Tar-Covered Clouds

When people say Mykonos they generally think of white buildings, cliffs, partying, and stunningly amazing women. Australians might add The Wog Boys to this. Well, Juniper has added another meaning. It involves tar pits, reverse proxy magic, lies, deception, and some good old honest tom-foolery.

Wog Boys in Mykonos!

Mykonos, acquired by Juniper, is a reverse proxy web application security product that is application neutral. Through client profiling, code adjustment, and application adjustment, to name a few, it allows defence through obfuscation. Requests that should yield expected results yield results that they shouldn’t. Doing that would otherwise take logic that screams dirty coding practice, or manually configuring tricks and traps in an application. This is where Mykonos shines.

Play funny buggers

Detection by Deception is the product’s motto, and it utilizes a threat detection and mitigation life cycle of Detect, Track, Profile, and Respond.

Detection occurs through well-conceived tar traps. Known to many as honey-pots, these tar traps confirm with certainty that the intention of the user is not ordinary and that there is an ulterior motive. This makes it possible to avoid the boy-who-cried-wolf scenario, where false positives take the edge off the sharpness that is your internal staff!

The Track phase then initiates and fingerprinting occurs. IP address isn’t the only way to guess who. The OS, and the scripts and software being used to leverage an attack, can also be determined. This allows an identity to be built. Once this information is collected, phase three can be initiated.

Once tracked, a Profile is assigned to the said attacker. This lists attempted attack vectors, how they have done it, the threat level and more. A random name and user ID are assigned to the profile, which includes information from the previous phase. Here you can build an identity database to quantify results.

The Respond phase of the attack is the most creative. Once a profile has been established and correlated with what attacks are taking place, it is possible for Mykonos to deter an attacker and make their life painful. Slowing connections, forcing a captcha, forcing a logout, and simulating a broken web application are some responses, just to name a few. Heck, you can even scare them and show results of local law attorneys.

Slotting in Mykonos

Yo, check out my sick tricks

Mykonos responds by doing some crazy but quite logical tricks. Little snippets of code are injected at serve time, after a response has come back from the web server. This allows the application to remain untouched while a crafted and unexpected result appears to the attacker. This is very different to many other things I have seen on the market. Now that most web services party on port 80 and 443, you will find that a firewall’s uses are limited for web applications. This is a refreshing change in security postures.
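
The serve-time injection and tar-trap detection described above can be sketched as follows. This is an added example, not Mykonos code: the field name, key, and function names are hypothetical, and the product's actual traps are not described in this post.

```python
import hashlib
import hmac
import re

# Hypothetical names throughout; values are constructed for the example.
PROXY_KEY = b"constructed-demo-key"  # secret held only by the reverse proxy
TRAP_FIELD = "acct_tier"             # looks tunable; the real application never reads it
UPSTREAM_HTML = ('<html><form action="/transfer" method="post">'
                 '<input name="amount"></form></html>')  # constructed upstream response


def trap_value(session_id: str) -> str:
    """Value the proxy expects back: an HMAC bound to the session."""
    mac = hmac.new(PROXY_KEY, session_id.encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def inject_trap(html: str, session_id: str) -> str:
    """Add a hidden trap input to every <form> in the upstream response."""
    field = (f'<input type="hidden" name="{TRAP_FIELD}" '
             f'value="{trap_value(session_id)}">')
    return re.sub(r"(<form\b[^>]*>)", lambda m: m.group(1) + field,
                  html, flags=re.I)


def inspect_request(params: dict, session_id: str) -> tuple:
    """Strip the trap before forwarding and classify what the client did with it."""
    forwarded = {k: v for k, v in params.items() if k != TRAP_FIELD}
    got = params.get(TRAP_FIELD)
    if got is None:
        verdict = "missing"    # form posted without the field: lower-confidence signal
    elif hmac.compare_digest(got.encode(), trap_value(session_id).encode()):
        verdict = "clean"      # echoed back untouched, as a normal browser would
    else:
        verdict = "tampered"   # a hidden field does not change unless someone edits it
    return verdict, forwarded


def demo() -> tuple:
    """Run one honest and one probing submission through the proxy logic."""
    page = inject_trap(UPSTREAM_HTML, "sess-42")
    honest = {"amount": "10", TRAP_FIELD: trap_value("sess-42")}
    probing = {"amount": "10", TRAP_FIELD: "admin"}
    return (page, inspect_request(honest, "sess-42"),
            inspect_request(probing, "sess-42"))
```

Because the application never sees or emits the trap field, a "tampered" verdict cannot come from normal use, which is what keeps the false-positive rate low.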

Diminishing Returns

An important thing to take on board is the value of the target. Never say you aren’t valuable to anyone; as the old adage goes, “One man’s trash is another man’s treasure.” This is so true with data. If you make it more difficult and trickier to attack, and slow the attack down, the return on investment is lessened. Work it through as a financial model: if each hack gains 10 dollars and takes one hour to crack at a cost of 5 dollars an hour, then you profit 5 dollars. If you leverage something like Mykonos and you slow down an attack to where it takes 3 hours, they will have spent 15 dollars and gained nothing. Most likely they will have given up, and as my simple dollars show, it is not a worthy return.

Why have any cookie when you can have a SUPERCOOKIE?

What sounded like a steroid-filled sweet was the one thing that made me a little sad in the pants. This cookie is what assists in the profiling of a user. The persistent cookie can seed up to seven variations of itself. Pretty hardcore. The mentality that Mykonos uses in conjunction with the Do Not Track feature in website standards is “Others don’t play by the rules so why should we.” I like the idea of good morals and ethics. This didn’t sit well with me, though now being of the software coder type, I couldn’t think of an alternative to the supercookie. To me this seems like the only negative part of Mykonos, but some may call me “too nice”.

Slick GUI

Simple and easy to use, the GUI gives the NOC the ability to identify threats and action accordingly. With explanations of what is happening and responses in real time, the ability to design workflows around incident response can be pushed right down to Level 1. The dashboard provides great information in the form of access, top hackers, incidents, deployed counters, and responses. These are very useful management reports for finding where the best next spend is. Super effort has been made here, and I would love to get my hands on a live, non-demo deployment.

Slave and Master

Currently each Mykonos appliance can support up to 1 Gig throughput. This is great, but what if you are a company that requires more? What if you have multiple webpages served by one data center and the aggregate throughput exceeds this? Well, Master and Slave boxes are the solution. Using a clustering solution, Mykonos allows slaves to be added to the master to increase the product’s traffic throughput. I am not sure if this is a licensed extra or just costs more. Reverse Proxy services put 14ms on to web requests when reaching 1GB. That was pretty mind-boggling. I’ve seen worse at less.

Austerity measures in CapEx and recurring OpEx are required

I would love to see some official pricing. Mykonos doesn’t seem affordable for everyone. We were told that pricing was based on throughput. This scaled up to a number I saw being around 1GB of traffic. 1GB throughput with Mykonos doing its magic was $175,000 per annum. I would love someone to clarify list pricing please.

Why a Tar-covered cloud?

The title of my post refers to how Mykonos can be deployed. Virtualized? Check. Custom hardware box? Check. AWS iso? Check! Super. With a lot of customers leveraging AWS or EC2 instances for web applications, it would be foolish not to address this. Juniper have gone and ensured that their product will have a wide market. I am sure this isn’t new but I thought it was great. Stick those tar traps in the cloud and make your cloud stickier than the proverbial!

NFD4 presentation

Juniper, you are to be commended. Kyle Adams did your team proud. He delivered a solid presentation with what I believed was technical accuracy and a working demonstration. His Gartner reference was luckily negated by his Defcon sticker. I was pumped and excited the whole time and Kyle delivered this product with passion and enthusiasm!

In closing

For the cost of a slice of Mykonos itself you can deliver some pretty neat cool web security. I do not have a massive web front end so I cannot comment on a real world deployment. The test scenario was more than enough to wet my whistle of excitement. I would suggest anyone who has a revenue-driven webpage, or deals with credit cards or user information, investigate Mykonos’ offerings.
