IBM Security Team. Web Mail IBM Corporation

Transcription

1 IBM Security Team Web Mail

2 WEB IBM WEB IBM Rational AppScan IBM Proventia WEB Application Protection IBM Websphere Datapower! Tivoli Rational Proventia

3 WEB WEB 54.9%!"#$ 2008 WEB 74% Web 2008 % ' SQL injection 30 6 " PCI DSS WEB ( 152-)( WEB,, WEB & WEB %

4

5

6 50% Web *++ :, NSS, 12, 2009

7 : -%..! IBM: %. /% IBM % % %.

8 " #$$ %% WEB ", WEB, *++, % - / ". WEB, % " firewall WEB % % 1 0 &

9 IBM ' WEB!% Web & WEB ' X-Force Powered Protection & '(' )

10 (: IBM Web Application Security 2. : %,, & 3 (, Web 2.0 2: + % DataPower XML Security, SSL termination & acceleration, Proventia ( " AppScan + Web Applications & Databases

11 % : IBM Rational AppScan 1 Web ". IDC ' web SQL Injection Cross-site Scripting Web % % (. web % Conficker % % X-Force

12 Rational AppScan 3 3, + HTTP HTTP ) * +

13 Rational AppScan Developer & Build Edition SQL Injection Found

14 , : & ' AppScan Standard AppScan Enterprise AppScan Developer / Build AppScan Tester AppScan OnDemand AppScan Security Consulting,, AppScan Reporting Console

15 IBM X-Force ( % $ PAM %. IBM Proventia. PAM + 5 % IBM ISS. Virtual Patch. : (, % %,. # : %, 53%, %,. Threat Detection & Prevention. : 3. # : 4 % %. ( % Shellcode Heuristics (SCH), zeroday. Content Analysis. : 3.+ % + +., %. # : 5. ; %. Web Application Security. : ( SQL Injection, XSS (Cross-site scripting), PHP file-includes, CSRF (Cross-site request forgery). # : & % %. Network Policy Enforcement. : 4 %, ActiveX fingerprinting, Peer To Peer, Instant Messaging, and tunneling. # :.

16 Proventia + Web application security web X-Force * IPS, % % : Web 2.0: JSON (java script object notation) blocking Database: SQL injection, LDAP, XPath injection Web application protection: shell command, server side include, XSS and directory traversal

17 Proventia Web Application Security %% SQL (Structured Query Language) Injection XSS (Cross-site scripting) PHP (Hypertext Preprocessor) fileincludes CSRF (Cross-site request forgery) Path Traversal HTTP Response Splitting Forceful Browsing %

18 Proventia WAP Open Web Application Security Project (OWASP) OWASP 10 : A1 - Cross Site Scripting (XSS) A2 - Injection Flaws A3 - Malicious File Execution A4 - Insecure Direct Object Reference A5 - Cross Site Request Forgery (CSRF) A6 - Information Leakage and Improper Error Handling A7 - Broken Authentication and Session Management A8 - Insecure Cryptographic Storage A9 - Insecure Communications A10 - Failure to Restrict URL Access % Proventia WAP: A1 Cross Site Attacks A2 Injection Attacks A3 Malicious File Execution A4 Brute Force A5 Cross-site Request Forgery A6 Information Disclosure A7 Authentication Information Disclosure A8 Authentication A9 PAM Content Analyzer A10 Directory Indexing Directory Traversal

19 % ILE (Injection Logic Engine) 6. 4 / SQL injection 3,, SQL SQL (, % ( % +% % SQL injection! % SQL 6 6 ( 3 + " sql

20 + XML: / WebSphere DataPower XML Gateway 0 $ ' HTTP, HTTPS, SSL XML/SOAP Firewall ) %, / XML +, + +.+,, Authentication, Authorization, Accountability (AAA). Identity Management Solution (IMS) 1 %! % + & % % ICAP Web Services / XML Messages & $" " * ID (Tivoli, LDAP ) SOAP SOAP Web Services Requestor MQ Appl Service Providers

21 - '" % WEB 1 DataPower Proventia GX 3 SSL $, ', XML 2 IPS (NIPS) % Web Proventia MX Proventia MX Host Intrusion Prevention (HIPS) " SSL IIS Apache / -- % Web 2.0 % : Web 2.0: JSON (java script object notation) Database: SQL injection, LDAP, XPath injection Web application protection: shell command, server side include, XSS and directory traversal!% X-Force Proventia: 1. : IBM Proventia Network IPS 2.! : IBM Proventia Multifunction Security 3. " : IBM Proventia Server IPS )' " " 6.6 PCI DSS ( ) - +.

22 IBM Proventia Web security ) % ) WEB $ $ IPS VPN ' Proventia Server IPS $ SSL $ DataPower SSL Decryption, Load Balancing, and XML Security Proventia Network IPS ' IPS Web Application Protection Proventia MX! -- Web App Protection Proventia Server IPS Proventia Server IPS

23 ! Proventia Web Application Security Websphere DataPower + Web Application Firewall (WAF)! Proventia Web Application Security Buffer overflow exploits CGI-BIN parameter manipulation Form/hidden field manipulation Forceful browsing Cross-site scripting (XSS) Command injection SQL injection Web site defacement Well-known platform vulnerabilities Zero-day exploits! DataPower Cookie watermarking (sign and/or encrypt) Customizable error handling SSL Acceleration & Termination (Link) Dynamic routing and load balancing Session handling policies Rate limiting and traffic throttling/shaping General name-value criteria boundary profiles for: Query string and form parameters HTTP headers Cookies WAF

24 Rational AppScan Proventia Web app protection WebSphere DataPower Web app firewall ( ' -$" + + Oracle, MySQL, MS SQL + DoS % % + * + ($ SSL + SOA

25 , WEB IBM / - '" ' / 3 % SOA + " -" WEB 3 * " PCI DSS 6.6 ( ) Billions of mobile devices accessing the Web New Forms of Collaboration Globalization and Globally Available Resources Access to streams of information in Real Time

26 80% WEB 2010 % % WEB 4 WEB..

27 0? 1, /, /! 3

28 + WEB ibm.com/security IBM ISS & "15: