Securing security-appliance visibility to protect applications in an SSL...
COPYRIGHT © 2016, FIREEYE, INC. ALL RIGHTS RESERVED.
Securing security-appliance visibility to protect applications in an SSL environment
이진원 (Jinwon Lee), Deputy General Manager / FSE
F5 Networks Korea
The growth of SSL encryption

[Chart: growth of SSL traffic from 1998 to 2014, with the drivers e-commerce / personal data, mobility and the Snowden revelations marked on the timeline]

Market changes
• New standards (TLS 1.3, RFC 7258)
• RSA / ECC
• Settings differ from browser to browser, and each setting adds complexity (speed or security)
• HTTP/2.0 (TLS 1.2)
• Perfect Forward Secrecy is gaining importance
• Demand for new cipher suites and growing compliance requirements around them

SSL has been growing by more than 30% every year, with a steep rise since 2014.
SSL Everywhere - The challenge
• Speed and performance problems on the user side (BYOD, growing key sizes)
• Support for new features in browsers and servers (HSTS, HTTP/2)
• Legacy applications (SSLv3, Windows XP)
• Growing complexity of encryption work (development, configuration, etc.)
• Security staff skilled in SSL
• Scalability of key and certificate management (X.509, IoT/E)
• Security holes in encrypted traffic (network security appliances, C&C communication, malware)
The SSL landscape is changing fast.
Sites supporting SSL v3 as of October 2014: 98%
Sites supporting SSL v3 today: ~35%
Sites supporting PFS: >33%
What is SSL? Encapsulation

[Diagram: each layer wraps the one above it on the way from the browser to the wire]
Browser: HTTP headers + HTTP payload
SSL: the HTTP headers and payload carried inside an SSL record
TCP: the SSL record carried inside a TCP segment
Wire (IP): the TCP segment carried inside an IP packet
A look at SSL traffic: full handshake

Client → Server: ClientHello
Server → Client: ServerHello, Certificate, ServerKeyExchange, ServerHelloDone
Client → Server: ClientKeyExchange, ChangeCipherSpec, Finished
Server → Client: ChangeCipherSpec, Finished

Sources: Ivan Ristic, Bulletproof SSL and TLS; http://en.wikipedia.org/wiki/Transport_Layer_Security
SSL full handshake vs. session reuse

[Diagram: the message flow of a full handshake beside that of a resumed session]
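The handshake slides above show which messages cross the wire before encryption starts. The following is an added example, not code from the slide deck or from F5 or FireEye: it builds a constructed TLS 1.2 ClientHello record and then parses it the way a visibility device would, pulling out the fields that are still readable without decryption (protocol version, the session ID that signals a session-reuse attempt, the offered cipher suites and the SNI host name). The host name example.test and the three cipher suite IDs are sample values chosen for the demo; the record layout follows the TLS 1.2 specification.

```python
import struct

# IANA cipher suite IDs used in the constructed samples (values from the TLS registry)
CIPHER_NAMES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",  # ECDHE: forward secrecy
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",        # RSA key exchange: no PFS
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",               # RC4: weak
}
SNI_EXT = 0x0000  # server_name extension type


def build_client_hello(server_name, cipher_suites, session_id=b""):
    """Build a TLS 1.2 ClientHello record. Constructed sample input, not a real capture."""
    client_random = bytes(32)  # all-zero random keeps the demo deterministic; never do this for real
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    extensions = struct.pack("!HH", SNI_EXT, len(sni_list)) + sni_list
    body = (
        b"\x03\x03" + client_random
        + bytes([len(session_id)]) + session_id
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                                 # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = client_hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake  # 0x16 = handshake


def _parse_sni(ext_data):
    """Return the host_name from a server_name extension body, or None."""
    pos = 2  # skip the 2-byte server_name_list length
    while pos + 3 <= len(ext_data):
        name_type = ext_data[pos]
        name_len = struct.unpack("!H", ext_data[pos + 1:pos + 3])[0]
        pos += 3
        if name_type == 0:
            return ext_data[pos:pos + name_len].decode("ascii")
        pos += name_len
    return None


def parse_client_hello(record):
    """Extract the ClientHello fields that stay in the clear on the wire."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 32                                        # version, then the client random
    sid_len = body[pos]
    pos += 1 + sid_len                                   # session_id (non-empty = reuse attempt)
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                 # compression methods
    server_name = None
    if pos + 2 <= len(body):                             # extensions are optional
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if ext_type == SNI_EXT:
                server_name = _parse_sni(body[pos:pos + ext_len])
            pos += ext_len
    names = [CIPHER_NAMES.get(cs, "0x%04X" % cs) for cs in suites]
    return {
        "version": version,
        "server_name": server_name,
        "resumption_attempt": sid_len > 0,
        "cipher_suites": names,
        "offers_forward_secrecy": any("_ECDHE_" in n or "_DHE_" in n for n in names),
        "offers_rc4": any("RC4" in n for n in names),
    }


if __name__ == "__main__":
    full = build_client_hello("example.test", [0xC02F, 0x009C])
    resumed = build_client_hello("example.test", [0x0005], session_id=bytes(range(16)))
    for rec in (full, resumed):
        print(parse_client_hello(rec))
```

Everything the parser returns is available to a passive tap before any key exchange completes, which is why SNI and cipher-suite policy (for example, flagging clients that still offer RC4 or no forward-secret suite) can be enforced without decrypting anything; the payload behind the handshake is what needs the proxy described later in the deck.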
Using HTTPS / SSL = secure
Logjam
SSL security summary (source: SSL Labs): SSL Labs grade distribution, protocol support, BEAST attack, RC4, forward secrecy
What does your SSL status look like?
https://www.ssllabs.com/
www.f5.com
What does your SSL status look like?
Perfect Forward Secrecy
Websites supporting PFS: >33%
Key Exchange - ECC vs RSA
https://www.youtube.com/watch?v=M7SPv-EPGZU&feature=youtu.be&linkId=14085657
Perfect Forward Secrecy: Korean sites
Perfect Forward Secrecy
Qualys SSL Labs Rating Guide: https://www.ssllabs.com/projects/rating-guide/index.html
Perfect Forward Secrecy & HSTS
HTTP Strict Transport Security - HSTS

Strict-Transport-Security: max-age=10886400; includeSubDomains
(max-age is given in seconds; includeSubDomains is optional but recommended)

Response without security headers:
Status: HTTP/1.1 200 OK
Date: Wed, 27 May 2015
Server: IIS8.0
X-Powered-By: ASP.NET
Content-Type: text/html
Transfer-Encoding: none
Connection: close
Content-Encoding: none

Response with HSTS and related security headers:
Status: HTTP/1.1 200 OK
Date: Wed, 27 May 2015
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Strict-Transport-Security: max-age=10886400
Content-Security-Policy: allow 'self'
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Encoding: gzip
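The two response header blocks on the HSTS slide differ only in the headers the second one adds. As an added example (not part of the slide deck, F5 or FireEye), the script below parses a raw response, checks the Strict-Transport-Security value according to RFC 6797 (directive names are case-insensitive, max-age is mandatory, includeSubDomains is a separate token) and reports what is missing. The two header blocks are constructed samples modelled on the slide's "before" and "after" responses; the 18-week max-age threshold (10886400 seconds) is taken from the slide's own value, and the Content-Security-Policy value uses the current default-src syntax instead of the slide's legacy allow form.

```python
# Header names (lower-cased) whose absence is reported, with the reason
REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS missing: the browser will still follow http:// links to this host",
    "content-security-policy": "Content-Security-Policy missing",
    "x-frame-options": "X-Frame-Options missing: no clickjacking protection",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing allowed",
}
MIN_MAX_AGE = 10886400  # 18 weeks in seconds, the value used on the slide

# Constructed response header blocks modelled on the slide's "before" and "after"
# responses; no server was queried to produce them.
RESPONSE_BEFORE = """\
HTTP/1.1 200 OK
Date: Wed, 27 May 2015
Server: IIS8.0
X-Powered-By: ASP.NET
Content-Type: text/html
Connection: close
"""

RESPONSE_AFTER = """\
HTTP/1.1 200 OK
Date: Wed, 27 May 2015
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Strict-Transport-Security: max-age=10886400; includeSubDomains
Content-Security-Policy: default-src 'self'
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Encoding: gzip
"""


def parse_response_headers(raw):
    """Split a raw response into its status line and a dict keyed by lower-cased header name."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797: directive names are case-insensitive)."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')  # max-age may be a quoted string
        if name == "max-age" and val.isdigit():
            result["max_age"] = int(val)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def audit_response(raw):
    """Return the list of findings for one response; an empty list means every check passed."""
    _, headers = parse_response_headers(raw)
    findings = [msg for name, msg in REQUIRED_HEADERS.items() if name not in headers]
    hsts_value = headers.get("strict-transport-security")
    if hsts_value is not None:
        hsts = parse_hsts(hsts_value)
        if hsts["max_age"] is None:
            findings.append("HSTS: max-age directive missing or malformed")
        elif hsts["max_age"] < MIN_MAX_AGE:
            findings.append("HSTS: max-age %d is below %d seconds" % (hsts["max_age"], MIN_MAX_AGE))
        if not hsts["include_subdomains"]:
            findings.append("HSTS: includeSubDomains not set, so subdomains stay unprotected")
    for name in ("server", "x-powered-by"):  # version disclosure, as in the slide's first response
        if name in headers:
            findings.append("%s header discloses the platform: %s" % (name, headers[name]))
    return findings


if __name__ == "__main__":
    for label, raw in (("before", RESPONSE_BEFORE), ("after", RESPONSE_AFTER)):
        print(label, audit_response(raw) or ["ok"])
```

Note that a token written as "include SubDomains" (with a space, as the slide's extraction shows it) is not the includeSubDomains directive and is silently ignored by browsers; the parser mirrors that behaviour, which is the reason the audit checks the parsed flag rather than searching the raw string.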
SSL on security appliances
Key issues when enabling SSL - performance degradation

Visibility: as SSL traffic grows, visibility into that traffic shrinks. Malware and other software use encrypted channels to talk to their C&C servers (blind spots).

Performance: encryption and decryption degrade throughput.
Next-generation firewall: 79%
SSL-capable IPS: 75%
APT solutions: 100% (* no SSL support)
Enabling SSL on network security appliances such as firewalls and IPS is expected to degrade performance by up to 80%.
F5 SSL Visibility & Data Protection
F5 full proxy architecture

[Diagram: a client-side and a server-side stack (TCP / SSL / HTTP) on either side of the proxy, each layer with an iRule hook; a network firewall and a WAF sit in the path. Attacks shown: ICMP flooding, network flooding, SSL renegotiation attack, data leakage, Slowloris attack, XSS]
Proxy modes for SSL visibility

Reverse Proxy
• Sits between external users and internal applications
• SSL offloading, caching and traffic load balancing for the applications
• The service domain's certificate is installed on the device

Forward Proxy
• Sits between internal users and external applications
• Provides visibility when internal users connect to the outside over SSL
• Users must install (be provisioned with) the F5 device's certificate

[Diagram: external users ↔ SSL ↔ F5 ↔ SSL or HTTP ↔ internal applications; internal users ↔ SSL ↔ F5 ↔ SSL ↔ external applications]
Proxy modes for SSL visibility

SSL Offload and transformation: use BIG-IP to enforce encryption policy to applications and for in-line SSL visibility.
[Diagram: users connect over SSL; the proxy re-encrypts with stronger settings towards regulated apps, standard settings towards standard apps, weaker settings towards fast apps, or forwards in the clear, with SSL visibility for FW, IPS and WAF]

SSL Intercept (Air-Gap): use SSL Intercept for visibility into SSL traffic with 3rd-party security devices like NGFW, NG-IPS, DLP, and APT threats.
[Diagram: corporate network → air gap → internet, inbound and outbound]

Gaining visibility into encrypted traffic
• Inbound (Reverse Proxy Mode) - external services
  • SSL decryption / offload (cost saving) / acceleration
  • Certificate consolidation (moved from the web servers to the proxy), hosting
  • Integration with new security solutions (NGFW, IPS, DLP, WAF etc.)
  • Security infrastructure consolidation (with AFM, ASM, LTM)
• Outbound (Forward Proxy Mode) - internal users
  • Prevent data leakage from the user network to the internet
  • Integration with new security solutions (NGFW, IPS, DLP, etc.)
  • Extend the security architecture to SWG (blocking harmful sites)
  • Broader security coverage (consolidation with LTM, APM, AFM, SWG)
F5 SSL visibility with security service chaining

[Diagram: users / devices → firewall → F5 BIG-IP (air-gap solution) → firewall → internet. Services chained from the BIG-IP: IPS (pool), DLP (pool), web gateway (pool), anti-malware (pool, ICAP, 1-armed / 2-armed), NGFW (pool, inline insertion in L3 mode), forensics / performance (clone pool, passive tap), inline insertion (L2 mode). The BIG-IP performs decryption and acceleration (policy-based, with bypass options), re-encryption and user authentication]
F5 & FireEye Solution
F5 & FireEye integration design

[Diagram: mobile devices → SSL traffic → F5 (with HSM) → unencrypted traffic → FireEye → internet]

Integration description / how it works:
A real-time list of malicious URLs is passed between F5 and FireEye!!
Malicious SSL URIs are blocked!!
F5 & FireEye integration design - F5 blocks malicious URLs

FireEye NX
• Maintains a real-time URL list to deliver the inbound / CnC network information derived from dynamic behaviour analysis by the FireEye MVX engine
• Updates the URI entries to be blocked so they take effect in real-time blocking
Load balancing across FireEye VMs

Features / Advantages

[Diagram: mobile devices → SSL offloading on F5 → unencrypted traffic distributed across several FireEye MVX engines (Multi-Vector Virtual Execution) → SSL on the server side → internet]
F5 + FireEye integration architecture

Problems when moving to an encrypted environment
• Exposure to SSL-based malware
• Existing network architectures have no solution ready for visibility into encrypted traffic
• An SSL-encrypted environment has a major impact on infrastructure efficiency, security and application performance

Key benefits
• SSL visibility against SSL-based attacks
• Flexible expansion of the FireEye solution when needed
• Maximum efficiency: FireEye detects, F5 blocks the malicious URL
• Load balancing based on the number of FireEye detection VMs

F5 key differentiators
• Hardware-based, high-performance SSL visibility
• SSL visibility for every service port that uses SSL (including port 443)
• Automatic / manual URL-category bypass through flexible policy settings
Expected benefits of the F5 SSL Everywhere architecture
• Low TCO, fast ROI
• Security appliances remain usable for SSL traffic
• SSL performance in hybrid environments
• Key protection for compliance
• Security applied to inbound and outbound SSL traffic
THANK YOU!!