how to encrypt everything that moves and keep it usable
Post on 17-Aug-2015
139 Views
Preview:
TRANSCRIPT
UNCLASSIFIED//COMSEC//CRYPTO
UNCLASSIFIED//COMSEC//CRYPTO
nsa
How to Encrypt Everything That Moves and Keep It Usable
Denis Gundarev, Application Solutions Architect, VMware
dgundarev@vmware.com @fdwlDelivered From: @FDWL
Dated: 20150722Page 0
UNCLASSIFIED//COMSEC//CRYPTO
UNCLASSIFIED//COMSEC//CRYPTO
nsafdwl@E0D23:~# gpg –d message
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi %username%, my name is Denis Gundarev, I’m a Senior MTS/Architect at VMware
I hope you understand that the opinions expressed here represent my own and not those of my employer.
All data and information provided in this presentation is for informational purposes only.
-----BEGIN PGP SIGNATURE-----
iD8DBkjNWQIQFFxqRFCkjNWQIMEeCgg7y6IUikeCgg7yjNWQIW6eCgg7y3QE=
=aAhr
-----END PGP SIGNATURE-----
FIPS 140-2 Compliant
&Common Criteria
Certified
Certified SecurityWorldwide recognition as the industry standard for App and Desktop
security
XenApp & XenDesktop areCommon Criteria
Certified
XenApp & XenDesktop are FIPS compliant, simplifying highly regulated compliance
FIPS Compliance Documentshttp://www.citrix.com/about/legal/security-compliance/security-standards.html
Common Criteria Certificateshttp://www.cesg.gov.uk/finda/Pages/CCITSECResults.aspx?post=1&company=Citrix+Systems+Inc&status=Certified&sort=name
Workspace PortalHorizon Clients
Virtual Desktops
RDS Hosted DesktopsRDS Hosted Applications
Horizon 6 Enterprise
App Volumes
Desktop PoolsApp Pools
Root Certification Authority
Subordinate Certification Authority
Certificate Certificate Certificate Certificate
Public Key Infrastructure
Privet! I will send you encrypted message, use secret word “secret” to
decrypt it!
Hello x secret= ЙЦГШЩЗЪФ
ЮБЬИЧЯЖД / secret = Nice to
meet you
ЙЦГШЩЗЪФ! ЙЦГШЩЗЪФ / secret= HelloЮБЬИЧЯЖД!
Nice to meet you x secret= ЮБЬИЧЯЖД
Got It!
Symmetric Encryption
I want to send you a private message but don’t want anyone else to read
it…
Hello x a12f2d8ac = ЙЦГШЩЗЪФ
ЙЦГШЩЗЪФ! ЙЦГШЩЗЪФ / privatesecret=
HelloGot It!
Not a problem, here’s my public key – a12f2d8ac
Asymmetric Encryption
Howdy-doo!hablemos español!Here’s my ID, public
key and my 6bcfae6a
Privet! I want to speak privately with Yosemite Sam. I can speak Russian,
Chinese, Spanish and Englishhere’s my random e77dfb41
Hmm, California, USA, ok I trust your
IDEncrypt (convertir
en Español (E77dfb41 + 6bcfae6a))
Here’s pre-master, en español,
encrypted with your private
Decrypt (pre-master)
Lo tengo! (Got it!)𝑀𝐴𝐶=√𝑏2−4𝑎𝑐
2𝑎
𝑀𝐴𝐶=√𝑏2−4𝑎𝑐2𝑎
es tan genial para hablar en privado
sí, es difícil hablar libre en
estos días
SSL/TLS Handshake
Hmm, California, USA, ok I trust your
ID
Keep Private Keys Private
NTFS ACL
Windows private key ACL
Use Hardware Security modules Windows support out of the box
Apache support
Avoid using shared wildcard certificates
Subordinate Certification Authority
ESX Hosts Network equipment Users
Public Key Infrastructure
Root Certification Authority
Mobile devices
TLS recommendations
Use TLS or DTLS for everything that moves over the wire RDP https://technet.microsoft.com/en-us/magazine/ff458357.aspx
XenDesktop http://blogs.citrix.com/2014/10/16/xenapp-and-xendesktop-7-6-security-fips-140-2-and-ssl-to-vda/
Horizon View https://pubs.vmware.com/horizon-view-60/topic/com.vmware.ICbase/PDF/horizon-view-60-scenarios-ssl-certificates.pdf
SQL Server http://blogs.msdn.com/b/sqlserverfaq/archive/2012/04/04/can-tls-certificate-be-used-for-sql-server-encryption-on-the-wire.aspx
LDAP http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx
Use other encryption methods for other protocols SMB Encryption http://
blogs.technet.com/b/filecab/archive/2012/05/03/smb-3-security-enhancements-in-windows-server-2012.aspx
Horizon View https://pubs.vmware.com/horizon-view-60/topic/com.vmware.ICbase/PDF/horizon-view-60-security.pdf
TLS recommendations
Disable weak ciphers and SSL 3.0 Windows https://support.microsoft.com/en-us/kb/245030
Apache https://www.sslshopper.com/article-how-to-disable-weak-ciphers-and-ssl-2.0-in-apache.html
Nginx https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
NetScaler http://www.antonvanpelt.com/make-netscaler-ssl-vips-secure/
F5 https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13171.html
Use TLS internally
Use an appropriate Certification Authority
Switch to SHA256 - http://blogs.technet.com/b/pki/archive/2013/09/19/upgrade-certification-authority-to-sha256.aspx
Know the difference
Self-signed vs. preinstalled certificate Check the date/name
Intended usage Make sure that you use correct templates
Encryption vs. Obfuscation Unsecured private key = obfuscation
FIPS/Common Criteria
Remember who do you trust Certified software/hardware doesn’t secure you automatically.
Security policy “System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing.” does not affect third-party and breaks .net
Certification may take years, release cycle usually shorter
Compliance
A foolproof plan for security Nothing is foolproof to a sufficiently talented fool
Standardized environments are easier to hack
Additional budget for IT
Enforcing documentation
Just a checklist to impress auditor
top related