Mykonos Web Intrusion Deception - Protecting websites like no other
byssl_boy08-13-201204:32 AM - edited 08-15-201211:42 AM
This is a guest blog post. Views expressed in this post are original thoughts posted by Glen Kemp, Solutions Consultant at SecureData Europe. These views are his own and in no way do they represent the views of the company he works for.
At the recent Juniper Networks Champions Conference in Berlin, a friendly SE organised a session with the Mykonos VP and product manager. A small group of partners turned into a substantial crowd by the end of the session. When partners and Juniper's own people alike start to take an interest like that, you know there is something new and exciting on offer.
Mykonos is described as "Web Intrusion Deception" and straddles three more traditional security areas; Intrusion Detection Systems (IDS), Web Application Firewalling (WAF) and Network Honeypot (HoneyNet). The Mykonos approach is interesting in that rather than inspecting traffic looking for specific signatures or locking down web applications to very rigid I/O, it dynamically modifies pages so that they would appear to be a very tempting target. Mykonos works on the premise that the behaviour of a would-be intruder is different from that of a legitimate web customer. Consider these "real world" scenarios:
Man number 1 walks into a jewellery shop. He asks the shop keeper for advice on buying a second-hand watch. The shop keeper opens some locked glass cabinets. A selection is made and the customer makes a purchase with a credit card and leaves with a cheery doff of the cap.
Man number 2 walks into a jewellery shop. Immediately he starts to try and prise open the glass on each of the cabinets. When that fails he pulls an enormous bunch of keys from his pocket and systematically tries every one. By chance, one cabinet is unlocked and the "customer" stuffs his pockets with the contents. A random, expensive looking tiara is selected and dragged to the till. The "customer" then attempts to pay with monopoly money, then an obscure currency then finally an iffy-looking credit card. The transaction is completed and our mischievous friend bolts from the shop, only to be replaced by a dozen similar men moments later attempting to return obviously fake tiaras to a variety of different credit cards.
Even the most indifferent teenage shop assistant would be stabbing the silent alarm with 30 seconds of our second friend entering the shop. Security technologies (and by extension, IDS and WAFs) are very good at comparing lots of numbers to another set up numbers and telling you whether they are greater or lesser than a previous set of numbers. IDS and WAFS look for very specific sets of rules and if they match, flag an alarm. If something falls outside of those parameters IDS will allow whilst WAFS will block.
Mykonos behaves like a human shopkeeper; he doesn't know what the customer wants to buy until he asks, but he can easily observe and identify "bad" behaviour or just a slow or eccentric customer. This "human behaviour" based analysis is something that traditional security systems have been bad at emulating, but Mykonos seems to have nailed it. To "seed" the "bad" behaviour of the would-be attacker, the Mykonos software transparently injects "tempting" looking but ultimately useless code and objects into the session. To return to our "jewellers" scenario, it would be like deliberately installing lots of open cabinets of fake watches around the shop. It doesn't actually impact the normal line of business in any significant way, but would waste the time of the attacker. The goal is to ensure that customers get good services, whilst lead hackers down a series of increasingly elaborate garden paths. This makes it uneconomic for attackers to keep trying your site and go and find a softer or more lucrative target elsewhere.
The key advantage of this technique over traditional IDS and WAFS systems is that there is much less operational overhead with Mykonos. IDS systems (even the good ones) need a lot of policy work in order for them to work as designed. Traditional WAFS suffer from the fact that also require deep application knowledge; this is a laborious process and can easily "break" the apps they are designed to protect; a price which may be too high for some. My own experience with WAFS is that it forces the application development and network security teams to work in complete harmony, otherwise the business process they respectively maintain and protect can easily be made unusable. Here is an example were WAFS could create a significant problem. Recently in the EU and the UK the laws changed regarding how websites can handle cookies. The impact itself was pretty minor; essentially just provide the user fair warning of what you are doing. These kinds of things tend to be left to the last minute. A stressed development team could easily throw the changes in on a Friday afternoon, test in the pre-production environment and then push to live before packing up for the weekend. Come Monday morning, it's discovered that the production e-commerce site has been throwing error 500's to customer all weekends as the support pages for the cookie tracking changes have not been "learned" by the WAFS (which is helpfully only deployed on the production systems for cost reasons). Customers and revenue would be impacted, as well as egg on faces. These kinds of issues just would not occur with a product like Mykonos as it assumes the code on the web server is what the business wants to serve to customer.
Such is my enthusiasm for the product that I'm intending to deploy it to supplement our more traditional security controls as a matter of urgency in the next few weeks, and hopefully some customer environments in the next few months.
Ben has been working with service providers around the world for the last 15 years developing business cases for a variety of product concepts and new ventures.
Ben holds an MBA from MIT and a BS & MS in Mechanical Engineering from Johns Hopkins University.
A Marketing and Business Development professional with 24 years extensive Sales/Business Development, Marketing and Technical experience in the Networking/Telecoms/Datacomms and Mobile market segments, focused on selling to Service Providers.
Fomerly VP Marketing at the Metro Ethernet Forum (MEF)
David Noguer Bau is the head of Telco Vertical Marketing at the SP Strategic Marketing team in Juniper Networks. He has extensive experience in Service Provider network evolution and regularly runs executive sessions with technical and marketing teams of important telecom operators to accelerate the adoption of virtualisation.
David is based in Barcelona and has over 15 years of experience in the telecommunications sector. Prior joining Juniper Networks, Mr. Noguer Bau spent seven years at Nortel where he was a Business Development Manager specializing in Carrier Ethernet and Broadband areas. Before Nortel he worked at Eicon-Dialogic as Technical Manager in Spain. David has been the Country Marketing Chair at Metro Ethernet Forum for Spain.
Mr. Noguer has wide experience speaking at international Conferences. He was graduated as Computer Engineer by Universitat Autonoma de Barcelona (UAB) and has an executive MBA from EADA Barcelona and executive education at the Thunderbird School of Global Management (Arizona) and the Henley Business School (UK).
The views expressed here are my personal opinions , have not been reviewed or authorized by Juniper Networks and do not necessarily represent the views of Juniper Networks.
I’ve been 29 years in the industry, first as a trainee IBM operator at Barclays Bank, later starting my own business which was ultimately acquired by French listed company EasyVista – [giving me great insight into working as part of an internationally focused company alongside organisations like Reuters, UBS Warburg, GlaxoSmithKline and London Electricity].
I am Sales & Marketing Director at Netutils – a specialist IT Networking and Security solutions provider. My passion continues to be making enterprise more efficient via the intelligent deployment of technology, with a view to delivering real value for my clients.
Donyel Jones-Williams is Senior Product Marketing Manager overseeing SDN and Core Service Provider Product line for Juniper Networks. In this role, he leads all of the internal and external marketing activities for T-Series, PTX, IP/MPLSView and NorthStar SDN Controller.
Prior to joining Juniper Networks in January 2014, Donyel was a Senior Product Line Manager for Cisco Systems with in the High End Optical Routing Group managing product lifecycle for multiple products lines helping telecom providers operate efficiently and effectively including; ONS 155xx Product Family, ONS 15216, ONS 15454 MSTP, Carrier Packet Transport Product Family, ME 2600x, & ASR 9000v. He also negotiated favorable agreements with 3rd-party vendors furnishing components and parts and conducted both outbound and inbound marketing (webinars, case study-development, developed and delivered both business & technical at Cisco Live 2005-2012).
Donyel graduated from California Polytechnic State University-San Luis Obispo with a Bachelor of Science in Computer Science. While attending Cal Poly SLO he was a collegiate student athlete playing football as a wide receiver and a key member of the National Society of Black Engineers. Donyel is now an active volunteer for V Foundation.
With 20+ years of global IT management experience, Gary Clark oversees all technology services to support 9,600 employees at Juniper Networks, a $4.5 billion networking innovator with operations spanning 123 offices in 47 countries. Prior to Juniper, Gary held senior IT management roles at BlackRock/Barclays Global Investors and Deutsche Post/DHL.
Senior Systems Engineer for NEC NZ. Focused on Juniper Networking equipment, SDN and NEC compute platforms. Busy studying for the JNCIP-SP and ENT.
Outside of work I enjoy the great outdoors: Mountaineering, Bouldering, Rock or Ice climbing, Tramping (hiking to non-Kiwis) and Snowboarding.
I have been in the networking industry for over 30 years: PBXs, SNA, Muxes, ATM, routers, switches, optical - I've seen it all. Eleven years in the US, over 20 in Europe, at companies like AT&T, IBM, Bay Networks, Nortel Networks and Dimension Data. Since 2007 my focus has been on services at Juniper: support services, professional services, service automation. Our market is characterized by amazing technological innovations, but technology is no use if you cannot get it to work and keep it working. That is why services are so exciting: this is where the technology moves out of the glossy brochures and into the real world!
Follow me on Twitter: @JoeAtJuniper
For more about me, go to my LinkedIn profile: http://fr.linkedin.com/pub/joe-robertson/0/4a/34a
Jon joined Fujitsu UK&I as Chief Technology Officer in January 2011 from the public sector, where he was Chief Information Officer, Transformation Director and SIRO at the Valuation Office Agency. Prior to this he was Her Majesty’s Revenue and Customs’ first Chief Technology Officer, leading the integration of the former Inland Revenue and Customs & Excise organizations.
His roles in both organizations drove out savings in excess of £600m, as well as bringing about significant technology transformation, building high performing teams in the process.
Jon was a founding and core member of the UK Government Chief Technology Officer Council and recruited and led a team creating Public Services Network, XBRL mandation and cross government channel strategy.
Jon’s client side board level experience is built on 11 years at Accenture, with clients including Barclaycard, Legal & General, BP, Castrol and BG Group.
Jon now leads the UK & Irelands 1,200 strong Architecture Community, driving standard solutions, reinforcing rigorous re-use and a collegiate collaborative community and culture, leading with courage and conviction.
Jon is a firm believer in the 4Ps – Pace, Passion, Pride and Professionalism. He is a Chartered Engineer, Fellow of the British Computer Society, founding Fujitsu Fellow and a member of the Advisory Board for AppDynamics.
I'm a Distinguished Systems Engineer at Juniper Networks. My main technical interests are routing protocols, MPLS, PCE/WAN Controllers, automation, and optical integration. Before joining Juniper Networks in 1999, I worked at BT for several years, at first in the Photonics Research Department and later in the data transport and routing area. I have a PhD in ultrahigh-speed optical transmission and processing and an MA in Physics, both from Cambridge University. I co-authored the book "MPLS-Enabled Applications: Emerging Developments and New Technologies", with Ina Minei. The book is now in its third edition.
Marcel Wiget is Consulting Engineer Specialist and member of the Advanced Technology team for EMEA. His career within Juniper started back in 2009 as a Senior Systems Engineer driving one of the first MX based Broadband Edge deployment to success. Prior to Juniper, Marcel held various positions in pre-sales, professional services and development at Chantry Networks, Spring Tide, Nortel Networks and Wellfleet.
I love the intracacy and intimacy of succesful communications. Why and how people engage with each other is fascinating. I am also consumed with the way IT changes behaviours, values and expectations in society.
I bring this sense of wonder to my role in EMEA Service Provider Marketing Programs at Juniper Networks.
Down time: My passions are music, reading, politics, Derby County and playing the guitar (and the harmonica).
You can follow me elsewhere:
my personal blog: http://neilpound.tumblr.com/
my LinkedIn account: Neil Pound
I am one of a small team of Network Engineers working for Lumison Ltd, a UK ISP/MSP based in Edinburgh, Scotland. I have been with the company for almost 6 years moving from frontline support to the Managed Services team dealing with customer network design and implementation before talking up the role of Network Engineer. As well as the JNCIE-ENT certification.
I am currently a Sr. Product Marketing Manager specializing in Juniper's Security Portfolio in the Service Provider industry. I am an experienced senior technical leader, technical marketing engineer, solutions architect, and product marketing manager with over 20 years of Internet and Enterprise industry experience developing solutions from scratch often in relation with business units and technology groups, my projects ranged from product, solution, and technology development to corporate technology strategies. I have strong analytical skills and I am able to crunch and articulate complex technology to a variety of audience knowledge levels. I possess a deep hands-on technology and business knowledge of Service Provider and Enterprise architectures with deployment hands-on skills. I also bring a unique perspective of open source philosophy, including but not limited to open innovation, software development methodologies, open source monetization and business models, and licensing and compliance in software integration. I am a strategic leader with proved ability to empower a team to improve their product, themselves, their team, and our company’s market position.
An inspirational marketing leader working across the entire marketing mix to transform brand into business value, activity into results and thought leadership into measurable pipeline. You can follow me on Twitter at @PaulGainham
I have been at Juniper Networks since 2004, focused on Corporate Communications (media relations, analyst relations, customer reference progam) for the Europe, Middle East & Africa region.
I have worked in the networking industry since 1988.
Raghu Subramanian is VP of Sales Engineering for Asia-Pacific at Juniper Networks. Prior to this, he has served Juniper as chief strategist for the security business, product evangelist to channel partners, and product manager for M-series routers.
In past lives, Raghu was a chip designer at Hewlett Packard, and an R&D manager at a start-up acquired by PMC-Sierra.
Raghu has an MBA from the MIT Sloan School of Management, Ph.D. in Computer Science from the University of California at Irvine, and a B.Tech.in Electrical Engineering from the Indian Institute of Technology at Kanpur. In his spare time, he enjoys reading non-fiction, coaching kids for the Math Olympiad, and traveling with his family to other countries to learn about their ways.
Russell is the global leader of the Advanced Technologies team specializing in Data Center Virtualization and Automation. Russell leads the team that provides Juniper’s major customers with solutions to provide the network underpinnings for highly virtualized and automated data centers.
Stephen is currently a Partner Acccount manager at Juniper Networks, and has held this role for 3 years. Prior to Juniper, he worked at Extreme Networks for 11 years in a variety of roles.
Stephen is a Father of 3 children, a keen cricket fan and enjoys cooking, reading and theatre in his free time.
Stephen Liu is Senior Director of Product Marketing for Juniper Networks. In this role, he leads product marketing for Juniper’s industry-leading service provider portfolio of high-performance routing and switching products. These products include Juniper PTX Series, T Series, MX Series, and ACX Series platforms along with software and security.
Prior to joining Juniper in 2013, Stephen served as Director of Service Provider Marketing at Cisco Systems. In that role, he led product and solution marketing worldwide for the service provider routing, switching, optical, and software portfolio. Products included NCS, CRS, ASR, and ONS platforms.
Stephen attended the University of California, San Diego, where he received a bachelor’s of science degree electrical engineering – communication systems.
Hobbies include restoring old Volkswagens and coaching competitive youth soccer. He is based in Sunnyvale, California.
About Stuart Borgman, Business Systems Architect
Having spent many years in the telecommunications and networking industry, I understand just how complex networking technology can be, and equally, just how important it is for today’s fast-moving business.
Making the right IT choice for any organization is paramount, especially when it is helping drive business strategy. In my role at Juniper, I’m committed to helping all organizations plan and design their IT systems to make sure that each part works together to fully meet the needs of the business. Together with my colleagues in Professional Services, our aim is to ensure that all you need focus on is your business strategy, not the technology.
I'm currently working on a number of Service Provider projects focusing on Identity Management. These range from Mobile Operator WiFi offload projects & 3G SCADA device management to broadband authentication encompassing quota and service management for P2P and video traffic control.
I have over 15 years progressive experience designing complex RADIUS platforms to meet the demands of the most multifaceted businesses. One of the most successful projects focused on the consolidation of 22 separate RADIUS platforms spread over a large estate onto a single pair of RADIUS servers, offering the same functionality and business logic as the prior estate.
In addition I have spent a number of years observing and implementing solutions for the enterprise space in the BYOD and NAC market. It's a keen area of interest for me as it combines the whole concept of identity management and business needs together. My largest project in this space was for a UK company with global offices providing a NAC solution for over 200 sites, with over 150,000 staff.
Over the last 10 years Netutils have invested heavily in developing a technical team to support me and the business on these key areas. I strongly believe that a solution designed by Network Utilities should be the right solution technically and commercially for the customer, so my over-riding focus is on customer satisfaction. This follows on in the technical support service the Netutils team offer post implementation.
Not making tea, NAC, RADIUS, Quota Management, Diameter, full life cycle of the subscriber management. Working with large organisations taking a concept through to delivery around identity management whether authentication or Quality of Service.
An accomplished network engineer with 14+ years’ experience, and a Juniper employee since 2004, Tony leads the IT team focused on deploying “Juniper on Juniper”, using Juniper technology to run the business and deliver core business services across the enterprise. Tony holds a double JNCIS certification in Enterprise Routing, Security (JNCIS-ER, JNCIS-SEC) and a BS degree from California Polytechnic State University. Outside of work, Tony serves on a School Advisory Council, loves biking and good coffee.
Zoe Sands is Head of Digital Marketing at Juniper Networks and is responsible for digital marketing and social media across EMEA. She is an experienced Digital Marketer since 1997 with PRINCE2 practitioner status, during this period Zoe has successfully launched many new online innovations for Juniper Networks, Cisco, Dialogic, the Chartered Institute of Marketing (CIM) and Hyundai, including content managed and e-commerce based websites to integrated social media programmes. She has International exposure running projects globally, regionally and at a country level.
Zoe’s approach is to create an environment where those around her can share her passion for the Internet and the opportunities it presents. She says sharing knowledge, championing and communicating the benefits of digital capabilities enhances both the user experience and offers additional online communication channels and business opportunities. Zoe has a blog ‘Learning and sharing...’ to share her experience of all things online marketing, social media, chat online, SEO, SEM and mobile related content. You connect with Zoe via LinkedIn or find her on Twitter: @zoe9 and @ZoeSands.