP and instant messaging, is the usual source of network data leakage; this calls for a network-based DLP solution deployed at the boundary between the internal network and the Internet.
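To make the network-side control concrete, here is an added example of the content inspection a network DLP gateway applies to an outbound message body (this is not the article's or any vendor's code). The detectors are simplified (Luhn-validated card numbers, a classification marker, and a bulk-address heuristic for exported contact lists), and the policy, messages, addresses and domain names are constructed for illustration.

```python
"""Outbound content inspection, as a network DLP gateway applies it to
e-mail, HTTP or FTP bodies. Added example (not the article's or any vendor's
code): the detectors and the policy are simplified, and the messages,
addresses and domain names are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# 13-19 digits, optionally separated by spaces or dashes (card numbers as people type them).
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Classification markers the organization stamps on sensitive documents (constructed).
MARKER_RE = re.compile(r"\b(CONFIDENTIAL|INTERNAL ONLY)\b", re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

POLICY = {
    "internal_domains": {"company.com"},
    "max_cards": 1,          # one valid card number is already a violation
    "max_addresses": 10,     # more than this looks like a contact list being exported
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from order numbers and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def inspect(message: Dict[str, str], policy=POLICY) -> Tuple[str, List[str]]:
    """Return ('allow' | 'alert' | 'block', reasons).

    Sensitive content going to an internal recipient is logged (alert);
    the same content leaving the organization is blocked.
    """
    body = message["body"]
    reasons = []
    cards = find_card_numbers(body)
    if len(cards) >= policy["max_cards"]:
        reasons.append(f"{len(cards)} payment card number(s)")
    marker = MARKER_RE.search(body)
    if marker:
        reasons.append(f"classification marker '{marker.group()}'")
    addresses = set(EMAIL_RE.findall(body))
    if len(addresses) > policy["max_addresses"]:
        reasons.append(f"contact list ({len(addresses)} addresses)")
    if not reasons:
        return "allow", []
    recipient_domain = message["recipient"].rsplit("@", 1)[-1].lower()
    external = recipient_domain not in policy["internal_domains"]
    return ("block" if external else "alert"), reasons


if __name__ == "__main__":
    # Constructed messages
    print(inspect({"recipient": "partner@outside.example",
                   "body": "Card numbers for the batch: 4111 1111 1111 1111 and 5555-5555-5555-4444."}))
    print(inspect({"recipient": "zhaoming@company.com",
                   "body": "Order 1234567890123456 shipped, call 13800138000"}))
```

The Luhn check is what keeps the order number and the phone number in the second message from producing a false positive; without it, a DLP rule on "13 to 19 digits" blocks half the invoices in the company. A real deployment also has to see inside attachments and TLS-protected channels, which is why network DLP is normally paired with the host agent.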


 

Deploy a traditional firewall to prevent database exposure

If footprinting is like locating and spying on the intelligence center, scanning is tapping the walls inch by inch to find every door and window. Through footprinting the attacker has gained a great deal of valuable information: employee names and phone numbers, IP address ranges, DNS servers, web servers, forum account details, and whatever could be gleaned from employees' personal documents and e-mails. Next they use a variety of tools and techniques, such as ping sweeps, port scans and automated discovery tools, to determine which systems in the target network are alive and listening for traffic from the outside, and which of them can be reached directly from the Internet.

From the web host's point of view, the server's built-in utilities can record ping and scan activity in log files. If, while reviewing the logs, you see ICMP echo requests from one system or network arriving in a suspicious pattern, it may mean someone is performing network reconnaissance against your site. Zhao Ming should watch such activity closely: it often indicates that a full-scale attack is imminent. Many commercial network and desktop firewall products (from vendors such as Cisco, Check Point, Microsoft, McAfee, Symantec and ISS) can also monitor ICMP, TCP and UDP ping-sweep activity.

However, the existence of technology that can monitor ping sweeps does not mean anyone is actually watching. The better approach is to put a firewall in front of the web host so that such scans never reach the real host. Packet filtering is the main firewall technology for protecting systems: a device controls the data flows entering and leaving the network, usually filtering packets as it routes them. A series of rules specifies which kinds of packets may flow into or out of the internal network and which must be discarded. The rules match on information in the IP packet: source IP address, destination IP address, encapsulated protocol (TCP/UDP/ICMP/IP tunnel) and port number. The basic principle a packet-filtering firewall should follow is the principle of least privilege: the administrator explicitly allows the packets that are needed, and everything else is denied by default.
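What "explicitly allow what is needed, deny everything else" means for Zhao Ming's two firewalls, as an added example (not from the article): a minimal first-match packet filter with a default-deny policy, with one rule set for the outer firewall in front of the web host and one for the inner firewall in front of the data area. The topology and addresses (documentation and private ranges) are constructed.

```python
"""First-match packet filter with a default-deny policy.

Added example (not from the article): a minimal model of the packet-filtering
rules described above, used to show what "explicitly allow what is needed,
deny everything else" means for the web host and the database area. The
addresses are documentation/private ranges and the topology is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # None for ICMP


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # source network
    dst: str = "0.0.0.0/0"       # destination network
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any port

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src, strict=False)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst, strict=False)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


def filter_packet(rules: List[Rule], p: Packet, default: str = "deny") -> str:
    """First matching rule wins; with no match the default policy applies."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default


# Constructed topology: web server in the DMZ, database in the data area,
# office clients on their own segment.
WEB = "203.0.113.10"
DB = "10.0.2.20"
OFFICE = "10.0.1.0/24"

# Outer firewall, in front of the web host: only the published services are reachable.
DMZ_RULES = [
    Rule("allow", dst=WEB, proto="tcp", dport=80),
    Rule("allow", dst=WEB, proto="tcp", dport=443),
    Rule("allow", src=OFFICE, dst=WEB, proto="tcp", dport=22),  # admin SSH from the office only
]

# Inner firewall, in front of the data area: only the web host may talk to the database.
DB_RULES = [
    Rule("allow", src=WEB, dst=DB, proto="tcp", dport=3306),
]

# The permissive alternative: everything passes unless a rule says otherwise,
# so a new service is exposed on the day it starts listening.
PERMISSIVE_DEFAULT = "allow"


def demo():
    internet = "198.51.100.7"
    return {
        "internet->web:80": filter_packet(DMZ_RULES, Packet(internet, WEB, "tcp", 80)),
        "internet->web:22": filter_packet(DMZ_RULES, Packet(internet, WEB, "tcp", 22)),
        "internet->web icmp": filter_packet(DMZ_RULES, Packet(internet, WEB, "icmp")),
        "office->web:22": filter_packet(DMZ_RULES, Packet("10.0.1.5", WEB, "tcp", 22)),
        "web->db:3306": filter_packet(DB_RULES, Packet(WEB, DB, "tcp", 3306)),
        "office->db:3306": filter_packet(DB_RULES, Packet("10.0.1.5", DB, "tcp", 3306)),
        "internet->db:3306 (permissive)": filter_packet(
            DB_RULES, Packet(internet, DB, "tcp", 3306), PERMISSIVE_DEFAULT),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:32} {verdict}")
```

Note that the ICMP echo probe from the Internet is dropped by the default policy without any ICMP-specific rule, and that the database is unreachable from the office segment even though both are "inside": the same default-deny rule set is what prevents the database exposure this section is about.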

Another common form of scanning is the port scan. The attacker actively connects to the TCP and UDP ports of the target system to determine which services are running or in the LISTENING state. Learning which ports are listening is an important attack step: the attacker not only learns which services the remote system runs, but can also fingerprint the operating system and application types and versions with good accuracy. Listening services are like the doors and windows of your house, the channels through which outsiders enter your private territory. Depending on the type ("window" or "gate"), some of these channels can let unauthorized users into poorly configured systems. The firewall can also be used to block TCP SYN "half-open" scans, FIN scans, and third-party scans (via "proxy" or "bot" hosts).
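Since monitoring only helps if something is actually looking at the logs, here is an added example of the detection logic that does the looking, covering both the ICMP reconnaissance described two paragraphs above and the SYN port scan described here (this is not code from the article or from any firewall product). The log format is constructed and would have to be adapted to the real firewall's output; the log lines are constructed as well.

```python
"""Detecting ping sweeps and port scans in firewall/host logs.

Added example (not from the article or any vendor): a parser for a
constructed, syslog-like drop-log format and a sliding-window detector
that flags one source sending ICMP echo requests to many hosts, or TCP
SYNs to many ports on one host. The log lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed log format; adapt LINE_RE to the real firewall's format.
LINE_RE = re.compile(
    r"(?P<ts>\S+) (?P<action>\w+) proto=(?P<proto>\w+)(?: type=(?P<type>\d+))?"
    r" src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)(?::(?P<dport>\d+))?(?: flags=(?P<flags>\w+))?"
)

SAMPLE_LOG = (
    # a ping sweep: one source, six hosts, within seconds
    [f"2024-05-01T10:00:{i:02d} DROP proto=icmp type=8 src=198.51.100.7 dst=10.0.0.{i + 1}"
     for i in range(6)]
    # a SYN ("half-open") scan: one source, one host, twelve ports
    + [f"2024-05-01T10:01:{i:02d} DROP proto=tcp src=198.51.100.9 dst=203.0.113.10:{port} flags=S"
       for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445])]
    # a slow sweep that stays under the window: one host every 30 seconds
    + [f"2024-05-01T10:{(i * 30) // 60 + 10:02d}:{(i * 30) % 60:02d} DROP proto=icmp type=8 "
       f"src=198.51.100.11 dst=10.0.0.{i + 1}" for i in range(5)]
    # benign: an office host pinging the web server once
    + ["2024-05-01T10:00:03 ACCEPT proto=icmp type=8 src=10.0.1.5 dst=203.0.113.10"]
)


def parse(lines: List[str]) -> List[dict]:
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unknown format: skipped here, but count these in production
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["dport"] = int(e["dport"]) if e["dport"] else None
        events.append(e)
    return events


def detect_scans(events: List[dict], window: timedelta = timedelta(seconds=60),
                 sweep_hosts: int = 5, scan_ports: int = 10) -> Dict[Tuple, int]:
    """Return {finding: count}. Findings are ("ping_sweep", src) or ("port_scan", src, dst).

    For each source, every event opens a window of `window` length; the
    largest number of distinct echo targets (or SYN'd ports per host) seen in
    any window is reported if it reaches the threshold.
    """
    findings: Dict[Tuple, int] = {}
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            win = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            echo_targets = {e["dst"] for e in win if e["proto"] == "icmp" and e["type"] == "8"}
            if len(echo_targets) >= sweep_hosts:
                key = ("ping_sweep", src)
                findings[key] = max(findings.get(key, 0), len(echo_targets))
            syn_ports = defaultdict(set)
            for e in win:
                if e["proto"] == "tcp" and e["flags"] == "S":
                    syn_ports[e["dst"]].add(e["dport"])
            for dst, ports in syn_ports.items():
                if len(ports) >= scan_ports:
                    key = ("port_scan", src, dst)
                    findings[key] = max(findings.get(key, 0), len(ports))
    return findings


if __name__ == "__main__":
    for finding, count in detect_scans(parse(SAMPLE_LOG)).items():
        print(finding, count)
```

The slow sweeper in the sample (one host every 30 seconds) is deliberately not flagged at the default thresholds: a window-based detector trades sensitivity to slow scans for a low false-positive rate, and the thresholds are what tune that trade-off. FIN scans and scans bounced through proxies or bots would need their own rules (FIN-without-session events; many sources hitting the same port pattern), which is why the firewall in front of the host, not the detector, is the primary control.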

To sum up, you may think I simply want to put a firewall in front of the web server. Certainly, but do not stop there: what about protecting the database? This means the intranet is split into two areas: an office area containing the file server and the clients, and a data area. The two databases are placed in the data area behind the firewall, as shown in the figure:

When an external attack gets past the outer protection and into the application service area, further intrusion is restricted by the application-layer and core-layer protection. Because the outer layer has already detected the intrusion and notified the administrator in time, when the attacker tries to move on into the application area the administrator can monitor the attacker's behavior, collect evidence, and cut off the attack path at any moment. This gives the SQL servers the most comprehensive protection.

A back-to-back firewall is a common architecture in large enterprises. Two firewalls separate the internal network, the DMZ and the external network. Servers that provide services to the outside are placed in the isolated DMZ, and the internal firewall keeps the internal servers on separate network segments. This greatly reduces the damage that an attack on an externally exposed server, such as a web server or an SMTP relay, can do to the internal network.


 

Deploy a Web application firewall for deep inspection at the application layer

However, a traditional firewall cannot detect many application-layer attacks. If an attack is hidden inside a valid packet (an ordinary HTTP request), it passes through the firewall and still reaches the application server. Likewise, if the attack is encrypted or encoded, the firewall cannot detect it.

To make up for these weaknesses of traditional firewalls, the Web application firewall (WAF) is gradually being adopted by small and medium-sized enterprises and web hosting environments. It has two key functions: real-time monitoring of the HTTP/HTTPS protocol, so that round-trip HTTP traffic can be analyzed for its behavior, and blocking the attack before it reaches the web server, so that malicious requests and requests carrying embedded illegal programs never reach the target application.

In addition, I suggest that Zhao Ming choose a more advanced WAF, for example one with an anti-defacement module. Using its built-in self-learning function, the module obtains the site's page content by crawling the whole site. After crawling it caches files of the configured types (such as html, css, xml, jpeg, png, gif, pdf, word, flash, excel and zip), generates a unique digital watermark for each, and enters protection mode to provide tamper-proofing. When a requested page is compared with the copy the WAF learned and is found to have been tampered with, the administrator is alerted immediately and in real time, and the normal page from before the tampering is served, so users can still use the website normally. Afterwards the original and tampered files can be downloaded and compared locally to review the tampering record. For Zhao Ming this amounts to a 24-hour sentry post installed into the current website structure.
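The learn-then-compare cycle behind that anti-defacement module, as an added example (this is not the WAF vendor's code): a constructed site is written into a temporary directory, every file of a protected type receives a keyed digest as its "watermark", and a later check reports which files were modified, deleted or added. The key and the file contents are invented; serving the cached copy in place of the tampered page is left to the WAF.

```python
"""Baseline-and-compare page tamper detection, as the anti-defacement
module described above does it. Added example (not the WAF vendor's code):
a constructed site is written into a temporary directory, every file of a
protected type gets a keyed digest as its "watermark", and a later check
reports files that were modified, deleted or added. Key and contents are
invented.
"""
import hashlib
import hmac
import os
import tempfile
from typing import Dict, List

# File types placed under protection, mirroring the page's list (office formats omitted here).
PROTECTED_EXT = {".html", ".htm", ".css", ".xml", ".js", ".jpeg", ".jpg", ".png", ".gif", ".pdf", ".zip"}


def watermark(key: bytes, data: bytes) -> str:
    """HMAC rather than a bare hash: someone who can edit the site's files
    cannot produce a matching baseline entry without the key held by the WAF."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def learn_baseline(root: str, key: bytes) -> Dict[str, str]:
    """The 'crawl': walk the site and record a watermark for every protected file."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in PROTECTED_EXT:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                baseline[rel] = watermark(key, f.read())
    return baseline


def check_site(root: str, key: bytes, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Protection mode: compare the site as it is now with the learned baseline."""
    current = learn_baseline(root, key)
    return {
        "tampered": sorted(p for p in baseline
                           if p in current and not hmac.compare_digest(current[p], baseline[p])),
        "deleted": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def _write(root: str, rel: str, data: bytes) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo() -> Dict[str, List[str]]:
    key = b"constructed-demo-key-kept-on-the-waf"
    with tempfile.TemporaryDirectory() as root:
        # constructed site
        _write(root, "index.html", b"<html><body>Welcome</body></html>")
        _write(root, "static/style.css", b"body { color: black }")
        _write(root, "notes.txt", b"not a protected type")
        baseline = learn_baseline(root, key)
        # simulated defacement
        _write(root, "index.html", b"<html><body>Defaced</body></html>")
        os.remove(os.path.join(root, "static", "style.css"))
        _write(root, "hacked.html", b"<html>defaced</html>")
        _write(root, "notes.txt", b"changed, but outside the protected set")
        return check_site(root, key, baseline)


if __name__ == "__main__":
    print(demo())
```

Two things the example makes visible that the product description does not: the file-type list is a blind spot (the edited notes.txt is never reported, so anything served from an unlisted extension needs its own control), and a legitimate site update looks exactly like a defacement, so the baseline has to be re-learned as part of every deployment or the alerts become noise.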

Tip: the policies configured on a WAF include HTTP protocol compliance, SQL injection blocking, cross-site scripting protection, form and cookie tamper protection, and DoS attack protection, none of which a traditional firewall has ever covered.
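What three of those policies look like as request-level checks, as an added example (this is not code from the article or from any WAF product): a method allow-list and URI length limit for protocol compliance, small SQL injection and XSS signatures applied to decoded parameters (including double-encoded ones, which is the "encoded attack" a packet filter cannot see), and HMAC-signed cookies for tamper protection. The signing key, the signature list and the requests are constructed; real rule sets are far larger and are tuned per application.

```python
"""Request-level checks of the kind a WAF policy applies: protocol
compliance, SQL injection and XSS signatures in parameters, and cookie
tamper protection via an HMAC. Added example (not from the article or any
product): the signatures are deliberately small, the key is invented, and
the requests are constructed.
"""
import hashlib
import hmac
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote_plus

ALLOWED_METHODS = {"GET", "POST", "HEAD"}
MAX_URI_LEN = 2048

# Minimal signatures; real rule sets are far larger and are tuned per application.
SQLI_RE = re.compile(
    r"\bunion\b.+\bselect\b"                        # UNION SELECT
    r"|['\"]\s*(?:or|and)\s+['\"]?\w+['\"]?\s*="    # ' OR '1'=
    r"|\bor\b\s+\d+\s*=\s*\d+"                      # OR 1=1
    r"|;\s*(?:drop|delete|update|insert)\b"         # stacked statement
    r"|--\s|/\*",                                   # comment-out of the remainder
    re.I,
)
XSS_RE = re.compile(r"<\s*script\b|javascript\s*:|\bon(?:load|error|click|mouseover|focus)\s*=", re.I)

COOKIE_KEY = b"constructed-waf-cookie-key"  # held by the WAF, never sent to the client


def sign_cookie(value: str) -> str:
    """value.HMAC, the form in which the WAF hands the cookie to the browser."""
    mac = hmac.new(COOKIE_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def verify_cookie(cookie: str) -> Optional[str]:
    """Return the original value, or None if the signature is missing or wrong."""
    value, sep, mac = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(COOKIE_KEY, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(expected, mac) else None


def _decode(value: str) -> str:
    # parse_qs already decoded once; decode again to catch double-encoded payloads
    return unquote_plus(value)


def inspect_request(req: Dict) -> List[str]:
    """req: {"method", "path", "query", "body", "cookies": {...}}. Returns violations; [] means pass."""
    violations = []
    if req["method"] not in ALLOWED_METHODS:
        violations.append(f"protocol: method {req['method']} not allowed")
    if len(req["path"]) + len(req.get("query", "")) > MAX_URI_LEN:
        violations.append("protocol: URI too long")
    params = parse_qs(req.get("query", ""), keep_blank_values=True)
    for k, v in parse_qs(req.get("body", ""), keep_blank_values=True).items():
        params.setdefault(k, []).extend(v)
    for name, values in params.items():
        for value in values:
            decoded = _decode(value)
            if SQLI_RE.search(decoded):
                violations.append(f"sqli in parameter {name}")
            if XSS_RE.search(decoded):
                violations.append(f"xss in parameter {name}")
    for name, cookie in req.get("cookies", {}).items():
        if verify_cookie(cookie) is None:
            violations.append(f"cookie {name} tampered or unsigned")
    return violations


if __name__ == "__main__":
    # constructed requests
    good = {"method": "GET", "path": "/search", "query": "q=select+a+firewall+for+the+office",
            "cookies": {"session": sign_cookie("user42")}}
    print(inspect_request(good))
    print(inspect_request(dict(good, query="id=1%27+OR+%271%27%3D%271")))
```

The benign query ("select a firewall for the office") passes because the signatures anchor on word boundaries and on the surrounding syntax, not on the keyword alone; a rule that merely matched "select" would block ordinary searches, which is why WAF policies are tuned per site rather than switched on wholesale.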

Add devices to modify the network structure

From the analysis above, three devices need to be added to Zhao Ming's website structure: a Web application firewall, a data leakage prevention product, and a traditional high-speed intranet firewall. They are placed as follows: the WAF in front of the web server, the intranet firewall in the database area behind the switch (a back-to-back firewall that prevents the database from being exposed directly), and the DLP product on the file server and the intranet clients.

We chose products with a high market share as examples:


◆ Mingyu Web application firewall

◆ Websense Content Protection Suite prevents data leakage

 

