Deep Securityのホットデータを活用する ~AWS WAFの場合~

Transcript

1. The Three Points Protect your Web from cyber attack in

   Paris of terrorist attacks

2. Deep Securityͷϗοτσʔλ Λ׆༻͢Δ AWS WAFͷ৔߹

3. Who ami I ? • ٢ాͻΖ͔ͣ ( hirokazu yoshida )


   Security Engineer at cloudpack http://qiita.com/fnifni

4. and more ? • ࠷ۙɺ͝ԑ͕͋ͬͯɺ
 ӡ༻Ͱഓͬͨϊ΢ϋ΢ʢͭΒΈʣΛجʹ
 ηΩϡϦςΟͷϕʔεϥΠϯ޲্ͷීٴ׆ಈ΍
 R&D΍Β΋΍ͬͯ·͢ɻ

5. and more ? • ͋Μͳ͜ͱ΍

6. and more ? • ͦΜͳ͜ͱɻ

7. Attention ! • ຊ೔͓࿩͢Δ಺༰͸ɺॾൠͷࣄ৘ʹΑΓ
 2016/3/12(ۚ)·ͰSNSެ։ɺͭͿ΍͖Λ
 ͝ԕྀ͍ͩ͘͞ɻ • ຊ೔͓࿩͢Δ಺༰͸PoC (֓೦࣮ূ) ͷ݁ՌΛ

   ؚΈ·͢ɻαʔϏεϨϕϧͰ࣮૷͢Δʹ͸ɺ τϨϯυϚΠΫϩ༷ʹΑΔػೳվमΛཁ͠·͢ɻ

8. Points • Dynamically • Linkage • Operation (Tuning)

9. Points • Dynamically • Linkage • Operation (Tuning)

10. 2015.11.13

11. https://ja.wikipedia.org/wiki/%E3%83%91%E3%83%AA%E5%90%8C%E6%99%82%E5%A4%9A %E7%99%BA%E3%83%86%E3%83%AD%E4%BA%8B%E4%BB%B6

12. ೔ຊͱύϦͷ࣌ࠩ JST -8

13. CASE #1

14. 2015/11/12 23:26:29(JST)

15. None

16. ͜ͷ࣌͸ “ύϦ͔Βͷ߈ܸͳΜͩ” ”௝͍͠ͳ” ͘Β͍ʹࢥ͍ͬͯ·ͨ͠

17. 55,247

18. Painful • ະ஌ͷ߈ܸͷΛؚΉՄೳੑΛߟྀͯ͠ɺ
 ਵ࣌NACLʹొ࿥ʢӡ༻ෛՙߴ͍ʣ • IPίϩίϩସΘͬͯΠλνͬ͜͝ʢ40ۙ͘ʣ • ”195.154.0.0/16”ͱొ࿥͔͕ͨͬͨ͠ɺ
 ਺͕ඍົͩͬͨʢ࠷ऴతʹ͸ొ࿥ͨ͠ʣ

19. reActive͡ΌπϥΠ

20. Points • Dynamically • Linkage • Operation (Tuning)

21. CASE #2

22. ผͷ؀ڥʹͯ NACLͰͷःஅޙ΋ݕ஌ܧଓ

23. None
24. None

25. Painful • ௚લͷૹ৴ݩIPΞυϨε͕CloudFrontͳͷͰɺ
 x-fowerded-forʹه࿥͞ΕͨIPΛNACLʹొ࿥͠ ͯ΋ःஅ͕Ͱ͖ͳ͍ɻ • ౰࣌͸AWS WAF͕ग़ͨ͹͔ΓͰɺ
 ςετແ͠Ͱͷຊ൪౤ೖ͸ϋʔυϧ͕ߴ͔ͬͨɻ

26. IP੍ޚΛ଎΍͔ʹ
 CloudFront·Ͱ͍࣋ͬͯ͘ ඞཁ͕͋ͬͨ

27. ͦΜͳ͜ͱ΋͋ͬͨޙͷ 2015.11.27

28. https://github.com/deep-security/aws-waf

29. ੩త৘ใ (IP List)Λ AWS WAF΁ొ࿥͢Δ΋ͷ ͚ͩͲɺ࢖͑ΔΜ͡ΌͶʁ

30. ΑΖ͍͠ ͳΒ͹࣮૷ͩ

31. PoC (֓೦࣮ূ)

32. None

33. How to 1 (SIEM) IUUQpMFTUSFOENJDSPDPNKQVDNPEVMFUNET TQ%FFQ@4FDVSJUZ@@41@"ENJO@(VJEF@+1QEG

34. How to 2 ( totalization )

35. How to 3 ( push to DSM )

36. How to 4 ( DSM to AWS WAF ) http://qiita.com/fnifni/items/8ae2b49d5fe6af3d08fe

37. DEMO

38. Future Request • Deep Security • Output XFF in SIEM

    (syslog) • ip_list_to_set.py • Comment character (#) ← 3.4 fixed !! • Line of only a line feed code ← 3.10 fixed !!

39. Points • Dynamically • Linkage • Operation (Tuning)

40. νϡʔχϯάͷϙΠϯτ • ਪ঑ઃఆͷݕࡧ • ରԠࡁΈͷ੬ऑੑͷϧʔϧ͸֎͢ʢݕ஌ϕʔεʣ • ݕ஌܏޲Λ஌ΔʢͲΜͳ௨৴Λݕ஌͢Δ͔ʣ • αʔϏεͰ࢖༻͍ͯ͠Δ௨৴͔൱͔ •

    URI, POST, XML, SQL, CSS, HTML, SSL…

41. γεςϜ͸ੜ͖෺ ߈ܸ΋ੜ͖෺ νϡʔχϯά͸ӡ༻ͷҰ෦

42. ηΩϡϦςΟ੡඼͸ ӡ༻໋͕ʂ

43. Thank you !